A tiny framework for easily manipulate the tty and create fake binaries.

How it works?

The framework has three main functions, tas_execv, tas_forkpty, and tas_tty_loop.

  • tas_execv: It is a function similar to execv, but it doesn’t re-execute the current binary, something very useful for creating fake binaries.

  • tas_forkpty: Is the same as forkpty, but it fills a custom structure, check forkpty man page for more details.

  • tas_tty_loop: here is where the manipulation of the tty happen, you can set a hook function for the input and output, so it is possible to store the keys typed by the user or manipulate the terminal output. (see leet-shell).

This is a superficial overview, check the codes in tas/fakebins/fun folders to understand how it really works.



Donut generates x86 or x64 shellcode from VBScript, JScript, EXE, DLL (including .NET Assemblies) files. This shellcode can be injected into an arbitrary Windows processes for in-memory execution. Given a supported file type, parameters and an entry point where applicable (such as Program.Main), it produces position-independent shellcode that loads and runs entirely from memory. A module created by donut can either be staged from a URL or stageless by being embedded directly in the shellcode. Either way, the module is encrypted with the Chaskey block cipher and a 128-bit randomly generated key. After the file is loaded through the PE/ActiveScript/CLR loader, the original reference is erased from memory to deter memory scanners. For .NET Assemblies, they are loaded into a new Application Domain to allow for running Assemblies in disposable AppDomains.


Welcome to 0x1.gitlab.io my personal blog to share my knowledge
Cyber Security, Ethical Hacking, Web & Network Auditing, Reverse Engineering and Cryptography
Website semi-configured to use with No-Script. No ADS and No use analytics tracking.


Forum : @0x1

© 0x1 | Cyber Security Consulting - Copyright All Rights Reserved