
Donut vs ScareCrow

GitHub Stats

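Stars: 4.5k (Donut), 2.9k (ScareCrow)
Forks: 736 (Donut), 529 (ScareCrow)
Issues: 36 (Donut), 7 (ScareCrow)
Updated: 9mo ago (Donut), 2y ago (ScareCrow)
License: BSD-3-Clause (Donut)
Language: C (Donut), Go (ScareCrow)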

About Donut

Donut is a position-independent code generation tool that creates x86 or x64 shellcode payloads from .NET assemblies, PE files, DLLs, and VBS/JS/XSL files. The generated shellcode can load and execute the payload entirely in memory without touching disk, making it extremely useful for AV/EDR evasion. Donut supports encryption (Chaskey cipher), decoy module loading, and CLR bootstrapping for .NET payloads. It's a critical component in modern red team toolchains.

About ScareCrow

ScareCrow is a payload creation framework designed to generate loaders that bypass Endpoint Detection and Response (EDR) products. It uses direct Windows system calls instead of standard WinAPI calls, avoiding the userland hooks that EDR products use for detection. ScareCrow supports multiple loader types (DLL sideloading, binary, JScript, HTA), code signing with spoofed certificates, and integration with shellcode generators like Donut. It represents the current state of the art in EDR evasion.

Platform Support

Donut: 🐧 linux, 🪟 windows
ScareCrow: 🐧 linux, 🪟 windows

Tags

Shared

evasion

Donut only

shellcode, in-memory, dotnet, position-independent

ScareCrow only

edr-bypass, syscalls, loader, code-signing