commit dff94927e5e8a7d3aca8816d1395e5eb9211754c Author: meowmycks Date: Sat Apr 12 23:44:59 2025 -0400 Add README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..d4b73b8 --- /dev/null +++ b/README.md @@ -0,0 +1,26 @@ +# koneko +A Cobalt Strike shellcode loader with multiple advanced evasion features. + +## Disclaimer +Don't be evil with this. I created this tool to learn. I'm not responsible if the Feds knock on your door. + +---------------------------------------------------------------------------------------------------------- + +Historically was able to (and may still) bypass +- Palo Alto Cortex xDR +- Windows Defender +- Malwarebytes Anti-Malware + +## Features +- Fully custom sleep implementation with thread callstack spoofing using NtCreateEvent and NtWaitForSingleObject +- Inline hook on Sleep/SleepEx to redirect to said custom sleep implementation +- Switching between Fiber threads to further avoid memory scanning +- Return address spoofing on (almost?) every other API/NTAPI call +- All the indirect syscalls! +- Bunch of anti-VM and anti-debugger checks +- Splitting and hiding shellcode as a bunch of x64 addresses with the EncodePointer API +- Probably other stuff I forgot to mention here + +## Negatives +- It's not a UDRL loader, these spoof tricks are limited to only the running executable and will go away when you process inject to something else. +- The sleep obfuscation is tailored to Cobalt Strike. To work with other C2s you'd need to tailor how the hooking happens. Use a tool like `apimonitor` to intercept API calls from your beacon, detect the API(s) called on the sleep cycle, and then adjust the hooks as needed. \ No newline at end of file
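Review bot: the new README carries no build, dependency or usage section, and the "Historically was able to (and may still) bypass" list names three products with no product versions or test dates, so a reader cannot tell what was actually verified or when; add the toolchain and build steps, and qualify each bypass entry with the version and date it was last observed (or mark it untested). The hedges in "Return address spoofing on (almost?) every other API/NTAPI call" and "Probably other stuff I forgot to mention here" should be resolved into a definite feature list or removed, since a README that the author is unsure of is hard to review. The "## Negatives" section is the most useful part of the file (scope limited to the running executable, sleep handling tied to Cobalt Strike) and would read better placed directly under "## Features" as "## Limitations".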