Add README.md
commit dff94927e5
README.md (Normal file, 26 lines)
@ -0,0 +1,26 @@
# koneko
A Cobalt Strike shellcode loader with multiple advanced evasion features.
## Disclaimer
Don't be evil with this. I created this tool to learn. I'm not responsible if the Feds knock on your door.
----------------------------------------------------------------------------------------------------------
Historically was able to (and may still) bypass
- Palo Alto Cortex xDR
- Windows Defender
- Malwarebytes Anti-Malware
## Features
- Fully custom sleep implementation with thread callstack spoofing using NtCreateEvent and NtWaitForSingleObject
- Inline hook on Sleep/SleepEx to redirect to said custom sleep implementation
- Switching between Fiber threads to further avoid memory scanning
- Return address spoofing on (almost?) every other API/NTAPI call
- All the indirect syscalls!
- Bunch of anti-VM and anti-debugger checks
- Splitting and hiding shellcode as a bunch of x64 addresses with the EncodePointer API
- Probably other stuff I forgot to mention here
## Negatives
- It's not a UDRL loader, these spoof tricks are limited to only the running executable and will go away when you process inject to something else.
- The sleep obfuscation is tailored to Cobalt Strike. To work with other C2s you'd need to tailor how the hooking happens. Use a tool like `apimonitor` to intercept API calls from your beacon, detect the API(s) called on the sleep cycle, and then adjust the hooks as needed.
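Review bot: the "Historically was able to (and may still) bypass" list carries no test date, product version or test method, so a reader cannot tell whether any entry is current; either date each entry with the product version it was checked against or drop the list. The README also has no build or usage section: there is nothing on the required toolchain, target architecture (the Features section implies x64 only) or how the shellcode is supplied, so a "Build" heading with those details would make the file usable as documentation. Minor: `apimonitor` in the Negatives section is set in code formatting as if it were a command, but it is the name of a third-party tool; plain text with a link would be clearer.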