Don't kill my cat is a tool that generates obfuscated shellcode that is stored inside of polyglot images. The image is 100% valid and also 100% valid shellcode. The idea is to avoid sandbox analysis since it's a simple "legit" image. For now the tool rely on PowerShell the execute the final shellcode payload.
Why it's called don't kill my cat? Since I suck at finding names for tools, I decided to rely on the fact that the default BMP image is a cat to name the tool.
Presentation on how it works internally can be found here:Â https://github.com/Mr-Un1k0d3r/DKMC/blob/master/DKMC%20presentation%202017.pdf
Basic Flow
- Generate shellcode (meterpreter / Beacon)
- Embed the obfuscated shellcode inside the image
- PowerShell download the image and execute the image as shellcode
- Get your shell