https://github.com/tijme/kong-loader

Using Just In Time (JIT) instruction decryption, this shellcode loader ensures that only the currently executing instruction is visible in memory.
https://github.com/tijme/kong-loader

cobaltstrike evasion loader memory redteam scanning shellcode

Last synced: 9 months ago
JSON representation

Using Just In Time (JIT) instruction decryption, this shellcode loader ensures that only the currently executing instruction is visible in memory.

• Host: GitHub
• URL: https://github.com/tijme/kong-loader
• Owner: tijme
• License: mpl-2.0
• Created: 2024-07-10T07:40:38.000Z (over 1 year ago)
• Default Branch: master
• Last Pushed: 2025-03-30T15:35:10.000Z (about 1 year ago)
• Last Synced: 2025-03-30T16:28:54.200Z (about 1 year ago)
• Topics: cobaltstrike, evasion, loader, memory, redteam, scanning, shellcode
• Language: C
• Homepage:
• Size: 5.02 MB
• Stars: 0
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • Funding: .github/FUNDING.yml
  • License: LICENSE.md

Awesome Lists containing this project

README

          


    





    

        

      

    

        

      

    

        

    





    The hidden ART of rolling shellcode decryption.

    


    Built with ♥ by Tijme Gommers – Buy me a coffee via PayPal.

    






    Abstract

    •

    Getting started

    •

    Caveats

    •

    Future work

    •

    Issues & requests

    •

    License & copyright





## Abstract

Executing malicious shellcode may trigger memory scans by EDR, leading to detection of your malware. Sleep masks were introduced to ensure that your malware is encrypted in memory while it's idle (sleeping), aiming to prevent that detection. Using sleep masks, your malware is decrypted after sleeping, executes commands, and is then encrypted and instructed to sleep again. This ensures that your malware is only briefly visible in memory.

**Kong Loader** prevents your malware from being visible in memory *entirely* and *whatsoever*, even while executing commands. It uses rolling decryption, terminology I'm likely misusing, but which *does* represent how Kong Loader works. For each assembly instruction, Kong Loader decrypts that specific assembly instruction, executes it, and encrypts it again. This means only the currently executing instruction is visible in memory, which is insufficient for EDR to trigger detection on.

## Getting started

Clone this repository first. Install the dependencies, then [review the code](https://github.com/tijme/kong-loader/blob/master/.github/laughing.gif) and compile it from source. The steps below were tested on MacOS x64 and arm64.

**Dependencies**

* [MinGW](https://formulae.brew.sh/formula/mingw-w64)

**Compiling**

    make

**Usage**

Execute `./dst/KongLoader.x64.exe` on your Windows target machine.

## Caveats

There are various caveats, for both offensive & defensive cyber security. Some examples:

* Memory corruptions might occur if the shellcode tries to alter itself during runtime. 

* Kong Loader's native code can be signatured and thus easily detected.

* The execution is extremely slow, and can currently only be used for tiny first stage malware.

* Malware that runs using Kong Loader can be hardly debugged.

    - Exceptions trigger in your debugger, for every single instruction.

    - Exceptions can't be dismissed, as they decrypt the instruction to be executed.

    - Ignoring the exceptions using `sxi sse` (windbg) adds millions of instructions per instruction to be executed.

* Multi-threading is not supported as encryption race conditions would occur.

## Detection

At this moment, it is quite easy to detect Kong Loader because Kong Loader's native code is static and can therefore be signatured. There is no polymorphic engine yet that modifies the static code during each build. The following files contains rules that allows you to detect Kong Loader:

* [`kong_loader_native_code.yara` (Yara)](https://github.com/tijme/kong-loader/blob/master/sig/kong_loader_native_code.yara)

## Future work

* Write a shellcode transpiler that transpiles to a interpretable format that prevents the need of a disassembler.

    - This essentialy moves the Kong Loader funcionality from runtime to compile time.

* Possibly decrypt full basic blocks instead of single instructions, to improve speed.

* Make use of a polymorphic engine to ensure that the native code does not contain static signatures.

## Issues & requests

Issues or new feature requests can be reported via the [issue tracker](https://github.com/tijme/kong-loader/issues). Please make sure your issue or feature has not yet been reported by anyone else before submitting a new one.

## License & copyright

Copyright (c) 2024 Tijme Gommers. Kong Loader is released under the Mozilla Public License Version 2.0. View [LICENSE.md](https://github.com/tijme/kong-loader/blob/master/LICENSE.md) for the full license. Kong Loader depends on [Zydis](https://zydis.re/), which is licenced under the [MIT Licence](https://github.com/zyantific/zydis/blob/master/LICENSE).