Kainefiltrator Project Summary

Project Overview

Kainefiltrator is a comprehensive post-exploitation exfiltration framework designed for educational purposes and authorized red team engagements. The tool demonstrates modern APT techniques including multiple exfiltration channels, evasion methods, persistence mechanisms, and credential harvesting.

File Structure

kainefiltrator/
├── include/                    # Header files (8 files)
│   ├── kf_types.h             # Core types, structures, enums
│   ├── kf_str.h               # String obfuscation macros
│   ├── kf_evasion.h           # Evasion technique declarations
│   ├── kf_exfil.h             # Exfiltration method declarations
│   ├── kf_tui.h               # Terminal UI interface
│   ├── kf_toast.h             # Toast notification system
│   ├── kf_persist.h           # Persistence mechanisms
│   └── kf_stage.h             # In-memory staging operations
│
├── src/                        # Source files (11 files)
│   ├── main.c                 # Entry point, TUI logic, menu handlers
│   ├── evasion.c              # AMSI bypass, ETW patching, unhooking
│   ├── crypto.c               # AES encryption, Base64, compression
│   ├── exfil_doh.c            # DNS over HTTPS exfiltration
│   ├── exfil_tcp.c            # Raw TCP socket exfiltration
│   ├── exfil_smb.c            # SMB share exfiltration
│   ├── exfil_ftp.c            # FTP upload exfiltration
│   ├── exfil_lol.c            # Cloud API exfiltration (Dropbox, Mega, etc.)
│   ├── tui.c                  # Terminal UI implementation
│   ├── toast.c                # Credential phishing notifications
│   ├── persist.c              # Registry, startup, scheduled tasks
│   └── stage.c                # PE loading, process hollowing
│
├── docs/                       # Documentation (3 files)
│   ├── TECHNICAL.md           # Deep technical documentation
│   ├── USAGE.md               # User guide and workflows
│   └── POC_EXCERPTS.md        # Proof-of-concept code snippets
│
├── Makefile                    # Build configuration (MinGW/MSVC)
├── README.md                   # Project overview
├── LICENSE                     # MIT License with legal notice
├── .gitignore                  # Git ignore patterns
└── PROJECT_SUMMARY.md          # This file

Code Statistics

| Component     | Files | Approx. Lines |
|---------------|-------|---------------|
| Headers       | 8     | ~800          |
| Source        | 11    | ~2,500        |
| Documentation | 4     | ~1,200        |
| Total         | 23    | ~4,500        |

Key Features Implemented

Exfiltration Methods (9)

  1. DoH - DNS over HTTPS for bypassing DNS filtering
  2. SMB - Windows file share uploads
  3. FTP - File transfer protocol
  4. TCP - Raw socket communication
  5. Dropbox - Cloud storage API
  6. Mega - Encrypted cloud storage
  7. Mediafire - Anonymous file hosting
  8. GitHub - Gist API for text storage
  9. Pastebin - Text paste service

Evasion Techniques (6)

  1. Userland Unhooking - Restores clean ntdll from disk
  2. AMSI Bypass - Patches AmsiScanBuffer
  3. ETW Patching - Disables Event Tracing
  4. PPID Spoofing - Creates processes under legitimate parents
  5. DLL Blocking - Prevents non-MS DLL loading
  6. Clean DLL Loading - Loads fresh DLLs from disk

Persistence Methods (5)

  1. Registry Run - HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  2. Registry RunOnce - One-time execution at login
  3. Startup Folder - Shortcut in user's startup
  4. Scheduled Tasks - Task Scheduler integration
  5. Windows Service - System service (requires elevation)
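The five persistence locations above are also the places a defender baselines and re-checks. The following audit script is an added example written for this summary; it is not part of the Kainefiltrator project and does not use any of its code. It enumerates the Run/RunOnce keys named above (plus their HKLM counterparts), the per-user and all-users Startup folders, scheduled-task actions and service binaries, and flags entries that point into user-writable paths. The path filters (AppData, Temp, Users\Public, ProgramData) are an assumed heuristic, not a rule from the project. Run it in an elevated session so the service and task queries return complete results.

```powershell
# Added example (not part of the Kainefiltrator project): enumerate the
# autostart locations listed in the summary so they can be baselined.
# Assumes an elevated PowerShell 5.1+ session on Windows.

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Source, [string]$Name, [string]$Value)
    $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Value = $Value })
}

# 1-2. Registry Run and RunOnce keys (HKCU as in the summary, HKLM added for completeness)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... bookkeeping properties
            if ($p.Name -notlike 'PS*') { Add-Finding $key $p.Name $p.Value }
        }
    }
}

# 3. Startup folder contents (per-user and all-users)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding 'StartupFolder' $_.Name $_.FullName
    }
}

# 4. Scheduled tasks whose action executes from a user-writable location
#    (heuristic path list is an assumption made for this example)
$suspiciousPath = 'AppData|\\Temp\\|Users\\Public|ProgramData'
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute -and $a.Execute -match $suspiciousPath) {
            Add-Finding 'ScheduledTask' $_.TaskName "$($a.Execute) $($a.Arguments)"
        }
    }
}

# 5. Services whose binary lives outside System32 / Program Files
Get-CimInstance Win32_Service | Where-Object {
    $_.PathName -and $_.PathName -notmatch 'Windows\\System32|Program Files'
} | ForEach-Object {
    Add-Finding 'Service' $_.Name $_.PathName
}

# Print the snapshot and save it so later runs can be diffed against it
$findings | Sort-Object Source, Name | Format-Table -AutoSize
$findings | Export-Csv -Path "$env:TEMP\autostart-baseline.csv" -NoTypeInformation
```

Take a first snapshot on a known-good machine, then compare later snapshots with `Compare-Object` (or import both CSVs and diff on the `Source`/`Name`/`Value` columns); any new Run value, Startup shortcut, task or service that appears between runs is the thing to investigate. The heuristics here only narrow the list; Registry Run entries and Startup items are reported in full because a legitimate-looking path is not evidence of a legitimate binary.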

Credential Harvesting (4)

  1. Office 365 Prompt - Fake Microsoft authentication
  2. VPN Prompt - Corporate VPN connection dialog
  3. Wi-Fi Prompt - Network security key request
  4. Smart Card Prompt - PIN entry dialog

In-Memory Operations

  1. PE Loading - Execute PE files without touching disk
  2. Process Hollowing - Replace legitimate process memory
  3. APC Injection - Asynchronous procedure call injection
  4. Thread Injection - CreateRemoteThread-based injection

Build Instructions

Prerequisites

  • MinGW-w64 or Visual Studio
  • Windows SDK
  • Make (optional)

Build Commands

# Standard build
make

# Debug build
make debug

# MSVC build
make msvc

# Clean build artifacts
make clean

Output

  • bin/kainefiltrator.exe - Release build
  • bin/kainefiltrator_debug.exe - Debug build

Usage Flow

1. Launch kainefiltrator.exe
        ↓
2. TUI interface loads
        ↓
3. Select exfiltration method
        ↓
4. Configure target/credentials
        ↓
5. (Optional) Apply evasion
        ↓
6. (Optional) Install persistence
        ↓
7. Select files to exfiltrate
        ↓
8. Data is encrypted and transmitted

Security Features

Operational Security

  • XOR string obfuscation (compile-time)
  • Dynamic API resolution
  • In-memory operations
  • Jittered sleep intervals
  • Minimal disk artifacts

Anti-Detection

  • Clean syscall restoration
  • AMSI/ETW bypass
  • Process masquerading
  • Module stomping support

Extension Points

The framework is designed for easy extension:

Adding New Exfiltration Methods

  1. Declare in kf_exfil.h
  2. Implement in exfil_mymethod.c
  3. Add to enum in kf_types.h
  4. Wire up in main.c

Adding New Evasion Techniques

  1. Declare in kf_evasion.h
  2. Implement in evasion.c
  3. Call from initialization

Custom Cryptography

Replace the implementations in crypto.c or add new algorithms alongside them.

Educational Value

This project demonstrates:

  • Windows internals (PE format, syscalls, memory management)
  • Network protocols (DNS, SMB, FTP, HTTP/HTTPS)
  • Cryptography (AES, Base64, compression)
  • Evasion techniques (hooking, patching, injection)
  • Persistence mechanisms (registry, WMI, services)
  • Social engineering (credential phishing)

Legal and Ethical Considerations

  • Educational Purpose Only: Designed for learning and authorized testing
  • Authorization Required: Only use on systems you own or have permission to test
  • Responsible Disclosure: Report vulnerabilities appropriately
  • Compliance: Follow all applicable laws and regulations

Future Enhancements

Potential additions for further learning:

  • Hardware breakpoint-based hook bypass
  • Kernel driver for advanced evasion
  • Domain Fronting support
  • WebSocket exfiltration
  • ICMP tunneling
  • Covert timing channels
  • Blockchain-based C2
  • Machine learning for detection evasion

References

  • Windows Internals, 7th Edition
  • "The Art of Memory Forensics"
  • "Practical Malware Analysis"
  • Various security research papers and conference presentations

Note: This project is for educational purposes only. The authors assume no liability for misuse. Always obtain proper authorization before security testing.