Don’t kill my cat is a tool that generates obfuscated shellcode that is stored inside of polyglot images. The image is 100% valid and also 100% valid shellcode. The idea is to avoid sandbox analysis since it’s a simple “legit” image. For now the tool rely on PowerShell the execute the final shellcode payload.

Why it’s called don’t kill my cat? Since I suck at finding names for tools, I decided to rely on the fact that the default BMP image is a cat to name the tool.

Presentation on how it works internally can be found here.

Basic Flow

• Generate shellcode (meterpreter / Beacon)
• Embed the obfuscated shellcode inside the image
• PowerShell download the image and execute the image as shellcode
• Get your shell

Download