Whispergate/Kainefiltrator
Kainefiltrator

A post-exploitation exfiltration framework for authorized red team engagements and malware research. This tool is designed for educational purposes and legitimate security testing only.

DISCLAIMER: I AM AWARE THE TOOL IS NOT WORKING

As of 15/04/26 (dd/mm/yy), I am aware the Kainefiltrator tool is broken. This project was never intended fully to work and admittedly was overcomplicated regardless. The project was intended as a proof-of-concept to myself and to familiarise myself with project structures and the Windows API alongside certain concepts I find interesting.

Expect updates later this month as I work on creating smaller projects to build up to effectively rewriting the entire codebase. The project is made public so that others may view it and utilise it solely as reference.

Overview

Kainefiltrator is a modular post-exploitation tool designed to demonstrate various data exfiltration techniques used in advanced persistent threats (APTs). It incorporates modern evasion techniques, multiple exfiltration channels, and operational security considerations.

Features

Exfiltration Methods

Method     Description               Use Case
DoH        DNS over HTTPS            Bypass DNS filtering, blend with normal traffic
SMB        Server Message Block      Internal lateral movement exfil
FTP        File Transfer Protocol    Legacy system compatibility
TCP        Raw TCP sockets           Direct C2 communication
Dropbox    Cloud storage API         Living-off-the-land
Mega       Encrypted cloud storage   Privacy-focused exfil
Mediafire  File hosting service      Anonymous upload
GitHub     Gist API                  Developer environment blending
Pastebin   Text paste service        Small data chunks
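Added defender-side example, not code from the Kainefiltrator project: a heuristic that flags DoH/DNS exfiltration-style queries in resolver logs. It assumes the organisation runs or proxies its own DoH resolver so query names are logged; the log format, the sample lines and the entropy/length thresholds are all constructed here.

```python
import math
from collections import defaultdict

# Constructed sample lines from an internal DoH resolver's query log.
# Assumed format: "<unix_ts> <client_ip> <qtype> <qname>". The three TXT queries
# carry long, base64-looking labels of the kind a DNS/DoH exfil channel emits.
SAMPLE_LOG = """\
1713170000 10.0.0.5 A www.example.com
1713170001 10.0.0.5 A login.microsoftonline.com
1713170002 10.0.0.7 TXT aGVsbG8gd29ybGQgdGhpcyBpcyBzZWNyZXQ.x7f2.exfil-test.invalid
1713170003 10.0.0.7 TXT dGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcw.x7f2.exfil-test.invalid
1713170004 10.0.0.7 TXT b3ZlciB0aGUgbGF6eSBkb2cgYW5kIHRoZW4.x7f2.exfil-test.invalid
1713170005 10.0.0.5 A cdn.example.net
"""

def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one DNS label."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_suspicious_qname(qname: str, min_len: int = 24, min_entropy: float = 3.5) -> bool:
    """Flag a name whose subdomain labels (everything left of the base domain) are long
    and high-entropy. Thresholds are assumed starting points, not tuned values."""
    labels = qname.rstrip(".").split(".")
    return any(len(l) >= min_len and label_entropy(l) >= min_entropy for l in labels[:-2])

def find_exfil_candidates(log_text: str, min_hits: int = 3) -> dict:
    """Group suspicious queries by (client, base domain); keep groups with >= min_hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing on them
        _ts, client, _qtype, qname = parts
        if is_suspicious_qname(qname):
            base = ".".join(qname.rstrip(".").split(".")[-2:])
            hits[(client, base)].append(qname)
    return {k: v for k, v in hits.items() if len(v) >= min_hits}

if __name__ == "__main__":
    for (client, base), names in find_exfil_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {base}: {len(names)} suspicious queries")
```

Grouping by client and base domain matters because a single long label is common in CDN and tracking traffic; a burst of them to one zone from one host is the signal.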

Evasion Techniques

  • Userland Unhooking: Restores original syscall stubs from clean disk copy of ntdll
  • AMSI Bypass: Patches AmsiScanBuffer to return clean
  • ETW Patching: Disables Event Tracing for Windows
  • Clean DLL Loading: Loads fresh copies of system DLLs from disk
  • PPID Spoofing: Creates processes under legitimate parent processes
  • DLL Blocking: Prevents non-Microsoft DLLs from loading into process

Persistence Mechanisms

  • Registry Run/RunOnce keys
  • Startup folder shortcuts
  • Scheduled tasks
  • WMI event subscriptions
  • Windows services (elevated)

Credential Harvesting

Toast notification-based credential prompts that mimic legitimate Windows dialogs:

  • Office 365 authentication
  • VPN connection prompts
  • Wi-Fi network keys
  • Smart card PIN entry

Building

Prerequisites

  • MinGW-w64 or Visual Studio
  • Windows SDK
  • Make (optional)

MinGW Build

make

Visual Studio Build

make msvc

Debug Build

make debug

Usage

Launch the TUI interface:

kainefiltrator.exe

Configuration

  1. Select exfiltration method from the menu
  2. Configure target host/port or API credentials
  3. Enable/disable encryption and compression
  4. Set sleep/jitter intervals for timing obfuscation

Command Line Options (Future)

kainefiltrator.exe [options]
  -m, --method    Exfiltration method
  -t, --target    Target host/URL
  -p, --port      Target port
  -f, --file      File to exfiltrate
  -e, --encrypt   Enable encryption
  -c, --compress  Enable compression
  -s, --sleep     Sleep interval (ms)
  -j, --jitter    Jitter percentage
  --persist       Install persistence
  --evade         Apply evasion techniques

Architecture

kainefiltrator/
├── include/          # Header files
│   ├── kf_types.h    # Core types and structures
│   ├── kf_str.h      # String obfuscation macros
│   ├── kf_evasion.h  # Evasion technique declarations
│   ├── kf_exfil.h    # Exfiltration method declarations
│   ├── kf_tui.h      # Terminal UI declarations
│   ├── kf_toast.h    # Toast notification declarations
│   ├── kf_persist.h  # Persistence mechanism declarations
│   └── kf_stage.h    # In-memory staging declarations
├── src/              # Source files
│   ├── main.c        # Entry point and TUI logic
│   ├── evasion.c     # Evasion implementations
│   ├── crypto.c      # Encryption/encoding
│   ├── exfil_*.c     # Exfiltration methods
│   ├── tui.c         # Terminal UI
│   ├── toast.c       # Toast notifications
│   ├── persist.c     # Persistence mechanisms
│   └── stage.c       # In-memory operations
├── docs/             # Documentation
└── Makefile

Security Considerations

Operational Security

  • String obfuscation using XOR encoding
  • Minimal string literals in binary
  • Dynamic API resolution
  • In-memory operations where possible
  • Jittered sleep intervals
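Added analyst-side example, not code from the project: single-byte XOR string obfuscation is undone by a known-plaintext search across all 256 keys (the approach tools such as xorsearch take), which is the check a malware analyst runs before reading a sample's strings. The blob, the key and the needle list below are constructed for the example.

```python
# Constructed sample: three NUL-terminated strings XOR-encoded with one key, the way a
# simple string-obfuscation macro lays them out, padded with non-string bytes on each side.
def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

_SAMPLE_KEY = 0x5A
_SAMPLE_PLAIN = b"ntdll.dll\x00AmsiScanBuffer\x00https://dns.example.invalid/dns-query\x00"
SAMPLE_BLOB = bytes(range(0x80, 0x90)) + xor_bytes(_SAMPLE_PLAIN, _SAMPLE_KEY) + bytes(range(0xF0, 0x100))

# Known-plaintext needles an analyst expects to find in a Windows post-exploitation binary.
NEEDLES = (b".dll", b"http", b"Amsi")

def printable_runs(data: bytes, min_len: int = 6) -> list:
    """Extract runs of printable ASCII (0x20-0x7e) at least min_len long, like `strings`."""
    runs, cur = [], bytearray()
    for b in data:
        if 0x20 <= b <= 0x7E:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs

def find_xor_keys(blob: bytes, needles=NEEDLES) -> dict:
    """Try every single-byte key; return {key: needles_found} for keys that reveal a needle."""
    hits = {}
    for key in range(256):
        plain = xor_bytes(blob, key)
        found = sum(1 for n in needles if n in plain)
        if found:
            hits[key] = found
    return hits

def recover_strings(blob: bytes, needles=NEEDLES):
    """Pick the key that reveals the most needles and dump the strings it decodes."""
    hits = find_xor_keys(blob, needles)
    if not hits:
        return None, []
    best = max(hits, key=lambda k: (hits[k], -k))
    return best, printable_runs(xor_bytes(blob, best))

if __name__ == "__main__":
    key, strs = recover_strings(SAMPLE_BLOB)
    print(f"key=0x{key:02x}", strs)
```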

Detection Evasion

  • Clean syscall stubs from disk
  • AMSI/ETW patching
  • Process hollowing capabilities
  • APC injection support

Legal Notice

This tool is provided for educational purposes and authorized security testing only. Unauthorized access to computer systems is illegal. Users are responsible for complying with all applicable laws and regulations.

License

MIT License - See LICENSE file for details

Credits

Inspired by various open-source security research projects and educational materials.

About

Windows-targeting exfiltration tool written in C, supports 9 different types of exfiltration including DoH, SMB, TCP, FTP and LoLexfil methods.