Skip to content

entropy-z/Kharon

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

149 Commits
agent_kharon
agent_kharon
 
 
assets
assets
 
 
doc
doc
 
 
listener_kharon_http
listener_kharon_http
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
setup_kharon.sh
setup_kharon.sh
 
 

Repository files navigation

Kharon v0.2

Kharon is a fully Position-Independent Code (PIC) agent that operates without a reflective loader. It incorporates multiple evasion mechanisms, including sleep obfuscation, heap obfuscation during sleep, stack spoofing with indirect syscalls, a BOF API proxy for spoofed and indirect BOF API execution, and AMSI/ETW bypass.

For detailed information about features, setup, and usage, check the official documentation here

PIC Logic

Kharon uses a class-based design to store the beacon instance.
The instance is retrieved using a magic value stored in a custom heap, allowing reliable access without relying on global symbols.

Core Features

This section covers the main capabilities related to evasion, malleable profiles, and runtime control.

HTTP Malleable Profile

  • Proxy configuration (URL, username, and password)
  • Domain rotation strategies:
    • Random
    • Failover
    • Round-robin
  • Multi-host configuration
  • Independent User-Agent and headers for GET and POST requests
  • Custom parameters
  • Fine-grained control over route behavior:
    • Output data via body, parameter, or header
    • Append / Prepend output data
  • Custom empty server responses
  • Custom error responses

Documentation here: http-malleable

Post-Exploitation Execution

Post-exploitation routines are based on Beacon Object Files (BOFs) and PIC shellcode, which can be executed:

  • In the current process (BOF/PIC)
  • In a remote target process (PIC)

Evasion

  1. Spoofed + Indirect Syscalls
    Applies call stack spoofing to selected API executions.

  2. BOF API Proxy
    Proxies BOF API calls to enable spoofed call stacks and indirect syscalls.

  3. Memory Evasion

    • Sleep obfuscation
    • Heap masking during beacon sleep

Runtime Configuration Changes

Kharon supports live runtime configuration updates using the config command.
This allows dynamic changes to beacon behavior, including:

  • Kill date (date-based or self-delete)
  • Working hours
  • BOF API proxy enable/disable
  • Spoofed + indirect syscall enable/disable
  • Memory obfuscation:
    • Heap masking status
    • Beacon masking technique
  • Process creation behavior:
    • Parent Process ID (PPID) spoofing
    • Block DLL policy
  • AMSI / ETW bypass
  • Sleep and jitter configuration

Check commands documentation.

About

Agent for AdaptixC2 with focus in evasion, capability and malleable.

Resources

Readme

License

View license
Activity

Stars

182 stars

Watchers

9 watching

Forks

40 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors 5

Languages