# Using subTee's katz to Reflectively Load an exe

I haven't seen this specifically outlined anywhere so I figured I'd write a short post to go over using subTee's Katz2.0 program to create a custom binary that loads mimikatz (or whatever executable you'd like) into memory. Casey Smith (subTee) and company have created some incredible tools that have made my life easier, so hats off to them.

### Reflective Injection

The following steps will create a custom binary with an encrypted and encoded mimikatz binary string which will load mimikatz into memory through reflective PE injection.

1. Compile Mimikatz for release - remember it's architecture specific so you'll probably want to compile both or download the binaries
2. Download subTee's Katz2.0. My fork simply makes the encryption method easier to access and outputs the base64. The following is based on that.
3. Open in Visual Studio
4. Find/Replace “password” with something more subtle like “WaitForSingleObject”
5. Find “SALT” and replace those bytes with 0xde 0xad 0xbe 0xef and so on.
6. Compile Katz2.0
7. And run the resulting binary pointing to your mimikatz executable
8. c:\>katz.exe encrypt c:\path\to\mimikatz64.exe | clip
9. If you clipd from before this will be in your clipboard, otherwise copy the output string from newly created file.b64
10. Paste that string into the filex64 variable (at the bottom of Katz2.0.cs)
11. And now rebuild Katz2.0 again
12. Note that you could/should repeat this process for the x86 mimikatz binary

Now when you run the katz2.0 binary without any arguments, mimikatz should be loaded into memory and run without issue. This will get by most AV out there although some programs may flag some mimikatz functionality (e.g. dumping sekurlsa::logonpasswords).

### Similar projects

• p0wnedShell is pretty sweet, and does a similar thing although it's considerably larger including more tools

• Customize mimikatz to reflectively load the DLL into memory - great post here

• Similar work by subTee lets you execute shellcode using JScript here

• For more fully featured obfuscation, ObfuscatedEmpire is an awesome integration of Invoke-Obfuscation and Empire. Highly recommend checking it out.

• Similar but using Invoke-Mimikatz - simply make a few string modifications to slip by AV - BHIS

• Powershell without powershell.exe - Also by BHIS