Welcome back, Chooms!

You’re jackin’ into another GonkWare drop! If you’ve been ridin’ with us, you already know; this ain’t just another toolkit. GonkWare is built for those who like their malware laced with just the right amount of chaos during their Night City journey or PEN 300 course in our case.

For those just tuning in to the madness: GonkWare is a custom-built GUI tool developed in Python, designed to automate and enhance key basic malware tasks. Back in the May drop, we showcased the first working build, where GonkWare could run msfvenom, extract and encrypt the shellcode using AES, and generate a fully weaponized shellcode runner EXE ready to deploy on a target. Click, transfer, execute and popped a shell.

Neat, ain’t it?

The tool isn’t built (yet) to go against any hyper-defended, patched-to-the-teeth, Adam Smasher looking environments. But that’s part of the grind, and you can bet we’re pushing toward full evasive capabilities.

Alright, with that out of the way.. let’s dig into what’s new in this latest build. Ya ready?

Previously, the whole GonkWare framework lived in one loooong single page. Now we’ve started migrating functions into a cleaner, modular core engine layout. While we love the idea of breaking things up, we think we went a little too far with this idea, and then we started to scale back the number of files currently required. By the next release, we expect to have a more integrated core of GonkWare.

Here’s a snapshot of the current file structure in GonkWare v0.4x:

Splitting the code into core modules has been the heaviest lift over the past few weeks. While we’ve made progress, we’re far from done refining and optimizing the core engine and we’re excited to keep leveling up that part of the project.

On the template side, things are looking much cleaner. We’ve consolidated multiple techniques into a single JSON file for better organization. The only outlier for now is Process Hollowing, which remains separate until it’s fully integrated into the system.

A major highlight in this release is the addition of process injection functionality and we are very excited about it. We’ve updated the JSON template to support the process injection technique. Once compiled, simply transfer the executable to the target and run it with a desired process ID as an argument. If no PID is provided, it will attempt to inject into explorer.exe by default.

Another significant change in this release is the removal of the AES encryption checkbox. Honestly, it seemed kinda silly to have this as optional and we found ourselves clicking the box to implement every single time. I mean, who’s out there generating unencrypted payloads? Silly, just silly! So now, AES encryption is automatically built into the code once the user clicks the Generate button. No more box! We expect more features to behave this way as we move forward in the development of GonkWare. Streamlined, automatic, and easy out of the box.So easy a Gonk can do it!

We have also removed the sleep functionality; the checkbox and dropdown are gone. Instead, we have built in a ping functionality to replace the obvious footprint of a hardcoded sleep call. This new approach mimics sleep and once executed, it takes around some time for the ping to time out before the payload calls back to your listener.

The final feature that slipped in just before the buzzer is AppLocker bypass for Shellcode runner. We debated two ways to implement it:

Option one: create entirely new templates for each technique with the bypass logic built-in.

Option two: take the harder path and build backend logic to dynamically merge the AppLocker bypass into whatever technique the user selects.

Obviously! We chose the more challenging route.

The AppLocker checkbox now integrates with the existing encryption logic and wraps the AppLocker bypass code dynamically.

We’ve also made improvements to the setup process. In the last build, the operator had to manually handle Metasploit’s interactive setup and database initiation. That’s now fully automated and tested on Ubuntu 22.04 and Kali. On top of that, we updated the Ubuntu install flow to use snap install Metasploit-framework, removing the old curl dependency.

The current build is stable and running hot. But Chooms like us? We’re always chasing the next gig.

Next Steps:

Now that GonkWare supports two core techniques, Shellcode Runner and Process Injection, we’re taking a step back to evaluate what small, high-impact features needs to be prioritized before adding any new techniques. We’ve been diving back into course notes and revisiting a few of our favorite Red Team reads to inspire better design and smarter development. The excitement’s real! We’re curious just how far this beast can go.

We’ve wrapped up the first phase: proof-of-concept complete. We can now reliably build C# code into executables and run them on Windows targets. With that milestone, it’s time to shift gears from hacking things to strategically creating features that makes GonkWare better. The better we plan now, the smoother the ride.

With every update, our goal is to evolve GonkWare into a more powerful and streamlined tool.

DEMOS

Shellcode Runner:

Shellcode Runner w/ Applocker bypass:

Process Injection:

Haha, look at DumDum, figured out how to use a text editor. Now that’s some preem Neo-level process injection!

If you’ve made it this far, props to you, Choom. Thanks for riding along, supporting us in this journey and another GonkWare drop.

Hexxed BitHeadz- signing off.

TROUBLESHOOTING

If GonnkWare hangs after hitting generate, try running closing, running the msfconsole command to set up the database, and run GonkWare again.

PSSST… Check out this sick fully illustrated behind the scenes GonkWare artbook bonus content super legendary GOTY edition DLC, exclusively just for you! :