# MochiMapper

Repository: https://github.com/mochabyte0x/MochiMapper (C, MIT license). Description: "Minimal in-memory PE loader". Topics: antivirus-evasion, malware-development, malware-res, pe-loader.

A minimal **manual PE loader** that maps a PE from the `.rsrc` section into memory and emulates some parts of the Windows loader. I'm (probably) not going to add more features to it. Too lazy for that, sorry.

>[!CAUTION]
>This tool is designed for authorized operations only. I AM NOT RESPONSIBLE FOR YOUR ACTIONS. DON'T DO BAD STUFF.

## Features

- Manual map from memory (payload embedded in `.rsrc`, optionally encrypted)
- Supports AES-128-CBC encrypted payloads
- Bounds-checked relocation walker (each `.reloc` block and each fixup target is validated against the image size before anything is written)
- Import repair that **reads the INT/ILT** (`OriginalFirstThunk`) and **writes the IAT** (`FirstThunk`), the same direction the Windows loader works in
- Optional **IAT-level interception** of command-line/CRT/exit APIs
- TLS callback runner
- x64 exception/unwind support by registering `.pdata` (a manually mapped image is unknown to the loader, so without registered function tables SEH and C++ exceptions raised inside the payload cannot unwind)
- Export resolver with forwarder handling (an export whose address falls inside the export directory is a `DLL.Function` or `DLL.#ordinal` forwarder string, not code)

## How-To

>[!NOTE]
> If you compile *MochiMapper* and run it as-is, the loader will launch *mimikatz.exe*, which is embedded as a "demo" binary. Replace the content of the `.rsrc` section with something else.

### Utility

*ObfusX* is included as a utility tool to encrypt PEs/shellcode in various formats.

```powershell
python3 obfusX.py -p <TARGET PE> -enc aes-128 -o encrypted_pe
```

Place the generated file in the `.rsrc` section of *MochiMapper* and change the AES KEY/IV (located in the main function) in the code as well. The key and IV in the loader must be the ones ObfusX used: AES-CBC is not authenticated, so a wrong key or IV does not necessarily fail loudly, it just yields garbage that the loader will then try to parse as a PE. Checking for the `MZ` and `PE\0\0` signatures right after decryption is a cheap way to catch that before mapping.

### CMD-Line Argument Support

*MochiMapper* supports command line arguments for the mapped PE. You can define them in the "structs.h" header. Leave blank if not needed.

<img width="657" height="92" alt="image" src="https://github.com/user-attachments/assets/4ce239b6-5a04-44d6-bfeb-566cfc9df928" />

### Exported Function Support (DLL)

If your target PE is a DLL AND the entrypoint is not DllMain but an exported function, you can specify this in the "structs.h" header. Leave blank if not needed.

<img width="657" height="92" alt="image" src="https://github.com/user-attachments/assets/af68478d-b97d-4e56-8b42-c9fa5d26fdad" />

### IAT hooks (optional)

>[!NOTE]
> In the current implementation of MochiMapper you do NOT need to enable this. There are no command line arguments per se, since the PE is read from the `.rsrc` section. However, if you change MochiMapper's behavior to read the PE file from disk, you will need some kind of command line argument "obfuscation". This is your (potential) solution to it.

Enable command-line hiding/spoofing without touching the PEB:

- GetCommandLineA/W → return synthetic strings
- __getmainargs/__wgetmainargs → supply argc/argv, or just pass env through from the real CRT
- __p___argv/__p___wargv/__p___argc → return stable pointers
- ExitProcess / exit family → observe or suppress termination
- GetModuleFileNameA/W(NULL, …) → return a fake name

Just pass `CmdlineHookCB` to the IAT repair function (already wired up; remove it if you don't want this feature). *Hooks* store the originals and swap the IAT slots to your hook functions.

Keep in mind what "without touching the PEB" implies: only calls the payload makes through its own IAT are intercepted. Code that resolves these APIs at runtime with GetProcAddress, or reads `PEB->ProcessParameters->CommandLine` directly, still sees the real values.

## Demo

<img width="1351" height="739" alt="image" src="https://github.com/user-attachments/assets/8255f54e-1c12-4854-8b75-a53c59668ccb" />

## OPSEC

Static analysis will likely catch this in the current state. For better OPSEC, consider adding:

- API hashing
- (Indirect) syscalls
- Better KEY/IV retrieval (maybe remotely?)
- Building it CRT-free (fewer imports and less well-known CRT code for signatures to match)
- Converting it into a reflective DLL loader
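The bounds-checked relocation walker from the feature list, as an added example that is not MochiMapper's code: it applies `.reloc` fixups to a constructed in-memory image and rejects a block whose `SizeOfBlock` overruns the directory. `RelocBlock` and the type constants mirror `winnt.h`; the image layout, the RVAs and the load delta are assumptions made for the demo.

```c
/* Added example, not MochiMapper's code: bounds-checked .reloc walker.
 * RelocBlock mirrors IMAGE_BASE_RELOCATION (winnt.h); the image below is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_REL_BASED_ABSOLUTE 0
#define IMAGE_REL_BASED_HIGHLOW  3
#define IMAGE_REL_BASED_DIR64    10

typedef struct {
    uint32_t VirtualAddress;   /* RVA of the page this block covers */
    uint32_t SizeOfBlock;      /* header plus 16-bit entries, in bytes */
} RelocBlock;

/* Apply base relocations in place on a section-mapped image.
 * image_size is SizeOfImage and bounds every access; delta is the actual
 * base minus the preferred ImageBase. Returns fixups applied, -1 on a
 * malformed table or an unsupported relocation type. */
long apply_relocations(uint8_t *image, size_t image_size,
                       uint32_t reloc_rva, uint32_t reloc_size, int64_t delta)
{
    if (delta == 0) return 0;                         /* landed at preferred base */
    if ((uint64_t)reloc_rva + reloc_size > image_size) return -1;
    long applied = 0;
    size_t pos = reloc_rva, end = (size_t)reloc_rva + reloc_size;
    while (pos + sizeof(RelocBlock) <= end) {
        RelocBlock blk;
        memcpy(&blk, image + pos, sizeof blk);        /* memcpy: no alignment assumptions */
        if (blk.SizeOfBlock < sizeof(RelocBlock) || pos + blk.SizeOfBlock > end)
            return -1;                                 /* block overruns the directory */
        size_t n = (blk.SizeOfBlock - sizeof(RelocBlock)) / 2;
        const uint8_t *entries = image + pos + sizeof(RelocBlock);
        for (size_t i = 0; i < n; i++) {
            uint16_t e; memcpy(&e, entries + 2 * i, 2);
            unsigned type = e >> 12;                                    /* high 4 bits: type */
            size_t target = (size_t)blk.VirtualAddress + (e & 0xFFF);  /* low 12: page offset */
            if (type == IMAGE_REL_BASED_ABSOLUTE) continue;             /* alignment padding */
            size_t width = type == IMAGE_REL_BASED_DIR64 ? 8 : type == IMAGE_REL_BASED_HIGHLOW ? 4 : 0;
            if (width == 0 || target + width > image_size) return -1;   /* unknown type / outside image */
            if (width == 8) { uint64_t v; memcpy(&v, image + target, 8); v += (uint64_t)delta; memcpy(image + target, &v, 8); }
            else            { uint32_t v; memcpy(&v, image + target, 4); v += (uint32_t)delta; memcpy(image + target, &v, 4); }
            applied++;
        }
        pos += blk.SizeOfBlock;
    }
    return applied;
}

/* Constructed 8 KiB image: one DIR64 pointer at RVA 0x1010 holding an absolute
 * address for ImageBase 0x140000000, plus one padding entry; the relocation
 * directory is placed at RVA 0x1800. */
#define IMG_SIZE 0x2000
static uint8_t g_image[IMG_SIZE];

long demo_relocate(int64_t delta, uint64_t *out_value)
{
    memset(g_image, 0, sizeof g_image);
    uint64_t ptr = 0x140001000ULL;
    memcpy(g_image + 0x1010, &ptr, 8);
    RelocBlock blk = { 0x1000, sizeof(RelocBlock) + 2 * sizeof(uint16_t) };
    uint16_t ents[2] = { (IMAGE_REL_BASED_DIR64 << 12) | 0x010, 0 };
    memcpy(g_image + 0x1800, &blk, sizeof blk);
    memcpy(g_image + 0x1808, ents, sizeof ents);
    long n = apply_relocations(g_image, IMG_SIZE, 0x1800, blk.SizeOfBlock, delta);
    memcpy(out_value, g_image + 0x1010, 8);
    return n;
}

/* Malformed table: SizeOfBlock claims more bytes than the directory holds. */
long demo_truncated(void)
{
    memset(g_image, 0, sizeof g_image);
    RelocBlock blk = { 0x1000, 0x400 };
    memcpy(g_image + 0x1800, &blk, sizeof blk);
    return apply_relocations(g_image, IMG_SIZE, 0x1800, 16, 0x1000);
}

int main(void)
{
    uint64_t v;
    long n = demo_relocate(0x10000, &v);
    printf("fixups=%ld pointer=0x%llx truncated=%ld\n", n, (unsigned long long)v, demo_truncated());
    return 0;
}
```

The two checks that matter are the ones a naive walker skips: `SizeOfBlock` is validated against the end of the directory before its entries are read, and each fixup target is validated against `SizeOfImage` before it is written, so a crafted `.reloc` section cannot turn the loader into an arbitrary-write primitive.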
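Import repair and the optional IAT hook, as one added example that covers both the "Import repair" feature entry and the "IAT hooks (optional)" section; this is not the project's code. It reads the INT/ILT, resolves each entry through a stand-in for `GetProcAddress` (a static table, because the demo runs without Windows), lets a callback in the spirit of `CmdlineHookCB` swap the `GetCommandLineA` slot while saving the original, and writes the IAT. `host_resolve`, `cmdline_hook_cb`, the hook signature, the import layout and the RVAs are all constructed for the demo.

```c
/* Added example, not MochiMapper's code: import repair (read INT/ILT, write
 * IAT) with an optional slot-swapping hook callback. ImportDescriptor mirrors
 * IMAGE_IMPORT_DESCRIPTOR (winnt.h); host_resolve, the hook and the image
 * layout are stand-ins constructed for a demo that runs without Windows. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>
#include <stdio.h>

_Static_assert(sizeof(void *) == 8, "demo assumes a 64-bit host: PE32+ IAT slots are 8 bytes");

typedef struct {
    uint32_t OriginalFirstThunk;      /* RVA of INT/ILT (0 in some old linkers) */
    uint32_t TimeDateStamp, ForwarderChain;
    uint32_t Name;                    /* RVA of the DLL name */
    uint32_t FirstThunk;              /* RVA of IAT: the slots the loader overwrites */
} ImportDescriptor;
#define ORDINAL_FLAG64 (1ULL << 63)

/* Hook contract (assumed, CmdlineHookCB-style): return a replacement for the
 * resolved import, or NULL to keep it. name is NULL for ordinal imports. */
typedef void *(*hook_cb_t)(const char *dll, const char *name, void *original);

/* ---- stand-ins for the host process (constructed) ---- */
static const char *real_GetCommandLineA(void) { return "C:\\real\\mochi.exe"; }
static const char *hook_GetCommandLineA(void) { return "C:\\fake\\notepad.exe"; }
static int real_Ordinal5(void) { return 5; }
static const char *(*g_orig_GetCommandLineA)(void);   /* original saved by the hook */

static void *host_resolve(const char *dll, const char *name, uint16_t ordinal)
{                                                     /* plays GetProcAddress */
    if (strcasecmp(dll, "KERNEL32.dll") != 0) return NULL;
    if (name == NULL) return ordinal == 5 ? (void *)real_Ordinal5 : NULL;
    return strcmp(name, "GetCommandLineA") == 0 ? (void *)real_GetCommandLineA : NULL;
}

void *cmdline_hook_cb(const char *dll, const char *name, void *original)
{
    (void)dll;
    if (name == NULL || strcmp(name, "GetCommandLineA") != 0) return NULL;
    g_orig_GetCommandLineA = (const char *(*)(void))original;  /* keep for pass-through */
    return (void *)hook_GetCommandLineA;
}

/* Returns IAT slots written, -1 on a malformed table or unresolved import. */
long repair_imports(uint8_t *img, size_t size, uint32_t dir_rva, uint32_t dir_size, hook_cb_t hook)
{
    if ((uint64_t)dir_rva + dir_size > size) return -1;
    long written = 0;
    for (size_t off = dir_rva; off + sizeof(ImportDescriptor) <= (size_t)dir_rva + dir_size;
         off += sizeof(ImportDescriptor)) {
        ImportDescriptor d; memcpy(&d, img + off, sizeof d);
        if (d.Name == 0 && d.FirstThunk == 0) break;          /* all-zero terminator */
        if (d.Name >= size || !memchr(img + d.Name, 0, size - d.Name)) return -1;
        const char *dll = (const char *)img + d.Name;
        uint32_t int_rva = d.OriginalFirstThunk ? d.OriginalFirstThunk : d.FirstThunk;
        for (size_t i = 0;; i++) {
            size_t int_off = (size_t)int_rva + 8 * i, iat_off = (size_t)d.FirstThunk + 8 * i;
            if (int_off + 8 > size || iat_off + 8 > size) return -1;
            uint64_t entry; memcpy(&entry, img + int_off, 8);  /* read INT entry */
            if (entry == 0) break;                             /* end of this DLL's list */
            const char *name = NULL; uint16_t ordinal = 0;
            if (entry & ORDINAL_FLAG64) ordinal = (uint16_t)entry;
            else {                                             /* IMAGE_IMPORT_BY_NAME: u16 Hint, then name */
                size_t n_off = (size_t)entry + 2;
                if (n_off >= size || !memchr(img + n_off, 0, size - n_off)) return -1;
                name = (const char *)img + n_off;
            }
            void *fn = host_resolve(dll, name, ordinal);
            if (fn == NULL) return -1;
            if (hook) { void *r = hook(dll, name, fn); if (r) fn = r; }
            memcpy(img + iat_off, &fn, 8);                     /* write IAT slot */
            written++;
        }
    }
    return written;
}

/* Constructed image: descriptors at 0x2000, DLL name 0x2100, hint/name 0x2110,
 * INT 0x2200, IAT 0x2300. On disk the IAT starts as a copy of the INT. */
#define IMG_SIZE 0x3000
static uint8_t g_img[IMG_SIZE];

long build_and_repair(hook_cb_t hook)
{
    memset(g_img, 0, sizeof g_img);
    ImportDescriptor d = { 0x2200, 0, 0, 0x2100, 0x2300 };
    memcpy(g_img + 0x2000, &d, sizeof d);                      /* next descriptor stays zero */
    strcpy((char *)g_img + 0x2100, "KERNEL32.dll");
    strcpy((char *)g_img + 0x2112, "GetCommandLineA");         /* Hint at 0x2110 left as 0 */
    uint64_t thunks[3] = { 0x2110, ORDINAL_FLAG64 | 5, 0 };
    memcpy(g_img + 0x2200, thunks, sizeof thunks);
    memcpy(g_img + 0x2300, thunks, sizeof thunks);
    return repair_imports(g_img, IMG_SIZE, 0x2000, 2 * sizeof(ImportDescriptor), hook);
}

/* What the mapped PE sees when it calls through its IAT. */
const char *call_iat_slot0(void) { const char *(*f)(void); memcpy(&f, g_img + 0x2300, 8); return f(); }
int call_iat_slot1(void) { int (*f)(void); memcpy(&f, g_img + 0x2308, 8); return f(); }
const char *call_saved_original(void) { return g_orig_GetCommandLineA ? g_orig_GetCommandLineA() : NULL; }

int main(void)
{
    build_and_repair(NULL);
    printf("unhooked: %s\n", call_iat_slot0());
    build_and_repair(cmdline_hook_cb);
    printf("hooked:   %s (original: %s)\n", call_iat_slot0(), call_saved_original());
    return 0;
}
```

The hook is applied at the moment the slot is resolved, so there is no window where the IAT holds the real pointer, and the saved original lets the hook pass calls through when it only wants to observe. Because the swap happens in the payload's IAT and nowhere else, the PEB and the real `GetCommandLineA` are untouched; anything that bypasses the IAT still sees the truth.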
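The export resolver with forwarder handling from the feature list, as an added example that is not MochiMapper's code: lookup by name or by ordinal over a constructed export directory, telling a real function RVA apart from a forwarder because a forwarder's "address" points inside the export directory itself. `ExportDirectory` mirrors `IMAGE_EXPORT_DIRECTORY`; the demo image (`demo.dll` exporting `Foo`, `HeapAlloc` forwarded to `NTDLL.RtlAllocateHeap`, `Bar` forwarded to `OTHER.#7`, plus an unnamed ordinal) is made up.

```c
/* Added example, not MochiMapper's code: export lookup by name or ordinal with
 * forwarder detection. ExportDirectory mirrors IMAGE_EXPORT_DIRECTORY (winnt.h);
 * the demo image and its exports are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
} ExportDirectory;

typedef enum { EXP_NOT_FOUND, EXP_ADDRESS, EXP_FORWARDER, EXP_MALFORMED } ExportKind;
typedef struct {
    ExportKind kind;
    uint32_t rva;          /* EXP_ADDRESS: RVA of the function */
    char fwd_dll[64];      /* EXP_FORWARDER: target module */
    char fwd_name[64];     /* target name, "" when forwarded by ordinal */
    uint16_t fwd_ordinal;  /* target ordinal when fwd_name is "" */
} ExportResult;

static int rd32(const uint8_t *img, size_t size, size_t off, uint32_t *out)
{ if (off + 4 > size) return 0; memcpy(out, img + off, 4); return 1; }
static const char *cstr(const uint8_t *img, size_t size, size_t off)  /* NUL-terminated inside the image? */
{ return (off < size && memchr(img + off, 0, size - off)) ? (const char *)img + off : NULL; }

/* Split "DLL.Func" or "DLL.#12" into its parts. */
static void parse_forwarder(const char *s, ExportResult *r)
{
    const char *dot = strchr(s, '.');
    r->kind = EXP_FORWARDER; r->fwd_name[0] = 0; r->fwd_ordinal = 0;
    if (!dot || (size_t)(dot - s) >= sizeof r->fwd_dll) { r->kind = EXP_MALFORMED; return; }
    memcpy(r->fwd_dll, s, dot - s); r->fwd_dll[dot - s] = 0;
    if (dot[1] == '#') r->fwd_ordinal = (uint16_t)strtoul(dot + 2, NULL, 10);
    else { strncpy(r->fwd_name, dot + 1, sizeof r->fwd_name - 1); r->fwd_name[sizeof r->fwd_name - 1] = 0; }
}

static ExportResult resolve_index(const uint8_t *img, size_t size, const ExportDirectory *ed,
                                  uint32_t dir_rva, uint32_t dir_size, uint32_t idx)
{
    ExportResult r = { EXP_NOT_FOUND, 0, "", "", 0 };
    uint32_t rva;
    if (idx >= ed->NumberOfFunctions ||
        !rd32(img, size, (size_t)ed->AddressOfFunctions + 4 * (size_t)idx, &rva)) { r.kind = EXP_MALFORMED; return r; }
    if (rva == 0) return r;                                 /* gap in the ordinal range */
    if (rva >= dir_rva && rva < dir_rva + dir_size) {       /* inside the export directory: forwarder string */
        const char *s = cstr(img, size, rva);
        if (s) parse_forwarder(s, &r); else r.kind = EXP_MALFORMED;
        return r;
    }
    r.kind = EXP_ADDRESS; r.rva = rva; return r;
}

/* name != NULL: lookup by name; otherwise by biased ordinal. */
ExportResult resolve_export(const uint8_t *img, size_t size, uint32_t dir_rva, uint32_t dir_size,
                            const char *name, uint16_t ordinal)
{
    ExportResult bad = { EXP_MALFORMED, 0, "", "", 0 };
    ExportDirectory ed;
    if ((uint64_t)dir_rva + sizeof ed > size) return bad;
    memcpy(&ed, img + dir_rva, sizeof ed);
    if (name == NULL) {
        if (ordinal < ed.Base) { bad.kind = EXP_NOT_FOUND; return bad; }
        return resolve_index(img, size, &ed, dir_rva, dir_size, ordinal - ed.Base);
    }
    for (uint32_t i = 0; i < ed.NumberOfNames; i++) {      /* linear scan; the name table is sorted, so bsearch works too */
        uint32_t name_rva; uint16_t ord_idx;
        if (!rd32(img, size, (size_t)ed.AddressOfNames + 4 * (size_t)i, &name_rva)) return bad;
        const char *n = cstr(img, size, name_rva);
        if (!n) return bad;
        if (strcmp(n, name) != 0) continue;
        size_t o = (size_t)ed.AddressOfNameOrdinals + 2 * (size_t)i;
        if (o + 2 > size) return bad;
        memcpy(&ord_idx, img + o, 2);                        /* index into AddressOfFunctions, NOT biased by Base */
        return resolve_index(img, size, &ed, dir_rva, dir_size, ord_idx);
    }
    bad.kind = EXP_NOT_FOUND; return bad;
}

/* Constructed demo.dll export directory at RVA 0x3000 (size 0x200): ordinals 1..4 are
 * Foo (0x1100), HeapAlloc -> "NTDLL.RtlAllocateHeap", an unnamed 0x1200, Bar -> "OTHER.#7". */
#define IMG_SIZE 0x4000
#define EXP_RVA  0x3000
#define EXP_SIZE 0x200
static uint8_t g_img[IMG_SIZE];

ExportResult lookup(const char *name, uint16_t ordinal)
{
    memset(g_img, 0, sizeof g_img);
    ExportDirectory ed = { 0, 0, 0, 0, 0x30D0, 1, 4, 3, 0x3040, 0x3050, 0x3060 };
    uint32_t funcs[4] = { 0x1100, 0x3100, 0x1200, 0x3120 };
    uint32_t names[3] = { 0x30C0, 0x3090, 0x30A0 };          /* "Bar", "Foo", "HeapAlloc": sorted */
    uint16_t ords[3]  = { 3, 0, 1 };
    memcpy(g_img + EXP_RVA, &ed, sizeof ed);
    memcpy(g_img + 0x3040, funcs, sizeof funcs);
    memcpy(g_img + 0x3050, names, sizeof names);
    memcpy(g_img + 0x3060, ords, sizeof ords);
    strcpy((char *)g_img + 0x3090, "Foo");
    strcpy((char *)g_img + 0x30A0, "HeapAlloc");
    strcpy((char *)g_img + 0x30C0, "Bar");
    strcpy((char *)g_img + 0x30D0, "demo.dll");
    strcpy((char *)g_img + 0x3100, "NTDLL.RtlAllocateHeap");
    strcpy((char *)g_img + 0x3120, "OTHER.#7");
    return resolve_export(g_img, IMG_SIZE, EXP_RVA, EXP_SIZE, name, ordinal);
}

int main(void)
{
    ExportResult r = lookup("HeapAlloc", 0);
    printf("HeapAlloc -> kind=%d dll=%s name=%s\n", r.kind, r.fwd_dll, r.fwd_name);
    r = lookup(NULL, 3);
    printf("ordinal 3 -> kind=%d rva=0x%x\n", r.kind, r.rva);
    return 0;
}
```

A loader that gets `EXP_FORWARDER` back is not done: it has to load the target module (`fwd_dll` plus `.dll`) and resolve again by `fwd_name` or `fwd_ordinal`, and should cap the number of hops, since a crafted image can forward in a cycle.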