Minimal in-memory PE loader
https://github.com/mochabyte0x/mochimapper


# MochiMapper

A minimal **manual PE loader** that maps a PE from the `.rsrc` section into memory and emulates some parts of the Windows loader. I'm (probably) not gonna add more features to it. Too lazy for that, sry.

>[!CAUTION]
>This tool is designed for authorized operations only. I AM NOT RESPONSIBLE FOR YOUR ACTIONS. DON'T DO BAD STUFF.

## Features

- Manual map from memory (payload embedded in `.rsrc` and optionally encrypted)
- Supports AES-128-CBC encrypted payloads
- Robust relocation walker (bounds checked)
- Import repair that **reads INT/ILT** and **writes IAT**
- Optional **IAT-level interception** of command-line/CRT/exit APIs
- TLS callback runner
- x64 exception/unwind support by registering `.pdata`
- Export resolver with forwarder handling

## How-To

>[!NOTE]
> If you compile *MochiMapper* and run it, the loader will launch *mimikatz.exe*, which is included as a "demo" binary. Replace the content of the `.rsrc` section with something else.

### Utility

*ObfusX* is also included as a utility tool to encrypt PEs/shellcode in various formats.

```powershell
python3 obfusX.py -p -enc aes-128 -o encrypted_pe
```

Place the generated file in the `.rsrc` section of *MochiMapper*. Change the AES KEY/IV (located in the main function) in the code as well.
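From the defender's side, the encrypted payload this step embeds in `.rsrc` shows up as an unusually high-entropy resource section. The following is an added example, not part of MochiMapper or ObfusX: it parses a PE's section table with the Python standard library only and flags sections whose byte entropy crosses a threshold; the sample PE it inspects is constructed inline.

```python
# Added example (not MochiMapper code): flag high-entropy PE sections such as
# an encrypted payload stored in .rsrc. Stdlib only; the sample PE is constructed.
import hashlib
import math
import struct
from collections import Counter

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty/constant data, 8.0 for uniform random."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def section_entropies(pe: bytes) -> dict:
    """Parse the section table and return {section_name: entropy of its raw data}."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size          # section headers follow the optional header
    result = {}
    for i in range(num_sections):
        hdr = struct.unpack_from(SECTION_FMT, pe, table + 40 * i)
        name = hdr[0].rstrip(b"\0").decode("ascii", "replace")
        data = pe[hdr[4]:hdr[4] + hdr[3]]  # PointerToRawData/SizeOfRawData; slicing clamps to file size
        result[name] = shannon_entropy(data)
    return result

def suspicious_sections(pe: bytes, threshold: float = 7.0) -> list:
    """Names of sections whose entropy suggests packed or encrypted content."""
    return [n for n, e in section_entropies(pe).items() if e >= threshold]

def build_sample_pe() -> bytes:
    """Constructed PE32+ with a low-entropy .text and a high-entropy (encrypted-looking) .rsrc."""
    text = b"\x48\x89\xe5\xc3" * 256                                   # repetitive "code"
    rsrc = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 pseudorandom bytes
    opt = b"\x0b\x02" + b"\0" * 238                                   # PE32+ magic, rest zeroed
    t_off = 0x40 + 4 + 20 + len(opt) + 40 * 2                         # raw data starts after headers
    r_off = t_off + len(text)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x22)
    sec = struct.pack(SECTION_FMT, b".text", len(text), 0x1000, len(text), t_off, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack(SECTION_FMT, b".rsrc", len(rsrc), 0x2000, len(rsrc), r_off, 0, 0, 0, 0, 0x40000040)
    return dos + b"PE\0\0" + coff + opt + sec + text + rsrc
```

A high-entropy `.rsrc` is also normal for binaries carrying compressed images or other packed resources, so treat a hit as a triage signal to pair with other indicators rather than a verdict on its own.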

### CMD-Line Argument Support

*MochiMapper* supports command line arguments. You can define them in the "structs.h" header. Leave blank if not needed.


### Exported Function Support (DLL)

If your target PE is a DLL AND the entrypoint is not DllMain but an exported function, you can specify this in the "structs.h" header. Leave blank if not needed.


### IAT hooks (optional)

>[!NOTE]
> In the current implementation of MochiMapper, you do NOT need to enable this. There are no command line arguments per se, since the PE is read from the `.rsrc` section. However, in case you want to change MochiMapper's behavior and read the PE file from disk, you will need some kind of command line argument "obfuscation". This is your (potential) solution to it.

Enable command-line hiding/spoofing without touching the PEB:

- GetCommandLineA/W → return synthetic strings
- __getmainargs/__wgetmainargs → supply argc/argv or just pass env from the real CRT
- __p___argv/__p___wargv/__p___argc → return stable pointers
- ExitProcess / exit family → observe or suppress termination
- GetModuleFileNameA/W(NULL, …) → return a fake name

Just pass `CmdlineHookCB` to the IAT repair function (already placed, but remove if you don't want to use this feature). *Hooks* store originals and swap IAT slots to your hook functions.

## Demo


## OPSEC

Static analysis will likely catch this in the current state. For better OPSEC, consider adding:

- API Hashing
- (indirect) Syscalls
- Better KEY/IV retrieval (maybe remotely?)
- Build it CRT Free for better entropy
- Convert this into a reflective DLL loader