Skip to content

mochabyte0x/MochiMapper

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
MochiMapper
MochiMapper
 
 
ObfusX
ObfusX
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
image.png
image.png
 
 

Repository files navigation

MochiMapper

A minimal manual PE loader that maps a PE from the .rsrc section into memory and emulates some parts of the Windows loader. I'm (probably) not gonna add more features to it. Too lazy for that, sry.

Caution

This tool is designed for authorized operations only. I AM NOT RESPONSIBLE FOR YOUR ACTIONS. DON'T DO BAD STUFF.

Features

  • Manual map from memory (payload embedded in .rsrc and optionally encrypted)
  • Supports AES-128-CBC encrypted payloads
  • Robust relocation walker (bounds checked)
  • Import repair that reads INT/ILT and writes IAT
  • Optional IAT-level interception of command-line/CRT/exit APIs
  • TLS callback runner
  • x64 exception/unwind support by registering .pdata
  • Export resolver with forwarder handling

How-To

Note

If you compile MochiMapper and run it, the loader will launch mimikatz.exe which is put as a "demo" binary. Replace the content of the .rsrc section with something else.

Utility

ObfusX is also included as a utility tool to encrypt PEs/shellcode in various formats.

python3 obfusX.py -p <TARGET PE> -enc aes-128 -o encrypted_pe

Place the generated file in the .rsrc section of MochiMapper. Change the AES KEY/IV (located in the main function) in the code aswell.

CMD-Line Argument Support

MochiMapper supports command line arguments. You can define them in the "structs.h" header. Leave blank if not needed.

image

Exported Function Support (DLL)

If your target PE is a DLL AND the entrypoint is not DllMain but an exported function, you can specify this in the "structs.h" header. Leave blank if not needed.

image

IAT hooks (optional)

Note

In the current implementation of MochiMapper, you do NOT need to enable this. There are no command line arguments per se since the PE is read from the .rsrc section. However, in case you want to change MochiMappers behavior and read the PE file from disk, you will need some kind of command line argument "obfuscation". This is your (potential) solution to it.

Enable command-line hiding/spoofing without touching the PEB:

  • GetCommandLineA/W → return synthetic strings
  • __getmainargs/__wgetmainargs → supply argc/argv or just pass env from the real CRT
  • __p___argv/__p___wargv/__p___argc → return stable pointers
  • ExitProcess / exit family → observe or suppress termination
  • GetModuleFileNameA/W(NULL, …) → return a fake name

Just pass CmdlineHookCB to the IAT repair function (already placed, but remove if you don't want to use this feature). Hooks store originals and swap IAT slots to your hook functions.

Demo

image

OPSEC

Static analysis will likely catch this in the current state. For better OPSEC, consider adding:

  • API Hashing
  • (indirect) Syscalls
  • Better KEY/IV retrieval (maybe remotely ?)
  • Build it CRT Free for better entropy
  • Convert this into a reflective DLL loader

About

Minimal in-memory PE loader

Topics

pe-loader malware-development antivirus-evasion malware-res

Resources

Readme

License

MIT license
Activity

Stars

4 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages