A tool implementing process hollowing making your PE polymorphic
This tool uses the XOR operator together with a (public) RunPE to make any PE polymorphic. No dependency is required.
Running pePolymorpherBuilder.exe lets you make your PE polymorphic:
You must supply an x64 PE that does not use the .NET Framework.
We will use putty.exe as an example.
Opening "polymorphic.exe" shows this window:
Every 20 seconds, all of these steps happen:
- calc.exe gets closed
- Your PE gets XORed with a random key
- The XORed PE is injected into a freshly generated stub
- The stub is run
- The XORed PE is un-XORed
- The un-XORed PE is loaded in memory and then injected into C:\Windows\system32\calc.exe (you can change the host in Program.cs:89)
All of these steps make your PE polymorphic, since its own MD5 sum is always different.
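As an added defender-side example (not part of this tool's code), the following Python shows why a changing MD5 is weak evidence of polymorphism: repeating-key XOR changes the file hash, but the XOR of any two bytes encoded with the same key byte is unchanged, so a fingerprint built on those byte differences survives the encoding. The key length, the sample bytes and the function names are assumptions made for the example.

```python
import hashlib
import os


def xor_encode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stride_xor_fingerprint(data: bytes, stride: int) -> str:
    """MD5 over the sequence data[i] ^ data[i + stride].

    With a repeating key of length `stride`, both bytes of each pair are XORed
    with the same key byte, so (a ^ k) ^ (b ^ k) == a ^ b: the fingerprint of the
    encoded blob equals the fingerprint of the plaintext, whatever the key is.
    """
    diffs = bytes(data[i] ^ data[i + stride] for i in range(len(data) - stride))
    return md5_hex(diffs)


# Constructed stand-in for a PE image (not a real binary): a PE-like header plus filler.
SAMPLE_PE = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + bytes(range(256)) * 4


def demo(keys):
    """For each key: the encoded blob's MD5 (varies), its stride fingerprint
    (stable) and whether decoding recovers the original bytes."""
    results = []
    for key in keys:
        enc = xor_encode(SAMPLE_PE, key)
        results.append({
            "md5": md5_hex(enc),
            "fingerprint": stride_xor_fingerprint(enc, len(key)),
            "roundtrip": xor_encode(enc, key) == SAMPLE_PE,
        })
    return results


if __name__ == "__main__":
    # Assumed 4-byte random keys, mirroring the "random key" in the README.
    for r in demo([os.urandom(4) for _ in range(3)]):
        print(r)
```

The MD5 values differ per key while the fingerprint column stays identical, which is why detection should rest on in-memory or structural signals rather than on-disk file hashes.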