A tool implementing process hollowing making your PE polymorphic
This tool uses the XOR operator as well as a RunPE (public) to make any PE polymorphic. No dependency is required.
Running pePolymorpherBuilder.exe will allow you to make your PE polymorphic :
You must enter a x64 PE which is not using .NET Framework.
We will use putty.exe as an example.
Openning "polymorphic.exe" will show that windows :
Every 20secs, all these steps happens:
calc.exewill get closed- Your PE will get XORed with a random key
- XORed-PE will be injected in a new fresh generated stub
- Stub will get runned
- XORed-PE will get unxored
- UnXOR-ed PE will be loaded in memory then injected to
C:\\Windows\\system32\\calc.exe(you can change the host inProgram.cs:89)
All of these steps are making your PE polymorphic since self md5-sum is always different.
