MsfMania is an advanced Python-based payload obfuscation framework designed to evade EDR/AV detection on Windows systems. It generates highly polymorphic executables through dynamic code generation, multi-layer encryption (RC4), and binary metadata spoofing.
⚠️ Educational Purpose Only - This tool is designed for authorized security testing and research purposes.
- Polymorphic C stub with variable/function obfuscation
- Local memory injection (RWX)
- RC4 variant using 4‑table S‑box & modified KSA/PRGA with configurable key size (1-3 bytes)
- Payload integrity verification using djb2 hash with random salt
- zlib compression before encryption
- Base64 encoding for obfuscation
- Recursive key bruteforce in stub
- Binary metadata spoofing (version info, company, description, icon, etc.)
- Dynamic junkcode injection for C
- Executable stripping for reduced file size
- Cross-compilation with MinGW
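
From the defender's side, the metadata spoofing in the list above is a cheap triage signal: version-info strings and icons can be copied, but a valid vendor Authenticode signature cannot. The sweep below is an added example, not part of MsfMania; the function name `Find-SpoofedVendorMetadata` and its parameter defaults are assumptions chosen for illustration.

```powershell
# Added triage example (not MsfMania code). Flags PE files whose version
# resource claims a vendor while the Authenticode signature does not back
# that claim up. Function and parameter names are hypothetical.
function Find-SpoofedVendorMetadata {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,                 # directory to sweep
        [string] $ClaimedCompany = 'Microsoft Corporation',    # CompanyName to look for
        [string] $ExpectedSigner = 'O=Microsoft Corporation'   # fragment of signer subject
    )

    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $info = $_.VersionInfo
            # Only files that claim the vendor in their version resource matter here.
            if (-not $info.CompanyName -or $info.CompanyName.Trim() -ne $ClaimedCompany) { return }

            $sig    = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

            # Trusted only when the signature validates AND the signer is the claimed vendor.
            $trusted = ($sig.Status -eq 'Valid') -and ($signer -like "*$ExpectedSigner*")

            if (-not $trusted) {
                [pscustomobject]@{
                    Path        = $_.FullName
                    Description = $info.FileDescription
                    FileVersion = $info.FileVersion
                    SigStatus   = $sig.Status      # e.g. NotSigned, HashMismatch, NotTrusted
                    Signer      = $signer
                    SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

# Example: Find-SpoofedVendorMetadata -Path "$env:USERPROFILE\Downloads" | Format-List
```

Hits are leads for review rather than verdicts: unsigned third-party builds and damaged files can also carry vendor strings without a matching signature.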
- Electricity
- Internet
- Personal Computer or Server
- Operating System (any)
- Docker
- Git clone this repository:
    git clone https://github.com/lepotekil/MsfMania.git
- cd into the MsfMania folder:
    cd MsfMania
- Build the MsfMania docker image:
    docker build -t msfmania:latest .
# docker run --rm -v "$(pwd):/app/output" msfmania:latest
███╗ ███╗███████╗███████╗███╗ ███╗ █████╗ ███╗ ██╗██╗ █████╗
████╗ ████║██╔════╝██╔════╝████╗ ████║██╔══██╗████╗ ██║██║██╔══██╗
██╔████╔██║███████╗█████╗ ██╔████╔██║███████║██╔██╗ ██║██║███████║
██║╚██╔╝██║╚════██║██╔══╝ ██║╚██╔╝██║██╔══██║██║╚██╗██║██║██╔══██║
██║ ╚═╝ ██║███████║██║ ██║ ╚═╝ ██║██║ ██║██║ ╚████║██║██║ ██║
╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝╚═╝ ╚═╝
Version : 3.0.1 - Author : Killian CASAROTTO - Updated : 10/14/2025
usage: main.py [-h] -p PAYLOAD -o OUTPUT [-k {1,2,3}] [-s]
               [--spoof-bin TARGET_EXE] [-j JUNKCODES]

options:
  -h, --help            show this help message and exit
  -p, --payload PAYLOAD
                        Select the payload file to use (ex: cobalt64.bin)
  -o, --output OUTPUT   Output path including filename (ex:
                        /path/to/output/payload)
  -k, --keysize {1,2,3}
                        RC4 key size in bytes (1-3)
  -s, --strip           Strip the executable
  --spoof-bin TARGET_EXE
                        Spoof binary metadata from target executable (ex:
                        assets/bins/bitsadmin_11-21H2_KB5032192.exe)
  -j, --junkcodes JUNKCODES
                        Number of junkcodes to inject (default: 0)

# docker run --rm -v "$(pwd):/app/output" msfmania:latest python3 main.py -p msfmania/assets/bins/win_x64_msgbox_msfvenom_20251010.bin -o output/payload_test_$(date +%s) --keysize 3 --spoof-bin assets/bins/explorer_11-24H2_KB5065789.exe --junkcodes 1000
[~] Starting shellcode encryption (key size: 3)
[~] Compressing shellcode (303 bytes)
[+] Shellcode compressed to 284 bytes
[~] Encrypting with modified RC4
[+] Encryption completed: 284 bytes (b64: 380 bytes)
[~] Injecting 1000 junkcodes...
[~] Found 27 injection points in main()
[~] Created 973 additional injection points
[+] Inserted 1000/1000 function calls
[+] 1000 junkcodes injected successfully
[+] Successfully injected 1000 junkcodes
[~] Applying obfuscation...
[+] Obfuscated 145 identifiers
[~] Extracting metadata from: assets/bins/explorer_11-24H2_KB5065789.exe
[+] Extracted metadata:
Description: Windows Explorer
Version: 10.0.26100.6725 (WinBuild.160101.0800)
Company: Microsoft Corporation
Product: Microsoft® Windows® Operating System
[~] Found 23 icon groups with 181 icons
[+] Extracted 26 unique icon(s) from 181 total
[+] Extracted 26 icon(s)
[~] Compiling to: /app/output/output/payload_test_1760467840.exe
[~] Compiling resource file: /tmp/payload_test_1760467840.rc
[+] Resource file compiled: /tmp/payload_test_1760467840.res
[+] Compilation successful: /app/output/output/payload_test_1760467840.exe
[+] Binary size: 405ko
[+] C source copied to: /app/output/examples/main.c
[*] Deploying to remote server...
[+] Payload deployed successfully

- Use this tool only on systems you own or have explicit permission to test
- Unauthorized access to computer systems is illegal
- The authors are not responsible for misuse or damage caused by this tool
- Always comply with local laws and regulations
This project is licensed under the MIT License - see the LICENSE file for details.


