MsfMania
Python AV Evasion Tools
<div align="center">
MsfMania is an advanced Python-based payload obfuscation framework designed to evade EDR/AV detection on Windows systems. It generates highly polymorphic executables through dynamic code generation, multi-layer encryption (RC4), and binary metadata spoofing.
⚠️ Educational Purpose Only - This tool is designed for authorized security testing and research purposes.
<div align="center">
Screenshots
<table> <tr> <td align="center"> <img src="https://github.com/lepotekil/MsfMania/blob/master/assets/images/msfmania-2025.png" alt="MsfMania" width="400"/> <br/> <sub><b>MsfMania</b></sub> </td> <td align="center"> <img src="https://github.com/lepotekil/MsfMania/blob/master/assets/images/payload-2025.png" alt="Payload Execution Logs" width="400"/> <br/> <sub><b>Payload Execution Logs</b></sub> </td> </tr> <tr> <td align="center" colspan="2"> <img src="https://github.com/lepotekil/MsfMania/blob/master/assets/images/virustotal-2021.png" alt="VirusTotal Detection Results" width="600"/> <br/> <sub><b>VirusTotal Detection Results</b></sub> </td> </tr> </table> </div>
Features
- Polymorphic C stub with variable/function obfuscation
- Local memory injection (RWX)
- RC4 variant using 4‑table S‑box & modified KSA/PRGA with configurable key size (1-3 bytes)
- Payload integrity verification using djb2 hash with random salt
- zlib compression before encryption
- Base64 encoding for obfuscation
- Recursive key bruteforce in stub
- Binary metadata spoofing (version info, company, description, icon, etc...)
- Dynamic junkcode injection for C
- Executable stripping for reduced file size
- Cross-compilation with MinGW
Requirements
- Electricity
- Internet
- Personal Computer or Server
- Operating System (any)
- Docker
Installation
- Git clone this repository:
git clone https://github.com/lepotekil/MsfMania.git
- cd into the MsfMania folder:
cd MsfMania
- Build the MsfMania docker image:
docker build -t msfmania:latest .
Usage
Basic Help
# docker run --rm -v "$(pwd):/app/output" msfmania:latest
███╗ ███╗███████╗███████╗███╗ ███╗ █████╗ ███╗ ██╗██╗ █████╗
████╗ ████║██╔════╝██╔════╝████╗ ████║██╔══██╗████╗ ██║██║██╔══██╗
██╔████╔██║███████╗█████╗ ██╔████╔██║███████║██╔██╗ ██║██║███████║
██║╚██╔╝██║╚════██║██╔══╝ ██║╚██╔╝██║██╔══██║██║╚██╗██║██║██╔══██║
██║ ╚═╝ ██║███████║██║ ██║ ╚═╝ ██║██║ ██║██║ ╚████║██║██║ ██║
╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝╚═╝ ╚═╝
Version : 3.0.1 - Author : Killian CASAROTTO - Updated : 10/14/2025
usage: main.py [-h] -p PAYLOAD -o OUTPUT [-k {1,2,3}] [-s]
[--spoof-bin TARGET_EXE] [-j JUNKCODES]
options:
-h, --help show this help message and exit
-p, --payload PAYLOAD
Select the payload file to use (ex: cobalt64.bin)
-o, --output OUTPUT Output path including filename (ex:
/path/to/output/payload)
-k, --keysize {1,2,3}
RC4 key size in bytes (1-3)
-s, --strip Strip the executable
--spoof-bin TARGET_EXE
Spoof binary metadata from target executable (ex:
assets/bins/bitsadmin_11-21H2_KB5032192.exe)
-j, --junkcodes JUNKCODES
Number of junkcodes to inject (default: 0)
Complete example
# docker run --rm -v "$(pwd):/app/output" msfmania:latest python3 main.py -p msfmania/assets/bins/win_x64_msgbox_msfvenom_20251010.bin -o output/payload_test_$(date +%s) --keysize 3 --spoof-bin assets/bins/explorer_11-24H2_KB5065789.exe --junkcodes 1000
███╗ ███╗███████╗███████╗███╗ ███╗ █████╗ ███╗ ██╗██╗ █████╗
████╗ ████║██╔════╝██╔════╝████╗ ████║██╔══██╗████╗ ██║██║██╔══██╗
██╔████╔██║███████╗█████╗ ██╔████╔██║███████║██╔██╗ ██║██║███████║
██║╚██╔╝██║╚════██║██╔══╝ ██║╚██╔╝██║██╔══██║██║╚██╗██║██║██╔══██║
██║ ╚═╝ ██║███████║██║ ██║ ╚═╝ ██║██║ ██║██║ ╚████║██║██║ ██║
╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝╚═╝ ╚═╝
Version : 3.0.1 - Author : Killian CASAROTTO - Updated : 10/14/2025
[~] Starting shellcode encryption (key size: 3)
[~] Compressing shellcode (303 bytes)
[+] Shellcode compressed to 284 bytes
[~] Encrypting with modified RC4
[+] Encryption completed: 284 bytes (b64: 380 bytes)
[~] Injecting 1000 junkcodes...
[~] Found 27 injection points in main()
[~] Created 973 additional injection points
[+] Inserted 1000/1000 function calls
[+] 1000 junkcodes injected successfully
[+] Successfully injected 1000 junkcodes
[~] Applying obfuscation...
[+] Obfuscated 145 identifiers
[~] Extracting metadata from: assets/bins/explorer_11-24H2_KB5065789.exe
[+] Extracted metadata:
Description: Windows Explorer
Version: 10.0.26100.6725 (WinBuild.160101.0800)
Company: Microsoft Corporation
Product: Microsoft® Windows® Operating System
[~] Found 23 icon groups with 181 icons
[+] Extracted 26 unique icon(s) from 181 total
[+] Extracted 26 icon(s)
[~] Compiling to: /app/output/output/payload_test_1760467840.exe
[~] Compiling resource file: /tmp/payload_test_1760467840.rc
[+] Resource file compiled: /tmp/payload_test_1760467840.res
[+] Compilation successful: /app/output/output/payload_test_1760467840.exe
[+] Binary size: 405ko
[+] C source copied to: /app/output/examples/main.c
[*] Deploying to remote server...
[+] Payload deployed successfully
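A defender-side check for the metadata spoofing shown in the output above, as an added example that is not part of MsfMania: it lists executables whose version resource names Microsoft Corporation as the company but whose Authenticode signature Windows does not validate as Microsoft's. The function name `Find-SpoofedMetadata`, its parameters and the path in the usage comment are hypothetical.

```powershell
# Added example, not MsfMania code. Copied version info (company, description,
# version, icon) does not carry the original file's signature, so a binary that
# claims a Microsoft origin without a valid Microsoft signature is worth triage.
function Find-SpoofedMetadata {
    [CmdletBinding()]
    param(
        # Directory to scan recursively (hypothetical parameter name).
        [Parameter(Mandatory)] [string] $Path,
        # CompanyName value that must be backed by a matching signature.
        [string] $ClaimedCompany = 'Microsoft Corporation'
    )

    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Only files that claim the company are of interest.
            if ($vi.CompanyName -ne $ClaimedCompany) { return }

            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            # Report when the signature is missing or invalid, or when the
            # signing certificate does not belong to the claimed organisation.
            if ($sig.Status -ne 'Valid' -or $signer -notmatch "O=$([regex]::Escape($ClaimedCompany))") {
                [pscustomobject]@{
                    Path            = $_.FullName
                    Description     = $vi.FileDescription
                    FileVersion     = $vi.FileVersion
                    SignatureStatus = $sig.Status
                    Signer          = $signer
                    SHA256          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

# Usage (constructed path):
# Find-SpoofedMetadata -Path 'C:\Users' | Format-Table -AutoSize
```

A hit is a triage lead rather than a verdict; confirm against the file's origin and hash before acting on it.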
Disclaimer
⚠️ IMPORTANT: This project is for educational and authorized security testing purposes only.
- Use this tool only on systems you own or have explicit permission to test
- Unauthorized access to computer systems is illegal
- The authors are not responsible for misuse or damage caused by this tool
- Always comply with local laws and regulations
License
This project is licensed under the MIT License - see the LICENSE file for details.
