**Repository:** 0xMohammedHassan/morphkatz &middot; Language: C++ &middot; License: GNU Affero General Public License v3.0
**Description:** Polymorphic PE rewriter for Windows x64; rewrites binaries into semantically identical but byte-different variants.

**Listing summary (translated from Chinese):** MorphKatz is a polymorphic PE rewriting tool for the Windows x64 platform that converts binaries into variants that are semantically identical but differ byte for byte. Its core function is to rewrite PE files or raw shellcode through a single static `morphkatz.exe`, producing new versions that are logically consistent but differ in byte sequence, in order to evade byte-pattern-based detection (such as YARA rules and Defender signatures). The project is written in C++ and licensed under the GNU Affero General Public License v3.0. MorphKatz is suited to blue-team members testing and tuning the effectiveness of detection rules, and to red-team operators or authorised researchers raising their success rate against detection systems in simulated attack scenarios.

---

<p align="center">
  <img src="assets/morphkatz-logo.png" alt="MorphKatz logo — three cat heads, one body" width="420">
</p>

<h1 align="center">MorphKatz</h1>

<p align="center">
  <b>Windows x64 polymorphic machine-code rewriter.</b><br>
  <i>N faces, one body.</i> One static <code>morphkatz.exe</code> that rewrites
  PE binaries into semantically identical but byte-different variants.
</p>

<p align="center">
  <a href="#who-its-for">Who it's for</a> &middot;
  <a href="#quick-start">Quick start</a> &middot;
  <a href="#architecture--benchmarks">Architecture</a> &middot;
  <a href="#writing-your-own-rewrite-rules">Rule schema</a> &middot;
  <a href="#responsible-use">Responsible use</a> &middot;
  <a href="#licensing">Licensing</a>
</p>

<p align="center">
  <a href="CONTRIBUTING.md">Contributing</a> &middot;
  <a href="SECURITY.md">Security</a> &middot;
  <a href="TELEMETRY.md">Zero telemetry</a> &middot;
  <a href="TRADEMARK.md">Trademark</a>
</p>

---

MorphKatz rewrites x86-64 machine code inside PE executables and raw shellcode
into **semantically identical but byte-different** equivalents. Same arithmetic,
same observable EFLAGS effects, same control-flow — different bytes. That
breaks byte-pattern detection (YARA rules, Defender static signatures, Elastic's
YARA-based file signatures) without changing what the code actually does.
Log-based detection content such as Sigma rules keys on runtime events rather
than file bytes, so an on-disk rewrite does not affect it.

## Live Demo

<p align="center">
  <img src="assets/MorphKatz_Test.gif" alt="MorphKatz live demo — scan detected, morph, scan clean, run works" width="800">
</p>

> Scan → **detected** (`HackTool:Win32/AmDisable!MTB`) → morph with `--data-morph on` → scan again → **clean** → run → bypass still works at runtime.

## Who it's for

MorphKatz is built for **two complementary audiences**, and we treat both as
first-class:

### 🛡️ Detection engineers / Blue team

If your job is to write YARA rules, Defender custom indicators, or Elastic
file-signature content, MorphKatz tells you **how durable each rule actually
is**. Pipe one of your malware samples through MorphKatz with `--variants 50`
and `--target your-yara/*.yar` and you get back, per YARA rule, the percentage
of variants on which it still triggers. Rules that fall off a cliff under
polymorphic mutation are the ones an evolving threat actor will silence first;
you want to harden those before the actor does.

Specific Blue-team workflows:

- **Detection-engineering coverage testing** — quantify "what % of my rules
  are one equivalent-swap away from silence?".
- **Signature triage** — see exactly which bytes in a PE drove a Defender
  detection (`morphkatz scan --bisect`), and use that to harden or generalise
  the rule.
- **Polymorphic-robust classifier training** — generate diverse but
  semantically identical training data for ML malware classifiers.
- **Binary-similarity research** — generate evaluation corpora with known
  ground truth (every variant shares the same source semantics).

### 🗡️ Red team / Authorised offensive research

If you're testing detection coverage from the offensive side under a clear
rules-of-engagement paper trail, MorphKatz turns "manually rewrite five
gadgets and recompile" into a rules-of-engagement-friendly automation:

- **Rules-of-engagement-friendly evasion** — every mutation is rule-cited from
  the Intel SDM, every run is reproducible from `--seed`, every change lands
  in a JSON / HTML diff report you can drop into the engagement deliverable.
- **Reproducibility for your write-up** — same seed, same input, byte-for-byte
  identical output, on any machine.
- **Author-audited rules only** — MorphKatz refuses to ship
  pop-malware-of-the-month rule packs. Every rule has a cited
  semantic-equivalence proof in its YAML.

What MorphKatz is **not**:

- ❌ A live-malware obfuscator. We deliberately do not target the
  pop-malware-of-the-month list — see [`RESPONSIBLE_USE.md`](RESPONSIBLE_USE.md).
- ❌ A behavioural / ML-evasion tool. MorphKatz mutates *bytes* with
  preserved semantics; ML detections (anything ending in `!ml`) evaluate
  global behaviour and won't budge — that class of evasion is out of
  scope.
- ❌ A black box. Every rule's equivalence proof, every diff report's
  metric, every byte changed is yours to audit.

## Features

- **CFG-aware disassembly** — Zydis-powered recursive descent with
  jump-table recovery; data-in-code regions are never accidentally
  decoded.
- **In-process encoding** — Zydis encoder generates patched
  instructions in the same address space, zero IPC overhead.
- **YAML rule packs** — every rewrite rule lives under `rules/x64/`,
  reviewable and hot-swappable. Add your own without recompiling.
- **Typed intermediate representation** — `ir::Instruction` carries
  full Zydis operand metadata through the entire rewrite pipeline.
- **EFLAGS liveness** — full effect model (AF/CF/OF/PF/SF/ZF) with
  per-basic-block dataflow so rewrites never corrupt flag state.
- **Seeded polymorphism** — `xoshiro256**` RNG; `--seed N` gives
  byte-for-byte reproducible output on any machine.
- **Intel SDM NOP padding** — 1..9-byte multi-byte NOP rotation drawn
  from the Intel Optimization Reference Manual.
- **Semantic verification** — re-disassembly check by default;
  optional Unicorn basic-block emulation (`--verify unicorn`).
- **YARA-aware targeting** — `--target rules.yar` prioritises rewrites
  that break specified signature atoms.
- **Defender feedback loop** — `--target-defender` runs MpCmdRun,
  bisects anchors, and feeds them into the priority queue automatically.
- **Data-section morphing** — `--data-morph on` XOR-encodes
  signature-bearing byte sequences in `.rdata` / `.data` and decodes
  them at runtime via a polymorphic stub with an anti-emulation gate.
- **JSON + HTML reports** — per-offset before/after diffs, rule IDs,
  and detection-coverage metrics.
- **PE hygiene** — `CheckSumMappedFile`, Authenticode strip,
  reproducible timestamp, Rich-header `preserve|strip|randomize`.
- **Single static binary** — one `morphkatz.exe`, no runtime
  dependencies.

## Quick start

### Prerequisites

- **Windows 10+** / Windows Server 2019+, x64.
- **Visual Studio 2022 17.8+** with "Desktop development with C++" and the
  MSVC v143 toolset.
- **CMake 3.27+** (bundled with recent VS installers).
- **[vcpkg](https://github.com/microsoft/vcpkg)**:
  ```powershell
  git clone https://github.com/microsoft/vcpkg
  .\vcpkg\bootstrap-vcpkg.bat
  [Environment]::SetEnvironmentVariable('VCPKG_ROOT', (Resolve-Path .\vcpkg).Path, 'User')
  ```

### Build — classic Visual Studio `.sln` (one-click)

MorphKatz does **not** commit `.sln` / `.vcxproj` files — they are generated
from `CMakeLists.txt` on demand so target wiring, include dirs, and vcpkg
linkage stay authoritative in one place. For the classic "double-click the
.sln" experience:

```powershell
.\Open-in-VS.cmd                            # default: preset vs2022-x64
.\Open-in-VS.cmd -Preset vs2022-x64-asan    # ASan build
.\Open-in-VS.cmd -Fresh                     # nuke CMake cache first
.\Open-in-VS.cmd -NoOpen                    # configure only; for CI / scripting
```

`Open-in-VS.cmd` (a thin wrapper over `scripts\open-in-vs.ps1`) checks
`VCPKG_ROOT`, runs the CMake VS generator, and launches the generated
`build\<preset>\MorphKatz.sln` in the matching Visual Studio install
(located via `vswhere`). Once open, set `morphkatz` as the startup project
and hit F5.

Equivalent manual flow:

```powershell
cmake --preset vs2022-x64
start build\vs2022-x64\MorphKatz.sln
```

### Build — VS 2022 "Open Folder" / CMake mode

```powershell
# In Visual Studio: File > Open > Folder... -> (this repo)
# Select the vs2022-x64 configuration, hit F5.
# `.vs\launch.vs.json` is pre-wired with --version / --help / dry-run targets.
```

### Build — CLI only (Ninja)

```powershell
cmake --preset ninja-x64-release
cmake --build --preset ninja-x64-release
ctest --preset ninja-x64-release --output-on-failure

.\build\ninja-x64-release\morphkatz.exe --version
```

### Presets

| Preset              | Purpose                                                |
|---------------------|--------------------------------------------------------|
| `vs2022-x64`        | Emits `MorphKatz.sln` + `.vcxproj`. Default developer workflow. |
| `vs2022-x64-asan`   | Same, with MSVC `/fsanitize=address`.                  |
| `ninja-x64-release` | CLI Release build. CI-fast.                            |
| `ninja-x64-debug`   | CLI Debug build.                                       |
| `clang-cl-asan`     | `clang-cl` with ASan + UBSan. CI fuzzing.              |

## Usage

### First-run / bare-invocation

Double-clicking `morphkatz.exe` or running it with no arguments prints
a compact banner and the top five examples — no silent crash, no empty
help dump:

```text
           /\_/\      /\_/\      /\_/\
          ( o.o )    ( -.- )    ( ^.^ )
           > ^ <      > ^ <      > ^ <
              \_________|_________/
                        |
                     [  PE  ]

               M o r p h K a t z

   N faces, one body - polymorphic PE rewriter (Windows x64)
               Coded by Mohammed Abuhassan

Usage:  morphkatz <input> [options]
        morphkatz compare <a> <b> [more...] [--report out.json]
        morphkatz scan    <input> [--bisect] [--report out.html]

Quick start:
  morphkatz payload.exe --seed 42 --report report.html
  morphkatz payload.exe --seed 1 --variants 8 --report batch.json
  morphkatz target.exe  --target yara/*.yar -vv
  morphkatz target.exe  --target-defender target.exe --report run.html
  morphkatz compare v0.exe v1.exe --report cmp.html
  morphkatz scan suspect.exe --bisect --report scan.json

Run 'morphkatz --help'         for all options.
Run 'morphkatz compare --help' for the comparison subcommand.
Run 'morphkatz scan --help'    for Defender scanning options.
Run 'morphkatz --version'      for build info.
```

### Full option surface

```text
morphkatz <input.exe|input.bin> [options]

Input/output:
  -o, --output <path>            Default: <input>.patched.<ext>    (foo.exe -> foo.patched.exe)
      --backup                   Write <input>.bak (default on)
      --in-place                 Overwrite input (requires --no-backup)

Modes:
      --profile {safe,normal,aggressive}    Default: normal
      --target <rules.yar>                  Prioritise rewrites that break these YARA rules
      --rules <dir|file>                    Load custom YAML rule packs

Polymorphism:
      --seed <u64>               Reproducible run
      --mutation-budget <N>      Max rewrites per basic block
      --variants <N>             Emit N deterministic morphs (1..1000);
                                 outputs go to <output>_v<i>.<ext> plus a
                                 rolled-up <report>.summary.json

Verification:
      --verify {none,redisasm,unicorn}       Default: redisasm
      --verify-timeout-ms <N>    Default: 5000

PE options:
      --fix-checksum             Default on
      --strip-signature          Default off, warn if present
      --reproducible-timestamp <unix>           Default: keep original
      --rich-header {preserve,strip,randomize}  Default: preserve

Reporting:
      --report <path.json|path.html>
      --dry-run                  No file write; report-only
      --stats                    Print aggregate counts
  -v, --verbose                  Repeatable (-v, -vv, -vvv)
      --log-file <path>

Detection feedback:
      --target-defender <reference.exe>
                                 Run the deployed Microsoft Defender
                                 against <reference.exe> (Tier-1, via
                                 MpCmdRun.exe), peel every byte
                                 anchor with multi-anchor bisection,
                                 and feed them into the rule matcher
                                 priority alongside --target. Adds a
                                 `defender:` block to the report.
                                 See docs/scan.md.
      --auto-yara,--no-auto-yara
                                 When --target-defender flags a
                                 known family (e.g. Mimikatz), auto-
                                 load the bundled YARA hint pack at
                                 rules/yara/x64/<family>.yar so the
                                 rule matcher can boost candidates
                                 that touch family-specific bytes.
                                 Default: on. Ignored when --target
                                 is set explicitly. See
                                 rules/yara/README.md.

Data-section morphing:
      --data-morph {off|plan|on}
                                 Mutate signature-bearing byte
                                 sequences in .rdata / .data by
                                 XOR-encoding them on disk and
                                 decoding them at runtime via an
                                 appended .morph section. Default
                                 off; 'plan' is a read-only dry
                                 run that lists the atoms in the
                                 report. See docs/data-morph.md.
                                 --target-defender auto-escalates
                                 to 'on' when bisect anchors land
                                 in .rdata or .data and --data-morph
                                 wasn't pinned by the user.
      --decoder-placement {auto|ep-thunk|tls-callback}
                                 Where the runtime decoder lives.
                                 'auto' (default) prefers TLS
                                 callbacks when feasible, falls back
                                 to an entry-point thunk otherwise.
      --data-morph-min-len <bytes>      Default 4
      --data-morph-max-len <bytes>      Default 4096
                                 Length filter on candidate atoms.

Subcommands:
  morphkatz compare <a> <b> [c...] [--report out.json|out.html]
      Pairwise diff of 2+ binaries: aligned Hamming %, byte-histogram
      cosine, alphabet Jaccard, SHA-256, entropy. Useful for checking
      that --variants actually produced diverse outputs.

  morphkatz scan <input> [--bisect] [--bisect-mode {single|all}] \
                         [--bisect-scope {sections|sections-all|code|data|raw}] \
                         [--report out.json|out.html]
      Run Microsoft Defender (Tier-1, MpCmdRun-backed) against a
      single file. With --bisect, isolate the offending byte
      window(s); --bisect-mode all peels every anchor via
      multi-anchor bisection so signatures like Mimikatz!pz that
      span multiple regions are fully enumerated. --bisect-scope
      controls the PE-aware mask: 'sections' (default) keeps the
      buffer parseable on every iteration by masking only inside
      section payloads minus data-directory windows. See docs/scan.md.
```

### Batch + compare example

```powershell
# Emit 8 deterministic morphs and roll up a summary.
morphkatz.exe payload.exe --seed 1 --variants 8 --report batch.json

# Inspect pairwise diversity.
morphkatz.exe compare payload_v0.exe payload_v1.exe payload_v2.exe
```

## Writing your own rewrite rules

Rules are YAML under `rules/`. See [`docs/rule-schema.md`](docs/rule-schema.md)
for the full schema. Minimal example:

```yaml
version: 1
rules:
  - id: x64.zero.xor_to_sub
    match:
      mnemonic: XOR
      operand_count: 2
      constraints:
        - { op: 0, kind: register, class: gpr }
        - { op: 1, kind: register, class: gpr }
        - { same_register: [0, 1] }
        - { register_blacklist: [RSP] }
    rewrite:
      mnemonic: SUB
      operands:
        - { copy_from: 0 }
        - { copy_from: 1 }
    flags_effect: equivalent
    size_delta: 0
    weight: 1.0
```

Drop your rule into `rules/x64/equivalence/` or pass `--rules path/to/my.yaml`.

## Architecture & benchmarks

- [`docs/architecture.md`](docs/architecture.md) — module map, end-to-end flow,
  design rationale.
- [`docs/benchmarks.md`](docs/benchmarks.md) — measurement plan; real
  numbers land when the MalwareBazaar-backed harness in
  [`docs/evasion_bench.md`](docs/evasion_bench.md) runs end-to-end.
- [`docs/roadmap.md`](docs/roadmap.md) — what's coming in v1.1
  (Auto-Discover) and v1.2.

## Private research

MorphKatz's data-section morphing and anti-emulation gate are backed by
original reverse-engineering research into Microsoft Defender's
`mpengine.dll` emulator internals and heuristic scoring model. This
research — covering emulator instruction budgets, heuristic trigger
conditions, and evasion-gate design — is maintained privately and is
**not included in this repository**.

If you are a security researcher interested in the technical details,
reach out via GitHub Issues or Discussions. We selectively share the
full research notes with verified security professionals, detection
engineers, and academic researchers on a case-by-case basis.

## Responsible use

MorphKatz is a defensive-security research tool for red-team engagements,
malware analysis training, and AV/EDR product evaluation. Use only on
binaries you own or are authorised to test. Read
[`RESPONSIBLE_USE.md`](RESPONSIBLE_USE.md) before using MorphKatz output
against any target.

## Licensing

MorphKatz is licensed under the [GNU Affero General Public License v3.0
or later](LICENSE). Use it freely in research, open-source projects,
internal tooling, or on your own laptop. If you let users interact with a
modified MorphKatz over a network, AGPL-3.0 §13 requires you to offer those
users the corresponding source of your modified version.

Project-wide policy documents:

- [`CONTRIBUTING.md`](CONTRIBUTING.md) — DCO sign-off; CI enforces it
  on every PR.
- [`TELEMETRY.md`](TELEMETRY.md) — zero telemetry, documented and
  enforced.
- [`TRADEMARK.md`](TRADEMARK.md) — name and logo policy.
- [`SECURITY.md`](SECURITY.md) — coordinated disclosure, supported
  versions.
- [`NOTICE`](NOTICE) — third-party component licences (Zydis, LIEF,
  Unicorn, libyara, etc.).

## Contributing

Pull requests welcome — read [`CONTRIBUTING.md`](CONTRIBUTING.md) first.
In short: DCO sign-off on every commit (`git commit -s`), tests for new
rules, no `using namespace` in headers, `/W4 /permissive-` warnings are
errors.

## Security

For security vulnerabilities, use GitHub Security Advisories. **Do not**
file a public issue. See [`SECURITY.md`](SECURITY.md) for the
coordinated-disclosure timeline.

## Third-party libraries

MorphKatz stands on the shoulders of:

- **[Zydis](https://github.com/zyantific/zydis)** — disassembler +
  encoder fast enough to run on every instruction of a 10 MB binary.
- **[LIEF](https://github.com/lief-project/LIEF)** — PE parser that
  doesn't pretend the Windows loader is simple.
- **[libyara](https://github.com/VirusTotal/yara)** — rule engine whose
  AST is introspectable at compile time.
- **[Unicorn Engine](https://github.com/unicorn-engine/unicorn)** — the
  semantic-verification backend.
- **[vcpkg](https://github.com/microsoft/vcpkg)** — dependency
  management on Windows.

See [`NOTICE`](NOTICE) for the formal attribution manifest and full
third-party licence list.

---

<sub>This codebase grew out of an earlier Python research prototype
([Beatrice.py](https://github.com/raskolnikov90/Beatrice.py)). MorphKatz
is an independent C++20 reimplementation — different disassembler,
different encoder, different IR, external YAML rule packs, and many
engines (CFG recovery, EFLAGS liveness, Unicorn verify, YARA targeting,
data-section morphing, Defender feedback loop) that have no Python
counterpart. The targeted byte-pattern packs under
`rules/x64/targeted/` were ported from the prototype with the original
author's permission under MorphKatz's AGPL-3.0 licence.</sub>
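The `x64.zero.xor_to_sub` rule above claims `flags_effect: equivalent`, and the EFLAGS-liveness engine is what decides when a rewrite that does *not* reproduce every flag is still safe. The block below is an added example, not MorphKatz code or its `ir::Instruction` model: a small Python model of the Intel SDM flag semantics for XOR, SUB, AND, ADD and MOV, used to check which zero-idiom rewrites of `xor r, r` hold under a given set of live flags. The `Effect` type, the `equivalent` check and the helper names are this example's own constructions.

```python
# Added example (not MorphKatz code): a tiny x86-64 EFLAGS model used to check
# whether a candidate rewrite is equivalent under a given set of live flags.
# Flag semantics follow the Intel SDM descriptions of XOR, SUB, AND, ADD and MOV.
from dataclasses import dataclass, field

MASK64 = (1 << 64) - 1
ARITH_FLAGS = frozenset({"CF", "OF", "ZF", "SF", "PF", "AF"})


@dataclass(frozen=True)
class Effect:
    value: int                                   # destination register after the instruction
    flags: dict = field(default_factory=dict)    # flag -> 0/1, None = undefined per SDM;
                                                 # a flag absent from the dict is preserved


def _result_flags(r: int) -> dict:
    """ZF, SF and PF depend only on the result (PF is even parity of the low byte)."""
    return {"ZF": int(r == 0), "SF": (r >> 63) & 1,
            "PF": int(bin(r & 0xFF).count("1") % 2 == 0)}


def xor_rr(a: int, b: int) -> Effect:
    r = (a ^ b) & MASK64
    return Effect(r, {**_result_flags(r), "CF": 0, "OF": 0, "AF": None})


def and_ri(a: int, imm: int) -> Effect:
    r = a & imm & MASK64
    return Effect(r, {**_result_flags(r), "CF": 0, "OF": 0, "AF": None})


def sub_rr(a: int, b: int) -> Effect:
    r = (a - b) & MASK64
    return Effect(r, {**_result_flags(r),
                      "CF": int(a < b),                        # unsigned borrow
                      "OF": (((a ^ b) & (a ^ r)) >> 63) & 1,   # signed overflow
                      "AF": ((a ^ b ^ r) >> 4) & 1})           # borrow out of bit 3


def add_ri(a: int, imm: int) -> Effect:
    b = imm & MASK64
    r = (a + b) & MASK64
    return Effect(r, {**_result_flags(r),
                      "CF": int(a + b > MASK64),
                      "OF": (((a ^ r) & (b ^ r)) >> 63) & 1,
                      "AF": ((a ^ b ^ r) >> 4) & 1})


def mov_ri(imm: int) -> Effect:
    return Effect(imm & MASK64, {})              # MOV writes no flags at all


def equivalent(orig: Effect, new: Effect, live: frozenset) -> bool:
    """True if `new` can replace `orig` when exactly the flags in `live` are read later."""
    if orig.value != new.value:
        return False
    for f in live:
        if f not in orig.flags:                  # original preserves f, so the rewrite must too
            if f in new.flags:
                return False
            continue
        if orig.flags[f] is None:                # undefined after the original: nothing may read it
            continue
        if new.flags.get(f) != orig.flags[f]:    # must be written to the same defined value
            return False
    return True


def zero_idiom_check(a: int, live: frozenset = ARITH_FLAGS) -> dict:
    """Which zero-idiom rewrites of `xor r, r` hold for register value `a` under `live`?"""
    base = xor_rr(a, a)
    return {"sub r,r": equivalent(base, sub_rr(a, a), live),
            "and r,0": equivalent(base, and_ri(a, 0), live),
            "mov r,0": equivalent(base, mov_ri(0), live)}


def add_sub_check(a: int, imm: int, live: frozenset = ARITH_FLAGS) -> bool:
    """`add r, imm` -> `sub r, -imm` is value-equivalent but inverts CF and changes AF."""
    return equivalent(add_ri(a, imm), sub_rr(a, (-imm) & MASK64), live)


if __name__ == "__main__":
    print(zero_idiom_check(0xDEADBEEFCAFEBABE))              # mov r,0 fails while flags are live
    print(zero_idiom_check(0xDEADBEEFCAFEBABE, frozenset()))  # every candidate holds if flags are dead
    print(add_sub_check(5, 1), add_sub_check(5, 1, ARITH_FLAGS - {"CF", "AF"}))
```

Two things fall out of running it. `sub r, r` and `and r, 0` match `xor r, r` on every defined flag (AF is undefined after XOR, so the rewrite may set it to anything), which is why the rule can carry `flags_effect: equivalent` with no liveness condition. `mov r, 0` and the `add r, imm` to `sub r, -imm` swap only pass once the liveness analysis has shown that the flags they disturb (all of them for MOV, CF and AF for the ADD/SUB swap) are dead at that point, which is the per-basic-block dataflow the Features list describes.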
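The `compare` subcommand above reports aligned Hamming %, byte-histogram cosine, alphabet Jaccard, SHA-256 and entropy to check that `--variants` really produced diverse outputs. As an added example, not the project's implementation, here are those metrics in Python over two constructed variants, together with a single-byte XOR that stands in for the simplest form of what `--data-morph` does to an atom (MorphKatz's real key schedule is not documented on this page and is not assumed here). The sample buffers, the `xor_encode` helper and the metric names are the example's own.

```python
# Added example (not MorphKatz code): the diversity metrics `morphkatz compare`
# reports, implemented over in-memory byte strings so variant diversity can be
# checked in a test harness without the CLI.
import hashlib
import math
from collections import Counter


def aligned_hamming_pct(a: bytes, b: bytes) -> float:
    """Percent of positions that differ over the common prefix, no realignment.
    A rewrite that changes instruction length shifts everything after it, so
    this metric over-reports diversity for rules with size_delta != 0."""
    n = min(len(a), len(b))
    return 100.0 * sum(x != y for x, y in zip(a, b)) / n if n else 0.0


def histogram_cosine(a: bytes, b: bytes) -> float:
    """Cosine similarity of the 256-bin byte histograms (1.0 = identical byte mix)."""
    ha, hb = Counter(a), Counter(b)
    dot = sum(ha[k] * hb.get(k, 0) for k in ha)
    na = math.sqrt(sum(v * v for v in ha.values()))
    nb = math.sqrt(sum(v * v for v in hb.values()))
    return dot / (na * nb) if na and nb else 0.0


def alphabet_jaccard(a: bytes, b: bytes) -> float:
    """Jaccard index of the sets of byte values each buffer uses."""
    sa, sb = set(a), set(b)
    return len(sa & sb) / len(sa | sb) if (sa | sb) else 1.0


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; 8.0 is the maximum for a 256-symbol alphabet."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def xor_encode(buf: bytes, key: int) -> bytes:
    """Single-byte XOR: only permutes the alphabet, so byte entropy is unchanged."""
    return bytes(x ^ key for x in buf)


def compare(a: bytes, b: bytes) -> dict:
    """The per-pair record a compare report would carry for two variants."""
    return {"sha256_a": hashlib.sha256(a).hexdigest(),
            "sha256_b": hashlib.sha256(b).hexdigest(),
            "aligned_hamming_pct": aligned_hamming_pct(a, b),
            "histogram_cosine": histogram_cosine(a, b),
            "alphabet_jaccard": alphabet_jaccard(a, b),
            "entropy_a": shannon_entropy(a),
            "entropy_b": shannon_entropy(b)}


# Constructed sample variants (not real binaries): 64 bytes cycling through 16
# values, and a copy whose first four bytes were rewritten to values the
# original never uses.
VARIANT_0 = bytes(range(16)) * 4
VARIANT_1 = b"\xf0\xf1\xf2\xf3" + VARIANT_0[4:]
XOR_RAX_RAX = b"\x48\x31\xc0"    # xor rax, rax
SUB_RAX_RAX = b"\x48\x29\xc0"    # sub rax, rax: the xor_to_sub rule changes one opcode byte

if __name__ == "__main__":
    for k, v in compare(VARIANT_0, VARIANT_1).items():
        print(f"{k:>20}: {v}")
    print("xor->sub hamming %:", aligned_hamming_pct(XOR_RAX_RAX, SUB_RAX_RAX))
    enc = xor_encode(VARIANT_0, 0x5A)
    print("entropy unchanged by 1-byte XOR:", shannon_entropy(enc) == shannon_entropy(VARIANT_0))
```

The XOR case is the practitioner caveat: a one-byte key leaves the entropy of an encoded atom exactly where it was, so entropy alone will not reveal a data-morph pass, while the alphabet Jaccard and histogram cosine against the original drop to zero because no byte value survives the permutation. Conversely, a single `xor_to_sub` rewrite moves one byte in three of that instruction, which is why the aligned Hamming figure for a whole binary stays small unless many sites are rewritten.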
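`scan --bisect` isolates the byte windows that drive a Defender verdict, and `--bisect-mode all` peels every anchor of a multi-region signature. The block below is an added example, not the project's bisector: a keep-set bisection in Python against a scanner callback, with two constructed oracles standing in for MpCmdRun, one that needs both planted atoms (AND semantics) and one that fires on either (OR semantics). The atoms, the filler buffer, the `detect_*` oracles and the function names are constructed for the example; no real signature is reproduced.

```python
# Added example (not MorphKatz code): keep-set bisection against a scanner oracle,
# in the spirit of `morphkatz scan --bisect`. The scanner is a callback so that a
# real one (e.g. a wrapper that writes the buffer to disk and runs MpCmdRun) can be
# dropped in; here two constructed oracles stand in for it.
from typing import Callable, List, Tuple

Window = Tuple[int, int]   # half-open [start, end) byte range


def masked_except(buf: bytes, keep: List[Window], mask_byte: int) -> bytes:
    """Return buf with every byte outside the `keep` windows replaced by mask_byte."""
    out = bytearray([mask_byte]) * len(buf)
    for s, e in keep:
        out[s:e] = buf[s:e]
    return bytes(out)


def merge_windows(windows: List[Window]) -> List[Window]:
    """Coalesce adjacent or overlapping windows into contiguous anchors."""
    merged: List[Window] = []
    for s, e in sorted(windows):
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def find_anchors(buf: bytes, detect: Callable[[bytes], bool],
                 mask_byte: int = 0x00, min_len: int = 1) -> List[Window]:
    """Minimal set of byte windows that must stay intact for `detect` to keep firing.

    Delta-debugging style: a chunk is dropped (masked) whenever the scanner still
    fires without it, otherwise it is split and each half is tried in turn. Scanner
    calls grow roughly with anchors * log(len(buf)), which matters when every call
    is a multi-second MpCmdRun run. Pick a mask_byte that does not occur inside the
    pattern, or a byte of the anchor equal to mask_byte will be reported as a gap.
    """
    if not detect(buf):
        return []

    def reduce(lo: int, hi: int, others: List[Window]) -> List[Window]:
        # Invariant: detect(masked_except(buf, others + [(lo, hi)], mask_byte)) is True.
        if detect(masked_except(buf, others, mask_byte)):
            return []                      # still fires without [lo, hi): not needed
        if hi - lo <= min_len:
            return [(lo, hi)]              # cannot shrink further: anchor material
        mid = (lo + hi) // 2
        left = reduce(lo, mid, others + [(mid, hi)])
        right = reduce(mid, hi, others + left)
        return left + right

    return merge_windows(reduce(0, len(buf), []))


def peel_all_anchors(buf: bytes, detect: Callable[[bytes], bool],
                     mask_byte: int = 0x00, min_len: int = 1) -> List[Window]:
    """Repeat find_anchors, masking each result, until the scanner goes quiet.

    A single pass stops at one sufficient pattern when the signature fires on any
    of several (OR semantics); peeling enumerates all of them, which is what a
    `--bisect-mode all` style run needs.
    """
    work = bytearray(buf)
    found: List[Window] = []
    while detect(bytes(work)):
        anchors = find_anchors(bytes(work), detect, mask_byte, min_len)
        before = bytes(work)
        for s, e in anchors:
            work[s:e] = bytes([mask_byte]) * (e - s)
        if not anchors or bytes(work) == before:
            break                          # verdict not tied to maskable bytes
        found.extend(anchors)
    return merge_windows(found)


# Constructed sample: deterministic filler with two planted atoms. Not real malware.
ATOM_A = b"mimi_katz"                         # a string-style atom, as found in .rdata
ATOM_B = b"\x48\x31\xc0\x48\x89\xc1"          # xor rax, rax ; mov rcx, rax
_filler = bytearray((i * 73 + 11) & 0xFF for i in range(200))
_filler[40:40 + len(ATOM_A)] = ATOM_A
_filler[150:150 + len(ATOM_B)] = ATOM_B
SAMPLE = bytes(_filler)


def detect_all_of(buf: bytes) -> bool:        # signature that needs both atoms
    return ATOM_A in buf and ATOM_B in buf


def detect_any_of(buf: bytes) -> bool:        # signature satisfied by either atom
    return ATOM_A in buf or ATOM_B in buf


if __name__ == "__main__":
    print("AND signature, one pass :", find_anchors(SAMPLE, detect_all_of))
    print("OR signature, one pass  :", find_anchors(SAMPLE, detect_any_of))
    print("OR signature, peeled    :", peel_all_anchors(SAMPLE, detect_any_of))
```

For the AND-style signature one pass already returns both windows, because masking either atom kills the verdict. For the OR-style signature a single pass finds only one atom (masking the other changes nothing), and only the peel loop enumerates both, which is the distinction the `--bisect-mode {single|all}` switch draws. A real scanner wrapper also has to keep the buffer parseable on every iteration, which is what the `--bisect-scope sections` mask described above is for; this example masks raw bytes and does not model that.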