Example Usage
Builder.exe <input> <output> [OPTIONS]

  <input>               Target PE (.exe/.dll) or raw shellcode (.bin)
                        Payload type is auto-detected from the MZ header — no flag needed.
  <output>              Output executable

Loader:
  --stub <path>         Path to stub.bin [default: ./stub.bin]
  --preset PRINT|MEDIA|NETWORK|RANDOM
                        Module stomping DLL preset [default: PRINT]
  --overload            Module overloading instead of stomping
                        (NtCreateSection/NtMapViewOfSection, not in PEB LDR)
  --keep-alive          ExitThread(0) instead of ExitProcess
                        (required for C2 implants that spawn their own threads)
  --unhook              Restore original .text bytes in ntdll/kernel32/
                        kernelbase from \KnownDlls\ clean copies
                        (overwrites EDR inline hooks before any payload syscall)

Payload (PE/DLL only, silently ignored for shellcode):
  --export <name>       DLL export to invoke after DllMain
  --arg <string>        Argument passed to the export [max 127 chars]

Evasion (all ON by default):
  --spoof-name <exe>    Process name