gitmyhub

mkPIVM

C++ ★ 426 updated 7d ago

Generate polymorphic, position-independent virtual machines (PIVMs) from arbitrary x86/x64 shellcode.

Offensive-security research tool that wraps x86 and x64 Windows shellcode in a per-build polymorphic virtual machine with a per-run cipher, reducing signature-based detection.

C++ · Windows · setup: hard · complexity: 5/5

mkPIVM is a C++ tool for Windows that takes a piece of raw machine code and wraps it in a tiny custom virtual machine. The README describes it as a polymorphic, position-independent shellcode virtualizer for x86 and x64 Windows. The author frames the project as offensive-security research and links a PDF research paper at the top. Topic tags reference antivirus and endpoint-protection evasion together with offensive frameworks such as Cobalt Strike, Metasploit, and Havoc (command-and-control and payload tooling, not AV products), signalling that the intended audience is red teamers and malware researchers rather than general developers.

The README explains the idea like this: the input is a raw blob of code, and the output is another raw blob that contains a small interpreter plus a lifted, encrypted copy of the original instructions. Because every build is keyed by a per-run seed, the README claims that two outputs from the same input share fewer than a hundred coincidental bytes, which defeats byte-pattern signatures. The author argues that ordinary shellcode is easy to fingerprint, and that running it through a per-instance VM with a per-instance cipher removes useful patterns from the file on disk. This is a static-analysis argument: what the payload does once it runs (API calls, memory allocations, network traffic) is unchanged, so behavioural and memory-scanning detection is a separate question from on-disk signatures.

Usage is shown in one line: "mkpivm.exe shellcode.bin --arch x64 -o out.bin". The README then lists several modes selected by flags:

- Default mode lifts the whole input into the VM.
- Packer mode wraps the input as encrypted data that is decrypted at runtime.
- Hybrid mode lifts only specified byte ranges.
- Stacked mode combines packer and hybrid modes.
- Detour mode embeds a prebuilt blob into an existing PE file and patches in a jump to it.
- Scan mode prints which byte ranges would be eligible for lifting.

A showcase section links to a demo video and shows VirusTotal screenshots for an example sample. An entropy table compares the output to common Windows system DLLs such as ntdll.dll and kernel32.dll, arguing that the tool keeps file entropy close to that of normal system libraries. The comparison matters because a fully encrypted body would otherwise sit near 8 bits per byte, and high section entropy is itself a standard packer heuristic in AV and EDR engines.

The rest of the README consists of two Mermaid diagrams: one of the build pipeline (CFG building, IR lifting, obfuscation passes, codec encoding, encryption) and one of the runtime flow inside the emitted blob (prologue, decryption of internal tables, dispatcher loop, handler execution, and termination paths).
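The following is an added example, not mkPIVM's code: the README summary above does not publish the tool's blob layout, IR or cipher, so the layout, the four-op IR and the xorshift-based keystream below are assumptions chosen to illustrate the two ingredients it describes (a per-build opcode encoding, and a per-build keystream over both the dispatch table and the bytecode, consumed by a dispatcher loop) together with the two checks a detection engineer would run on such output: the number of 8-byte n-grams two builds share, and Shannon entropy in bits per byte. In the real tool the interpreter is emitted into the position-independent blob; here it stays as the host function run(). The input program is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Four IR ops for the toy VM (a real lifter covers the x86/x64 instruction set). */
enum { OP_PUSH = 0, OP_ADD, OP_XOR, OP_HALT, NOPS };

#define BLOB_MAX 64
/* Assumed toy blob layout: [4-byte key][encrypted: NOPS-byte opcode map || bytecode]. */
typedef struct { uint8_t b[BLOB_MAX]; size_t n; } blob_t;

/* Constructed input program in IR: (0x11 + 0x22) ^ 0x0F == 0x3C. */
static const uint8_t PROGRAM[] = { OP_PUSH, 0x11, OP_PUSH, 0x22, OP_ADD,
                                   OP_PUSH, 0x0F, OP_XOR, OP_HALT };

/* xorshift32 stands in for both the build-time seed PRNG and the per-build keystream (toy, not a cipher). */
static uint32_t xs32(uint32_t *s) {
    uint32_t x = *s; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return *s = x;
}

/* Build: derive a key and a random opcode encoding from the seed, encode the IR, then encrypt. */
static blob_t build(uint32_t seed) {
    blob_t out; uint32_t rng = seed, key = xs32(&rng);
    uint8_t opmap[NOPS], plain[BLOB_MAX]; size_t n = 0;
    for (int i = 0; i < NOPS; i++) {                  /* a distinct random byte per op */
        int dup;
        do { opmap[i] = (uint8_t)xs32(&rng); dup = 0;
             for (int j = 0; j < i; j++) if (opmap[j] == opmap[i]) dup = 1; } while (dup);
    }
    memcpy(plain, opmap, NOPS); n = NOPS;             /* the dispatch table travels with the code */
    for (size_t i = 0; i < sizeof PROGRAM; ) {
        uint8_t op = PROGRAM[i++];
        plain[n++] = opmap[op];
        if (op == OP_PUSH) plain[n++] = PROGRAM[i++]; /* immediates are copied through */
    }
    memcpy(out.b, &key, 4);                           /* key in the clear: the runtime needs it */
    uint32_t ks = key;
    for (size_t i = 0; i < n; i++) out.b[4 + i] = plain[i] ^ (uint8_t)xs32(&ks);
    out.n = 4 + n;
    return out;
}

/* Runtime: recover the keystream, decrypt table and bytecode, dispatch until HALT.
   Returns the top of stack, or -1 on a malformed blob. */
static int run(const blob_t *blob) {
    uint32_t ks; uint8_t dec[BLOB_MAX]; int stack[16], sp = 0;
    size_t n = blob->n - 4, pc = 0;
    memcpy(&ks, blob->b, 4);
    for (size_t i = 0; i < n; i++) dec[i] = blob->b[4 + i] ^ (uint8_t)xs32(&ks);
    const uint8_t *opmap = dec, *code = dec + NOPS;
    while (pc < n - NOPS) {
        int op = -1;                                  /* reverse the per-build encoding */
        for (int i = 0; i < NOPS; i++) if (opmap[i] == code[pc]) op = i;
        pc++;
        switch (op) {
        case OP_PUSH: if (sp >= 16 || pc >= n - NOPS) return -1; stack[sp++] = code[pc++]; break;
        case OP_ADD:  if (sp < 2) return -1; sp--; stack[sp - 1] += stack[sp]; break;
        case OP_XOR:  if (sp < 2) return -1; sp--; stack[sp - 1] ^= stack[sp]; break;
        case OP_HALT: return sp ? stack[sp - 1] : -1;
        default:      return -1;
        }
    }
    return -1;
}

/* Defender-side checks on the output. */
static int shared_ngrams(const blob_t *a, const blob_t *b, size_t k) {
    int hits = 0;                                     /* k-byte windows of a found anywhere in b */
    for (size_t i = 0; i + k <= a->n; i++)
        for (size_t j = 0; j + k <= b->n; j++)
            if (memcmp(a->b + i, b->b + j, k) == 0) { hits++; break; }
    return hits;
}
static double log2_(double x) {                       /* libm-free log2 so the file links with plain cc */
    int e = 0; while (x < 0.5) { x *= 2; e--; } while (x >= 1.0) { x /= 2; e++; }
    double z = (x - 1) / (x + 1), z2 = z * z, term = z, sum = 0;
    for (int k = 1; k < 40; k += 2) { sum += term / k; term *= z2; }
    return e + 2 * sum / 0.69314718055994530942;
}
static double entropy(const uint8_t *p, size_t n) {   /* Shannon entropy, bits per byte */
    size_t cnt[256] = {0}; double h = 0;
    for (size_t i = 0; i < n; i++) cnt[p[i]]++;
    for (int c = 0; c < 256; c++)
        if (cnt[c]) { double f = (double)cnt[c] / (double)n; h -= f * log2_(f); }
    return h;
}

int main(void) {
    blob_t a = build(0x1234u), b = build(0xC0FFEEu);  /* two builds of the same program */
    printf("run A = 0x%02X, run B = 0x%02X\n", run(&a), run(&b));
    printf("shared 8-grams across builds: %d (self: %d)\n",
           shared_ngrams(&a, &b, 8), shared_ngrams(&a, &a, 8));
    printf("entropy A = %.2f bits/byte, B = %.2f bits/byte\n",
           entropy(a.b, a.n), entropy(b.b, b.n));
    return 0;
}
```

Build with `cc -std=c99 -Wall toy_pivm.c` (file name assumed). Both blobs execute to 0x3C while sharing no 8-byte window, which is the property the README's "fewer than a hundred coincidental bytes" claim is about; the entropy figure is only meaningful on realistically sized output, which is why the README benchmarks against whole system DLLs rather than toy blobs.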

Where it fits