Mutant¶
malefic-mutant is the workspace tool for configuration generation, Cargo build orchestration, and binary post-processing. In the IoM ecosystem, it is the equivalent of MSF venom: it bridges high-level YAML configuration to compiled artifacts without manual intervention.
This page covers Mutant's design philosophy, architecture, and command model. Detailed usage for each subsystem lives in dedicated subpages:
- Generate & build — per-component build flows and
implant.yamlfield reference (see index below) - Binary tools — post-build manipulation tools (encode, patch, sigforge, etc.) (see index below)
What Mutant Does¶
Mutant handles the entire lifecycle from configuration to binary:
- Configure — parse
implant.yamland validate againstconfig_lint.json - Generate — write generated code, update
Cargo.tomlfeatures, and encrypt the runtime config blob - Build — invoke Cargo with the correct toolchain, target triple, and OLLVM settings
- Transform — post-process the binary (strip paths, patch config, sign, encode, etc.)
| Phase | Command | Output |
|---|---|---|
| Generate | malefic-mutant generate beacon |
Rust source + Cargo.toml features + encrypted config blob |
| Build | malefic-mutant build malefic |
Compiled binary or shared library |
| Transform | malefic-mutant tool patch |
Modified binary with new runtime config |
Design Philosophy¶
Schema-Driven Feature Resolution¶
Instead of hardcoding feature mappings, Mutant uses config_lint.json (a JSON Schema with Cargo-specific annotations) to drive feature selection. The resolver walks the YAML tree and applies annotations:
bool_flag— whentrue, add listed featuresenum_map— map string values to features (*as wildcard)non_empty— when string is non-empty, add listed featurespresence_fields/default_when_absent— for array items, detect field presence
After resolution, Mutant validates every feature against the actual [features] table in malefic/Cargo.toml. Unknown features emit warnings. This keeps the feature system declarative and self-documenting.
Code Generation Over Template Substitution¶
Mutant does not use string templates. Instead, it writes structured Rust source (e.g., blob_obf.rs, malefic-proxydll/src/lib.rs) and modifies Cargo.toml via toml_edit. This means generated code is always syntactically valid Rust and type-checked by the compiler.
Compile-Time Configuration¶
Sensitive configuration (targets, keys, cron intervals) is encrypted into a runtime config blob at build time. The blob is written to malefic-crates/config/src/generated/blob_obf.rs and compiled into the binary. There is no external config file at runtime — everything needed to connect back is inside the binary.
Command Model¶
malefic-mutant
├── generate — from YAML to generated code and feature flags
│ ├── beacon
│ ├── bind
│ ├── prelude
│ ├── modules
│ ├── pulse
│ └── loader proxydll
├── build — from generated config to compiled binary
│ ├── malefic
│ ├── prelude
│ ├── modules
│ ├── 3rd
│ ├── pulse
│ ├── proxy-dll
│ └── reactor
└── tool — post-build binary manipulation
├── srdi
├── strip
├── objcopy
├── sigforge
├── patch
├── obf
├── encode
├── entropy
├── watermark
├── binder
└── icon
Global Options¶
Generation:
malefic-mutant generate \
-c implant.yaml # config file (default: implant.yaml)
-E community # edition: community / professional
-s true # source / prebuild runtime
beacon
Build:
malefic-mutant build \
-c implant.yaml # config file
-t x86_64-pc-windows-gnu # target triple
--lib # build as shared library
malefic
Generate & Build Index¶
| Command | Package | Kind | Detail |
|---|---|---|---|
generate beacon / build malefic |
malefic |
bin (default) / lib (--lib) |
malefic build |
generate bind / build malefic |
malefic |
same as beacon, mod=bind |
malefic build |
generate prelude / build prelude |
malefic-prelude |
bin | prelude build |
generate pulse / build pulse |
malefic-pulse |
bin / lib / shellcode (--shellcode) |
pulse build |
generate modules / build modules |
malefic-modules |
feature 配置 / shared library | modules build |
generate loader proxydll / build proxy-dll |
malefic-proxydll |
shared library | proxydll build |
build 3rd |
malefic-3rd |
shared library | modules build |
build reactor |
malefic-reactor |
shared library (always) | reactor build |
Windows-only gates are enforced for pulse, modules, 3rd, and proxy-dll.
Binary Tools Index¶
| Tool | Purpose | Detail |
|---|---|---|
tool encode |
Payload encoding (12 algorithms) | Transform |
tool objcopy |
Binary section extraction | Transform |
tool srdi |
Shellcode Reflective DLL Injection | Transform |
tool patch |
Runtime config hot-patch | Patch |
tool sigforge |
PE signature manipulation | SigForge |
tool strip |
Path stripping from binaries | PE Modify |
tool obf |
Source-level obfuscation | Obfuscate (Pro) |
tool entropy |
Entropy measurement / reduction | PE Modify |
tool watermark |
PE watermark embedding | PE Modify |
tool binder |
PE binding / embedding | PE Modify |
tool icon |
Icon replacement / extraction | PE Modify |
generate loader template |
Template loader generation | Loader |
generate loader proxydll |
ProxyDLL generation | Loader |
tool bdf |
PE shellcode injection (Pro) | BDF (Pro) |
tool relink |
PE post-link randomization (Pro) | Relink (Pro) |
tool mutate |
Polymorphic variant generation (Pro) | Mutate (Pro) |
tool lnk |
LNK weaponization (Pro) | LNK (Pro) |
implant.yaml¶
implant.yaml is the single source of truth for generate and build commands that need project configuration. Mutant validates only the sections relevant to the selected command. basic.obf_seed is required by generation paths that produce the main implant runtime config; commands such as generate pulse only load their own active section.
| Section | Used by | Detail |
|---|---|---|
basic |
beacon, bind, modules, patch | malefic build |
implants |
beacon, bind, modules | malefic build |
build |
all build commands | malefic build |
pulse |
generate pulse |
pulse build |
loader.proxydll |
generate loader proxydll |
proxydll build |