explaingit

zumiyumi/refractionmirage

23 · Python · Audience · developer · Complexity · 4/5 · Setup · hard

TLDR

A Python tool that patches Windows security monitoring at runtime and generates an encrypted C# dropper that fetches and executes shellcode in memory, designed for offensive security testing.

Mindmap

mindmap
  root((repo))
    What it does
      AMSI patching
      ETW patching
      Shellcode encryption
    Workflow
      Convert exe with Donut
      Generate C# dropper
      Host payload remotely
    Execution
      Fetch over HTTP
      Decrypt in memory
      Run without disk write
    Tech
      Python
      C# dotnet
      Windows API

Things people build with this

USE CASE 1

Convert a Windows executable to shellcode with Donut and wrap it in an encrypted in-memory dropper for authorized penetration tests.

USE CASE 2

Bypass AMSI and ETW security monitoring on a Windows target during a red team engagement.

USE CASE 3

Generate a C# dropper that fetches an encrypted payload from a remote server and executes it without touching disk.

Tech stack

Python · C# · .NET

Getting it running

Difficulty · hard · Time to first run · 1h+

Requires Donut for shellcode conversion, a remote HTTP server to host the encrypted payload, and a Windows target with .NET framework installed.

In plain English

RefractionMirage is an offensive security tool written in Python that is designed to help bypass Windows Defender's detection mechanisms. It targets two specific Windows security components: AMSI (the Antimalware Scan Interface, which allows security software to inspect code before it runs) and ETW (Event Tracing for Windows, which logs system activity for monitoring tools). The tool patches both of these at runtime to prevent them from reporting malicious activity.

In practical terms, the workflow involves converting an existing Windows executable into shellcode using a separate tool called Donut, then passing that shellcode through RefractionMirage to encrypt it and generate a C# dropper file. The encrypted shellcode is hosted on a remote server. When the compiled dropper runs on a target machine, it fetches the encrypted payload over HTTP, decrypts it in memory, and executes it without writing anything to disk. This in-memory execution is intended to avoid file-based antivirus scanning. The README example uses Rubeus, a tool commonly used in penetration testing and in adversarial attacks against Active Directory environments, as the payload. The compiled output is a Windows executable that accepts a randomly generated trigger argument to activate the payload.

This is an offensive security tool designed for evading endpoint protection software on Windows systems. The README does not describe any defensive, research, or authorized testing context. The code is Python and the generated dropper is C#, compiled with the .NET framework compiler included with Windows.

Copy-paste prompts

Prompt 1
Walk me through using RefractionMirage to convert a Windows executable to shellcode with Donut and generate a C# dropper for an authorized pentest.
Prompt 2
Explain how AMSI and ETW work in Windows security and how RefractionMirage patches them at runtime during a red team exercise.
Prompt 3
I have a RefractionMirage-generated C# dropper that requires a trigger argument. How do I compile it with .NET and pass the correct argument at runtime?


Verify against the repo before relying on details.