ccelikanil / DFMI (Public)

Another FAFO project: Weaponizing MSI installers for fileless code execution

17 stars, 4 forks, 69% credibility
Found Apr 16, 2026 at 17 stars
AI Analysis (Python)

AI Summary

A suite of tools for modifying Windows installer files to execute custom payloads during installation for authorized red teaming and security research.

How It Works

1. 🔍 Discover DFMI: You stumble upon this security testing tool on a code sharing site while looking for ways to check installer safety.

2. 💻 Set it up: You download the program and run it on your Windows or Linux computer with a few simple preparations.

3. Pick your testing style:
   - 📦 Sneak into existing installer: hide your test action inside a real software setup file.
   - 🔄 Add-on for trusted installer: create a small extra file that works with a signed setup without changing it.
   - 🆕 Build fake updater: make a standalone setup that looks like a normal software update.

4. 🔗 Add your test task: Point it to your practice server or script so it knows what secret action to perform during the test.

5. Generate sneaky installer: With one command, it creates a modified setup file that runs your test perfectly while looking innocent.

6. 🧪 Run the test: Double-click or launch the installer on a test machine, watching it install normally.

🎉 Test succeeds: Your hidden test action fires silently with no files left behind, helping you spot security gaps.

AI-Generated Review

What is DFMI?

DFMI turns legitimate Windows MSI installers into stealthy payload droppers for red teaming, executing code filelessly during installation without leaving traces. Point it at any MSI (signed or not) and it embeds your C2 URL (PS1 or EXE) to fire via cmd.exe before files land on disk, while the software installs normally. The Python CLI works cross-platform and generates backdoored MSIs, signature-safe transforms, or fake standalone stubs with custom metadata such as "Windows Update Helper."

Why is it gaining traction?

It achieves fileless execution on signed MSIs via transforms, bypassing the installer cache and preserving the Authenticode signature, which is key for evading SmartScreen in enterprise deployments. The FAFO spirit shows in PoC videos of reverse shells spawned from a 7-Zip install. Cross-platform payload generation (Linux/Windows) and artifact-free rollback appeal to red teamers.

Who should use this?

Red team operators crafting initial access via software updates, or working in MSI-heavy environments like DFMI Huntsville sims. Pentesters targeting Windows fleets with strict AV/EDR that need covert C2 callbacks during "updates." Blue teams dissecting MSI abuse in threat hunts.

Verdict

A solid PoC for MSI weaponization: the CLI deploys payloads in seconds and comes with good docs and videos, but 17 stars and a 0.7% credibility score mark it as early stage, so validate it in a lab first. Worth forking if you red team MSIs.
