iamsopotatoe-coder/TinyLoad
TinyLoad v7.1

TinyLoad is a PE crypter/packer for x64 executables. It wraps an input exe in a configurable set of protection layers to make it harder to reverse engineer. The whole tool is a single .cpp file with no external dependencies.

how it works

TinyLoad appends your payload to a copy of itself. When the packed exe runs, the stub extracts the payload, decrypts it and executes it directly in memory; the original exe is never written to disk. Every time you pack something the VM opcode encoding is reshuffled and split into 4 independently keyed subtables, so no 2 builds are the same.
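As an added illustration (not TinyLoad's own file format or code), here is one way the append-to-self layout can work: the payload is written after the stub as PE overlay data, which the Windows loader ignores, and a fixed-size trailer at the very end of the file lets the running stub find it again. The trailer fields, the magic value and the layer flags are assumptions made for this example.

```cpp
// Added example (not TinyLoad's format): stub image + payload + trailer.
// The stub locates the payload by walking backwards from the end of its own file.
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <vector>

using Bytes = std::vector<uint8_t>;

// Hypothetical layer flags: the stub needs to know which transforms to undo
// and in which order (decrypt before decompress, since compression ran first).
enum LayerFlags : uint32_t { LAYER_LZ77 = 1, LAYER_VM = 2, LAYER_VEH = 4 };

struct Trailer {
    uint64_t payload_size;   // bytes of payload immediately preceding the trailer
    uint32_t flags;          // LayerFlags bitmask
    uint32_t magic;          // marks a packed image; the value is an assumption
};
constexpr uint32_t TRAILER_MAGIC = 0x544C4F44;   // "TLOD", chosen for this example

// Pack: a copy of the stub image, then the (already transformed) payload, then the trailer.
// Everything after the stub's last section is overlay data, so the stub's own
// headers and code are unaffected.
Bytes pack(const Bytes& stub_image, const Bytes& payload, uint32_t flags) {
    Bytes out(stub_image);
    out.insert(out.end(), payload.begin(), payload.end());
    Trailer t{static_cast<uint64_t>(payload.size()), flags, TRAILER_MAGIC};
    const uint8_t* p = reinterpret_cast<const uint8_t*>(&t);
    out.insert(out.end(), p, p + sizeof t);
    return out;
}

struct Unpacked { Bytes payload; uint32_t flags; };

// Unpack: the stub reads its own file (passed in here as bytes) and validates
// the trailer before trusting any length it contains.
Unpacked unpack(const Bytes& self_image) {
    if (self_image.size() < sizeof(Trailer))
        throw std::runtime_error("no trailer");
    Trailer t;
    std::memcpy(&t, self_image.data() + self_image.size() - sizeof t, sizeof t);
    if (t.magic != TRAILER_MAGIC)
        throw std::runtime_error("not a packed image");
    // A truncated or tampered file must not make us read before the buffer start.
    if (t.payload_size > self_image.size() - sizeof t)
        throw std::runtime_error("trailer claims more payload than the file holds");
    size_t len = static_cast<size_t>(t.payload_size);
    size_t start = self_image.size() - sizeof t - len;
    return { Bytes(self_image.begin() + start, self_image.begin() + start + len), t.flags };
}
```

In a real stub the self_image bytes come from reading the stub's own executable from disk (for example via GetModuleFileNameA and a file read): the overlay is not part of the mapped image, so it cannot be found through the in-memory module. The flags then drive the unwrapping order: undo the VM layer first, then LZ77, then map and run the result.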

download

Grab a precompiled binary from releases or build it yourself.

building from source

You need MinGW (g++). Just run:

g++ -o TinyLoad.exe TinyLoad.cpp -static -O2 -s

Or use build.bat.

usage

TinyLoad.exe --i <input> [--o <output>] [--vm] [--c] [--veh]

flag          what it does
--i <file>    input exe to pack
--o <file>    output path (default: input_packed.exe)
--vm          VM encryption
--c           LZ77 compression
--veh         VEH page fault decryption

You need at least one of --vm, --c or --veh.

examples

TinyLoad.exe --i myapp.exe --c
TinyLoad.exe --i myapp.exe --o packed.exe --vm --c
TinyLoad.exe --i myapp.exe --vm --c --veh

compression

Custom LZ77 with hash chain match finding and a 64KB sliding window. Compression runs first and VM encryption goes on top, so the encrypted output also hides the structure of the compressed stream (the other order would leave nothing compressible).
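An added example of the compression stage, written for this page and not TinyLoad's implementation: a byte-oriented LZ77 with hash-chain match finding and a 64KB window. The token format (tag byte, 2-byte little-endian distance, 1-byte length) and the chain-length limit are assumptions made here.

```cpp
// Added example, not TinyLoad's LZ77. Tokens: 0x00 + literal byte, or
// 0x01 + distance (2 bytes LE, 1..65535) + (length - 3) for lengths 3..258.
#include <algorithm>
#include <cstdint>
#include <stdexcept>
#include <vector>

using Bytes = std::vector<uint8_t>;

namespace lz {
constexpr size_t WINDOW = 65536;   // 64KB window: distances up to WINDOW - 1
constexpr size_t MIN_MATCH = 3;
constexpr size_t MAX_MATCH = 258;
constexpr size_t HASH_BITS = 15;
constexpr size_t MAX_CHAIN = 64;   // older candidates examined per position

static uint32_t hash3(const uint8_t* p) {
    uint32_t v = p[0] | (p[1] << 8) | (p[2] << 16);
    return (v * 2654435761u) >> (32 - HASH_BITS);
}

Bytes compress(const Bytes& in) {
    Bytes out;
    const size_t n = in.size();
    std::vector<int64_t> head(1u << HASH_BITS, -1);  // hash -> newest position
    std::vector<int64_t> prev(n, -1);                // position -> older position, same hash
    size_t i = 0;
    while (i < n) {
        size_t best_len = 0, best_dist = 0;
        if (i + MIN_MATCH <= n) {
            uint32_t h = hash3(&in[i]);
            int64_t cand = head[h];
            for (size_t chain = 0; cand >= 0 && chain < MAX_CHAIN; ++chain, cand = prev[cand]) {
                size_t dist = i - cand;
                if (dist > WINDOW - 1) break;        // chain is ordered newest first: rest is older
                size_t len = 0, limit = std::min(MAX_MATCH, n - i);
                while (len < limit && in[cand + len] == in[i + len]) ++len;
                if (len > best_len) { best_len = len; best_dist = dist; if (len == limit) break; }
            }
            prev[i] = head[h];
            head[h] = i;
        }
        if (best_len >= MIN_MATCH) {
            out.push_back(1);
            out.push_back(best_dist & 0xff);
            out.push_back(best_dist >> 8);
            out.push_back(best_len - MIN_MATCH);
            // positions covered by the match still join the chains so later matches can reach them
            for (size_t k = 1; k < best_len; ++k) {
                if (i + k + MIN_MATCH <= n) {
                    uint32_t h = hash3(&in[i + k]);
                    prev[i + k] = head[h];
                    head[h] = i + k;
                }
            }
            i += best_len;
        } else {
            out.push_back(0);
            out.push_back(in[i]);
            ++i;
        }
    }
    return out;
}

Bytes decompress(const Bytes& in) {
    Bytes out;
    size_t i = 0;
    while (i < in.size()) {
        uint8_t tag = in[i++];
        if (tag == 0) {
            if (i >= in.size()) throw std::runtime_error("truncated literal");
            out.push_back(in[i++]);
        } else if (tag == 1) {
            if (i + 3 > in.size()) throw std::runtime_error("truncated match");
            size_t dist = in[i] | (in[i + 1] << 8);
            size_t len = in[i + 2] + MIN_MATCH;
            i += 3;
            // the stream is attacker-visible: a bad distance is rejected, not read out of bounds
            if (dist == 0 || dist > out.size()) throw std::runtime_error("bad match distance");
            size_t start = out.size() - dist;
            for (size_t k = 0; k < len; ++k) out.push_back(out[start + k]);  // overlap-safe byte copy
        } else {
            throw std::runtime_error("bad tag");
        }
    }
    return out;
}
} // namespace lz
```

Hash chains give most of the benefit of an exhaustive window search at a fraction of the cost: head[] remembers the newest position for each 3-byte hash and prev[] links each position to the previous one with the same hash, so the matcher only compares against candidates that already share a prefix. The decompressor's distance check matters in a packer because the compressed stream sits inside a file anyone can edit.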

vm encryption

A custom 28-opcode virtual machine runs inside the stub. The opcodes are randomly placed into 4 subtables of 8 slots each, and every subtable is XOR encrypted with a different key derived from the payload data, so cracking 1 subtable reveals at most 8 of the 28 opcodes. The cipher itself is a 128-bit stream cipher using rotl/rotr key mixing that runs entirely inside the VM interpreter. Since the stub derives the keys from data it already holds, this layer defeats static analysis and signature matching; someone who runs or traces the interpreter still sees the decoded opcodes and the plaintext.
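An added example, not TinyLoad's VM or cipher, of the two mechanisms this section describes: a per-build opcode encoding stored as 4 XOR-keyed subtables with keys derived from the payload, and a 128-bit ARX keystream built from rotl/rotr mixing. The table layout, the FNV-1a key derivation, the shuffle seed and the keystream round are all assumptions of this example, and the keystream is illustrative rather than a vetted cipher.

```cpp
// Added example (not TinyLoad's own VM or cipher). Two pieces: a per-build
// opcode encoding split into 4 XOR-keyed subtables, and a 128-bit rotl/rotr keystream.
#include <algorithm>
#include <array>
#include <cstdint>
#include <numeric>
#include <random>
#include <vector>

using Bytes = std::vector<uint8_t>;

constexpr int NUM_OPCODES = 28;
constexpr int SUBTABLES = 4, SLOTS_PER = 8;   // 32 slots, 4 of them unused
constexpr uint8_t UNUSED = 0xFF;

struct OpcodeTables {
    std::array<uint8_t, SUBTABLES * SLOTS_PER> table;  // slot -> real opcode, XOR-encrypted
    std::array<uint8_t, SUBTABLES> keys;               // one key byte per subtable
    std::array<uint8_t, NUM_OPCODES> encode;           // real opcode -> slot used in bytecode
};

// Key derivation is an assumption of this example: FNV-1a over the payload, one byte per subtable.
static uint64_t fnv1a(const Bytes& d) {
    uint64_t h = 1469598103934665603ull;
    for (uint8_t b : d) { h ^= b; h *= 1099511628211ull; }
    return h;
}

OpcodeTables build_tables(const Bytes& payload, uint32_t build_seed) {
    OpcodeTables t{};
    uint64_t h = fnv1a(payload);
    for (int s = 0; s < SUBTABLES; ++s) {
        uint8_t k = static_cast<uint8_t>(h >> (16 * s));
        t.keys[s] = k ? k : 0xA5;   // a zero key would leave that subtable in the clear
    }
    std::array<uint8_t, SUBTABLES * SLOTS_PER> slots{};
    std::iota(slots.begin(), slots.end(), 0);
    std::mt19937 rng(build_seed);   // per-build randomness: no 2 builds share an encoding
    std::shuffle(slots.begin(), slots.end(), rng);
    t.table.fill(UNUSED);
    for (int op = 0; op < NUM_OPCODES; ++op) { t.encode[op] = slots[op]; t.table[slots[op]] = op; }
    // unused slots are encrypted too, so the stored table does not reveal which 4 are empty
    for (int i = 0; i < SUBTABLES * SLOTS_PER; ++i) t.table[i] ^= t.keys[i / SLOTS_PER];
    return t;
}

// Interpreter-side fetch: decrypt only the entry the instruction refers to.
uint8_t decode(const OpcodeTables& t, uint8_t slot) { return t.table[slot] ^ t.keys[slot / SLOTS_PER]; }

Bytes encode_program(const OpcodeTables& t, const std::vector<uint8_t>& real_ops) {
    Bytes out;
    for (uint8_t op : real_ops) out.push_back(t.encode[op]);
    return out;
}

// What one recovered subtable key gives an attacker: that subtable's real opcodes, nothing else.
std::vector<uint8_t> opcodes_exposed_by(const OpcodeTables& t, int subtable, uint8_t key) {
    std::vector<uint8_t> out;
    for (int i = subtable * SLOTS_PER; i < (subtable + 1) * SLOTS_PER; ++i) {
        uint8_t op = t.table[i] ^ key;
        if (op < NUM_OPCODES) out.push_back(op);
    }
    return out;
}

// 128-bit ARX keystream (illustrative only; not a vetted cipher and not TinyLoad's).
static uint64_t rotl64(uint64_t x, unsigned r) { return (x << r) | (x >> (64 - r)); }
static uint64_t rotr64(uint64_t x, unsigned r) { return (x >> r) | (x << (64 - r)); }

struct Stream128 { uint64_t a, b; };

static uint64_t next_word(Stream128& s) {
    s.a += s.b;
    s.b = rotl64(s.b, 23) ^ s.a;
    s.a = rotr64(s.a, 17) + s.b;
    s.b ^= rotl64(s.a, 41);
    return s.a ^ s.b;
}

// XOR buf with the keystream; the same call encrypts and decrypts.
void xor_stream(Bytes& buf, uint64_t k0, uint64_t k1) {
    Stream128 s{k0 ^ 0x9E3779B97F4A7C15ull, k1 ^ 0xD1B54A32D192ED03ull};
    for (int i = 0; i < 8; ++i) next_word(s);   // warm-up rounds so structured keys diffuse
    uint64_t w = 0;
    for (size_t i = 0; i < buf.size(); ++i) {
        if (i % 8 == 0) w = next_word(s);
        buf[i] ^= static_cast<uint8_t>(w >> (8 * (i % 8)));
    }
}
```

The point of the split is that each subtable decrypts independently: opcodes_exposed_by() with the right key for subtable 0 returns only the real opcodes stored in that subtable, never more than 8. Because the keys come from data the stub already has, this is obfuscation of the bytecode at rest, not confidentiality against someone who traces the interpreter.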

veh page fault decryption

With --veh enabled, all PE section pages of the payload are mapped PAGE_NOACCESS. The first access to a page raises an exception; a vectored exception handler decrypts just that 1 page and sets its correct protection. A watchdog thread runs in the background and re-encrypts any page that hasn't been touched in 200ms, so at any given moment most of the program is still encrypted in memory and a memory dump only captures the pages that were recently accessed.
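Added example, not TinyLoad's code, of the page-fault decryption idea on Linux, where mprotect and a SIGSEGV handler play the roles of PAGE_NOACCESS and the vectored exception handler. The single XOR key, the page layout and the global state are placeholders for this example; a real stub would use its actual cipher and per-page keys.

```cpp
// Added example (not TinyLoad's code): lazy per-page decryption on POSIX.
// Pages are stored XOR-"encrypted" and mapped PROT_NONE. The first touch faults,
// the SIGSEGV handler decrypts that one page and makes it readable. relock_page()
// re-encrypts and re-protects a page, which is the watchdog's job for idle pages.
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <signal.h>
#include <sys/mman.h>
#include <unistd.h>

namespace lazy {
static uint8_t* g_base = nullptr;        // start of the protected region
static size_t   g_pages = 0;
static size_t   g_page = 4096;
static const uint8_t KEY = 0x5A;         // placeholder; a real stub derives per-page keys
static volatile sig_atomic_t g_faults = 0;

static void xor_page(uint8_t* p) { for (size_t i = 0; i < g_page; ++i) p[i] ^= KEY; }

static void on_segv(int /*sig*/, siginfo_t* si, void* /*ctx*/) {
    uint8_t* addr = static_cast<uint8_t*>(si->si_addr);
    if (addr < g_base || addr >= g_base + g_pages * g_page) {
        signal(SIGSEGV, SIG_DFL);        // not our region: let a real crash crash
        return;
    }
    uint8_t* page = g_base + ((addr - g_base) / g_page) * g_page;
    mprotect(page, g_page, PROT_READ | PROT_WRITE);   // async-signal-safe
    xor_page(page);                                    // decrypt just this page
    g_faults = g_faults + 1;
}

// Copy `len` bytes of plaintext into fresh pages, encrypt them and lock them all.
void setup(const uint8_t* plain, size_t len) {
    g_page = static_cast<size_t>(sysconf(_SC_PAGESIZE));
    g_pages = (len + g_page - 1) / g_page;
    void* m = mmap(nullptr, g_pages * g_page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) throw std::runtime_error("mmap failed");
    g_base = static_cast<uint8_t*>(m);
    std::memcpy(g_base, plain, len);
    for (size_t p = 0; p < g_pages; ++p) xor_page(g_base + p * g_page);
    if (mprotect(g_base, g_pages * g_page, PROT_NONE) != 0)
        throw std::runtime_error("mprotect failed");
    struct sigaction sa{};
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, nullptr);
}

// Re-encrypt and re-lock one page (what the 200 ms watchdog does for idle pages).
void relock_page(size_t p) {
    if (p >= g_pages) throw std::out_of_range("page index");
    uint8_t* page = g_base + p * g_page;
    xor_page(page);
    mprotect(page, g_page, PROT_NONE);
}

// A plain read through the region; the fault path makes decryption transparent.
uint8_t read_byte(size_t off) {
    if (off >= g_pages * g_page) throw std::out_of_range("offset");
    return g_base[off];
}
int faults_handled() { return g_faults; }

void teardown() {
    signal(SIGSEGV, SIG_DFL);
    munmap(g_base, g_pages * g_page);
    g_base = nullptr;
    g_pages = 0;
}
} // namespace lazy
```

relock_page() is the watchdog's action for an idle page, called explicitly here instead of from a timer thread. With real threads the handler and the watchdog have to agree on each page's state: re-encrypting a page another thread is executing from, or decrypting one the watchdog is halfway through re-encrypting, corrupts it, so the per-page transitions need a lock or an atomic state word.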

anti dump

The 4 most critical APIs (GetModuleHandleA, GetProcAddress, ExitProcess, VirtualAlloc) are redirected through wrapper functions inside the stub. After the payload is loaded, the entire import directory is zeroed, so a memory dump no longer contains the import descriptors needed to rebuild the import table from them. Note that the resolved IAT entries themselves stay in memory while the payload runs (its calls need them), and scanning for those is what import reconstruction tools do.

Graph: compression graph (image not included)

license

MIT

sidenotes

  • this works on most files I've tested; if it breaks on yours, open an issue and I'll look into it
  • suggestions and feature ideas go in issues too
  • if you use it, a star helps a lot <3
  • check the blog at https://iamsopotatoe-coder.github.io/TinyLoad/#blog for future updates
  • yes, AVs flag packers, that's expected. (Currently has 9 detections on VirusTotal; any file you pack with it gets 9 detections, the content doesn't matter)
  • please don't pack malware with this, it's intended for legitimate use
  • Star history: (chart image not included)