• Stars
    star
    1,911
  • Rank 24,257 (Top 0.5 %)
  • Language
    C++
  • License
    BSD 2-Clause "Sim...
  • Created over 6 years ago
  • Updated about 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Converts PE into a shellcode

pe_to_shellcode

Build status GitHub release Github All Releases Github Latest Release

Converts PE so that it can be then injected just like a normal shellcode.
(At the same time, the output file remains to be a valid PE).
Supports both 32 and 64 bit PEs

Authors: @hasherezade & @hh86

Objective

The goal of this project is to provide a possibility to generate PE files that can be injected with minimal effort. It is inspired by Stephen Fewer's ReflectiveDLLInjection - but the difference is that with pe2shc you can add the reflective loading stub post-compilation. Also, the header of the PE file is modified in such a way, that you can start executing the injected buffer from the very beginning - just like you would do with a shellcode. It will automatically find the stub, and continue loading the full PE.

Scope of the project

🟒 The stub supports only basic structures of PE format, such as:

  • relocations
  • imports
  • TLS callbacks (called once, before the Entry Point is executed)

Please keep in mind, that although for the majority of PE files this is sufficient, some executables you encounter may be using other, more complex aspects of the PE format. It means, not every PE can be successfuly converted to a shellcode.

🚫 Examples of currently not supported elements:

  • exceptions (if the executable you converted will be run as a shellcode, and throw the exception, the appropriate exception handler will not be found, and the application will crash)
  • Delay Load Imports (only the basic Import Table support is implemented)
  • MUI files (if the executable you converted expects some elements of the GUI have to be loaded from a MUI file, it won't work)

Builds

πŸ“¦ βš™οΈ Download the latest release.

Clone

Use recursive clone to get the repo together with all the submodules:

git clone --recursive https://github.com/hasherezade/pe_to_shellcode.git

How to use it

  1. Use pe2shc.exe to convert a PE of your choice:
pe2shc.exe <path to your PE> [output path*]
* - optional

If the PE was successfuly converted, pe2shc will let you know where the output was saved:

[+] Saved to file: <converted file>

i.e.

[+] Saved to file: test_file.shc.exe
  1. Use runshc.exe(*) to run the output file and check if the conversion went fine.
runshc.exe <converted file>

(*)Warning: remember to use the version of runshc with a bitness appropriate to your converted application (32 or 64 bit) - otherwise the application will crash!

  1. If the file runs as the original PE, it confirms that the conversion was successful!
    Now you can use the converted PE just like you would use a shellcode: inject it to a target and execute from the beginning of the buffer. No additional PE loaders are required.
    At the same time, you can keep using the converted file as a regular PE.

More Repositories

1

pe-bear

Portable Executable reversing tool with a friendly GUI
C++
1,976
star
2

malware_training_vol1

Materials for Windows Malware Analysis training (volume 1)
Assembly
1,806
star
3

hollows_hunter

Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
C
1,659
star
4

libpeconv

A library to load, manipulate, dump PE files. See also: https://github.com/hasherezade/libpeconv_tpl
C++
917
star
5

tiny_tracer

A Pin Tool for tracing API calls etc
C++
880
star
6

demos

Demos of various injection techniques found in malware
C
771
star
7

pe-bear-releases

PE-bear (builds only)
762
star
8

dll_to_exe

Converts a DLL into EXE
C++
726
star
9

exe_to_dll

Converts a EXE into DLL
C++
657
star
10

bearparser

Portable Executable parsing library (from PE-bear)
C++
608
star
11

process_ghosting

Process Ghosting - a PE injection technique, similar to Process DoppelgΓ€nging, but using a delete-pending file instead of a transacted file
C
551
star
12

mal_unpack

Dynamic unpacker based on PE-sieve
C
543
star
13

process_doppelganging

My implementation of enSilo's Process Doppelganging (PE injection technique)
C
489
star
14

transacted_hollowing

Transacted Hollowing - a PE injection technique, hybrid between ProcessHollowing and ProcessDoppelgΓ€nging
C
457
star
15

malware_analysis

Various snippets created during malware analysis
Python
447
star
16

ida_ifl

IFL - Interactive Functions List (plugin for IDA Pro)
Python
392
star
17

module_overloading

A more stealthy variant of "DLL hollowing"
C
318
star
18

process_overwriting

Yet another variant of Process Hollowing
C++
313
star
19

IAT_patcher

Persistent IAT hooking application - based on bearparser
C++
236
star
20

persistence_demos

Demos of various (also non standard) persistence methods used by malware
C++
214
star
21

chimera_pe

ChimeraPE (a PE injector type - alternative to: RunPE, ReflectiveLoader, etc) - a template for manual loading of EXE, loading imports payload-side
C
208
star
22

shellconv

Small tool for disassembling shellcode (using objdump)
Python
144
star
23

masm_shc

A helper utility for creating shellcodes. Cleans MASM file generated by MSVC, gives refactoring hints.
C++
136
star
24

antianalysis_demos

Set of antianalysis techniques found in malware
C++
119
star
25

password_scrambler

Password scrambler - a deterministic password re-generator (alternative to a password manager)
Python
118
star
26

dll_injector

A simple commandline injector using classic DLL injection
C++
114
star
27

funky_malware_formats

Parsers for custom malware formats ("Funky malware formats")
C++
94
star
28

process_chameleon

A process overwriting its own PEB to make an illusion that it has been loaded from a different path.
C
93
star
29

mal_unpack_drv

MalUnpack companion driver
C++
82
star
30

crypto_utils

Set of my small utils related to cryptography, encoding, decoding etc
Python
76
star
31

ViDi

ViDi Visual Disassembler (experimental)
C++
76
star
32

pe2pic

Small visualizator for PE files
Python
63
star
33

pin_n_sieve

An experimental dynamic malware unpacker based on Intel Pin and PE-sieve
C++
54
star
34

paramkit

A small library helping to parse commandline parameters (for C/C++)
C++
52
star
35

petya_recovery

Application for cracking Red Petya key based on genetic algorithms.
C++
50
star
36

petya_key

A decoder for Petya victim keys, using the Janus' masterkey.
C++
43
star
37

libpeconv_tpl

A ready-made template for a project based on libpeconv.
C++
40
star
38

pe_unmapper

Small tool to convert beteween the PE alignments (raw and virtual).
C++
39
star
39

flareon2019

Flare-On solutions
C
36
star
40

mal_sort

Various scripts helpful in sorting collections of malware samples.
Python
36
star
41

pesieve-go

Golang bindings for PE-sieve
Go
35
star
42

IAT_patcher_samples

Sample libraries to be used with IAT Patcher
C++
32
star
43

pe_utils

A set of small utilities, helpers for PIN tracers
C++
31
star
44

hidden_bee_tools

Parser for a custom executable format from Hidden Bee malware (first stage)
C
31
star
45

mal_unpack_py

Python wrappers for mal_unpack
Python
29
star
46

decryptors_archive

Archive of ransomware decryptors
C++
28
star
47

flareon2022

JavaScript
27
star
48

asm16_projects

My small projects writen in 16 bit asm (NOTE: those are my practice projects that I wrote when I was 15, I give no warranty for this code!)
Assembly
23
star
49

tag_converter

C++
22
star
50

petya_green

Application for random attack on Green Petya's key
C++
22
star
51

bootldr_demo

Demo bootloaders - created just for fun
Assembly
21
star
52

metasploit_modules

My metasploit modules
Ruby
19
star
53

loaderine

A demo implementation of a well-known technique used by some malware to evade userland hooking, using my library: libpeconv.
C
19
star
54

jpassword_scrambler

Small utility to generate complicated passwords - version with GUI
Java
17
star
55

bunitu_tests

Scripts for communication with Bunitu Trojan C&Cs
Python
16
star
56

7ev3n_decoders

Decoders for 7ev3n ransomware
Assembly
14
star
57

libpeconv_and_detours_tpl

A template for projects using both libPeConv and MS Detours
C++
14
star
58

sig_finder

Signature finder (from PE-bear)
C++
13
star
59

detours_cmake_tpl

A CMake template for projects using MS Detours
CMake
13
star
60

passcrambler

https://hasherezade.github.io/passcrambler/
JavaScript
11
star
61

challs

My solutions for random crackmes and other challenges
C++
11
star
62

wke_exercises

My solutions for HackSys Extreme Vulnerable Driver
C++
10
star
63

drawings

Some of my drawings
9
star
64

pe_recovery_tools

A placeholder repository
9
star
65

hasherezade.github.io

My projects' homepage
HTML
8
star
66

mastercoder2014

My solutions
C++
8
star
67

libpeconv_demo

Demo projects and utilities made with the help of libPeConv
C++
8
star
68

bearparser_tests

External tests for bearparser
Assembly
7
star
69

libpeconv_wrappers

A ready-made template for a new project based on libPeConv library
C++
7
star
70

hasherezade

6
star
71

paramkit_tpl

A template for a project using ParamKit
C++
5
star
72

pesieve_tests

External tests for PE-sieve
4
star