pe_to_shellcode v1.1 releases: Converts PE into a shellcode
pe_to_shellcode
Converts PE so that it can be then injected just like a normal shellcode.
(At the same time, the output file remains to be a valid PE).
Supports both 32 and 64-bit PEs
Objective:
The goal of this project is to provide a possibility to generate PE files that can be injected with minimal effort. It is inspired by Stephen Fewer’s ReflectiveDLLInjection – but the difference is that with pe2shc you can add the reflective loading stub post-compilation. Also, the header of the PE file is modified in such a way, that you can start executing the injected buffer from the very beginning – just like you would do with a shellcode. It will automatically find the stub and continue loading the full PE.
Changelog v1.1
BUGFIX
- Stub cleanup: do not clobber RBX/EBX registers
REFACT
- Removed some useless instructions from 32 bit stub
- Small cleanup in the loader v2
The package contains:
- pe2shc.exe – PE to shellcode converter (supports both 32 and 64 bit PEs)
- a utility to run/test shellcode (loads and deploys):
- runshc32.exe – for 32-bit shellcodes
- runshc64.exe – for 64-bit shellcodes
- a utility to inject shellcode into a given process:
- injector32.exe – for 32-bit shellcodes
- injector64.exe – for 64-bit shellcodes
Download
Use
- Use pe2shc.exe to convert a PE of your choice:
pe2shc.exe <path to your PE> [output path*] * - optional
If the PE was successfully converted, pe2shc will let you know where the output was saved:
[+] Saved to file: <converted file>
i.e.
[+] Saved to file: test_file.shc.exe
- Use runshc.exe(*) to run the output file and check if the conversion went fine.
runshc.exe <converted file>
(*)Warning: remember to use the version of runshc with a bitness appropriate to your converted application (32 or 64 bit) – otherwise the application will crash!
- If the file runs as the original PE, it confirms that the conversion was successful!
Now you can use the converted PE just like you would use a shellcode: inject it to a target and execute from the beginning of the buffer. No additional PE loaders are required.
At the same time, you can keep using the converted file as a regular PE.
Demo
Source: https://github.com/hasherezade/