Convert Exe To Shellcode -
donut -f payload.exe -a 2 -o shellcode.bin
This article is for educational purposes only. Unauthorized conversion or execution of shellcode against systems you do not own is illegal.
Converting a standard .exe file into shellcode is not as simple as renaming the file or copying its bytes. A typical executable relies on the Operating System (OS) loader to handle complex tasks like memory allocation, resolving imports (DLLs), and base relocations. For an .exe to run as "shellcode," it must be converted into Position-Independent Code (PIC) that can execute from any memory address without these external OS dependencies. Common Tools for Conversion
Several specialized tools can automate the wrapping of an .exe into a shellcode-ready format:
Donut: This is the industry-standard tool for converting VBScript, JScript, EXE, DLL, and .NET assemblies into position-independent shellcode for x86 and x64 systems.
Pe2shc: A popular tool that makes a PE (Portable Executable) file act as a shellcode. It prepends a small stub that handles the necessary loading and relocation tasks at runtime.
exec2shell: A utility used to extract the .text (executable code) section of a PE or ELF file and output it as a raw binary or C-style array.
msfvenom: Part of the Metasploit framework, it can generate various payloads and encode existing executables into shellcode formats. Manual Method: Extracting the .text Section
If you only need the raw machine instructions from the executable code section, you can use a Python script with the pefile library to extract the .text segment.
import pefile import sys # Load the EXE file pe = pefile.PE(sys.argv[1]) # Function to grab executable code from the .text section def grab_executable_code(): ops = "" for section in pe.sections: # Looking for the primary executable section if b'.text' in section.Name: for item in bytearray(section.get_data()): # Format bytes as \x00 for shellcode strings ops += f"\\xitem:02x" return ops print(grab_executable_code()) Use code with caution. Copied to clipboard Key Technical Challenges
Embedding Shellcode in .text and .data section. | by Irfan Farooq
Converting a Windows executable (.exe) into shellcode involves transforming a standard Portable Executable (PE) Position-Independent Code (PIC)
that can run in memory without being loaded by the standard OS loader Popular Tools for Conversion
Several automated tools can wrap an existing EXE or DLL into a shellcode loader:
: A widely used generator that creates PIC from .NET assemblies, EXE files, and DLLs. It wraps the payload in a loader that handles memory decryption and execution. donut -f payload.exe -o payload.bin PE to Shellcode (pe2shc)
: Specifically designed to make a PE file runnable as shellcode by adding a specialized stub to the front. pe2shc.exe input.exe output.shc
: A multi-language tool (Python and Rust versions available) that converts EXEs to shellcode arrays for use in loaders. Manual Extraction Methods
If you are developing your own code specifically to be used as shellcode, you can extract it manually: hasherezade/pe_to_shellcode: Converts PE into a shellcode
Clone. Use recursive clone to get the repo together with all the submodules: git clone --recursive https://github.com/hasherezade/
mrd0x/pe2shc-to-cdb: Convert shellcode generated ... - GitHub
Converting an EXE to shellcode transforms complex applications into position-independent payloads. Tools like Donut have made this process frighteningly simple. Whether you are a red teamer automating post-exploitation or a blue teamer building detections, understanding the "PE to shellcode" pipeline is essential in 2025. convert exe to shellcode
Remember: With great power comes great responsibility. Test only on your own infrastructure.
Want to dive deeper? Read the source code of Donut's loader stub – it's a masterclass in position-independent assembly for Windows.
Converting an executable (EXE) to position-independent shellcode is a complex task because standard EXEs rely on specific memory layouts and external library imports (like DLLs) that don't exist when code is injected as a raw blob.
The most authoritative paper on the underlying mechanics of Windows shellcode and how to structure code for this purpose is Understanding Windows Shellcode Essential Reading Understanding Windows Shellcode
(skape, 2003): This is the foundational paper for the field. It explains how to write code that finds its own location in memory, resolves function addresses from the Process Environment Block (PEB), and executes without the standard Windows loader. Specialized Academic Papers English Shellcode
: Discusses the constraints of shellcode (like character-set limits) and how machine code can be transformed into payloads that mimic legitimate text to evade detection.
A Method for Shellcode Extraction from Malicious Document Files
: Focuses on the reverse process—identifying and extracting shellcode from files using entropy and emulation. UMD Department of Computer Science Technical Implementations & Guides
If you are looking for tools or modern walkthroughs on how this conversion is done today: pe_to_shellcode
: A popular tool by researcher hasherezade that converts a Portable Executable (PE) into a shellcode-like blob by adding a custom loader stub. From a C Project to Shellcode
: A step-by-step technical guide on taking a high-level C project and stripping it down into raw shellcode. Writing and Compiling Shellcode in C : A practical guide from Red Team Notes
that covers the compilation flags and code adjustments needed to prevent the compiler from adding dependencies. specific code requirements
(like avoiding global variables) needed for a successful conversion? Writing and Compiling Shellcode in C - Red Team Notes
To convert a Portable Executable (PE/EXE) to shellcode, you must transform the machine code into a position-independent format that can execute regardless of where it is loaded in memory. Quick Methods to Convert EXE to Shellcode
The most effective way to handle this conversion is through specialized tools that wrap the original executable with a custom loader. Donut (Highly Recommended)
: This is the industry standard for creating position-independent shellcode payloads from .NET assemblies, PEs, and DLLs. donut.exe -i
: Specifically designed to convert a 32-bit or 64-bit EXE into a shellcode blob that remains a valid PE but can be executed like shellcode. pe2shc.exe
: A simpler Python/Rust-based utility for basic conversions. python3 exe2shell.py
Converting a standard EXE to shellcode is not as simple as copying bytes; the resulting code must satisfy several technical conditions to run successfully: Stack Overflow Generating Shellcode from an exe? [closed] - Stack Overflow
Converting a Windows executable (EXE) into shellcode is a fundamental technique in offensive security, primarily used to enable position-independent execution of complex payloads. Unlike standard executables, shellcode does not rely on the OS loader to resolve memory addresses or dependencies, making it ideal for process injection and fileless malware delivery. 1. Understanding Position-Independent Code (PIC) donut -f payload
Standard EXEs are typically compiled with hardcoded memory addresses and an Import Address Table (IAT) that requires the Windows Loader (ntdll!LdrLoadDll) to function. To convert an EXE to shellcode, the code must be transformed into Position-Independent Code (PIC). PIC can execute correctly regardless of its absolute address in memory by using relative addressing (RIP-relative in x64) and manually locating required functions in memory via the Process Environment Block (PEB). 2. Common Conversion Techniques
There are several established methods for performing this conversion:
Reflective DLL Injection: This technique involves adding a custom loader to a DLL that allows it to map itself into memory. Tools like the Metasploit Framework use this to inject payloads without touching the disk.
Donut: This is currently the industry standard for converting PE files (EXE, DLL, .NET) into position-independent shellcode. According to researchers at TheWover/donut, it works by creating a VBS/JS/EXE bootstrap that decrypts and loads the original payload directly into memory.
Manual PE Parsing: For custom implementations, developers write a "stub" in assembly or C. This stub parses the PE headers of the embedded EXE, allocates memory using VirtualAlloc, maps the sections, and resolves imports before jumping to the EntryPoint. 3. Implementation Workflow
A typical workflow for converting an EXE into a usable shellcode payload, as outlined by security labs like r19.io, follows these steps:
Generate the Payload: Create the target executable (e.g., a simple calc.exe launcher). Conversion: Use a tool like Donut to wrap the EXE. donut -i payload.exe -f 1 -o payload.bin Use code with caution. Copied to clipboard
Obfuscation: To bypass EDR/Antivirus, the resulting .bin file is often XOR-encoded or encrypted.
Formatting: Convert the binary data into a C-style array (using tools like xxd) for inclusion in a loader.
Execution: A loader is written to inject this shellcode into a target process (like explorer.exe) using APIs such as WriteProcessMemory and CreateRemoteThread. 4. Security Implications and EDR Bypass
The primary reason for EXE-to-shellcode conversion is evasion. Traditional antivirus software often scans files on the disk. By converting an EXE to shellcode, an attacker can: Execute the payload entirely in memory (Fileless). Bypass static signature-based detection.
Utilize Indirect Syscalls to hide the origin of memory allocation and thread creation from EDR hooks. 5. Conclusion
Converting an EXE to shellcode bridges the gap between high-level application development and low-level exploit delivery. While tools like Donut have automated the process, understanding the underlying PE structure and memory management is crucial for developing resilient and stealthy security tools.
Converting an executable (EXE) into shellcode is a critical skill in offensive security, red teaming, and exploit development. While a standard EXE file relies on the operating system’s loader to manage memory and resolve dependencies, shellcode must be position-independent, meaning it can execute from any memory address without such assistance.
This guide explores the methods, tools, and technical challenges of transforming a standalone executable into functional shellcode. Understanding the Difference: EXE vs. Shellcode
To convert an EXE effectively, you must understand why a simple copy-paste of bytes won't work:
The OS Loader: A standard EXE (Portable Executable or PE) contains headers that tell Windows where to load code sections and how to find external functions in DLLs.
Dependency Resolution: EXE files use an Import Address Table (IAT) to link to system functions like CreateProcess. Shellcode, however, must manually locate these functions in memory by traversing structures like the Process Environment Block (PEB).
Position Independence: Standard binaries often use absolute memory addresses. Shellcode must use relative addressing to ensure it runs correctly regardless of where it is injected. Popular Tools for Conversion
Several automated tools simplify this complex process by prepending a "loader stub" to your EXE that handles the necessary memory mapping at runtime. This article is for educational purposes only
Converting an EXE file to shellcode is not as simple as copying its raw bytes. A standard EXE (Portable Executable) file contains headers, section tables, and external dependencies that require an operating system loader to function. Shellcode, by contrast, must be Position Independent Code (PIC)—it must be able to run from any memory address without relying on fixed offsets or pre-loaded libraries. Core Challenges
The OS Loader: Standard EXEs rely on the OS to set up memory sections and resolve imports (like DLLs).
Hardcoded Addresses: Most compiled EXEs use absolute memory addresses that break if the code is moved.
External Dependencies: Functions like printf or WinExec must be manually located by the shellcode at runtime. Methods for Conversion 1. Using Automated Tools (Recommended)
The most reliable way to convert an existing EXE into shellcode is using tools that wrap the EXE in a "loader stub." This stub acts as a mini-OS loader to handle memory allocation and dependency resolution.
Donut: A popular tool that creates position-independent shellcode payloads from Windows VBScript, JScript, EXE, DLL files, and .NET assemblies.
Pe2sh: Converts a standard PE file into shellcode by prepending a custom loader.
Exe2shell: A utility specifically designed to extract and convert executable segments into usable shellcode. 2. Manual C/C++ Extraction
You can write code specifically designed to be extracted as shellcode.
Write PIC Code: Use only local variables and avoid global strings. Manually locate functions using the Process Environment Block (PEB) to find kernel32.dll and GetProcAddress.
Extract the .text Section: Once compiled, use a debugger or tools like objcopy to dump the raw machine instructions from the .text section (the code segment).
Visual Studio Disassembly: Compile your function, set a breakpoint, and use the "Disassembly" view to copy the raw hex bytes. 3. Assembly Language (The Traditional Way)
For absolute control and the smallest size, shellcode is often written directly in Assembly. [IT432] Class 12: Shellcode
A shellcode is just the assembly version of the code calling execve("/bin/sh", ...) as above. United States Naval Academy How to - Convert Quasar RAT into Shellcode with Donut.exe
Let's walk through a practical example using Donut.
In the world of cybersecurity, red teaming, and exploit development, the term "shellcode" conjures images of compact, hex-string blobs that spawn a shell or execute a remote access tool. Traditionally, shellcode is written directly in assembly, painstakingly optimized to be position-independent and free of null bytes. However, modern offensive operations often require complex functionality—file uploads, keylogging, C2 communication over HTTPS, or bypassing specific EDR hooks.
Writing a multi-stage beacon from scratch in assembly is impractical. Enter the technique of converting an existing Windows executable (.exe) into shellcode. This process allows attackers to leverage fully-featured compiled binaries (e.g., a custom messenger.exe or beacon.exe) and inject them directly into memory without touching the disk.
But how does one transform a Portable Executable (PE) into a raw block of position-independent code? This article explores the theory, methods, tooling, and limitations of this conversion.
For this example, let's assume you have a simple EXE file called example.exe. You can create one using a basic C program:
#include <stdio.h>
int main()
printf("Hello, World!\n");
return 0;
Compile it using:
gcc -o example.exe example.c
To convert an EXE, we essentially have to write a custom loader in assembly and prepend it to the raw binary data. This technique is often called Reflective Loading.
Here is the high-level logic required to make an EXE run as shellcode: