Convert Exe To Shellcode May 2026
Converting a Windows executable (EXE) into shellcode is a fundamental technique in offensive security, primarily used to enable position-independent execution of complex payloads. Unlike standard executables, shellcode does not rely on the OS loader to resolve memory addresses or dependencies, making it ideal for process injection and fileless malware delivery. 1. Understanding Position-Independent Code (PIC)
Standard EXEs are typically compiled with hardcoded memory addresses and an Import Address Table (IAT) that requires the Windows Loader (ntdll!LdrLoadDll) to function. To convert an EXE to shellcode, the code must be transformed into Position-Independent Code (PIC). PIC can execute correctly regardless of its absolute address in memory by using relative addressing (RIP-relative in x64) and manually locating required functions in memory via the Process Environment Block (PEB). 2. Common Conversion Techniques
There are several established methods for performing this conversion:
Reflective DLL Injection: This technique involves adding a custom loader to a DLL that allows it to map itself into memory. Tools like the Metasploit Framework use this to inject payloads without touching the disk.
Donut: This is currently the industry standard for converting PE files (EXE, DLL, .NET) into position-independent shellcode. According to researchers at TheWover/donut, it works by creating a VBS/JS/EXE bootstrap that decrypts and loads the original payload directly into memory.
Manual PE Parsing: For custom implementations, developers write a "stub" in assembly or C. This stub parses the PE headers of the embedded EXE, allocates memory using VirtualAlloc, maps the sections, and resolves imports before jumping to the EntryPoint. 3. Implementation Workflow
A typical workflow for converting an EXE into a usable shellcode payload, as outlined by security labs like r19.io, follows these steps:
Generate the Payload: Create the target executable (e.g., a simple calc.exe launcher). Conversion: Use a tool like Donut to wrap the EXE. donut -i payload.exe -f 1 -o payload.bin Use code with caution. Copied to clipboard
Obfuscation: To bypass EDR/Antivirus, the resulting .bin file is often XOR-encoded or encrypted.
Formatting: Convert the binary data into a C-style array (using tools like xxd) for inclusion in a loader.
Execution: A loader is written to inject this shellcode into a target process (like explorer.exe) using APIs such as WriteProcessMemory and CreateRemoteThread. 4. Security Implications and EDR Bypass
The primary reason for EXE-to-shellcode conversion is evasion. Traditional antivirus software often scans files on the disk. By converting an EXE to shellcode, an attacker can: Execute the payload entirely in memory (Fileless). Bypass static signature-based detection.
Utilize Indirect Syscalls to hide the origin of memory allocation and thread creation from EDR hooks. 5. Conclusion
Converting an EXE to shellcode bridges the gap between high-level application development and low-level exploit delivery. While tools like Donut have automated the process, understanding the underlying PE structure and memory management is crucial for developing resilient and stealthy security tools. convert exe to shellcode
Converting an executable (EXE) file into shellcode is a common requirement for security researchers and penetration testers. Shellcode is a payload of machine code that is executed by an exploit to perform a specific task, such as spawning a shell or establishing a reverse connection. Unlike standard executables, shellcode must be position-independent, meaning it can run regardless of where it is loaded in memory. Understanding the Conversion Process
A standard Windows EXE file relies on the Portable Executable (PE) format. This format includes headers, section tables, and import address tables (IAT) that tell the Windows Loader how to map the file into memory and resolve dependencies like kernel32.dll.
Shellcode does not have the luxury of a loader. When you convert an EXE to shellcode, you are essentially extracting the raw machine instructions and ensuring that any external functions the code needs are located manually at runtime, usually through techniques like parsing the Process Environment Block (PEB). Popular Methods to Convert EXE to Shellcode
There are several ways to approach this conversion, ranging from automated tools to manual extraction. 1. Using Donut
Donut is currently the industry standard for this task. It is a position-independent code generator that creates shellcode payloads from PE files, .NET assemblies, and even VBScript.
How it works: Donut wraps the EXE in a "loader" stub. When the shellcode executes, the stub decrypts the EXE, maps it into memory, and executes it.
Key Feature: It supports both x64 and x86 architectures and can bypass many AMSI/ETW security checks. 2. Using PE2SHC
PE2SHC (PE to Shellcode) is a tool designed specifically to make a PE file "self-running" as shellcode.
How it works: It adds a small bootstrap at the beginning of the EXE. When you jump to the start of the file, this bootstrap relocates the rest of the PE structure in memory.
Benefit: It is very lightweight and preserves the original structure of the EXE, making it useful for researchers analyzing malware behavior. 3. Manual Extraction via Hex Editor
For very simple, self-contained programs written in C or Assembly, you can extract the .text section directly.
Process: Compile your code with all optimizations off and no external dependencies. Use a tool like objcopy or a Hex Editor to copy the bytes from the executable's code section.
Limitation: This only works if your code does not use any global variables or external DLL calls, as those addresses will be broken once moved. Key Challenges Converting a Windows executable (EXE) into shellcode is
Size Constraints: Shellcode is often injected into small memory buffers. Large EXEs may not fit.
Null Bytes: Many exploits fail if the shellcode contains null bytes (0x00), as they act as string terminators. You may need to encode your shellcode using tools like Shikata Ga Nai.
Architecture Mismatch: You must ensure the architecture (x86 vs x64) of your shellcode matches the target process you are injecting into. Step-by-Step Guide with Donut If you want the most reliable result, follow these steps: Prepare your EXE: Ensure it is a standalone executable.
Run Donut: Use the command line: donut.exe -i yourfile.exe -o payload.bin.
Test the Output: Use a simple C++ shellcode runner to load payload.bin into memory and execute it to verify functionality. If you'd like to dive deeper, let me know: Are you working with C++ or .NET? Do you need to bypass antivirus (AV) or EDR?
What is the target environment (Windows version, architecture)?
I can provide a specific code snippet for a shellcode runner or explain how to obfuscate the output.
Converting an EXE file to shellcode is not as simple as copying its raw bytes. A standard EXE (Portable Executable) file contains headers, section tables, and external dependencies that require an operating system loader to function. Shellcode, by contrast, must be Position Independent Code (PIC)—it must be able to run from any memory address without relying on fixed offsets or pre-loaded libraries. Core Challenges
The OS Loader: Standard EXEs rely on the OS to set up memory sections and resolve imports (like DLLs).
Hardcoded Addresses: Most compiled EXEs use absolute memory addresses that break if the code is moved.
External Dependencies: Functions like printf or WinExec must be manually located by the shellcode at runtime. Methods for Conversion 1. Using Automated Tools (Recommended)
The most reliable way to convert an existing EXE into shellcode is using tools that wrap the EXE in a "loader stub." This stub acts as a mini-OS loader to handle memory allocation and dependency resolution.
Donut: A popular tool that creates position-independent shellcode payloads from Windows VBScript, JScript, EXE, DLL files, and .NET assemblies. Parameter breakdown:
Pe2sh: Converts a standard PE file into shellcode by prepending a custom loader.
Exe2shell: A utility specifically designed to extract and convert executable segments into usable shellcode. 2. Manual C/C++ Extraction
You can write code specifically designed to be extracted as shellcode.
Write PIC Code: Use only local variables and avoid global strings. Manually locate functions using the Process Environment Block (PEB) to find kernel32.dll and GetProcAddress.
Extract the .text Section: Once compiled, use a debugger or tools like objcopy to dump the raw machine instructions from the .text section (the code segment).
Visual Studio Disassembly: Compile your function, set a breakpoint, and use the "Disassembly" view to copy the raw hex bytes. 3. Assembly Language (The Traditional Way)
For absolute control and the smallest size, shellcode is often written directly in Assembly. [IT432] Class 12: Shellcode
A shellcode is just the assembly version of the code calling execve("/bin/sh", ...) as above. United States Naval Academy How to - Convert Quasar RAT into Shellcode with Donut.exe
Step-by-Step Conversion with Donut
Prerequisites: Download donut.exe from the GitHub releases or compile it yourself.
Command:
donut -f my_payload.exe -o shellcode.bin -a 2 -z 2 -x 1
Parameter breakdown:
-f: Input EXE file.-o: Output raw shellcode file.-a 2: Architecture –1= x86,2= x64,3= x86+x64 (any).-z 2: Compression –1= aPLib,2= LZNT1 (Windows native),0= none.-x 1: Exit method –1= callExitThread,2=ExitProcess, etc.
Example:
donut -f my_beacon.exe -o beacon.bin -a 2 -z 2
After execution, you get beacon.bin – pure shellcode. You can now:
- Inject it using a custom loader (
CreateRemoteThread,QueueUserAPC, etc.). - Embed it in an exploit (e.g., CVE-2021-44228).
- Execute via
shellcodein C2 frameworks like Cobalt Strike.
Prerequisites
- A Windows EXE you want to convert (e.g.,
messagebox.exe). - Donut tool: github.com/TheWover/donut
2. Size Bloat
Donut-compressed shellcode is usually smaller than the original EXE (thanks to LZNT1). However, it can still be 100KB–2MB. Most injection targets (e.g., small buffer overflows) cannot host such large payloads. Consider staged payloads instead.