finds.dev← search

// the find

hasherezade/pe_to_shellcode

★ 2,779 · C++ · BSD-2-Clause · updated Aug 2025

Converts PE into a shellcode

pe_to_shellcode converts a Windows PE binary into position-independent shellcode by prepending a reflective loader stub, while keeping the output valid as a standard PE. It's a post-compilation alternative to ReflectiveDLLInjection aimed at red teamers and malware researchers who need to inject executables without a separate PE loader. Supports both 32-bit and 64-bit targets.

The dual-valid-output trick is genuinely clever — the converted file runs normally as a PE and also executes correctly when injected as raw shellcode, so you don't need two separate build artifacts. Two loader stubs (v1 in MASM, v2 in C++) give you options depending on your build environment. Built on hasherezade's libpeconv, which is well-tested PE manipulation code rather than a hand-rolled parser. CMake build with AppVeyor CI means it actually builds reproducibly, which is more than most tools in this space bother with.

No exception directory support is a hard wall — any non-trivial C++ binary that uses SEH or C++ exceptions will crash at runtime, silently, which wastes a lot of time during testing. Delay-load imports are also unsupported, and those show up more often than you'd expect in modern Windows binaries. There's no automated test coverage for the conversion correctness itself — the tests directory has cases for specific behaviors but nothing that validates a broad corpus of real-world PEs. Documentation on what exactly gets patched in the PE header is thin; you have to read the stub source to understand what assumptions the loader makes about memory layout.

View on GitHub → Homepage ↗

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.

Get finds in your inbox → Search again →