https://github.com/sammwyy/memdrop
In-memory PE loader and executor
loader pe pe-file pe-loader pe64
Last synced: 5 months ago
- Host: GitHub
- URL: https://github.com/sammwyy/memdrop
- Owner: sammwyy
- License: mit
- Created: 2025-04-07T13:55:43.000Z (9 months ago)
- Default Branch: main
- Last Pushed: 2025-04-07T13:55:51.000Z (9 months ago)
- Last Synced: 2025-05-10T23:32:21.575Z (8 months ago)
- Topics: loader, pe, pe-file, pe-loader, pe64
- Language: C++
- Homepage:
- Size: 20.5 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.txt
README
# 🧠 memdrop
A C++ project for loading and executing Windows `.exe` binaries directly from memory using PE header parsing and in-memory relocation. This tool is ideal for experimentation with fileless binary execution and studying Windows PE internals.
---
## 📦 Features
- Load `.exe` binaries from a C++ array (no file on disk)
- Parse and handle PE headers
- Support for relocations and imports
- Executes the entry point of the loaded executable
- Works with GUI and console applications
- Cross-compilation support with `MinGW` (for Windows)
---
## 🛠 How It Works
1. Use the Python script `exe_to_array.py` to convert your `.exe` file into a C++ `unsigned char[]`.
2. The resulting array is saved to `bindata.cpp` as `unsigned char exeBinary[]`.
3. In `memdrop.cpp`, the array is loaded and parsed as a PE image.
4. Sections and headers are copied into memory using `VirtualAlloc`.
5. The binary is relocated, imports resolved, and memory protection adjusted.
6. The executable is run directly from memory.
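
A defender's view of steps 2 to 4, as an added example that is not part of the memdrop repository: because the payload is stored as a plain byte array, the built loader carries a second PE image at a nonzero offset, which a static scan can find. All function names and the sample blob below are constructed for illustration.

```python
import struct

MACHINES = {0x014C: "x86", 0x8664: "x64"}
MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}  # IMAGE_OPTIONAL_HEADER magic values

def parse_pe_at(blob, base):
    """Return header facts if a plausible PE image starts at base, else None."""
    if base + 0x40 > len(blob):              # IMAGE_DOS_HEADER is 64 bytes
        return None
    (e_lfanew,) = struct.unpack_from("<I", blob, base + 0x3C)
    nt = base + e_lfanew
    # Need signature (4) + IMAGE_FILE_HEADER (20) + optional header magic (2).
    # Heuristic: compiler-produced images place the NT headers after the DOS header.
    if e_lfanew < 0x40 or nt + 26 > len(blob) or blob[nt:nt + 4] != b"PE\0\0":
        return None
    machine, nsections = struct.unpack_from("<HH", blob, nt + 4)
    (magic,) = struct.unpack_from("<H", blob, nt + 24)
    if magic not in MAGICS or not 0 < nsections <= 96:  # loader caps sections at 96
        return None
    return {"offset": base, "machine": MACHINES.get(machine, hex(machine)),
            "format": MAGICS[magic], "sections": nsections}

def find_embedded_pe(blob, skip_offset_zero=True):
    """List PE images inside blob; offset 0 is the carrier file itself."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        hit = parse_pe_at(blob, pos)
        if hit and not (skip_offset_zero and pos == 0):
            hits.append(hit)
        pos = blob.find(b"MZ", pos + 1)
    return hits

def constructed_header(machine=0x8664, magic=0x20B, nsections=3):
    """Constructed 90-byte PE header stub (not a runnable executable)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    file_hdr = struct.pack("<HHIIIHH", machine, nsections, 0, 0, 0, 0xF0, 0x22)
    return bytes(dos) + b"PE\0\0" + file_hdr + struct.pack("<H", magic)

# Constructed sample: filler, a decoy "MZ" string, then an embedded header stub.
SAMPLE = b"\0" * 0x200 + b"MZ decoy" + b"\0" * 0x100 + constructed_header() + b"\0" * 0x40

if __name__ == "__main__":
    for hit in find_embedded_pe(SAMPLE):
        print(hit)
```

The scan only matches a payload stored in the clear, which is the layout the steps above describe.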
---
## ⚠️ Disclaimer
This tool is provided for educational purposes only. Do not use this in real environments without permission. Memory execution can be considered suspicious or malicious behavior by antivirus software.
## 📄 License
MIT License. See [LICENSE](LICENSE) file for details.