Both Donut and sRDI handle this by encoding the embedded PE as raw bytes and referencing them via offsets from the bootstrap code.
Convert the EXE into a Reflective Loader that loads itself. You produce a shellcode that, when executed, reconstructs the original PE in memory and runs it.
Manual conversion is complex, so most practitioners use specialized tools that wrap the EXE with a "stub" (a small piece of code) that acts as a custom loader. convert exe to shellcode
Thus, converting an EXE to shellcode means: extracting the code and data, embedding a custom bootstrap loader, and eliminating header dependencies.
: Compiled C code often uses absolute memory addresses for strings and global variables. Shellcode must use "delta offsets" or relative addressing to find its own data. How to Manually Prepare Code for Shellcode Both Donut and sRDI handle this by encoding
Converting an executable file to shellcode involves disassembling the executable file, modifying the code to create a shellcode, and then assembling the shellcode into a machine code format that can be injected into a process. The goal of this conversion is to create a small, efficient, and stealthy piece of code that can be executed on a vulnerable system.
: Standard EXEs use an IAT to call external functions (like MessageBoxA ). In shellcode, you must find these addresses yourself by parsing the Process Environment Block (PEB) and export tables of DLLs like kernel32.dll . Manual conversion is complex, so most practitioners use
Let’s walk through a realistic example: converting mimikatz.exe to shellcode and injecting it.