Exe2Mem is a next-generation C++23 framework designed for transforming standard Windows Portable Executable (PE) files into memory-native executable blobs. It provides a robust pipeline for decoupling executables from the disk, enabling direct memory execution through advanced transformation and loader engineering.
- Dual Architecture Support: Seamlessly parses both x86 and x64 Windows binaries.
- Deep Structure Validation: Security-focused validation against section overlaps, malformed headers, and OOB data.
- Rich Metadata Extraction: Automated parsing of Imports (ILT/IAT), Relocations, and TLS Callbacks.
- Memory Image Synthesis: Reconstructs the PE layout into a functional memory-mapped state.
- Intelligent Relocation: Advanced engine supporting `DIR64`, `HIGHLOW`, `HIGH`, and `LOW` base relocation types.
- Metadata Serialization: Structured serialization of import requirements for the runtime loader.
- Entry Point Virtualization: CLI-driven redirection of image entry points.
- Custom API Resolution: Modular `GetProcAddress` and `GetModuleHandle` abstractions for stealth.
- On-the-fly IAT Patching: Dynamic Import Address Table resolution at execution time.
- Environment Orchestration: Handles TLS initialization and secure entry point dispatching.
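
The "Deep Structure Validation" item above names section overlaps and out-of-bounds data as the checks a PE consumer needs before trusting section headers. The sketch below is an added example, not code from the Exe2Mem repository: `Section`, `SectionError` and `validate_sections` are hypothetical names, the sample values are constructed, and rounding of virtual sizes to `SectionAlignment` is left out for brevity.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Subset of IMAGE_SECTION_HEADER fields needed for bounds checks (hypothetical struct).
struct Section {
    uint32_t virtual_address;  // RVA of the section in the mapped image
    uint32_t virtual_size;     // size once mapped
    uint32_t raw_offset;       // PointerToRawData
    uint32_t raw_size;         // SizeOfRawData
};

enum class SectionError { Ok, RawOutOfBounds, VirtualOutOfBounds, VirtualOverlap };

// True when [off, off + len) fits inside [0, limit). The sum is done in
// 64 bits so a huge 32-bit offset cannot wrap around and pass the check.
static bool in_bounds(uint32_t off, uint32_t len, uint64_t limit) {
    return static_cast<uint64_t>(off) + len <= limit;
}

SectionError validate_sections(std::vector<Section> secs, uint64_t file_size,
                               uint32_t size_of_image) {
    for (const Section& s : secs) {
        // Raw data must lie inside the file; raw_size == 0 (e.g. .bss) has none.
        if (s.raw_size != 0 && !in_bounds(s.raw_offset, s.raw_size, file_size))
            return SectionError::RawOutOfBounds;
        if (!in_bounds(s.virtual_address, s.virtual_size, size_of_image))
            return SectionError::VirtualOutOfBounds;
    }
    // Sort by RVA so each section only needs comparing with its predecessor.
    std::sort(secs.begin(), secs.end(), [](const Section& a, const Section& b) {
        return a.virtual_address < b.virtual_address;
    });
    for (std::size_t i = 1; i < secs.size(); ++i) {
        uint64_t prev_end = static_cast<uint64_t>(secs[i - 1].virtual_address) +
                            secs[i - 1].virtual_size;
        if (secs[i].virtual_address < prev_end) return SectionError::VirtualOverlap;
    }
    return SectionError::Ok;
}

int main() {
    // Constructed sample: second section's raw offset would wrap in 32-bit math.
    std::vector<Section> secs = {{0x1000, 0x500, 0x400, 0x600},
                                 {0x2000, 0x200, 0xFFFFFF00u, 0x200}};
    std::printf("result=%d\n", static_cast<int>(validate_sections(secs, 0xC00, 0x3000)));
    return 0;
}
```

The 64-bit sum in `in_bounds` is the important detail: with 32-bit arithmetic, an offset of `0xFFFFFF00` plus a size of `0x200` wraps to `0x100` and would pass a naive `offset + size <= file_size` test.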
The following diagram illustrates the data flow from a raw PE file to a memory-native execution blob.
```mermaid
graph TD
    A[Raw PE File] --> B[PeParser Engine]
    B --> C[PeValidator]
    C --> D{Transformation Pipeline}
    subgraph "Transformation Pipeline"
        D --> E[MemoryLayoutBuilder]
        D --> F[RelocationEngine]
        D --> G[ImportResolver]
        D --> H[EntryPointRewriter]
    end
    E & F & G & H --> I[ExecutionBlobGenerator]
    I --> J[Final Execution Blob]
    subgraph "Runtime Execution"
        J --> K[RuntimeStub]
        K --> L[ApiResolver]
        L --> M[IAT Patching]
        M --> N[EntryDispatcher]
        N --> O[Active Memory Image]
    end
```
- Compiler: C++23 compatible compiler (Visual Studio 2022, Clang 17+, or GCC 13+)
- Build System: CMake 3.20 or later
```bash
# Clone the repository
git clone https://github.com/ismailtsdln/Exe2Mem.git
cd Exe2Mem

# Create build directory
mkdir build && cd build

# Configure and build
cmake ..
cmake --build . --config Release
```

The Exe2Mem CLI is the primary interface for transforming binaries.

Transform a standard EXE into a memory blob:

```bash
./exe2mem_cli target.exe output.bin
```

Redirect the image entry point to a specific RVA:

```bash
./exe2mem_cli target.exe output.bin --entry 0x1234
```

| Directory | Description |
|---|---|
| `core/` | Core PE analysis engine and validation logic. |
| `transform/` | Transformation pipeline and blob generation. |
| `loader/` | Runtime loader stubs and API resolution. |
| `cli/` | Command-line interface implementation. |
| `tests/` | Comprehensive unit and E2E verification tests. |

Warning
Exe2Mem is intended for authorized security research, red team simulations, and educational purposes only. Using this tool against targets without prior explicit authorization is illegal and unethical. The authors assume no liability for misuse of this project.
Distributed under the MIT License. See LICENSE for more information.
Developed with ❤️ by Ismail Tasdelen