ExeMorph is a next-generation security tool designed to transform Windows DLLs into fully functional, standalone EXE binaries. Unlike simple header patchers, ExeMorph employs deep PE analysis to intelligently select export candidates, generate custom bootstrap loaders, and seamlessly reconstruct the execution flow.
Built for malware analysts, red teamers, and reverse engineers, it turns static libraries into dynamic executables for easier debugging, behavioral analysis, and payload weaponization.
- 🔍 Intelligent Analysis: Automatically parses PE headers and Export Tables to score and rank potential entry points (exports/DllMain).
- 🛠️ Seamless Conversion: Transforms a DLL into a valid EXE with a single command, handling all PE characteristic updates.
- 💉 Custom Loader Engine: Injects a robust, assembly-based bootstrap stub (x64) that initializes the CRT and resolves imports before execution.
- 🧩 Smart Header Manipulation: Dynamically adds PE sections (
.morph) and realigns virtual addresses to ensure stability. - 🛡️ Stealth & Precision: Operates with minimal artifacts, preserving the original specialized logic of the targeted DLL.
ExeMorph operates in a four-stage pipeline to ensure a stable transformation:
graph TD
A[Input DLL] -->|1. Parse & validate| B(Analysis Engine)
B -->|2. Score Exports| C{Entry Candidate}
C -->|3. Generate Stub| D[Loader Engineering]
D -->|4. Section Injection| E(Transformation)
E -->|5. Patch PE Header| F[Standalone EXE]
- Analysis: The engine inspects the DLL, identifying the architecture (x64/x86) and enumerating exported functions.
- Selection: Users (or the auto-scorer) select the best export to serve as the new main entry point.
- Loader Generation: A position-independent shellcode stub is generated to set up the stack, align registers, and call the target function.
- Transformation: The PE header is patched (stripping
IMAGE_FILE_DLL), a new.morphsection is injected with the loader, and the Entry Point (OEP) is redirected.
- Go 1.22+ installed on your machine.
- Mingw-w64 (optional, for compiling test DLLs locally).
Install the latest version directly via go install:
go install github.com/ismailtsdln/ExeMorph/cmd/exemorph@latestOr build from source:
git clone https://github.com/ismailtsdln/ExeMorph.git
cd ExeMorph
go build -o exemorph cmd/exemorph/main.goExeMorph features a modern, intuitive CLI.
Before converting, inspect the DLL to find suitable export functions.
exemorph analyze payload.dllOutput:
Analyzing payload.dll...
Architecture: x64
Is DLL: true
Execution Candidates:
TYPE NAME ADDRESS SCORE
Export RunPayload 0x1020 1.00
Export ReflectiveLdr 0x1540 0.85
Main DllMain 0x1000 0.50
Convert the DLL into an EXE, specifying the desired entry point.
exemorph build payload.dll --entry RunPayload -o payload.exe--entry: The name of the exported function to execute (optional).-o: (Optional) Output filename. Defaults to<input>.exe.
Run the resulting executable on a Windows machine (or Wine):
./payload.exeExeMorph is intended for educational purposes, security research, and authorized red teaming engagements only.
Misuse of this software to violate the law is strictly prohibited. The authors are not responsible for any illegal use of this tool. Always obtain proper authorization before testing on external systems.
Distributed under the MIT License. See LICENSE for more information.