Run In-Memory PE (Base64)

Description

Decodes a base64-encoded PE file and executes it reflectively in memory with optional command-line arguments.


Decodes a base64 string into raw PE bytes and executes the resulting executable reflectively in memory using Invoke-InMemoryPE. No file is ever written to disk.

Arguments

Name          Type      Required  Description
Base64PE      string    yes       Base64-encoded PE file bytes (the entire EXE).
ArgumentList  string[]  no        Arguments to pass on the PE's command line.
Capture       bool      no        Run on a background thread and capture stdout/stderr. Defaults to $true. Strongly recommended: direct mode does not intercept ExitProcess and will tear down the host if the PE exits.
Timeout       int       no        Wait timeout in milliseconds. -1 = infinite (default). Only meaningful when Capture=$true.

Dependencies

  • lateral module (Invoke-InMemoryPE / RunPELoader).

OS Support

  • Windows only. Architecture of the PE must match the host process (x64 PE in x64 implant, x86 PE in x86 implant) or PEArchitectureMismatch is thrown.

Notes

  • Capture=$true returns a PEExecutionResult with ExitCode and captured Output. Use this for console tools.
  • Capture=$false runs the PE inline on the host thread. Faster, but unsafe for any PE that calls ExitProcess, which includes most console programs because the C runtime calls it when main returns; the implant process terminates along with the PE.
  • For very large payloads, prefer staging the bytes via a dedicated transport rather than embedding them in the script argument.

Example

$b64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\tools\whoami.exe'))
# Pass $b64 as Base64PE, ArgumentList = @('/all')
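The following is an added operator-side helper, not part of the lateral module or of Invoke-InMemoryPE. It validates a PE before it is encoded: it parses the DOS and COFF headers to confirm the file is an EXE whose Machine field matches the implant's architecture (so the command does not fail with PEArchitectureMismatch after the payload has been transferred), warns when the base64 blob is large enough that a dedicated transport would be preferable, and returns the four argument values this command accepts. The function name, the -HostArchitecture parameter, the 1 MB warning threshold and the file path are assumptions for illustration.

```powershell
# Added example (not from the lateral module). Validates a PE and prepares the
# Base64PE / ArgumentList / Capture / Timeout values for the command.
function ConvertTo-InMemoryPEArgs {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$ArgumentList = @(),
        # Architecture of the implant process the PE will run in. Defaults to the
        # current process, which is only right when this runs on the implant host.
        [ValidateSet('x64', 'x86')]
        [string]$HostArchitecture = $(if ([Environment]::Is64BitProcess) { 'x64' } else { 'x86' })
    )

    $bytes = [IO.File]::ReadAllBytes($Path)

    # DOS header: 'MZ' magic; e_lfanew at offset 0x3C points to the PE header.
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not a PE file (missing MZ header)."
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset -le 0 -or ($peOffset + 24) -gt $bytes.Length -or
        [BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {   # 'PE\0\0'
        throw "$Path has no valid PE signature."
    }

    # IMAGE_FILE_HEADER.Machine sits right after the 4-byte signature.
    $machine = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    $peArch = switch ($machine) {
        0x8664  { 'x64' }                       # IMAGE_FILE_MACHINE_AMD64
        0x014C  { 'x86' }                       # IMAGE_FILE_MACHINE_I386
        default { '0x{0:X4}' -f $machine }
    }
    if ($peArch -ne $HostArchitecture) {
        throw "Architecture mismatch: PE is $peArch, implant is $HostArchitecture (the command would throw PEArchitectureMismatch)."
    }

    # IMAGE_FILE_HEADER.Characteristics is at +22; IMAGE_FILE_DLL (0x2000) marks a DLL.
    $characteristics = [BitConverter]::ToUInt16($bytes, $peOffset + 22)
    if ($characteristics -band 0x2000) {
        throw "$Path is a DLL; Base64PE expects an executable."
    }

    $b64 = [Convert]::ToBase64String($bytes)
    # Base64 inflates the payload by roughly a third; big blobs belong on a dedicated
    # transport rather than inside the script argument. 1 MB is an assumed threshold.
    if ($b64.Length -gt 1MB) {
        Write-Warning ("Encoded payload is {0:N0} characters; consider staging it instead of embedding it." -f $b64.Length)
    }

    [ordered]@{
        Base64PE     = $b64
        ArgumentList = $ArgumentList
        Capture      = $true      # capture mode keeps ExitProcess from tearing down the implant
        Timeout      = 30000      # milliseconds; -1 waits indefinitely
    }
}

# Usage (path is a placeholder): validate a 64-bit whoami.exe for an x64 implant.
$peArgs = ConvertTo-InMemoryPEArgs -Path 'C:\tools\whoami.exe' -ArgumentList @('/all') -HostArchitecture 'x64'
# Pass $peArgs.Base64PE as Base64PE, $peArgs.ArgumentList as ArgumentList,
# $peArgs.Capture as Capture and $peArgs.Timeout as Timeout.
```

Run this on the operator side with -HostArchitecture set to the implant's bitness rather than trusting the default, which reflects the PowerShell process doing the encoding; a 32-bit tool encoded on an x64 workstation still has to go into an x86 implant.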

Example output (Capture mode)

ExitCode : 0
Output   : USER INFORMATION
           ----------------
           DEV\helpdesk ...
TimedOut : False