IronPE is a minimal, low-level Windows PE manual loader written in Rust. It serves as a manual mapping implementation that allows for the execution of Portable Executables directly from memory, bypassing traditional disk-based loading mechanisms and mimicking the behavior of the native Windows loader.
Key Features
- Supports both x86 and x64 architecture PE files for versatile manual mapping.
- Implements manual section mapping and handles complex base relocations.
- Resolves imports dynamically using LoadLibrary and GetProcAddress to prepare the binary for execution.
- Transfers execution flow directly to the Original Entry Point (OEP) from memory.
- Developed in Rust to provide memory safety while maintaining low-level system access.
Use Cases
- Red team operations requiring fileless execution of offensive binaries to evade disk-based detection.
- Development of custom loaders and staging payloads to bypass EDR/AV monitoring of standard process creation.
- Educational research into Windows PE internals and manual mapping techniques for malware analysis.
- Post-exploitation workflows where loading tools like Mimikatz directly into memory is required.
