[Tools] IronPE—Minimal Windows PE manual loader written in Rust

First Post:

Last Update:

Word Count:
308

Read Time:
1 min

Introduction

IronPE is a minimal Windows PE manual loader written in Rust for both x86 and x64 PE files.

This project is a Rust reimplementation of my previous project dotNetPELoader, which implemented a manual PE loader in C#.

The goal of IronPE is to explore how Windows loads Portable Executables internally and to demonstrate how this process can be implemented in Rust.


Waaaahhhhhhh!

If you find this project useful or informative, a ⭐ would be appreciated!

GitHub: https://github.com/iss4cf0ng/IronPE

Disclaimer

This project is intended for educational and research purposes only.

It is designed to help understand:

  • Windows PE internals
  • Manual loading techniques
  • Reverse engineering concepts

Features

  • Manual PE loading
  • Section mapping
  • Base relocations
  • Import resolution
  • Execute PE from memory
  • x86 and x64 PE support

Background

This project was inspired by my previous implementation:

In that project, I implemented a PE loader using .NET and WinAPI.
IronPE rewrites the same concept in Rust, which provides better memory safety while still allowing low-level Windows API access.

The purpose of this project is educational, to better understand:

  • PE file structure
  • Windows loader behavior
  • Manual PE mapping techniques

How It Works

IronPE performs the following steps to execute a PE file from memory:

  1. Read PE file into memory
  2. Parse PE headers
  3. Allocate memory using VirtualAlloc
  4. Copy PE headers and sections
  5. Apply base relocations
  6. Resolve imports using LoadLibrary and GetProcAddress
  7. Transfer execution to the Original Entry Point (OEP)

This process mimics the behavior of the Windows PE loader.

An x64 PE cannot be loaded by an x86 loader, and vice versa.

Build

Requirements:

  • Rust (cargo, rustc)
  • Windows

Build the project:

1
2
cd IronPE
build.bat

Usage

1
2
3
IronPE.exe --coffee
IronPE.exe --x86 <x86_pe_file>
IronPE.exe --x64 <x64_pe_file>

Example:

1
2
IronPE.exe --x86 Win32\mimikatz.exe
IronPE.exe --x64 x64\mimikatz.exe

Demo (Running mimikatz)

x86

x64

Unmatched Loader and PE Architecture (Error)

THANKS FOR READING