├── README.md
├── go.mod
├── go.sum
├── main.go
└── rdi
    ├── KaynLdr.x64.dll
    └── reflective_dll.x64.dll


/README.md:
--------------------------------------------------------------------------------
# Doge-RL
Reflective DLL injection Execute

### Usage
```
go build

.\Doge-RL.exe .\rdi\KaynLdr.x64.dll KaynLoader

.\Doge-RL.exe .\rdi\reflective_dll.x64.dll ReflectiveLoader

```

--------------------------------------------------------------------------------
/go.mod:
--------------------------------------------------------------------------------
module github.com/timwhitez/Doge-RL

go 1.19

require github.com/Binject/debug v0.0.0-20211007083345-9605c99179ee

--------------------------------------------------------------------------------
/go.sum:
--------------------------------------------------------------------------------
github.com/Binject/debug v0.0.0-20211007083345-9605c99179ee h1:neBp9wDYVY4Uu1gGlrL+IL4JeZslz+hGEAjBXGAPWak=
github.com/Binject/debug v0.0.0-20211007083345-9605c99179ee/go.mod h1:QzgxDLY/qdKlvnbnb65eqTedhvQPbaSP2NqIbcuKvsQ=

--------------------------------------------------------------------------------
/main.go:
--------------------------------------------------------------------------------
// Command Doge-RL reads a DLL from disk, copies its raw file bytes into a
// newly allocated read/write/execute region of the current process and calls
// one of the DLL's exports at its file offset inside that copy. The DLL is
// never handed to the Windows loader; whatever mapping happens is left to the
// called export (not shown in this file).
package main

import (
	"bytes"
	"fmt"
	"github.com/Binject/debug/pe"
	"os"
	"strings"
	"syscall"
	"unsafe"
)

// main takes the DLL path as the first argument and the export name as the
// second, then runs both loader variants in sequence.
//
// NOTE(review): os.Args is indexed without a length check, so running with
// fewer than two arguments ends in an index-out-of-range panic rather than a
// usage message.
// NOTE(review): Ldr1 and Ldr2 each allocate their own region and call the
// export, so if the first call returns the export is invoked a second time
// from a second copy.
func main() {
	fileName := os.Args[1]
	function0 := os.Args[2]
	buf, e := os.ReadFile(fileName)
	if e != nil {
		panic(e)
	}

	Ldr1(fileName, function0)
	Ldr2(buf, function0)
}

// Ldr1 opens the PE file at path fn, resolves the file offset of the export
// selected by funcn, copies the bytes returned by p.Bytes() into an RWX
// allocation and calls the address base+offset with no arguments.
//
// Every failure path panics; nothing is returned to the caller.
func Ldr1(fn, funcn string) {
	p, e := pe.Open(fn)
	if e != nil {
		panic(e)
	}

	//funcN := "ReflectiveLoader"
	funcN := funcn

	ex, e := p.Exports()
	if e != nil {
		panic(e)
	}
	// The match is a case-insensitive substring test and the loop does not
	// break, so the last export whose name contains funcN wins.
	// NOTE(review): there is no check that any export matched. With no match
	// RDIOffset stays 0 and the call below targets the first byte of the
	// copied file instead of a function.
	var RDIOffset uintptr
	for _, exp := range ex {
		if strings.Contains(strings.ToLower(exp.Name), strings.ToLower(funcN)) {
			RDIOffset = uintptr(rvaToOffset(p, exp.VirtualAddress))
		}
	}
	fmt.Printf("Offset: 0x%x\n", RDIOffset)

	// presumably the file image as binject/debug serialises it, which may
	// differ from the bytes on disk — confirm against the library.
	buf, e := p.Bytes()
	if e != nil {
		panic(e)
	}

	// 0x1000|0x2000 is MEM_COMMIT|MEM_RESERVE. The region is requested as
	// PAGE_EXECUTE_READWRITE up front and is not re-protected afterwards.
	// For detection this is the most visible step: private executable memory
	// with no backing file that is then filled with a PE image is what
	// in-memory scanners and allocation telemetry look for.
	// Only the returned address is checked; the error value from SyscallN is
	// discarded.
	va := syscall.NewLazyDLL("kernel32").NewProc("VirtualAlloc").Addr()
	ba, _, _ := syscall.SyscallN(va, 0, uintptr(len(buf)), 0x1000|0x2000, syscall.PAGE_EXECUTE_READWRITE)
	if ba == 0 {
		panic("VirtualAlloc")
	}
	writeMem(ba, buf)

	// The image is copied in file layout (not mapped by section), which is
	// why the export's file offset, not its RVA, is added to the base.
	Ldr := ba + RDIOffset

	// Transfers control to the export with no arguments; its return values
	// are ignored.
	syscall.SyscallN(Ldr)
}

// Ldr2 does the same as Ldr1 but starts from bytes already in memory: buf is
// parsed with pe.NewFile over a bytes.Reader, and buf itself (not a
// re-serialised copy) is what gets written to the RWX allocation.
//
// Every failure path panics; nothing is returned to the caller.
func Ldr2(buf []byte, funcn string) {
	p, e := pe.NewFile(bytes.NewReader(buf))
	if e != nil {
		panic(e)
	}

	//funcN := "ReflectiveLoader"
	funcN := funcn

	ex, e := p.Exports()
	if e != nil {
		panic(e)
	}
	// Same selection rule as Ldr1: case-insensitive substring, last match
	// wins, and no check that anything matched (offset stays 0 in that case).
	var RDIOffset uintptr
	for _, exp := range ex {
		if strings.Contains(strings.ToLower(exp.Name), strings.ToLower(funcN)) {
			RDIOffset = uintptr(rvaToOffset(p, exp.VirtualAddress))
		}
	}
	fmt.Printf("Offset: 0x%x\n", RDIOffset)

	// MEM_COMMIT|MEM_RESERVE with PAGE_EXECUTE_READWRITE, as in Ldr1; the
	// same unbacked-RWX-region detection signal applies. The error value
	// from SyscallN is discarded and only the address is checked.
	va := syscall.NewLazyDLL("kernel32").NewProc("VirtualAlloc").Addr()
	ba, _, _ := syscall.SyscallN(va, 0, uintptr(len(buf)), 0x1000|0x2000, syscall.PAGE_EXECUTE_READWRITE)
	if ba == 0 {
		panic("VirtualAlloc")
	}
	writeMem(ba, buf)

	Ldr := ba + RDIOffset

	// Older fixed-arity call form; the second argument (nargs) is 0, so the
	// export again receives no arguments and its result is ignored.
	syscall.Syscall(Ldr, 0, 0, 0, 0)
}

// rvaToOffset converts an RVA value from a PE file into the file offset. When using binject/debug, this should work fine even with in-memory files.
//
// It scans the section headers and, for the first section whose virtual range
// contains rva, returns rva - VirtualAddress + Offset. If no section matches,
// rva is returned unchanged.
//
// NOTE(review): both bounds are strict, so an rva exactly equal to a
// section's VirtualAddress matches no section and is returned untranslated.
// NOTE(review): VirtualAddress+VirtualSize is summed before the widening to
// uint64; if those fields are uint32 (as in the standard debug/pe) the sum
// can wrap for malformed headers — confirm.
func rvaToOffset(pefile *pe.File, rva uint32) uint32 {
	for _, hdr := range pefile.Sections {
		baseoffset := uint64(rva)
		if baseoffset > uint64(hdr.VirtualAddress) &&
			baseoffset < uint64(hdr.VirtualAddress+hdr.VirtualSize) {
			return rva - hdr.VirtualAddress + hdr.Offset
		}
	}
	return rva
}

// writeMem copies inbuf one byte at a time to the raw address destination.
//
// Nothing here verifies that len(inbuf) bytes are writable at destination;
// the callers in this file pass a VirtualAlloc result sized to the buffer.
// The index is a uint32, so the length is truncated to 32 bits.
func writeMem(destination uintptr, inbuf []byte) {
	for index := uint32(0); index < uint32(len(inbuf)); index++ {
		// uintptr arithmetic converted back to unsafe.Pointer: the target is
		// treated as memory outside Go's allocator.
		writePtr := unsafe.Pointer(destination + uintptr(index))
		v := (*byte)(writePtr)
		*v = inbuf[index]
	}
}

--------------------------------------------------------------------------------
/rdi/KaynLdr.x64.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/timwhitez/Doge-RL/d74772bb74951ffceb921737d87567fdb522e297/rdi/KaynLdr.x64.dll
--------------------------------------------------------------------------------
/rdi/reflective_dll.x64.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/timwhitez/Doge-RL/d74772bb74951ffceb921737d87567fdb522e297/rdi/reflective_dll.x64.dll
--------------------------------------------------------------------------------