# Shellcode reflective DLL injection in Rust

For a more comprehensive view into the implementation, check out [this blog post](https://golfed.xyz/posts/understanding-srdi/).

### Project Structure

```shell
.
├── generator          # Shellcode generator (ties together bootstrap, loader, payload, and user data)
├── injector           # PoC injector (CreateRemoteThread)
├── payload            # PoC payload (calc.exe or MessageBoxW based on generator's flag)
├── reflective_loader  # sRDI implementation
└── common             # Common XOR and hashing functions
```

### Features

- ~14 kB reflective loader
- Hashed import names & indirect function calls
- XOR encrypted payload shellcode
- Shuffled and delayed import directory table (IDT) iteration during IAT patching

### Usage

The following command compiles the DLLs and executables into `target/release/`:

```shell
$ cargo build --release
```

1. Generate shellcode containing the loader and the payload:

```
Usage: generator.exe [OPTIONS] --loader --payload --function --parameter --output

Options:
  -l, --loader     Path to the sRDI loader DLL
  -p, --payload    Path to the payload DLL
  -f, --function   Name of the function to call in the payload DLL
  -n, --parameter  Parameter to pass to the function
  -o, --output     Path to the output file
      --flag       Flag to pass to the loader (by default DllMain is called) [default: 0]
  -h, --help       Print help
  -V, --version    Print version
```

2. Inject the created shellcode into the target process:

```
Usage: poc-injector.exe -p -s -k
```

3. Depending on the flag passed to the generator, the loader either calls the payload's `DllMain` with `DLL_PROCESS_ATTACH` (flag 0, the default) or calls the user-specified function with the given parameter (flag 1):
Payload's `DllMain` execution with the default flag (0).

Payload's user-defined function execution with the modified flag (1).
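The two loader techniques listed under Features, resolving imports by a hash of the export name instead of a plaintext string and XOR-encrypting the payload so it sits in the shellcode blob as opaque bytes, are shown below as an added, stand-alone example. It is not the project's own code: the djb2-style hash, the key, the payload bytes and the export table are assumptions constructed for illustration, and the real loader walks a PE export directory rather than a `Vec`.

```rust
// Added illustrative example (not the project's implementation).
// Hash function, key, payload bytes and export table are constructed assumptions.

/// Case-insensitive djb2-style hash of an export name. A loader embeds only this
/// u32 per import it needs, so the API names never appear in the shellcode.
pub fn hash_name(name: &str) -> u32 {
    name.bytes().fold(5381u32, |h, b| {
        h.wrapping_mul(33) ^ (b.to_ascii_uppercase() as u32)
    })
}

/// Constructed stand-in for a module's export table: (name, address).
pub fn sample_exports() -> Vec<(&'static str, u64)> {
    vec![
        ("LoadLibraryA", 0x7ff8_0001_1000),
        ("GetProcAddress", 0x7ff8_0001_2000),
        ("VirtualAlloc", 0x7ff8_0001_3000),
    ]
}

/// Walk the export table and return the address whose name hashes to `wanted`.
/// Returns None when no export matches, which a loader must treat as fatal.
pub fn resolve_by_hash(exports: &[(&str, u64)], wanted: u32) -> Option<u64> {
    exports
        .iter()
        .find(|(name, _)| hash_name(name) == wanted)
        .map(|(_, addr)| *addr)
}

/// XOR `buf` with a repeating key in place. Applying it twice restores the
/// original, so one routine serves both the generator (encrypt) and the
/// loader (decrypt before mapping the payload).
pub fn xor_in_place(buf: &mut [u8], key: &[u8]) {
    assert!(!key.is_empty(), "XOR key must not be empty");
    for (i, b) in buf.iter_mut().enumerate() {
        *b ^= key[i % key.len()];
    }
}

/// Encrypt, then decrypt, a copy of `plain`; returns the ciphertext and
/// whether the round trip reproduced the plaintext.
pub fn xor_roundtrip(plain: &[u8], key: &[u8]) -> (Vec<u8>, bool) {
    let mut buf = plain.to_vec();
    xor_in_place(&mut buf, key);
    let cipher = buf.clone();
    xor_in_place(&mut buf, key);
    (cipher, buf == plain)
}

fn main() {
    let exports = sample_exports();
    let wanted = hash_name("GetProcAddress");
    println!("hash(GetProcAddress) = {:#010x}", wanted);
    match resolve_by_hash(&exports, wanted) {
        Some(addr) => println!("resolved to {:#x}", addr),
        None => println!("export not found"),
    }

    // Constructed stand-in for payload bytes (an MZ header prefix).
    let payload = b"MZ\x90\x00\x03\x00\x00\x00payload-bytes";
    let key = b"k3y!";
    let (cipher, ok) = xor_roundtrip(payload, key);
    println!("ciphertext starts {:02x?}, round trip ok = {}", &cipher[..4], ok);
}
```

A single-byte or short repeating XOR key is an obfuscation step against string scanning, not confidentiality: the key travels inside the same blob, so anyone who can read the shellcode can recover the payload.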
### Credits

- Stephen Fewer ([@stephenfewer](https://github.com/stephenfewer)) for reflective DLL injection
- Nick Landers ([@monoxgas](https://github.com/monoxgas)) for the shellcode generator
- [@memN0ps](https://github.com/memN0ps) for the bootstrap shellcode