{
	"id": "706fe755-48c7-4d19-a1b4-a0f2c74e47ad",
	"created_at": "2026-04-06T00:08:59.467772Z",
	"updated_at": "2026-04-10T03:21:55.180432Z",
	"deleted_at": null,
	"sha1_hash": "a5f6f71447fc2495ec8f71b75295f802c593e4dd",
	"title": "GitHub - monoxgas/sRDI: Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65779,
	"plain_text": "GitHub - monoxgas/sRDI: Shellcode implementation of Reflective\r\nDLL Injection. Convert DLLs to position independent shellcode\r\nBy monoxgas\r\nArchived: 2026-04-05 15:40:45 UTC\r\nsRDI allows for the conversion of DLL files to position independent shellcode. It attempts to be a fully functional\r\nPE loader supporting proper section permissions, TLS callbacks, and sanity checks. It can be thought of as a\r\nshellcode PE loader strapped to a packed DLL.\r\nFunctionality is accomplished via two components:\r\nC project which compiles a PE loader implementation (RDI) to shellcode\r\nConversion code which attaches the DLL, RDI, and user data together with a bootstrap\r\nThis project is comprised of the following elements:\r\nShellcodeRDI: Compiles shellcode for the DLL loader\r\nNativeLoader: Converts DLL to shellcode if neccesarry, then injects into memory\r\nDotNetLoader: C# implementation of NativeLoader\r\nPython\\ConvertToShellcode.py: Convert DLL to shellcode in place\r\nPython\\EncodeBlobs.py: Encodes compiled sRDI blobs for static embedding\r\nPowerShell\\ConvertTo-Shellcode.ps1: Convert DLL to shellcode in place\r\nFunctionTest: Imports sRDI C function for debug testing\r\nTestDLL: Example DLL that includes two exported functions for call on Load and after\r\nThe DLL does not need to be compiled with RDI, however the technique is cross compatiable.\r\nUse Cases / Examples\r\nBefore use, I recommend you become familiar with Reflective DLL Injection and it's purpose.\r\nConvert DLL to shellcode using python\r\nfrom ShellcodeRDI import *\r\ndll = open(\"TestDLL_x86.dll\", 'rb').read()\r\nshellcode = ConvertToShellcode(dll)\r\nLoad DLL into memory using C# loader\r\nhttps://github.com/monoxgas/sRDI\r\nPage 1 of 4\n\nDotNetLoader.exe TestDLL_x64.dll\r\nConvert DLL with python script and load with Native EXE\r\npython ConvertToShellcode.py TestDLL_x64.dll\r\nNativeLoader.exe TestDLL_x64.bin\r\nConvert DLL with powershell and load with Invoke-Shellcode\r\nImport-Module .\\Invoke-Shellcode.ps1\r\nImport-Module .\\ConvertTo-Shellcode.ps1\r\nInvoke-Shellcode -Shellcode (ConvertTo-Shellcode -File TestDLL_x64.dll)\r\nFlags\r\nThe PE loader code uses flags argument to control the various options of loading logic:\r\nSRDI_CLEARHEADER [0x1]: The DOS Header and DOS Stub for the target DLL are completley wiped with\r\nnull bytes on load (Except for e_lfanew). This might cause issues with stock windows APIs when\r\nsupplying the base address as a psuedo HMODULE .\r\nSRDI_CLEARMEMORY [0x2]: After calling functions in the loaded module ( DllMain and any exports), the\r\nDLL data will be cleared from memory. This is dangerous if you expect to continue executing code out of\r\nthe module (Threads / GetProcAddressR ).\r\nSRDI_OBFUSCATEIMPORTS [0x4]: The order of imports in the module will be randomized before starting\r\nIAT patching. Additionally, the high 16 bits of the flag can be used to store the number of seconds to pause\r\nbefore processing the next import. For example, flags | (3 \u003c\u003c 16) will pause 3 seconds between every\r\nimport.\r\nSRDI_PASS_SHELLCODE_BASE [0x8]: As opposed to passing supplied user data to the exported function,\r\nsRDI will instead pass the base address of the currently executing shellcode block. This can be useful for\r\nself-cleanup inside more advanced modules.\r\nBuilding\r\nThis project is built using Visual Studio 2019 (v142) and Windows SDK 10. The python script is written using\r\nPython 3.\r\nThe Python and Powershell scripts are located at:\r\nPython\\ConvertToShellcode.py\r\nPowerShell\\ConvertTo-Shellcode.ps1\r\nAfter building the project, the other binaries will be located at:\r\nhttps://github.com/monoxgas/sRDI\r\nPage 2 of 4\n\nbin\\NativeLoader.exe\r\nbin\\DotNetLoader.exe\r\nbin\\TestDLL_\u003carch\u003e.dll\r\nbin\\ShellcodeRDI_\u003carch\u003e.bin\r\nIf you would like to update the static blobs inside any of the tools:\r\n\u003e python .\\lib\\Python\\EncodeBlobs.py -h\r\nusage: EncodeBlobs.py [-h] solution_dir\r\nsRDI Blob Encoder\r\npositional arguments:\r\n solution_dir Solution Directory\r\noptional arguments:\r\n -h, --help show this help message and exit\r\n\u003e python lib\\Python\\EncodeBlobs.py C:\\code\\srdi\r\n[+] Updated C:\\code\\srdi\\Native/Loader.cpp\r\n[+] Updated C:\\code\\srdi\\DotNet/Program.cs\r\n[+] Updated C:\\code\\srdi\\Python/ShellcodeRDI.py\r\n[+] Updated C:\\code\\srdi\\PowerShell/ConvertTo-Shellcode.ps1\r\nAlternatives\r\nIf you find my code disgusting, or just looking for an alternative memory-PE loader project, check out some of\r\nthese:\r\nhttps://github.com/fancycode/MemoryModule - Probably one of the cleanest PE loaders out there, great\r\nreference.\r\nhttps://github.com/TheWover/donut - Want to convert .NET assemblies? Or how about JScript?\r\nhttps://github.com/hasherezade/pe_to_shellcode - Generates a polymorphic PE+shellcode hybrids.\r\nhttps://github.com/DarthTon/Blackbone - Large library with many memory hacking/hooking primitives.\r\nCredits\r\nThe basis of this project is derived from \"Improved Reflective DLL Injection\" from Dan Staples which itself is\r\nderived from the original project by Stephen Fewer.\r\nThe project framework for compiling C code as shellcode is taken from Mathew Graeber's reasearch\r\n\"PIC_BindShell\"\r\nhttps://github.com/monoxgas/sRDI\r\nPage 3 of 4\n\nSource: https://github.com/monoxgas/sRDI\r\nhttps://github.com/monoxgas/sRDI\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://github.com/monoxgas/sRDI"
	],
	"report_names": [
		"sRDI"
	],
	"threat_actors": [],
	"ts_created_at": 1775434139,
	"ts_updated_at": 1775791315,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a5f6f71447fc2495ec8f71b75295f802c593e4dd.pdf",
		"text": "https://archive.orkl.eu/a5f6f71447fc2495ec8f71b75295f802c593e4dd.txt",
		"img": "https://archive.orkl.eu/a5f6f71447fc2495ec8f71b75295f802c593e4dd.jpg"
	}
}