Description
Per-build obfuscated Zig-native x64 EXE that XOR-encodes and executes the sRDI shellcode payload in-memory.
Overview
Generates a fresh Windows x64 EXE on each payload request by:
- Reading the sRDI x64 shellcode (`srdi_x64`)
- XOR-encoding the bytes with a random per-build key
- Generating Zig source that decodes and executes the shellcode at runtime via `VirtualAlloc` + call
- Shuffling function layout (`Shuffle-ZigFunctions`) to randomize `.text` section placement
- Injecting per-function stack-frame jitter (`Inject-ZigStackJitter`) to shift all local variable offsets
- Applying comment and string obfuscation
- Compiling with Zig 0.16.0 targeting `x86_64-windows-gnu`
The sRDI shellcode reflectively loads the .NET implant in-memory. An AMSI bypass is applied before execution.
Parameters
| Name | Type | Description |
|---|---|---|
| Optimization | ZigOptimization | Optimization/build mode. Default: ReleaseSmall. |
| Subsystem | ZigSubsystem | Windows PE subsystem (Console or Windows). Default: Console. |
| Architecture | ZigArchitecture | Target processor architecture (x86, x86_64, aarch64). Default: x86_64. |
| BuildId | string | The build to embed. Defaults to the current build. |
