Description
Zig-native x64 EXE staged loader: downloads sRDI shellcode from the C2 at runtime and executes it in-memory.
Overview
Generates a small Zig-native Windows x64 EXE containing no embedded payload. At runtime it:
- Downloads the srdi_x64 sRDI shellcode from the C2 server over HTTP(S) using WinHTTP
- Bypasses AMSI
- Allocates RWX memory, copies the shellcode, and calls the sRDI entry point
The sRDI shellcode reflectively loads the .NET implant in-memory. SSL certificate validation is skipped when ValidateCertificateChain = false. The server hostname, port, path, and user agent are embedded as compile-time constants obfuscated by Obfuscate-ZigStrings. The generator applies Shuffle-ZigFunctions and Inject-ZigStackJitter before compiling so that the binary differs on every build.
Parameters
| Name | Type | Description |
|---|---|---|
| Optimization | ZigOptimization | Optimization/build mode. Default: ReleaseSmall. |
| Subsystem | ZigSubsystem | Windows PE subsystem (Console or Windows). Default: Console. |
| Architecture | ZigArchitecture | Target processor architecture (x86, x86_64, aarch64). Default: x86_64. |
| BuildId | string | The build whose payload URL is embedded. Defaults to the current build. |
