Two styles of SRDI implemented in MASM assembly, front-style RDI and post-style RDI, convert an EXE/DLL into position-independent shellcode.
An embedded RDI (the improved variant) supports only DLL-to-shellcode conversion: the DLL must export a loader function (e.g., `ReflectiveLoader`, or a custom name such as `HahaLoader`). Although it is harder for practitioners unfamiliar with RDI, its simplicity has led to wide adoption by C2 frameworks.
Current SRDI Limitations:
- EXE's `main` or `wmain` may take parameters.
- DLL's `DllMain` must adhere to Microsoft's official specification.
- EXEs/DLLs written in C# are unsupported.
- x64 architecture only.
Embedded RDI Specifics:
- DLL-exclusive conversion.
- Requires an exported loader function (the name is flexible, e.g., `HahaLoader`).
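A pre-flight check for the embedded converter, added here as an example; it is not part of Convert2Shellcode. Before running `Convert2Shellcode_embed.exe` on a file it parses the PE headers and export table with nothing beyond the standard library and confirms the three preconditions listed above: the image is x64, it is a DLL, and the loader export is present. `build_fake_dll` is a constructed fixture that carries only the header fields the parser reads (it is not loadable); `embed_precheck`, `exported_names` and the default loader name `ReflectiveLoader` are this example's own choices, the default matching the export used by the test DLL listed below.

```python
import struct

# Constructed test fixture: a minimal PE32+ DLL with nothing but an export table.
# It is not loadable code, just enough header structure for the checks below to parse.
def build_fake_dll(export_names, machine=0x8664, characteristics=0x2022):
    sec_rva, sec_raw = 0x1000, 0x200                 # one section, ".edata", mapped at RVA 0x1000
    n = len(export_names)
    off_funcs, off_names = 40, 40 + 4 * n             # IMAGE_EXPORT_DIRECTORY is 40 bytes
    off_ords = off_names + 4 * n
    off_str = off_ords + 2 * n
    strings, name_rvas = b"", []
    for nm in export_names:
        name_rvas.append(sec_rva + off_str + len(strings))
        strings += nm.encode() + b"\0"
    dllname_rva = sec_rva + off_str + len(strings)
    strings += b"fake.dll\0"
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dllname_rva, 1, n, n,
                             sec_rva + off_funcs, sec_rva + off_names, sec_rva + off_ords)
    body = (export_dir
            + b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n))  # bogus code RVAs
            + b"".join(struct.pack("<I", r) for r in name_rvas)
            + b"".join(struct.pack("<H", i) for i in range(n))
            + strings)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 240, characteristics)
    opt = bytearray(240)                                             # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<Q", opt, 24, 0x180000000)                     # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                  # Section/File alignment
    struct.pack_into("<II", opt, 56, 0x2000, sec_raw)                # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, sec_rva, len(body))            # export data directory
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".edata", len(body), sec_rva, 0x200, sec_raw,
                          0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdr
    return headers.ljust(sec_raw, b"\0") + body.ljust(0x200, b"\0")


def _pe_headers(pe):
    """Parse the parts of the PE header the pre-check needs: machine, characteristics,
    export directory RVA and the section table (for RVA -> file offset translation)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96)        # data directories start later in PE32+
    export_rva = struct.unpack_from("<I", pe, dd)[0]   # directory entry 0 = exports
    sections = []
    for i in range(nsec):
        _, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append((va, max(vsize, rsize), raw))
    return machine, chars, export_rva, sections


def _rva_to_offset(sections, rva):
    for va, size, raw in sections:
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def exported_names(pe):
    """Names in the export table, in table order ([] when there is no export directory)."""
    _, _, export_rva, sections = _pe_headers(pe)
    if export_rva == 0:
        return []
    ed = _rva_to_offset(sections, export_rva)
    n_names = struct.unpack_from("<I", pe, ed + 24)[0]        # NumberOfNames
    names_off = _rva_to_offset(sections, struct.unpack_from("<I", pe, ed + 32)[0])  # AddressOfNames
    out = []
    for i in range(n_names):
        off = _rva_to_offset(sections, struct.unpack_from("<I", pe, names_off + 4 * i)[0])
        out.append(pe[off:pe.index(b"\0", off)].decode("ascii", "replace"))
    return out


def embed_precheck(pe, loader="ReflectiveLoader"):
    """Does this file meet the embedded-RDI preconditions: x64, a DLL, and the loader exported?"""
    machine, chars, _, _ = _pe_headers(pe)
    return {
        "x64": machine == 0x8664,                 # IMAGE_FILE_MACHINE_AMD64
        "is_dll": bool(chars & 0x2000),           # IMAGE_FILE_DLL
        "has_loader": loader in exported_names(pe),
    }
```

Run `embed_precheck(open("ReflectiveDLL.dll", "rb").read())` on a real DLL; any `False` in the result is a file that the embedded converter will not handle, whatever it prints.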
Convert2Shellcode
- `Convert2Shellcode_embed.cpp`: C++ version, uses improved RDI (embedded) to convert DLL to shellcode
- `Convert2Shellcode_embed.go`: Go version, uses improved RDI (embedded) to convert DLL to shellcode
- `Convert2Shellcode_front.cpp`: C++ version, uses front-style RDI to convert EXE/DLL to shellcode
- `Convert2Shellcode_front.go`: Go version, uses front-style RDI to convert EXE/DLL to shellcode
- `Convert2Shellcode_post.cpp`: C++ version, uses post-style RDI to convert EXE/DLL to shellcode
- `Convert2Shellcode_post.go`: Go version, uses post-style RDI to convert EXE/DLL to shellcode
Debug
- `DebugForRDI.asm`: ASM file created for debugging and developing RDI; verified to work
- `Sever.py`: Python TCP server used together with `DebugForRDI.asm`
SRDI Asm
- `RDI_front.asm`: Front-style RDI shellcode
- `RDI_post.asm`: Post-style RDI shellcode
Test
- `ReflectiveDLL.cpp`: DLL source code with an exported `ReflectiveLoader` function
- `ReflectiveDLL.dll`: Compiled DLL binary with an exported `ReflectiveLoader` function
- `stager_x64_reverseTcp.asm`: Cobalt Strike-like stager; run `Sever.py` to start the server, then run this ASM to fetch and execute the payload
- `Test_for_dll.cpp`: Test DLL source code
- `Test_for_dll.dll`: Test DLL binary
- `Test_for_exe.cpp`: Test EXE source code
- `Test_for_exe.exe`: Test EXE binary
1. Convert2Shellcode_front.exe <DLL/EXE Path> [Output File Path]
2. Convert2Shellcode_post.exe <DLL/EXE Path> [Output File Path]
3. Convert2Shellcode_embed.exe <DLL Path> [Output File Path] [The Export Function Name of Loader]
Example
PS C:\Users\Xxxxxxxx\Desktop\Convert2Shellcode_v1.0> .\Convert2Shellcode_front.exe .\mimikatz.exe
╔══════════════════════════════════════════════════════════════════════════════════════╗
║ Convert2Shellcode_front                                                              ║
║------------------------------------------------------------------------------------- ║
║ Function: Use front-style RDI to convert EXE/DLL into position-independent shellcode ║
║ Author:oneday                                                                        ║
║ Compilation Date:Jun 12 2025 21:29:52                                                ║
╚══════════════════════════════════════════════════════════════════════════════════════╝
[+] Successfully opened .
[*] File size is 1355264
[+] Memory allocation successful, address is 0x4bc9b040
[*] 1355264 bytes read into memory
[+] Memory allocation successful, address is 0x4bdf9040
[+] Successfully generated shellcode file: s (Size: 1356147 bytes)
Use `runshc64.exe` from hasherezade/pe_to_shellcode (Converts PE into a shellcode) to verify the generated shellcode, or write your own loader.
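An offline sanity check of converter output, added as an example (it is not code from this project): it locates the PE inside the generated shellcode, reports whether the loader stub sits in front of the PE or after it, and confirms the PE bytes came through unmodified before the blob is handed to `runshc64.exe`. It assumes, from the names alone, that front-style output places the stub before the PE image and post-style output after it, and that a post-style layout may patch the DOS header bytes since they become the shellcode entry; treat both as assumptions about the layout, not a description of the project's internals. `fake_pe` and `FAKE_STUB` are constructed filler, and the script name in the usage line is made up. In the `mimikatz.exe` run shown above the output is 883 bytes larger than the input (1356147 minus 1355264); on this reading that difference is the front-style stub.

```python
import struct
import sys


def _pe_signature_at(blob, off):
    """True if blob[off:] starts with a DOS header whose e_lfanew points at a PE signature."""
    if blob[off:off + 2] != b"MZ" or len(blob) < off + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    sig = off + e_lfanew
    return 0x40 <= e_lfanew < 0x1000 and blob[sig:sig + 4] == b"PE\0\0"


def find_embedded_pe(blob):
    """File offset of the first genuine PE header inside the shellcode, or None.
    A stray 'MZ' inside loader code is rejected by the e_lfanew / PE signature check."""
    off = blob.find(b"MZ")
    while off != -1:
        if _pe_signature_at(blob, off):
            return off
        off = blob.find(b"MZ", off + 1)
    return None


def classify_layout(shellcode, original_pe):
    """Compare converter output with the PE that went in.
    'front': the loader stub precedes the PE; 'post': the PE comes first and the stub follows.
    The DOS header region of post-style output may legitimately be patched (assumption: the MZ
    bytes double as the shellcode entry), so it is reported separately from the NT headers."""
    off = find_embedded_pe(shellcode)
    if off is None:
        return {"layout": None, "stub_size": None, "pe_intact": False,
                "nt_headers_intact": False, "dos_header_patched": None}
    e_lfanew = struct.unpack_from("<I", original_pe, 0x3C)[0]
    embedded = shellcode[off:off + len(original_pe)]
    nt_intact = embedded[e_lfanew:] == original_pe[e_lfanew:]      # NT headers + sections
    dos_patched = embedded[:e_lfanew] != original_pe[:e_lfanew]   # DOS header / DOS stub
    extra = len(shellcode) - len(original_pe)                      # everything that is not the PE
    if off > 0 and off + len(original_pe) == len(shellcode):
        layout = "front"
    elif off == 0 and extra > 0:
        layout = "post"
    else:
        layout = "unknown"
    return {"layout": layout, "stub_size": extra, "pe_intact": nt_intact and not dos_patched,
            "nt_headers_intact": nt_intact, "dos_header_patched": dos_patched}


# Constructed stand-ins: a PE-shaped filler file and a loader-stub-shaped filler.
# The filler pattern never produces a consecutive 'MZ', so the only PE header is the real one.
def fake_pe(size=0x400):
    pe = bytearray((i * 7) & 0xFF for i in range(size))
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)          # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    return bytes(pe)


FAKE_STUB = b"\x48\x83\xec\x28" + bytes(range(0x90, 0xF0))   # 100 bytes, no 'MZ' inside


if __name__ == "__main__":
    # usage (script name assumed): python check_layout.py <original EXE/DLL> <converter output>
    with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
        print(classify_layout(g.read(), f.read()))
```

A `None` layout means no valid MZ/PE header was found in the output at all, which is the first thing to rule out before blaming the loader; `nt_headers_intact` being `False` means the converter altered the image itself, not just the stub around it.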
If you are interested in the implementation details, see the article I wrote on 先知社区 (XianZhi community): 从SRDI原理剖析再到PE2Shellcode的实现 (From an analysis of SRDI internals to the implementation of PE2Shellcode).
My blog: 关于这个博客 | onedaybook (About this blog | onedaybook)
I will maintain this project, focusing on the following key points:
- Add x86 support
- Introduce advanced features, such as supporting user data, obfuscating PE headers, etc.
- Add support for .NET assemblies
- Enhance RDI functionality, including delay-load imports, export conversion, etc.
- Further reduce the size of the SRDI shellcode
- Fix bugs and address issues raised by community members
This tool is provided for educational and research purposes only. It is intended for use by security professionals in legally authorized engagements. The author is not responsible for any misuse of this software. Users must ensure that they have proper authorization before using this tool on any system.
One more thing, I am no longer working in security, don't trace me.