{"id":29308627,"url":"https://github.com/unkvolism/raigeki","last_synced_at":"2025-07-07T07:14:36.102Z","repository":{"id":302303961,"uuid":"1011967675","full_name":"unkvolism/Raigeki","owner":"unkvolism","description":"Raigeki is a Rust-based shellcode loader that writes memory via APCs using NtQueueApcThread and RtlFillMemory.","archived":false,"fork":false,"pushed_at":"2025-07-01T16:31:24.000Z","size":22,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-07-01T16:52:17.082Z","etag":null,"topics":["redteam","rust","shellcode-loader"],"latest_commit_sha":null,"homepage":"https://github.com/unkvolism/Raigeki/","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/unkvolism.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-07-01T15:47:57.000Z","updated_at":"2025-07-01T16:31:28.000Z","dependencies_parsed_at":"2025-07-01T17:04:23.872Z","dependency_job_id":null,"html_url":"https://github.com/unkvolism/Raigeki","commit_stats":null,"previous_names":["unkvolism/raigeki"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/unkvolism/Raigeki","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unkvolism%2FRaigeki","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unkvolism%2FRaigeki/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unkvolism%2FRaigeki/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unkvolism%2FRaigeki/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/unkvolism","download_url":"https://codeload.github.com/unkvolism/Raigeki/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unkvolism%2FRaigeki/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264032346,"owners_count":23546811,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["redteam","rust","shellcode-loader"],"created_at":"2025-07-07T07:14:25.204Z","updated_at":"2025-07-07T07:14:36.093Z","avatar_url":"https://github.com/unkvolism.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Raigeki\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://static.wikia.nocookie.net/yugioh/images/1/11/Raigeki-TF04-JP-VG.png/revision/latest?cb=20161225202122\" alt=\"Raigeki\" width=\"300\"/\u003e\n\u003c/p\u003e\n\n**Raigeki** is a shellcode loader written in **Rust**, implementing a custom memory writing technique using **Asynchronous Procedure Calls (APCs)** with `NtQueueApcThread` and `RtlFillMemory`.\n\nThis project is a **Rust reimplementation** of the technique originally demonstrated in C by [x86matthew](https://www.x86matthew.com/view_post?id=writeprocessmemory_apc).  \nFull credit for the concept and original implementation goes to him.\n\n---\n\n## Technique Overview\n\nNormally, the Windows API function `QueueUserAPC` only allows queuing APCs with a **single argument**, which limits its usefulness for tasks like arbitrary memory writing. Internally, however, it calls the undocumented function `NtQueueApcThread`, which supports **three arguments** for the callback.\n\nThis gives us the ability to call functions such as `RtlFillMemory(ptr, len, value)` directly from an APC and allows for writing data byte-by-byte without relying on `WriteProcessMemory`.\n\n### How it works:\n\n1. **Resolve the address of `RtlFillMemory`** dynamically.\n2. **Create a suspended thread** in the target process using `NtCreateThreadEx`, with a safe or dummy entry point.\n3. **Queue APCs** to the thread using `NtQueueApcThread`, each pointing to `RtlFillMemory`, specifying the destination address, size (`1`), and value (byte).\n4. **Resume the thread**, allowing it to process the APC queue and execute each `RtlFillMemory` call to perform the write.\n\nThis results in a full buffer being written byte-by-byte through APCs, offering an alternative to traditional `WriteProcessMemory` that may bypass basic memory write detections.\n\n---\n\n## What Raigeki Does\n\nRaigeki is a simple proof-of-concept shellcode loader that:\n\n- Reads shellcode from a binary file.\n- Allocates memory with `VirtualAlloc`.\n- Uses the custom `WriteProcessMemoryAPC` function to write the shellcode into memory, byte-by-byte via `RtlFillMemory`.\n- Changes memory protection to `PAGE_EXECUTE_READWRITE`.\n- Creates a local thread to execute the shellcode.\n\n---\n\n\n## Build Instructions\n\n```bash\n# Clone the repository\ngit clone https://github.com/unkvolism/raigeki.git\ncd raigeki\n\n# Build in release mode\ncargo build --release\n\n# Run with the path to your shellcode binary\ncargo run --release -- ./shellcode.bin\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Funkvolism%2Fraigeki","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Funkvolism%2Fraigeki","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Funkvolism%2Fraigeki/lists"}