https://github.com/unkvolism/raigeki
Raigeki is a Rust-based shellcode loader that writes memory via APCs using NtQueueApcThread and RtlFillMemory.
- Host: GitHub
- URL: https://github.com/unkvolism/raigeki
- Owner: unkvolism
- Created: 2025-07-01T15:47:57.000Z (6 months ago)
- Default Branch: main
- Last Pushed: 2025-07-01T16:31:24.000Z (6 months ago)
- Last Synced: 2025-07-01T16:52:17.082Z (6 months ago)
- Topics: redteam, rust, shellcode-loader
- Language: Rust
- Homepage: https://github.com/unkvolism/Raigeki/
- Size: 21.5 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Raigeki
**Raigeki** is a shellcode loader written in **Rust**, implementing a custom memory writing technique using **Asynchronous Procedure Calls (APCs)** with `NtQueueApcThread` and `RtlFillMemory`.
This project is a **Rust reimplementation** of the technique originally demonstrated in C by [x86matthew](https://www.x86matthew.com/view_post?id=writeprocessmemory_apc).
Full credit for the concept and original implementation goes to him.
---
## Technique Overview
Normally, the Windows API function `QueueUserAPC` only allows queuing APCs with a **single argument**, which limits its usefulness for tasks like arbitrary memory writing. Internally, however, it calls the undocumented function `NtQueueApcThread`, which supports **three arguments** for the callback.
This gives us the ability to call functions such as `RtlFillMemory(ptr, len, value)` directly from an APC and allows for writing data byte-by-byte without relying on `WriteProcessMemory`.
### How it works
1. **Resolve the address of `RtlFillMemory`** dynamically.
2. **Create a suspended thread** in the target process using `NtCreateThreadEx`, with a safe or dummy entry point.
3. **Queue APCs** to the thread using `NtQueueApcThread`, each pointing to `RtlFillMemory`, specifying the destination address, size (`1`), and value (byte).
4. **Resume the thread**, allowing it to process the APC queue and execute each `RtlFillMemory` call to perform the write.
This results in a full buffer being written byte-by-byte through APCs, offering an alternative to traditional `WriteProcessMemory` that may bypass basic memory write detections.
---
## What Raigeki Does
Raigeki is a simple proof-of-concept shellcode loader that:
- Reads shellcode from a binary file.
- Allocates memory with `VirtualAlloc`.
- Uses the custom `WriteProcessMemoryAPC` function to write the shellcode into memory, byte-by-byte via `RtlFillMemory`.
- Changes memory protection to `PAGE_EXECUTE_READWRITE`.
- Creates a local thread to execute the shellcode.
---
## Build Instructions
```bash
# Clone the repository
git clone https://github.com/unkvolism/raigeki.git
cd raigeki
# Build in release mode
cargo build --release
# Run with the path to your shellcode binary
cargo run --release -- ./shellcode.bin
```