
add Custom Reflective Loader support for #228 #277

Open

dbghex wants to merge 1 commit into Adaptix-Framework:dev-v1.2 from dbghex:dev-1.2


dbghex commented Feb 11, 2026

Summary

Add Custom Reflective Loader support for #228, enabling in-memory reflective DLL loading.
The loader compiles to a standalone position-independent shellcode stub, which is prepended to the RC4-encrypted beacon payload. Inspired by BokuLoader and KaynLdr.

Features

Custom Reflective Loader

  • Custom ASM/C reflective loader, compiles to position-independent shellcode stub (stub.x64.bin / stub.x86.bin)
  • RC4 payload encryption with random 2-byte key — encrypts the beacon DLL at build time to evade static analysis by AV/EDR
  • PE section mapping, base relocation, and import resolution — all done in-memory without disk writes
  • Hash-based API resolution (DJB2) — avoids plain-text function name strings
  • Native NT API calls: NtAllocateVirtualMemory, NtProtectVirtualMemory, NtFreeVirtualMemory, LdrLoadDll
  • Dual mapping mode controlled by DOS header e_oemid flag:
    • e_oemid == 0: CRT-compatible mode (maps PE headers)
    • e_oemid == 1: IAT Hiding mode (skips PE headers, first 0x1000 bytes are zeroed)
  • Stub memory cleanup in DllMain — frees the reflective loader stub and DLL copy via NtFreeVirtualMemory after loading, preventing memory forensics and in-memory scanning by AV/EDR
  • Supports all output formats: Shellcode, Exe, Service Exe, DLL
  • Supports x64 and x86 architectures
  • Compatible with existing IAT Hiding feature

Shellcode Entry Point Refactoring

  • Unified AgentMain(LPVOID) entry point, accepts KAYN_ARGS context from reflective loader
  • KaynFree() cleanup in shellcode mode — frees loader and DLL copy memory via NtFreeVirtualMemory

Payload Format (Shellcode Mode)

[Stub .text section][RC4 Key (2 bytes)][Encrypted Size (4 bytes)][Encrypted PE DLL]

Loading Flow:

  1. Shellcode stub entry (start.asm) → calls Entry()
  2. RC4 decrypt payload using embedded 2-byte key
  3. Restore MZ signature
  4. Check e_oemid for mapping mode (CRT-compatible / IAT Hiding)
  5. NtAllocateVirtualMemory — allocate image memory
  6. Copy PE sections to allocated memory
  7. Apply base relocations
  8. Resolve imports via PEB walk + DJB2 hash lookup
  9. NtProtectVirtualMemory — set per-section page protections
  10. Call DllMain with KAYN_ARGS context (loader address, DLL copy, text base/size)

New Files

  • shellcode/asm/x64/start.asm: x64 shellcode entry point
  • shellcode/asm/x86/start.asm: x86 shellcode entry point
  • shellcode/src/Entry.c: Main reflective loader (decrypt, map, relocate, resolve)
  • shellcode/src/Import.c: Import table resolution with forwarded export support
  • shellcode/src/Utils.c: DJB2 hash, utility functions
  • shellcode/src/Win32.c: PEB-based module/function lookup
  • shellcode/include/Core.h: Loader structures, API pointers, hash constants
  • shellcode/include/Macro.h: PEB access macros (GS/FS), section attributes
  • shellcode/scripts/extract.py: Extracts .text section, patches stub size marker, aligns to 256 bytes
  • shellcode/scripts/Linker.ld: Custom linker script for minimal PE layout
  • shellcode/Makefile: Builds x64/x86 stubs (NASM + GCC → objcopy .text)

Build

Prerequisites: install nasm

# Ubuntu/Debian
apt install nasm

# Then use official build commands
make server-ext
# or
make extenders

Shellcode stubs are built automatically as part of the standard build process.

Credits / References
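The payload layout and loading steps described above, seen from the analyst's side, as an added example that is not part of this PR or of the Adaptix-Framework code: a Python triage helper that finds the stub boundary in a captured shellcode blob, decrypts the embedded DLL with the 2-byte RC4 key, restores the MZ signature and reads the e_oemid mapping flag. Assumptions not stated on the page: the stub length is a multiple of 256 (extract.py aligns to 256 bytes), the size field is little-endian, the key bytes are used directly as a standard RC4 key, and the build zeroes the MZ word that step 3 restores.

```python
import struct

def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA); symmetric, so it decrypts what the build encrypted."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def looks_like_pe(img: bytes) -> bool:
    """Accept a decrypted image when e_lfanew (DOS header +0x3C) points at 'PE\\0\\0'."""
    if len(img) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    return img[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def unpack_payload(blob: bytes):
    """Try each 256-aligned stub boundary (assumption): key, size, decrypt, validate, e_oemid."""
    for stub_len in range(256, len(blob) - 6, 256):
        key = blob[stub_len:stub_len + 2]                       # [RC4 Key (2 bytes)]
        enc_size = struct.unpack_from("<I", blob, stub_len + 2)[0]  # [Encrypted Size (4 bytes)]
        body = blob[stub_len + 6:stub_len + 6 + enc_size]       # [Encrypted PE DLL]
        if enc_size == 0 or len(body) != enc_size:
            continue
        dll = rc4(key, body)
        if not looks_like_pe(dll):
            continue
        dll = b"MZ" + dll[2:]                                   # step 3: restore MZ signature
        e_oemid = struct.unpack_from("<H", dll, 0x24)[0]        # step 4: mapping mode flag
        return {"stub_size": stub_len, "rc4_key": key.hex(), "dll": dll,
                "mapping_mode": "iat-hiding" if e_oemid == 1 else "crt-compatible"}
    return None

def build_sample(e_oemid: int = 1, key: bytes = b"\x13\x37") -> bytes:
    """Constructed test input (not a real beacon): dummy 256-byte stub + key + size + encrypted minimal PE."""
    dos = bytearray(0x40)                                       # MZ word left zeroed (assumption)
    struct.pack_into("<H", dos, 0x24, e_oemid)
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew -> PE signature
    img = bytes(dos) + b"PE\0\0" + b"\0" * 20
    enc = rc4(key, img)
    return b"\xCC" * 256 + key + struct.pack("<I", len(enc)) + enc
```

Because the key is only two bytes, the same validation loop can also be run over all 65,536 candidate keys when a sample's header layout differs from the one assumed here.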

