added a bunch of polymorphism improvements.
added --rx. produces a blob that runs from PAGE_EXECUTE_READ memory, no
RWX needed. data island stays encrypted at rest and gets decrypted in-place
at state_init via VirtualProtect-RW/decrypt/VirtualProtect-RX.
two ways to get the VirtualProtect pointer, see /examples for basic example loaders:
- default: in-blob PEB walker resolves it, gs:[0x60] -> Ldr -> kernel32 by
  BaseDllName hash, then EAT walk for VirtualProtect by name hash. per-seed
  salt on the hash so the embedded constants vary per build.
- --rx-loader-vp: loader passes it in as the blob's first arg. rcx on x64,
  __cdecl [esp+4] on x86. smaller blob, no PEB-walk fingerprint.
still no linux tests, will do later in 2.1.0.
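
A defender-side view of the --rx decrypt sequence described above, as an added example that is not part of this project's code: it flags a region that goes PAGE_EXECUTE_READ -> PAGE_READWRITE -> PAGE_EXECUTE_READ when both VirtualProtect calls originate from inside the same allocation. The event schema, the `ev` and `find_self_flips` names, the 500 ms window and all sample values are assumptions constructed for illustration.

```python
PAGE_READWRITE = 0x04      # Windows memory-protection constants
PAGE_EXECUTE_READ = 0x20
RX, RW = PAGE_EXECUTE_READ, PAGE_READWRITE

def ev(t_ms, pid, base, alloc_size, addr, old, new, caller):
    """One protection-change record (hypothetical telemetry schema)."""
    return dict(t_ms=t_ms, pid=pid, base=base, alloc_size=alloc_size,
                addr=addr, old=old, new=new, caller=caller)

# Constructed sample events, not captured from any real tool or host.
EVENTS = [
    # caller sits inside the allocation it re-protects: RX -> RW -> RX
    ev(1000, 4120, 0x1F0000, 0x8000, 0x1F3000, RX, RW, 0x1F0412),
    ev(1002, 4120, 0x1F0000, 0x8000, 0x1F3000, RW, RX, 0x1F0455),
    # same flip, but driven from outside the allocation (e.g. a JIT runtime)
    ev(2000, 5000, 0x7A0000, 0x4000, 0x7A0000, RX, RW, 0x7FF610001000),
    ev(2001, 5000, 0x7A0000, 0x4000, 0x7A0000, RW, RX, 0x7FF610001040),
    # in-allocation caller, but the region is never returned to RX
    ev(3000, 6000, 0x2B0000, 0x2000, 0x2B1000, RX, RW, 0x2B0010),
]

def find_self_flips(events, max_gap_ms=500):
    """Return RX->RW->RX round trips made by code inside the same allocation."""
    pending = {}   # (pid, addr) -> the RX->RW event awaiting its restore
    hits = []
    for e in sorted(events, key=lambda e: e["t_ms"]):
        key = (e["pid"], e["addr"])
        # Does the return address of the call fall inside the target allocation?
        in_alloc = e["base"] <= e["caller"] < e["base"] + e["alloc_size"]
        if (e["old"], e["new"]) == (RX, RW):
            if in_alloc:
                pending[key] = e
        elif (e["old"], e["new"]) == (RW, RX) and key in pending:
            first = pending.pop(key)
            gap = e["t_ms"] - first["t_ms"]
            if in_alloc and gap <= max_gap_ms:
                hits.append({"pid": e["pid"], "addr": e["addr"], "gap_ms": gap})
    return hits

if __name__ == "__main__":
    for hit in find_self_flips(EVENTS):
        print(f"pid {hit['pid']}: self-flip at {hit['addr']:#x} in {hit['gap_ms']} ms")
```

The caller-in-allocation test is what separates this pattern from a runtime in a mapped module flipping protections on a separate code heap.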