Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/mobdk/Upsilon
Upsilon execute shellcode with syscalls - no API like NtProtectVirtualMemory is used
https://github.com/mobdk/Upsilon
Last synced: 21 days ago
JSON representation
Upsilon execute shellcode with syscalls - no API like NtProtectVirtualMemory is used
- Host: GitHub
- URL: https://github.com/mobdk/Upsilon
- Owner: mobdk
- Created: 2021-08-26T13:31:52.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2021-08-26T16:09:08.000Z (over 3 years ago)
- Last Synced: 2024-08-05T17:26:18.745Z (4 months ago)
- Language: C#
- Size: 1.03 MB
- Stars: 92
- Watchers: 2
- Forks: 20
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - mobdk/Upsilon - Upsilon execute shellcode with syscalls - no API like NtProtectVirtualMemory is used (C# #)
README
# Upsilon
Upsilon execute shellcode with syscalls - no API like NtProtectVirtualMemory is usedNtProtectVirtualMemory is used in many PoC to change allocated memory with RWX, this PoC do not use any API calls but create a MemoryMappedFile
to execute our shellcode with syscalls.Resolver function is just a "sinkhole" for the Mimikatz payload, Mimikatz is converted to shellcode and then converted to 3 digits numeric format,
the final code is pasted in the compiled Upsilon.exe with a hex editor, this technique breaks the string logic in C# string and makes it hard for
AV/EDR to analyse the contex both before execution and at execution.Windows version is obtained from shared KUSER_SHARED_DATA structure:
```
IntPtr KUSER_SHARED_DATA = new IntPtr(0x7FFE0000);
IntPtr ptrMajorVersion = (IntPtr)(KUSER_SHARED_DATA + 0x026C);
info.dwMajorVersion = *(int*)(ptrMajorVersion);
IntPtr ptrMinorVersion = (IntPtr)(KUSER_SHARED_DATA + 0x0270);
info.dwMinorVersion = *(int*)(ptrMinorVersion);
IntPtr ptrBuildNumber = (IntPtr)(KUSER_SHARED_DATA + 0x0260);
info.dwBuildNumber = *(int*)(ptrBuildNumber);
```
Two syscalls is used: NtCreateSection/0x004A and NtMapViewOfSection/0x0028This is tested on Windows 10 build 20H2 64 bit only.
Compile: csc.exe /platform:x64 /target:exe /unsafe Upsilon.cs
Upsilon.exe is compiled version with Mimikatz embedded and ready to test