Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/mobdk/Upsilon

Upsilon executes shellcode with syscalls; no API such as NtProtectVirtualMemory is used.

Last synced: about 2 months ago
README


# Upsilon
Upsilon executes shellcode with syscalls; no API such as NtProtectVirtualMemory is used.

NtProtectVirtualMemory is used in many PoCs to change allocated memory to RWX. This PoC does not use any API calls; instead it creates a MemoryMappedFile (a section object) and executes the shellcode through direct syscalls.

The Resolver function is just a "sinkhole" for the Mimikatz payload: Mimikatz is converted to shellcode and then to a three-digit numeric format, and the final code is pasted into the compiled Upsilon.exe with a hex editor. This breaks the C# string logic and makes it hard for AV/EDR to analyse the context both before execution and at execution time.

The Windows version is read directly from the shared KUSER_SHARED_DATA structure instead of calling a version API:
```csharp
// KUSER_SHARED_DATA is mapped read-only at a fixed user-mode address on every Windows process.
IntPtr KUSER_SHARED_DATA = new IntPtr(0x7FFE0000);
// NtMajorVersion (ULONG) at offset 0x026C
IntPtr ptrMajorVersion = (IntPtr)(KUSER_SHARED_DATA + 0x026C);
info.dwMajorVersion = *(int*)(ptrMajorVersion);
// NtMinorVersion (ULONG) at offset 0x0270
IntPtr ptrMinorVersion = (IntPtr)(KUSER_SHARED_DATA + 0x0270);
info.dwMinorVersion = *(int*)(ptrMinorVersion);
// NtBuildNumber (ULONG) at offset 0x0260
IntPtr ptrBuildNumber = (IntPtr)(KUSER_SHARED_DATA + 0x0260);
info.dwBuildNumber = *(int*)(ptrBuildNumber);
```
Two syscalls are used: NtCreateSection (0x004A) and NtMapViewOfSection (0x0028). These syscall numbers are specific to the Windows build the PoC was tested on and differ between builds.

This is tested on Windows 10 build 20H2 64 bit only.

Compile: `csc.exe /platform:x64 /target:exe /unsafe Upsilon.cs`

Upsilon.exe is the compiled version with Mimikatz embedded, ready to test.