Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/mobdk/Upsilon

Upsilon execute shellcode with syscalls - no API like NtProtectVirtualMemory is used
https://github.com/mobdk/Upsilon

Last synced: 21 days ago
JSON representation

Upsilon execute shellcode with syscalls - no API like NtProtectVirtualMemory is used

Awesome Lists containing this project

README

        

# Upsilon
Upsilon execute shellcode with syscalls - no API like NtProtectVirtualMemory is used

NtProtectVirtualMemory is used in many PoC to change allocated memory with RWX, this PoC do not use any API calls but create a MemoryMappedFile
to execute our shellcode with syscalls.

Resolver function is just a "sinkhole" for the Mimikatz payload, Mimikatz is converted to shellcode and then converted to 3 digits numeric format,
the final code is pasted in the compiled Upsilon.exe with a hex editor, this technique breaks the string logic in C# string and makes it hard for
AV/EDR to analyse the contex both before execution and at execution.

Windows version is obtained from shared KUSER_SHARED_DATA structure:
```
IntPtr KUSER_SHARED_DATA = new IntPtr(0x7FFE0000);
IntPtr ptrMajorVersion = (IntPtr)(KUSER_SHARED_DATA + 0x026C);
info.dwMajorVersion = *(int*)(ptrMajorVersion);
IntPtr ptrMinorVersion = (IntPtr)(KUSER_SHARED_DATA + 0x0270);
info.dwMinorVersion = *(int*)(ptrMinorVersion);
IntPtr ptrBuildNumber = (IntPtr)(KUSER_SHARED_DATA + 0x0260);
info.dwBuildNumber = *(int*)(ptrBuildNumber);
```
Two syscalls is used: NtCreateSection/0x004A and NtMapViewOfSection/0x0028

This is tested on Windows 10 build 20H2 64 bit only.

Compile: csc.exe /platform:x64 /target:exe /unsafe Upsilon.cs

Upsilon.exe is compiled version with Mimikatz embedded and ready to test