Awesome

UrbanBishopLocal

Description

A port of FuzzySecurity's UrbanBishop project for inline shellcode execution. The execution vector uses a delegate vs an APC on a suspended threat at ntdll!RtlExitUserThread in UrbanBishop

• NtCreateSection is used to create a section object
• NtMapViewOfSection creates a section view with RW permissions we can write shellcode to
• Shellcode is written to the section view
• A second call to NtMapViewOfSection creates a section view with RX permissions
• A pointer to the base address of the shellcode is converted to a delegate and executed

Usage

1. Base64 encode XOR encrypted 64 bit shellcode with PowerShell
   • [Convert]::ToBase64String([System.IO.File]::ReadAllBytes("$PSScriptRoot\encrypted_shellcode.bin")) | clip
2. Copy base64 string into Program.cs
3. Replace your XOR key within Program.cs
4. Build the project for x64