Awesome
UrbanBishopLocal
Description
A port of FuzzySecurity's UrbanBishop project for inline shellcode execution. The execution vector uses a delegate vs an APC on a suspended threat at ntdll!RtlExitUserThread in UrbanBishop
NtCreateSection
is used to create a section objectNtMapViewOfSection
creates a section view with RW permissions we can write shellcode to- Shellcode is written to the section view
- A second call to
NtMapViewOfSection
creates a section view with RX permissions - A pointer to the base address of the shellcode is converted to a delegate and executed
Usage
- Base64 encode XOR encrypted 64 bit shellcode with PowerShell
[Convert]::ToBase64String([System.IO.File]::ReadAllBytes("$PSScriptRoot\encrypted_shellcode.bin")) | clip
- Copy base64 string into
Program.cs
- Replace your XOR key within
Program.cs
- Build the project for x64