A port of FuzzySecurity's UrbanBishop project for inline shellcode execution

slyd0g/UrbanBishopLocal

UrbanBishopLocal

Description

A port of FuzzySecurity's UrbanBishop project for inline shellcode execution. The execution vector here is a delegate, whereas UrbanBishop uses an APC on a suspended thread at ntdll!RtlExitUserThread.

  • NtCreateSection is used to create a section object
  • NtMapViewOfSection creates a section view with RW permissions we can write shellcode to
  • Shellcode is written to the section view
  • A second call to NtMapViewOfSection creates a section view with RX permissions
  • A pointer to the base address of the shellcode is converted to a delegate and executed
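
From the defender's side, the steps above leave a recognizable pattern: one section object mapped twice into the same process, once writable and once executable. The following added example (not part of the UrbanBishopLocal repository) correlates map-view events to flag that pattern; the event schema, field names and sample events are constructed for illustration.

```python
# Protection names are the Win32 PAGE_* memory-protection constants.
WRITE_VIEW = {"PAGE_READWRITE", "PAGE_WRITECOPY"}
EXEC_VIEW = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ"}

# Constructed telemetry in a hypothetical normalized schema (not a real product's format).
SAMPLE_EVENTS = [
    {"time": 1, "pid": 4120, "op": "map", "section": "0x1a4", "protect": "PAGE_READWRITE"},
    {"time": 2, "pid": 4120, "op": "map", "section": "0x1a4", "protect": "PAGE_EXECUTE_READ"},
    # Handle value reused for a different section after close: must not be flagged.
    {"time": 3, "pid": 5300, "op": "map", "section": "0x2b0", "protect": "PAGE_READWRITE"},
    {"time": 4, "pid": 5300, "op": "close", "section": "0x2b0"},
    {"time": 5, "pid": 5300, "op": "map", "section": "0x2b0", "protect": "PAGE_EXECUTE_READ"},
    # Read-only plus executable views: no writable view, so not flagged.
    {"time": 6, "pid": 6100, "op": "map", "section": "0x310", "protect": "PAGE_READONLY"},
    {"time": 7, "pid": 6100, "op": "map", "section": "0x310", "protect": "PAGE_EXECUTE_READ"},
]

def find_dual_mapped_sections(events):
    """Return one finding per (pid, section) that received both a writable
    view and an executable view while the same section handle was open."""
    # Keyed by handle value as a simplification; a production sensor would
    # key on the underlying section object instead.
    state = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["pid"], ev["section"])
        if ev["op"] == "close":
            state.pop(key, None)  # handle values are reused; forget the old section
            continue
        views = state.setdefault(key, {"w": None, "x": None, "reported": False})
        if ev["protect"] in WRITE_VIEW and views["w"] is None:
            views["w"] = ev["time"]
        elif ev["protect"] in EXEC_VIEW and views["x"] is None:
            views["x"] = ev["time"]
        if views["w"] is not None and views["x"] is not None and not views["reported"]:
            views["reported"] = True
            findings.append({"pid": ev["pid"], "section": ev["section"],
                             "writable_at": views["w"], "executable_at": views["x"]})
    return findings

if __name__ == "__main__":
    for finding in find_dual_mapped_sections(SAMPLE_EVENTS):
        print(finding)
```

Some JIT runtimes map code memory the same way, so a finding is a triage lead to combine with other signals, not a verdict on its own.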

Usage

  1. Base64-encode the XOR-encrypted 64-bit shellcode with PowerShell
    • [Convert]::ToBase64String([System.IO.File]::ReadAllBytes("$PSScriptRoot\encrypted_shellcode.bin")) | clip
  2. Copy base64 string into Program.cs
  3. Replace the XOR key in Program.cs with your own
  4. Build the project for x64
