Tuesday, October 19, 2021

Upsilon executes shellcode with syscalls – no API like NtProtectVirtualMemory is used


NtProtectVirtualMemory is used in many PoCs to change allocated memory to RWX. This PoC does not use any API calls; instead, it creates a MemoryMappedFile to execute our shellcode with syscalls.

The Resolver function is just a “sinkhole” for the Mimikatz payload. Mimikatz is converted to shellcode and then converted to a 3-digit numeric format; the final code is pasted into the compiled Upsilon.exe with a hex editor, t…
