# Upsilon

Upsilon executes shellcode with syscalls; no API such as NtProtectVirtualMemory is used.

NtProtectVirtualMemory is used in many PoCs to change allocated memory to RWX. This PoC does not use any API calls but instead creates a MemoryMappedFile to execute our shellcode with syscalls.

The Resolver function is just a "sinkhole" for the Mimikatz payload. Mimikatz is converted to shellcode and then to a 3-digit numeric format, and the final code is pasted into the compiled Upsilon.exe with a hex editor. This technique breaks the string logic in C# strings and makes it hard for AV/EDR to analyse the context both before execution and at execution time.

The Windows version is obtained from the shared KUSER_SHARED_DATA structure:

```csharp
// KUSER_SHARED_DATA is mapped read-only into every user-mode process at a fixed
// address, so the version fields can be read directly without a GetVersion-style API.
// This runs inside an unsafe block; `info` is a struct holding the version fields.
IntPtr KUSER_SHARED_DATA = new IntPtr(0x7FFE0000);

IntPtr ptrMajorVersion = (IntPtr)(KUSER_SHARED_DATA + 0x026C); // NtMajorVersion
info.dwMajorVersion = *(int*)ptrMajorVersion;

IntPtr ptrMinorVersion = (IntPtr)(KUSER_SHARED_DATA + 0x0270); // NtMinorVersion
info.dwMinorVersion = *(int*)ptrMinorVersion;

IntPtr ptrBuildNumber = (IntPtr)(KUSER_SHARED_DATA + 0x0260);  // NtBuildNumber
info.dwBuildNumber = *(int*)ptrBuildNumber;
```

Two syscalls are used: NtCreateSection (0x004A) and NtMapViewOfSection (0x0028).

This is tested on Windows 10 build 20H2, 64-bit only.

Compile: `csc.exe /platform:x64 /target:exe /unsafe Upsilon.cs`

Upsilon.exe is the compiled version with Mimikatz embedded, ready to test.