This repository has been archived by the owner on Oct 2, 2024. It is now read-only.
C/C++ port of UrbanBishop/RuralBishop
gitjdm/NomadBishop
NomadBishop

Background

In the beginning, there was UrbanBishop, part of @FuzzySec's Sharp-Suite. Then came RuralBishop by @_RastaMouse, which uses D/Invoke instead of P/Invoke. These C# tools perform the following remote process injection procedure:

  1. Open the target process
  2. Create a RWX memory section
  3. Map a RW view of the section in the local process
  4. Map a RX view of the section in the target process
  5. Copy payload to the local view of the section
  6. Create suspended thread in the target process at RtlExitUserThread
  7. Queue APC for the thread at the RX view mapped in step 4
  8. Resume the suspended thread, triggering the APC (i.e. payload)

NomadBishop is a C/C++ proof-of-concept that implements the same procedure and supports both x64 and x86 operation. The x64 version is designed to use system call macros generated by @Jackson_T's SysWhispers script. The x86 version statically links ntdll.lib and uses Native API functions. Thanks to NtCreateThreadEx, it is possible to inject across desktop sessions. Cross-architecture injection is not currently implemented.
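The same call sequence is what a defender can correlate on. As an added example (not part of the NomadBishop project), the Python below walks constructed, simplified telemetry records and flags an APC queued to a suspended thread started at RtlExitUserThread whose routine lies inside an executable view the same caller mapped into another process; the record field names are an assumption for this example, not any real EDR or ETW schema.

```python
from collections import defaultdict

# Constructed telemetry, one record per observed native call in time order.
# Field names are an assumption for this example, not a real EDR/ETW schema.
SAMPLE_EVENTS = [
    {"src": 4242, "call": "NtOpenProcess", "target": 2024},
    {"src": 4242, "call": "NtCreateSection", "protect": "RWX"},
    {"src": 4242, "call": "NtMapViewOfSection", "target": 4242,
     "base": 0x264F5AD0000, "size": 0x1000, "protect": "RW"},
    {"src": 4242, "call": "NtMapViewOfSection", "target": 2024,
     "base": 0x18365FA0000, "size": 0x1000, "protect": "RX"},
    {"src": 4242, "call": "NtCreateThreadEx", "target": 2024, "tid": 9688,
     "start": "ntdll!RtlExitUserThread", "suspended": True},
    {"src": 4242, "call": "NtQueueApcThread", "target": 2024, "tid": 9688,
     "routine": 0x18365FA0000},
    {"src": 4242, "call": "NtAlertResumeThread", "target": 2024, "tid": 9688},
    # Benign noise: a process starting its own, non-suspended thread.
    {"src": 5555, "call": "NtCreateThreadEx", "target": 5555, "tid": 100,
     "start": "kernel32!BaseThreadInitThunk", "suspended": False},
]


def find_section_apc_injections(events):
    """Flag APCs queued to a suspended RtlExitUserThread thread in another
    process whose routine falls inside an executable view mapped by the caller."""
    remote_views = defaultdict(list)   # (src, target) -> [(base, size)]
    parked_threads = defaultdict(set)  # (src, target) -> {tid}
    findings = []
    for ev in events:
        if ev["src"] == ev.get("target"):
            continue  # local-process activity is not remote injection
        key = (ev["src"], ev.get("target"))
        call = ev["call"]
        if call == "NtMapViewOfSection" and "X" in ev["protect"]:
            remote_views[key].append((ev["base"], ev["size"]))
        elif (call == "NtCreateThreadEx" and ev["suspended"]
              and ev["start"].endswith("RtlExitUserThread")):
            parked_threads[key].add(ev["tid"])
        elif call == "NtQueueApcThread" and ev["tid"] in parked_threads[key]:
            for base, size in remote_views[key]:
                if base <= ev["routine"] < base + size:
                    findings.append({"src": ev["src"], "target": ev["target"],
                                     "tid": ev["tid"], "routine": ev["routine"],
                                     "view_base": base})
    return findings


if __name__ == "__main__":
    for f in find_section_apc_injections(SAMPLE_EVENTS):
        print(f"[!] PID {f['src']} queued APC at {f['routine']:#x} "
              f"in PID {f['target']} (TID {f['tid']})")
```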

@SolomonSklash also has an implementation in C worth checking out: SeasideBishop. The associated blog post is a great breakdown of the technique.

Usage

The NomadBishop Visual Studio 2019 project, as provided, produces a console application (EXE). The path to the binary payload (i.e. shellcode) is specified in the Resource.rc file and the payload is packed into the PE's resource header at compile-time. The resulting NomadBishop executable takes a single argument specifying the name of the target process to attempt to inject into, e.g.:

PS C:\> .\NomadBishop.exe powershell.exe
[+] Located payload: 272 bytes at 0x00007FF6AF731070
[+] Located target PID: 2024
[+] Process handle: 0x0000000000000090
[+] Section handle: 0x0000000000000094
[+] Local view: 0x00000264F5AD0000
[+] Remote view: 0x0000018365FA0000
[+] Copied 272 bytes to section
[+] Thread handle: 0x0000000000000098
[+] Thread ID: 9688
[+] Queued APC at remote view (0x0000018365FA0000)
[+] Payload successfully injected into PID 2024

Syscall macros are not included, but can be quickly generated using the aforementioned SysWhispers script:

$ python3 syswhispers.py -v 8,10 \
-f NtQuerySystemInformation,NtWriteVirtualMemory,NtOpenProcess,NtCreateSection, \
NtMapViewOfSection,NtUnmapViewOfSection,NtQueueApcThread,NtAlertResumeThread, \
NtCreateThreadEx,NtClose -o whisper

The resulting whisper.asm file should be placed into the NomadBishop directory. The above example syswhispers.py command will create macros for both Windows 8 and Windows 10, but NomadBishop has only been tested on Windows 10. Please refer to the SysWhispers project for additional guidance as needed. Alternative methods of utilizing syscalls could also be integrated relatively easily. The x86 project configuration does not compile whisper.asm and instead statically links ntdll.lib. Preprocessor directives in NomadBishop.h ensure the Nt* functions are declared appropriately for the architecture at compile-time.

Credit/Thanks
