core-jmp

EarlyBird APC Injection: A Deep Technical Analysis

February 13, 2026

by oxfemale APC Bypassing EDR Injection shellcode winapi windows

The EarlyBird APC technique creates a trusted process in a suspended state, allocates memory for shellcode, and writes the payload. It then queues the shellcode as an Asynchronous Procedure Call (APC) to the suspended thread. Resuming the thread forces immediate, stealthy execution of the malicious code.

Process Injection via Component Object Model (COM) IRundown::DoCallback() for run cmd.exe from lsass.exe or other pids

February 6, 2026

by oxfemale Administrator Bypassing Callbacks cpp EDR Escalation Injection Loader shellcode winapi windows

A PoC/demo demonstrating code injection via COM (using the IRundown::DoCallback() mechanism) to execute a payload in the context of a selected process, including lsass.exe (or any other PID).

Abusing Microsoft Warbird for Shellcode Execution

February 4, 2026

by oxfemale Bypassing EDR shellcode Warbird windows

The article demonstrates an EDR bypass by using an undocumented Warbird interface to stealthily load shellcode.

Mastering Living off the Process in Offensive Security

February 2, 2026

by oxfemale ASM cpp Debug Gadgets ROP shellcode Uncategorized windows

No need for overusing WriteProcessMemory, VirtualAlloc, injecting a DLL, etc. This way, everything you need to manipulate the remote process is self-contained and already available to the process.

core-jmp

Posts tagged: shellcode

EarlyBird APC Injection: A Deep Technical Analysis

Process Injection via Component Object Model (COM) IRundown::DoCallback() for run cmd.exe from lsass.exe or other pids

Abusing Microsoft Warbird for Shellcode Execution

Mastering Living off the Process in Offensive Security

Recent Posts

Recent Comments

Archives

Categories