Stories from the Abyss - Early Bird Process Injection

As the journey continues through the various Layers of the Abyss we are still wandering around in the first layer "Edge of the Abyss". The third post of my Journey into the World of Offensive Development and Reverse Engineering, this time it's about the process injection Early Bird technique.
Posted on December 22, 2025

Introduction

After finishing the previous blog post about the Process Injection technique in its most simple form, I was thinking about where to go next. There’s so much fun stuff to do—so, which topic next?

I remember when I wrote the custom loader for the Ninja Hacker Academy writeup, I combined a few techniques, but I didn’t explicitly explain why or what their benefits are.

Let’s dive into one of those techniques that is still often used, called Early Bird, which is a technique that builds on the concepts of the vanilla process injection technique.

But what is Early Bird, and why is it an important technique to know?

Everything shared on this blog is purely for educational purposes and meant to spark ideas or help you learn. If you decide to try anything mentioned here, you’re doing so at your own risk. Please use your best judgment and do your own research before taking action.

Early Bird Process Injection (Sub)Technique The Early Bird Process Injection technique is a stealthy method used by malware to inject malicious code into a legitimate process during its early startup phase—before the process begins executing its main thread. This approach helps attackers evade detection by security software, as the injection occurs before many endpoint protection systems start monitoring the process.

The technique typically involves these steps:

The attacker starts a suspended process using CreateProcess with the CREATE_SUSPENDED flag. Malicious code is written into the target process’s memory using functions like WriteProcessMemory. The entry point of the legitimate process is redirected to the injected code, often by modifying the entry point address in the process’s PEB (Process Environment Block) or altering the thread context. The process is resumed using ResumeThread, which causes it to execute the attacker’s payload before any legitimate code runs. Because the injection happens before the process becomes active, and the malicious code runs first, it can bypass common detection mechanisms such as API monitoring or behavioral analysis. This makes Early Bird Injection a powerful technique to have in your arsenal.

Expanding the Process Injection technique In our previous blog, we didn’t particularly go deep into the Process Injection technique. We mentioned some of the functions we were going to use and why.

The big caveat of that technique is that you already need an existing, running process to inject your code into—which is why we needed to provide a Process ID (PID) for our previous injector. Let’s dive into some of the differences and inner workings of the vanilla injector technique and the early bird injector technique.

The previous injector The created injector from our previous blog was a very vanilla based Injector, it used and showed the fundamental principles needed to perform process injection.

This injector leveraged the OpenProcess API function, then we allocated some space in the process’s memory with VirtualAllocEx for our buffer containing the shellcode, and finally used WriteProcessMemory to put the bytes into memory that we could run by calling CreateRemoteThreadEx.

Recap of the functions used in the table below for these Win32 API functions:

Handle Description Reference OpenProcess Opens an existing local process object. Link VirtualAllocEx Reserves, commits, or changes the state of a region of memory within the virtual address space of a specified process. The function initializes the memory it allocates to zero. Link WriteProcessMemory Writes data to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails. Link CreateRemoteThreadEx Creates a thread that runs in the virtual address space of another process and optionally specifies extended attributes such as processor group affinity. Link

To put it in a more visual flow our previous Injector currently works like this:

The early bird injector Early Bird leverages a sub-technique within the Process Injection family called Asynchronous Procedure Call. Early Bird belongs to this family of sub-techniques because it involves creating a suspended process where malicious code can be written and executed before the process’s entry point (and potentially before any anti-malware hooks) via an APC.

The functions mentioned in the above table also change as the method changes. We no longer need OpenProcess and CreateRemoteThreadEx. Instead, we use CreateProcessA, VirtualProtectEx, QueueUserAPC, and ResumeThread.

Table of the new functions used now for the Early Bird Process Injection technique