321 words
2 minutes
Fibers for Offensive Security
2025-06-19
bypass
Windows
/
Evasion

Summary#

In the world of Windows development, most developers are familiar with threads, but fewer have explored fibers. Introduced in Windows 2000, fibers are a lesser-known concurrency mechanism that allows applications to manage their own scheduling, offering fine-grained control over execution.

What Are Windows Fibers?#

According to the MSDN Fibers are units of execution that must be manually scheduled by the application. Unlike threads, which are scheduled by the operating system, fibers are scheduled cooperatively meaning a fiber must explicitly yield control to allow another fiber to run. This makes fibers lightweight and potentially faster for specific high-performance scenarios.

Few Key Benefits#

  • Manual Scheduling: Ideal for applications like game engines or simulations where custom scheduling can boost performance.

  • Lower Overhead: Since they share the thread’s resources (like stack space), fibers can be more memory-efficient than threads.

  • Control: Fibers allow precise control over context switching, which can reduce synchronization overhead.

When to Use Them?#

Fibers are best suited for advanced use cases such as:

  • Task scheduling systems

  • Custom cooperative multitasking frameworks

How it works#

  • ConvertThreadToFiber() : Transforms the current thread into a fiber, allowing it to participate in fiber-based scheduling.

  • CreateFiber() : Initializes a new fiber with a defined stack size and a function that runs when the fiber starts.

  • SwitchToFiber() : Transfers execution control to the specified fiber.

  • DeleteFiber() : Releases the resources allocated to a fiber once it’s no longer needed.

Fibers for offensive security#

By utilizing the fibers, i was able to bypass the windows defender latest version recently, by the following techniques.

  • Create an MSF shellcode for revershell

  • implemented an Encryption technique and runtime decryption of the shellcode in the memory

  • Allocated memory for the shellcode

  • Converted the thread into fibers

  • Created a fiber for exeuting the decrypted shellcode

  • Switched the context into fiber with shellcode

  • Executed and cleaned up

Conclusion#

While Windows Fibers are niche and rarely used in modern development, and less monitored by edr and av compared to the system threads and process, an succesfull execution will give the revershell from the compromised machine.

Fibers for Offensive Security
https://blog.0xdhinu.com/posts/defender-bypass/
Author
Dhinu Ramachandran
Published at
2025-06-19
License
CC BY-NC-SA 4.0
Passing OSEP in 2025
contact@0xdhinu.com

© 2025 Dhinu Ramachandran. All Rights Reserved.