Microsoft Warbird

Microsoft Warbird is a code protection and obfuscation framework used internally by Microsoft, first introduced in 2012. Originally intended for exclusive use by Microsoft services, it is used for the digital rights management of Microsoft's intellectual property, protecting software code from reverse engineering by third parties.[1] Microsoft does not provide public documentation for the framework.[1]

Features

Warbird uses runtime code protection to allow execution of code blocks that are stored encrypted with a proprietary symmetric Feistel cipher. Decryption and allocation of the encrypted code occur at the kernel level, which allows Warbird to be used even when the process itself is not permitted to allocate executable memory. When a user process executes encrypted code, it first locates the corresponding block within its own memory and then passes it to the kernel. The kernel decrypts the block, allocates a new executable memory region in the process heap, copies the decrypted code into that region, and marks it as executable. Execution control is then passed back to the user process.[1]

Warbird is built into key Windows system components such as ci.dll, clipsp.sys, and peauth.sys, in addition to Windows functionality responsible for licensing and security.[2]

Leak

On 11 June 2024, a Microsoft engineer inadvertently leaked internal code related to PlayReady, which included the Warbird library and compiler stubs.[3]

Use in malware

The Chinese state-sponsored hacking group APT31 is believed to be capable of using Warbird invocations to obfuscate the loading of malicious shellcode and thereby evade detection.[4][5]

References

  1. "Abusing Microsoft Warbird for Shellcode Execution". Cirosec. 7 November 2024.
  2. "A deep dive into Microsoft Warbird: MS's kernel-mode dynamic packer". WebSec. 14 October 2025.
  3. Adam Gowdiak (6 April 2024). "Microsoft Warbird and PMP". Security Explorations.
  4. Pierluigi Paganini (3 February 2026). "Notepad++ infrastructure hack likely tied to China-nexus APT Lotus Blossom". Security Affairs.
  5. Ivan Feigl (3 February 2026). "The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's toolkit". Rapid7. Archived from the original on 2 February 2026.