Process Injection : Introduction

Injecting code into the memory of a running process to stay stealthy and evade detection

Here is my breakdown of the MITRE definition of Process Injection, with some additions:

What is Process Injection?

Process injection is a method of executing arbitrary code in the address space of a separate live process.

Below is a diagram I found that describes Process Injection quite well:

https://medium.com/@ozan.unal/process-injection-techniques-bc6396929740

What is it used for?

Adversaries may inject code into processes in order to evade process-based defenses and possibly elevate privileges. Running code in the context of another process may give access to that process's memory, its system and network resources, and possibly its elevated privileges. Execution via process injection may also evade detection by security products, since the execution is masked behind a legitimate process.
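Because injected code hides behind a legitimate process image, defenders look at the cross-process operations that injection needs rather than at the host process itself. The following added example (not part of the original notes) shows that idea over constructed telemetry shaped like Sysmon Event ID 10 (ProcessAccess: SourceImage, TargetImage, GrantedAccess) and Event ID 8 (CreateRemoteThread: SourceImage, TargetImage, StartModule). The access-right constants are the real values from winnt.h; the sample events, the `INJECT_MASK` threshold and the `KNOWN_BENIGN_SOURCES` allow-list are assumptions made for the example.

```python
"""Flag cross-process access patterns typical of code injection in Sysmon-style telemetry.

Added example, not part of the original notes. Records are assumed to carry the
Sysmon Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread) fields
named below; the sample events are constructed, not real captures.
"""
from dataclasses import dataclass

# Process access rights from the Windows SDK (winnt.h).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# A handle that can write memory, change its protection and start a thread has
# every primitive classic injection needs (assumed detection threshold).
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Hypothetical allow-list of processes that legitimately open others this way.
KNOWN_BENIGN_SOURCES = {r"C:\Windows\System32\csrss.exe"}


@dataclass
class Event:
    event_id: int
    source: str
    target: str
    granted_access: int = 0   # Event 10 only
    start_module: str = ""    # Event 8 only; empty when the thread starts outside any module


def analyse(events):
    """Return (reason, event) tuples for events worth an analyst's attention."""
    findings = []
    for e in events:
        # Self-access and allow-listed sources are expected behaviour.
        if e.source == e.target or e.source in KNOWN_BENIGN_SOURCES:
            continue
        if e.event_id == 10 and (e.granted_access & INJECT_MASK) == INJECT_MASK:
            findings.append(("process opened with write+thread-create rights", e))
        elif e.event_id == 8:
            # A remote thread whose start address maps to no loaded module is the
            # classic footprint of injected shellcode.
            reason = ("remote thread starting outside any module" if not e.start_module
                      else "remote thread created in another process")
            findings.append((reason, e))
    return findings


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    Event(10, r"C:\Windows\System32\csrss.exe", r"C:\Windows\explorer.exe", 0x1FFFFF),
    Event(10, r"C:\Program Files\Editor\editor.exe", r"C:\Program Files\Editor\editor.exe", 0x1410),
    Event(10, r"C:\Users\Public\update.exe", r"C:\Windows\System32\notepad.exe",
          PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ),
    Event(8, r"C:\Users\Public\update.exe", r"C:\Windows\System32\notepad.exe", start_module=""),
    Event(8, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\lsass.exe",
          start_module=r"C:\Windows\System32\ntdll.dll"),
]

if __name__ == "__main__":
    for reason, e in analyse(SAMPLE_EVENTS):
        print(f"[Event {e.event_id}] {reason}: {e.source} -> {e.target}")
```

On the sample data, the allow-listed csrss.exe access and the editor's self-access are skipped, the notepad.exe handle with write plus thread-create rights is flagged, and both remote-thread events are reported, the one without a start module with the stronger reason. In a real deployment the allow-list and the mask would be tuned to the environment; the structure of the check stays the same.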

What are the types of Process Injection techniques?

There are many different ways to inject code into a process, many of which abuse legitimate functionality. Implementations exist for every major OS but are typically platform-specific.

MITRE Process Injection sub-techniques (technique name):

  • Portable Executable Injection

  • Thread Execution Hijacking

  • Asynchronous Procedure Call

  • Thread Local Storage

  • Ptrace System Calls

  • Proc Memory

  • Extra Window Memory Injection

  • Process Hollowing

  • Process Doppelgänging

  • VDSO Hijacking

Below are some more references on Process Injection techniques:

For Offensive Security:

For Defensive Security:

Important things to remember (will update as I learn more):

  • We cannot load a 32-bit DLL into a 64-bit process, and likewise a 64-bit DLL cannot be loaded into a 32-bit process. So to inject a 64-bit DLL we need a 64-bit target process.

  • Shellcode is different for 32-bit and 64-bit.

  • main or WinMain is not always the actual execution entry point of the malware. Some malware authors inject code into the C runtime initialization, which runs before the jump to the program's main entry point. This is one of the anti-analysis techniques.
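The bitness rule above is something an analyst checks from the file header rather than by trial and error: the Machine field of IMAGE_FILE_HEADER states which architecture a DLL or EXE was built for. The following added example (not code from the original notes) is a small PE header reader for that field. The Machine constants are the real PE/COFF values; `make_stub_pe` builds constructed header-only images purely so the checker can be exercised offline, and `can_load` is an assumed helper name.

```python
"""Read the target architecture of a PE image from its headers.

Added example, not from the original notes. Use it to confirm a DLL's bitness
matches the process that would load it: a 32-bit DLL cannot be loaded into a
64-bit process and vice versa.
"""
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_ARM64 = 0xAA64

MACHINE_NAMES = {
    IMAGE_FILE_MACHINE_I386: "x86 (32-bit)",
    IMAGE_FILE_MACHINE_AMD64: "x64 (64-bit)",
    IMAGE_FILE_MACHINE_ARM64: "ARM64 (64-bit)",
}


def pe_machine(data: bytes) -> int:
    """Return the Machine field of a PE image, or raise ValueError if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    # e_lfanew at offset 0x3C in the DOS header points to the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Signature (4 bytes) + IMAGE_FILE_HEADER (20 bytes) must fit in the buffer.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("invalid e_lfanew or missing PE signature")
    # IMAGE_FILE_HEADER follows the signature; Machine is its first WORD.
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def is_64bit(data: bytes) -> bool:
    """True for x64 and ARM64 images, False for x86."""
    return pe_machine(data) in (IMAGE_FILE_MACHINE_AMD64, IMAGE_FILE_MACHINE_ARM64)


def can_load(dll: bytes, process_is_64bit: bool) -> bool:
    """True only when the DLL's bitness matches the loading process (assumed helper)."""
    return is_64bit(dll) == process_is_64bit


def make_stub_pe(machine: int) -> bytes:
    """Build a minimal header-only PE image for testing (constructed, not runnable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: NT headers right after the DOS header
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (all zero except Machine).
    file_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + file_header


if __name__ == "__main__":
    for label, m in (("x86 stub", IMAGE_FILE_MACHINE_I386), ("x64 stub", IMAGE_FILE_MACHINE_AMD64)):
        img = make_stub_pe(m)
        print(f"{label}: {MACHINE_NAMES[pe_machine(img)]}; "
              f"loadable by a 64-bit process: {can_load(img, True)}")
```

To check a real file, pass `open(path, "rb").read()` to `pe_machine`. The Magic field of the optional header (0x10B for PE32, 0x20B for PE32+) gives the same answer and is the other common place to look.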
