Process Injection : Introduction
Inject code into running process memory to be stealthy and avoid detection
Here is my breakdown of the MITRE definition of Process Injection, with some additions:
What is Process Injection?
Process injection is a method of executing arbitrary code in the address space of a separate live process.
Below is a diagram I found that illustrates Process Injection quite well:
What is it used for?
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
What are the types of Process Injection techniques?
There are many different ways to inject code into a process, many of which abuse legitimate functionality. Implementations exist for every major OS but are typically platform-specific.
Below are some further references on Process Injection techniques:
For Offensive Security:
For Defensive Security:
Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.
Important things to remember (will be updated as I learn more):
A 32-bit DLL cannot be loaded into a 64-bit process, and likewise a 64-bit DLL cannot be loaded into a 32-bit process, so a 64-bit DLL must be injected into a 64-bit process.
Shellcode differs between 32-bit and 64-bit targets.
The main or WinMain function is not always the actual entry point of the malware. Some malware authors inject code into the C runtime initialization, which runs before control reaches the program's main entry point. This is one of the anti-analysis techniques.
MITRE sub-techniques of Process Injection (MITRE ID | Technique Name):
Portable Executable Injection
Thread Execution Hijacking
Asynchronous Procedure Call
Thread Local Storage
Ptrace System Calls
Proc Memory
Extra Window Memory Injection
Process Hollowing
Process Doppelgänging
VDSO Hijacking