# Process Injection : Introduction

Here is my breakdown of MITRE definition for Process Injection, with some additions:

**What is Process Injection?**

Process injection is a method of executing arbitrary code in the address space of a separate live process.

Below is the diagram I found which defines Process Injection quite well:

![https://medium.com/@ozan.unal/process-injection-techniques-bc6396929740](https://4184808047-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MHIKjDdgSdFUGKt4Xh3%2F-MHjaXexDIThkZGtGpTL%2F-MHjiwbdf7VIWjkxQ5_o%2FProcessInjection.png?alt=media\&token=3074946c-19f8-4f14-83cf-fe373c1abcd9)

**What is it used for?**

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

**What are the types of Process Injection Techniques?**

There are many different ways to inject code into a process, many of which abuse legitimate functionality (debugging APIs, thread scheduling, loader behaviour). Implementations exist for every major OS but are typically platform specific; the Windows sub-techniques below dominate, while `ptrace`, `/proc/<pid>/mem` and VDSO hijacking are the Linux counterparts.

| MITRE ID                                                    | Technique Name                                                                                             |
| ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- |
| [T1055.001](https://attack.mitre.org/techniques/T1055/001/) | [Dynamic-link Library Injection](https://ctfcracker.gitbook.io/process-injection/process-injection-part-2) |
| [T1055.002](https://attack.mitre.org/techniques/T1055/002/) | Portable Executable Injection                                                                              |
| [T1055.003](https://attack.mitre.org/techniques/T1055/003/) | Thread Execution Hijacking                                                                                 |
| [T1055.004](https://attack.mitre.org/techniques/T1055/004/) | Asynchronous Procedure Call                                                                                |
| [T1055.005](https://attack.mitre.org/techniques/T1055/005/) | Thread Local Storage                                                                                       |
| [T1055.008](https://attack.mitre.org/techniques/T1055/008/) | Ptrace System Calls                                                                                        |
| [T1055.009](https://attack.mitre.org/techniques/T1055/009/) | Proc Memory                                                                                                |
| [T1055.011](https://attack.mitre.org/techniques/T1055/011/) | Extra Window Memory Injection                                                                              |
| [T1055.012](https://attack.mitre.org/techniques/T1055/012/) | Process Hollowing                                                                                          |
| [T1055.013](https://attack.mitre.org/techniques/T1055/013/) | Process Doppelgänging                                                                                      |
| [T1055.014](https://attack.mitre.org/techniques/T1055/014/) | VDSO Hijacking                                                                                             |

Below are some more references to read more about Process Injection Techniques:

**For Offensive Security:**

* <https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process>
* <https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All.pdf>
* <https://safebreach.com/Post/The-Ultimate-Collection-of-Windows-Process-Injection-Techniques-Black-Hat-2019-In-Depth-Briefing>
* <https://attack.mitre.org/techniques/T1055/>
* <https://www.ired.team/offensive-security/code-injection-process-injection/process-injection>

**For Defensive Security:**

* <https://posts.specterops.io/engineering-process-injection-detections-part-1-research-951e96ad3c85>
* <https://github.com/jsecurity101/Detecting-Process-Injection-Techniques>
* <https://attack.mitre.org/techniques/T1055/>
* <https://attack.mitre.org/mitigations/M1040/>
* Windows API calls worth monitoring for this technique: `CreateRemoteThread` (remote thread creation), `SuspendThread`/`SetThreadContext`/`ResumeThread` (thread execution hijacking), `QueueUserAPC`/`NtQueueApcThread` (APC injection), and the calls that modify memory in another process, such as `VirtualAllocEx`/`WriteProcessMemory`. Seeing these chained together from one process against a different target process is the classic allocate-write-execute pattern.
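As an added illustration of the allocate-write-execute chain described in the bullet above (this is example code written for this page, not from MITRE or any of the linked posts), the following Python detector walks a constructed stream of cross-process API call records and flags the sequence `VirtualAllocEx` -> `WriteProcessMemory` -> one of the execution primitives, mapped back to the sub-technique names in the table. The log format, the process names and PIDs, and the hypothetical `updater.exe` injector are all made up for the example.

```python
"""Toy process-injection chain detector over constructed API-call telemetry.

Each record is one cross-process API call in the made-up line format:
    <ts> pid=<n> image=<name> api=<name> target_pid=<n>
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) "
    r"api=(?P<api>\w+) target_pid=(?P<target>\d+)$"
)

# Stage 1: allocate memory in the target.  Stage 2: write into it.
ALLOC = {"VirtualAllocEx", "NtAllocateVirtualMemory"}
WRITE = {"WriteProcessMemory", "NtWriteVirtualMemory"}
# Stage 3: start execution; the API used hints at the sub-technique.
EXEC = {
    "CreateRemoteThread": "remote thread (used by T1055.001 / T1055.002)",
    "NtCreateThreadEx": "remote thread (used by T1055.001 / T1055.002)",
    "QueueUserAPC": "asynchronous procedure call (T1055.004)",
    "NtQueueApcThread": "asynchronous procedure call (T1055.004)",
    "SetThreadContext": "thread execution hijacking (T1055.003)",
}

# Constructed sample: pid 4412 injects into explorer.exe (1234) via a remote
# thread, pid 5200 via an APC.  chrome.exe only touches its own memory and
# backup.exe only reads the target, so neither may be flagged.
SAMPLE_LOG = """\
10:00:01 pid=4412 image=updater.exe api=OpenProcess target_pid=1234
10:00:01 pid=4412 image=updater.exe api=VirtualAllocEx target_pid=1234
10:00:02 pid=4412 image=updater.exe api=WriteProcessMemory target_pid=1234
10:00:02 pid=4412 image=updater.exe api=CreateRemoteThread target_pid=1234
10:00:03 pid=2000 image=chrome.exe api=VirtualAllocEx target_pid=2000
10:00:03 pid=2000 image=chrome.exe api=WriteProcessMemory target_pid=2000
10:00:04 pid=3100 image=backup.exe api=OpenProcess target_pid=1234
10:00:04 pid=3100 image=backup.exe api=ReadProcessMemory target_pid=1234
10:00:05 pid=5200 image=a.exe api=VirtualAllocEx target_pid=1234
10:00:05 pid=5200 image=a.exe api=WriteProcessMemory target_pid=1234
10:00:06 pid=5200 image=a.exe api=QueueUserAPC target_pid=1234
"""


@dataclass
class Finding:
    pid: int
    image: str
    target_pid: int
    technique: str
    chain: list = field(default_factory=list)


def parse(log_text):
    """Yield (ts, pid, image, api, target_pid); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], int(m["pid"]), m["image"], m["api"], int(m["target"])


def detect(log_text):
    """Return one Finding per completed allocate -> write -> execute chain.

    State is tracked per (source pid, target pid) pair: 0 = nothing seen,
    1 = memory allocated in the target, 2 = memory written.  Calls a process
    makes against itself are ignored, since that is not injection.
    """
    state = defaultdict(int)
    chains = defaultdict(list)
    findings = []
    for _ts, pid, image, api, target in parse(log_text):
        if pid == target:
            continue
        key = (pid, target)
        if api in ALLOC:                       # (re)start a chain
            state[key], chains[key] = 1, [api]
        elif api in WRITE and state[key] >= 1:
            state[key] = 2
            chains[key].append(api)
        elif api in EXEC and state[key] == 2:  # chain completed
            chains[key].append(api)
            findings.append(Finding(pid, image, target, EXEC[api], chains[key]))
            state[key], chains[key] = 0, []
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.image} ({f.pid}) -> pid {f.target_pid}: {f.technique}; "
              f"chain = {' -> '.join(f.chain)}")
```

The sequence match is deliberately minimal: it only models the chain the bullet names, so a technique that writes into an existing mapped section, or that hijacks a thread without allocating first, would not complete the state machine. Production detections (see the SpecterOps post above) lean on kernel callbacks and memory-region attributes rather than user-mode API ordering, which an attacker can reorder or call through direct syscalls.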

**Important things to remember (Will update as I learn new ones):**

* A 64-bit process cannot load a 32-bit DLL, and a 32-bit process cannot load a 64-bit DLL, so the injected DLL must match the bitness of the target process. A 64-bit DLL therefore needs a 64-bit target, and it is simplest to use an injector of the same bitness as well.
* Shellcode is different for 32-bit and 64-bit targets (different calling conventions and register usage), so the payload must also match the target's bitness.
* `main` or `WinMain` is not always the actual execution start point. The executable's entry point is the C runtime start-up code, which runs before `main`; some malware authors place code in that CRT initialization (or in TLS callbacks, which run even earlier) so it executes before an analyst who breaks on `main` sees anything. This is one of the anti-analysis techniques.
