# Process Injection : Introduction

Here is my breakdown of the MITRE definition of Process Injection, with some additions:

**What is Process Injection?**

Process injection is a method of executing arbitrary code in the address space of a separate live process.

Below is a diagram I found that defines Process Injection quite well:

![Process injection diagram](/files/-MHjiwbdf7VIWjkxQ5_o)

Diagram source: <https://medium.com/@ozan.unal/process-injection-techniques-bc6396929740>

**What is it used for?**

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

**What are the types of Process Injection techniques?**

There are many different ways to inject code into a process, many of which abuse legitimate functionality. Implementations exist for every major OS but are typically platform-specific.

| MITRE ID                                                    | Technique Name                                                                                             |
| ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- |
| [T1055.001](https://attack.mitre.org/techniques/T1055/001/) | [Dynamic-link Library Injection](https://ctfcracker.gitbook.io/process-injection/process-injection-part-2) |
| [T1055.002](https://attack.mitre.org/techniques/T1055/002/) | Portable Executable Injection                                                                              |
| [T1055.003](https://attack.mitre.org/techniques/T1055/003/) | Thread Execution Hijacking                                                                                 |
| [T1055.004](https://attack.mitre.org/techniques/T1055/004/) | Asynchronous Procedure Call                                                                                |
| [T1055.005](https://attack.mitre.org/techniques/T1055/005/) | Thread Local Storage                                                                                       |
| [T1055.008](https://attack.mitre.org/techniques/T1055/008/) | Ptrace System Calls                                                                                        |
| [T1055.009](https://attack.mitre.org/techniques/T1055/009/) | Proc Memory                                                                                                |
| [T1055.011](https://attack.mitre.org/techniques/T1055/011/) | Extra Window Memory Injection                                                                              |
| [T1055.012](https://attack.mitre.org/techniques/T1055/012/) | Process Hollowing                                                                                          |
| [T1055.013](https://attack.mitre.org/techniques/T1055/013/) | Process Doppelgänging                                                                                      |
| [T1055.014](https://attack.mitre.org/techniques/T1055/014/) | VDSO Hijacking                                                                                             |

Below are some more references for reading further about Process Injection techniques:

**For Offensive Security:**

* <https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process>
* <https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All.pdf>
* <https://safebreach.com/Post/The-Ultimate-Collection-of-Windows-Process-Injection-Techniques-Black-Hat-2019-In-Depth-Briefing>
* <https://attack.mitre.org/techniques/T1055/>
* <https://www.ired.team/offensive-security/code-injection-process-injection/process-injection>

**For Defensive Security:**

* <https://posts.specterops.io/engineering-process-injection-detections-part-1-research-951e96ad3c85>
* <https://github.com/jsecurity101/Detecting-Process-Injection-Techniques>
* <https://attack.mitre.org/techniques/T1055/>
* <https://attack.mitre.org/mitigations/M1040/>
* Windows API calls such as `CreateRemoteThread`, `SuspendThread`/`SetThreadContext`/`ResumeThread`, `QueueUserAPC`/`NtQueueApcThread`, and those that can be used to modify memory within another process, such as `VirtualAllocEx`/`WriteProcessMemory`, may be used for this technique.
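The API list above describes the usual three-step shape of remote injection: allocate memory in another process, write to it, then start execution there. The following is an added detection example (not code from this page, MITRE, or any of the linked projects) that correlates those primitives over a constructed, simplified telemetry feed; it assumes a record format of `ts`, `src_pid`, `dst_pid`, `api`, which real sources (ETW, EDR, Sysmon) do not share verbatim, and it adds the native-API equivalents (`NtAllocateVirtualMemory`, `NtWriteVirtualMemory`, `NtCreateThreadEx`) to the sets named on the page.

```python
"""Toy correlation rule: cross-process allocate -> write -> execute chains.

Added example, not part of the original page. The telemetry schema and the
sample events below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample telemetry: one record per observed API call.
SAMPLE_EVENTS = [
    {"ts": 1, "src_pid": 4321, "dst_pid": 4321, "api": "VirtualAlloc"},        # self, benign
    {"ts": 2, "src_pid": 4321, "dst_pid": 1234, "api": "OpenProcess"},
    {"ts": 3, "src_pid": 4321, "dst_pid": 1234, "api": "VirtualAllocEx"},
    {"ts": 4, "src_pid": 4321, "dst_pid": 1234, "api": "WriteProcessMemory"},
    {"ts": 5, "src_pid": 4321, "dst_pid": 1234, "api": "CreateRemoteThread"},
    {"ts": 6, "src_pid": 5555, "dst_pid": 7777, "api": "WriteProcessMemory"},  # write only, no exec step
    {"ts": 7, "src_pid": 6000, "dst_pid": 6001, "api": "VirtualAllocEx"},
    {"ts": 8, "src_pid": 6000, "dst_pid": 6001, "api": "WriteProcessMemory"},
    {"ts": 9, "src_pid": 6000, "dst_pid": 6001, "api": "QueueUserAPC"},
]

# The three stages from the MITRE detection note, plus native-API equivalents
# (assumed additions; the page itself names only the Win32 wrappers).
ALLOC_APIS = {"VirtualAllocEx", "NtAllocateVirtualMemory"}
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory"}
EXEC_APIS = {"CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC",
             "NtQueueApcThread", "SetThreadContext"}


def find_injection_sequences(events):
    """Return one hit per (source, target) pair that completes alloc -> write -> exec.

    Each hit is {"src_pid", "dst_pid", "chain"} where chain lists the three
    APIs in the order they were seen. Same-process activity is ignored, and
    an unrelated call between stages does not reset the chain.
    """
    by_pair = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["src_pid"] != ev["dst_pid"]:          # cross-process only
            by_pair[(ev["src_pid"], ev["dst_pid"])].append(ev)

    hits = []
    for (src, dst), evs in by_pair.items():
        stage, chain = 0, []                         # 0 = idle, 1 = allocated, 2 = written
        for ev in evs:
            api = ev["api"]
            if stage == 0 and api in ALLOC_APIS:
                stage, chain = 1, [api]
            elif stage == 1 and api in WRITE_APIS:
                stage, chain = 2, chain + [api]
            elif stage == 2 and api in EXEC_APIS:
                hits.append({"src_pid": src, "dst_pid": dst, "chain": chain + [api]})
                stage, chain = 0, []                 # allow a second chain for the same pair
    return hits


if __name__ == "__main__":
    for hit in find_injection_sequences(SAMPLE_EVENTS):
        print(f"pid {hit['src_pid']} -> pid {hit['dst_pid']}: {' -> '.join(hit['chain'])}")
```

The rule deliberately requires all three stages: a lone `WriteProcessMemory` (debuggers and some installers do this) is not a hit, while the `QueueUserAPC` variant is caught because the exec stage accepts any of the execution primitives listed on the page. Thread hijacking that reuses memory already mapped in the target would skip the allocation stage, so it needs a separate rule keyed on `SuspendThread`/`SetThreadContext`/`ResumeThread`.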

**Important things to remember (will update as I learn more):**

* A 32-bit DLL cannot be loaded into a 64-bit process, and likewise a 64-bit DLL cannot be loaded into a 32-bit process. So a 64-bit DLL needs a 64-bit target process.
* Shellcode differs between 32-bit and 64-bit.
* `main` or `WinMain` is not always the actual execution point of the malware. Some malware authors inject code into the C runtime initialisation, which runs before the jump to the program's main entry point. This is one of the anti-analysis techniques.
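The bitness rule in the first bullet is something an analyst can check directly from the PE header rather than by trial and error. Below is an added example (not from this page) that reads the COFF `Machine` field and the `IMAGE_FILE_DLL` characteristic to decide whether a DLL matches a 32- or 64-bit process. The machine constants are the documented PE values; the `build_stub_pe` helper fabricates a minimal header purely so the example runs offline, and real use would pass the bytes of an actual file.

```python
"""Check whether a DLL's architecture matches a target process's bitness.

Added example, not part of the original page. Parses only the DOS header,
PE signature and COFF file header, which is enough to answer the question.
"""
import struct

# Documented PE header constants.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_ARM64 = 0xAA64
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000

MACHINE_BITS = {
    IMAGE_FILE_MACHINE_I386: 32,
    IMAGE_FILE_MACHINE_AMD64: 64,
    IMAGE_FILE_MACHINE_ARM64: 64,
}

# Layout of the COFF file header that follows the "PE\0\0" signature.
COFF_HEADER = "<HHIIIHH"  # Machine, NumberOfSections, TimeDateStamp,
                          # PointerToSymbolTable, NumberOfSymbols,
                          # SizeOfOptionalHeader, Characteristics


def pe_info(data: bytes) -> dict:
    """Return machine, bitness and DLL flag for a PE image (raw file bytes)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: bad PE signature")
    machine, _, _, _, _, _, characteristics = struct.unpack_from(
        COFF_HEADER, data, e_lfanew + 4)
    return {
        "machine": machine,
        "bits": MACHINE_BITS.get(machine),        # None for unknown machines
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
    }


def can_load_into(dll_data: bytes, process_bits: int) -> bool:
    """True only if the image is a DLL whose bitness equals the process's."""
    info = pe_info(dll_data)
    return info["is_dll"] and info["bits"] == process_bits


def build_stub_pe(machine: int, is_dll: bool = True) -> bytes:
    """Constructed minimal header (DOS header + PE signature + COFF header) for testing."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    characteristics = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    coff_header = struct.pack(COFF_HEADER, machine, 1, 0, 0, 0, 0, characteristics)
    return dos_header + b"PE\x00\x00" + coff_header


if __name__ == "__main__":
    x64_dll = build_stub_pe(IMAGE_FILE_MACHINE_AMD64)
    x86_dll = build_stub_pe(IMAGE_FILE_MACHINE_I386)
    print("64-bit DLL into 64-bit process:", can_load_into(x64_dll, 64))
    print("32-bit DLL into 64-bit process:", can_load_into(x86_dll, 64))
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `pe_info`; the `Characteristics` flag distinguishes a DLL from an EXE with the same `Machine` value, which is why `can_load_into` checks both.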
