Process Injection
Process Injection : Introduction

Inject code into running process memory to be stealthy and avoid detection

Last updated 4 years ago

Here is my breakdown of the MITRE definition of Process Injection, with some additions:

What is Process Injection?

Process injection is a method of executing arbitrary code in the address space of a separate live process.

Below is a diagram I found that defines Process Injection quite well:

What is it used for?

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

What are the types of Process Injection techniques?

There are many different ways to inject code into a process, many of which abuse legitimate functionality. Implementations exist for every major OS but are typically platform-specific.

MITRE ID    Technique Name
T1055.001   Dynamic-link Library Injection
T1055.002   Portable Executable Injection
T1055.003   Thread Execution Hijacking
T1055.004   Asynchronous Procedure Call
T1055.005   Thread Local Storage
T1055.008   Ptrace System Calls
T1055.009   Proc Memory
T1055.011   Extra Window Memory Injection
T1055.012   Process Hollowing
T1055.013   Process Doppelgänging
T1055.014   VDSO Hijacking

Below are some more references for reading about Process Injection techniques:

For Offensive Security:

  • https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
  • https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All.pdf
  • https://safebreach.com/Post/The-Ultimate-Collection-of-Windows-Process-Injection-Techniques-Black-Hat-2019-In-Depth-Briefing
  • https://attack.mitre.org/techniques/T1055/
  • https://www.ired.team/offensive-security/code-injection-process-injection/process-injection

For Defensive Security:

  • https://posts.specterops.io/engineering-process-injection-detections-part-1-research-951e96ad3c85
  • https://github.com/jsecurity101/Detecting-Process-Injection-Techniques
  • https://attack.mitre.org/techniques/T1055/
  • https://attack.mitre.org/mitigations/M1040/
  • Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and calls that modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique, so monitoring them is a starting point for detection.

https://medium.com/@ozan.unal/process-injection-techniques-bc6396929740

Important things to remember (will update as I learn more):

  • We cannot load a 32-bit DLL into a 64-bit process, and similarly a 64-bit DLL cannot be loaded into a 32-bit process. So we need a 64-bit process to inject a 64-bit DLL.

  • Shellcode is different for 32-bit and 64-bit.

  • main or WinMain is not always the actual execution point of the malware. Some malware authors inject code into the C runtime initialization, which runs before the jump to the program's main entry point. This is one of the anti-analysis techniques.
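The defensive note above lists the API calls that injection relies on (CreateRemoteThread, VirtualAllocEx/WriteProcessMemory and friends). The following is an added example, not code from the original page, of how a detection would consume telemetry about those calls: it parses Sysmon-style CreateRemoteThread (Event ID 8) and ProcessAccess (Event ID 10) records and flags cross-process thread creation, thread start addresses not backed by a module, threads starting at LoadLibrary (the classic DLL-injection signature), and process handles opened with both create-thread and write-memory rights. The `key=value|...` line format and all sample events are constructed for this example; the PROCESS_* access-mask values are the Win32 constants.

```python
"""Flag cross-process thread creation and suspicious process handles in
Sysmon-style event lines.  The events and line format are constructed for
this example, not real telemetry."""

# Win32 process access-mask bits an injector needs on the target handle.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Thread start functions typically handed to CreateRemoteThread for DLL injection.
LOADER_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

# Constructed sample events: Sysmon field names, 'key=value' pairs joined by '|'.
SAMPLE_EVENTS = [
    "EventID=8|SourceImage=C:\\Windows\\System32\\svchost.exe|TargetImage=C:\\Windows\\System32\\svchost.exe|StartModule=C:\\Windows\\System32\\ntdll.dll|StartFunction=RtlUserThreadStart",
    "EventID=8|SourceImage=C:\\Users\\bob\\Downloads\\update.exe|TargetImage=C:\\Windows\\explorer.exe|StartModule=C:\\Windows\\System32\\kernel32.dll|StartFunction=LoadLibraryA",
    "EventID=8|SourceImage=C:\\Users\\bob\\Downloads\\update.exe|TargetImage=C:\\Windows\\System32\\notepad.exe|StartModule=|StartFunction=",
    "EventID=10|SourceImage=C:\\Users\\bob\\Downloads\\update.exe|TargetImage=C:\\Windows\\explorer.exe|GrantedAccess=0x1F0FFF",
    "EventID=10|SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\System32\\notepad.exe|GrantedAccess=0x1400",
]


def parse_event(line):
    """Split a 'k=v|k=v' line into a dict; values may be empty strings."""
    return dict(field.split("=", 1) for field in line.split("|"))


def classify(event):
    """Return the reasons an event looks like process injection (empty list if benign)."""
    reasons = []
    eid = event.get("EventID")
    src, dst = event.get("SourceImage", ""), event.get("TargetImage", "")
    if eid == "8" and src.lower() != dst.lower():
        # A thread created in a different process is the CreateRemoteThread pattern.
        reasons.append("remote thread created in another process")
        if not event.get("StartModule"):
            # Start address not inside any loaded module: injected shellcode or a manually mapped image.
            reasons.append("thread start address not backed by a loaded module")
        if event.get("StartFunction") in LOADER_EXPORTS:
            reasons.append("thread starts at %s (classic DLL injection)" % event["StartFunction"])
    elif eid == "10":
        granted = int(event.get("GrantedAccess", "0x0"), 16)
        if granted & INJECTION_MASK == INJECTION_MASK:
            reasons.append("handle with create-thread and write-memory rights (0x%X)" % granted)
    return reasons


def scan(lines):
    """Return (source, target, reasons) for every event that trips a rule."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append((event["SourceImage"], event["TargetImage"], reasons))
    return hits


if __name__ == "__main__":
    for src, dst, why in scan(SAMPLE_EVENTS):
        print(f"{src} -> {dst}: {'; '.join(why)}")
```

Of the five constructed events, the first (a process creating a thread in itself) and the last (a handle with only query and read rights) are left alone; the other three are reported. A real deployment would add allow-lists for tooling that legitimately opens such handles (debuggers, AV, backup agents) rather than alert on every PROCESS_ALL_ACCESS handle.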
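The first and third points in the list above (DLL bitness must match the host process; the PE entry point is not main) both come down to fields in the PE header. As an added example that is not part of the original page, the code below builds two minimal, constructed PE header images (one PE32/i386, one PE32+/AMD64), parses the IMAGE_FILE_HEADER and optional header to determine bitness, the DLL characteristics flag and AddressOfEntryPoint, and then applies the matching rule. The `build_minimal_pe`, `parse_pe` and `can_load` names are this example's own; the constants are the documented PE values.

```python
"""Decide whether a DLL's PE headers match the bitness of an intended host
process, and read the real entry point RVA.  The PE images are constructed
minimal headers for this example, not real DLLs."""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x010B        # optional header magic for 32-bit images
PE32PLUS_MAGIC = 0x020B    # optional header magic for 64-bit images
IMAGE_FILE_DLL = 0x2000    # IMAGE_FILE_HEADER.Characteristics: image is a DLL


def build_minimal_pe(machine, magic, entry_rva=0x1000, is_dll=True):
    """Construct just enough of a PE file for parse_pe (test data only)."""
    e_lfanew = 0x40
    # DOS header: 'MZ' signature, padding, e_lfanew at offset 0x3C.
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    characteristics = IMAGE_FILE_DLL if is_dll else 0
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0x60, characteristics)
    # Optional header prefix: Magic, Major/MinorLinkerVersion, SizeOfCode,
    # SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint (offset 16).
    opt_hdr = struct.pack("<HBBIIII", magic, 14, 0, 0, 0, 0, entry_rva).ljust(0x60, b"\0")
    return dos + b"PE\0\0" + file_hdr + opt_hdr


def parse_pe(data):
    """Return {'bits', 'is_dll', 'entry_rva'} from the PE headers, or raise ValueError."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", data, opt)[0]
    # AddressOfEntryPoint is where the loader transfers control.  In a typical
    # MSVC build this is the C runtime startup stub, which later calls main/WinMain,
    # which is why analysts cannot assume main is the first code that runs.
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if machine == IMAGE_FILE_MACHINE_AMD64 and magic == PE32PLUS_MAGIC:
        bits = 64
    elif machine == IMAGE_FILE_MACHINE_I386 and magic == PE32_MAGIC:
        bits = 32
    else:
        raise ValueError(f"inconsistent or unsupported headers: machine=0x{machine:X} magic=0x{magic:X}")
    return {"bits": bits, "is_dll": bool(characteristics & IMAGE_FILE_DLL), "entry_rva": entry_rva}


def can_load(dll_bytes, host_bits):
    """True only when the image is a DLL whose bitness equals the host process's."""
    info = parse_pe(dll_bytes)
    return info["is_dll"] and info["bits"] == host_bits


if __name__ == "__main__":
    for name, image in (("x64 dll", build_minimal_pe(IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC)),
                        ("x86 dll", build_minimal_pe(IMAGE_FILE_MACHINE_I386, PE32_MAGIC))):
        info = parse_pe(image)
        print(f"{name}: {info['bits']}-bit, entry RVA 0x{info['entry_rva']:X}, "
              f"loadable in 64-bit host: {can_load(image, 64)}, in 32-bit host: {can_load(image, 32)}")
```

The parser deliberately refuses images whose Machine and optional-header Magic disagree instead of trusting either field alone, since a header that has been tampered with should be treated as suspect rather than silently classified.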