Process Injection Techniques

Identifying process injection techniques by the Windows API calls they make.

Classic DLL Injection

Classic DLL injection writes the path of a DLL into the address space of the target process and then starts a remote thread whose start routine is LoadLibrary, so the target's own loader maps the DLL. Once loaded, the DLL runs with the target's privileges and can hook API calls, modify program behaviour or add malicious functionality. The DLL has to exist on disk, which is the main reason the later techniques on this page avoid LoadLibrary. The four calls below, in that order and on the same process handle, are the classic sequence.

  • OpenProcess
  • VirtualAllocEx
  • WriteProcessMemory
  • CreateRemoteThread

DLL Injection Using SetWindowsHookEx

SetWindowsHookEx installs a hook procedure that must live in a DLL. When the hook targets a thread of another process, or is global (thread id 0), Windows loads that DLL into every process on the same desktop that receives the hooked event, for example keyboard or mouse input or window messages. The injector first loads the DLL into itself to resolve the exported hook procedure with GetProcAddress and then registers it. No cross-process memory write is involved, so detections keyed on VirtualAllocEx/WriteProcessMemory miss this variant; the observables are the SetWindowsHookEx call itself and the unexpected DLL load in the victim.

  • LoadLibrary/LoadLibraryEx
  • GetProcAddress
  • SetWindowsHookEx

APC Injection

An asynchronous procedure call (APC) is a function queued to a specific thread; the thread runs it the next time it enters an alertable wait (SleepEx, WaitForSingleObjectEx, WaitForMultipleObjectsEx or MsgWaitForMultipleObjectsEx with the alertable flag set). APC injection allocates and writes the payload into the target and then queues it with QueueUserAPC or the native NtQueueApcThread, usually to every thread found through the toolhelp snapshot because it is not known in advance which one will become alertable. No new thread is created in the target, which is what makes it harder to spot than CreateRemoteThread-based injection; the flip side is that the payload only runs if some thread actually enters an alertable state.

  • CreateToolhelp32Snapshot
  • Process32First
  • Thread32First
  • Thread32Next
  • Process32Next
  • OpenProcess
  • VirtualAllocEx
  • WriteProcessMemory
  • QueueUserAPC/NtQueueApcThread
  • VirtualFreeEx
  • CloseHandle

Atom Bombing

Atom Bombing (published by enSilo in 2016) uses the global atom table as the channel into the target instead of WriteProcessMemory. Any process can store a string in the table with GlobalAddAtom, and an APC that calls GlobalGetAtomName, queued to a thread of the target with NtQueueApcThread, makes the target itself copy that string into one of its own buffers. A second APC then runs a return-oriented chain inside the target that makes the buffer executable and jumps to it. The events and alertable waits in the list below are how the injector synchronises with the APCs it has queued; the absence of any remote write is what defeats detections built on the classic trio.

  • CreateToolhelp32Snapshot
  • Thread32First
  • Thread32Next
  • OpenThread
  • GlobalAddAtom
  • CreateEvent
  • DuplicateHandle
  • NtQueueApcThread
  • QueueUserAPC
  • GetModuleHandle
  • GetProcAddress
  • GlobalGetAtomName
  • SetEvent
  • GetCurrentProcess
  • SleepEx
  • WaitForMultipleObjectsEx
  • MsgWaitForMultipleObjectsEx
  • CloseHandle

ALPC Injection

ALPC injection uses the Advanced Local Procedure Call mechanism, the undocumented IPC layer beneath LPC and RPC, as the route into the target. The variant catalogued here enumerates handles system-wide with NtQuerySystemInformation, duplicates candidate handles into the injector with NtDuplicateObject and inspects them with NtQueryObject to find ALPC port objects, then connects to a port with NtConnectPort. The usual cross-process memory calls (VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, plus VirtualQueryEx with GetMappedFileName to locate modules in the target) place and trigger the code. An NtConnectPort from a process that also writes another process's memory is the combination to look for.

  • NtQuerySystemInformation
  • NtDuplicateObject/ZwDuplicateObject
  • GetCurrentProcess
  • NtQueryObject
  • NtClose
  • RtlInitUnicodeString
  • NtConnectPort
  • VirtualAllocEx
  • WriteProcessMemory
  • CopyMemory
  • ReadProcessMemory
  • VirtualFreeEx
  • VirtualQueryEx
  • GetMappedFileName
  • OpenProcess
  • CloseHandle
  • GetSystemInfo

LockPoS

LockPoS is point-of-sale malware whose injection chain avoids WriteProcessMemory. The original executable loads a dropper; the dropper creates a section with NtCreateSection, maps it into itself and into explorer.exe with NtMapViewOfSection, copies the second-stage loader and the final payload into its local view, and starts them in explorer.exe with NtCreateThreadEx. The loader inside explorer.exe then loads the final LockPoS DLL. Because the section is shared between the two processes, the payload appears in the target without any remote write, so the section and thread calls are the signal.

  • CreateFileMappingW
  • MapViewOfFile
  • RtlAllocateHeap
  • NtCreateSection
  • NtMapViewOfSection
  • NtCreateThreadEx

Process Hollowing

Process hollowing starts a legitimate executable in the suspended state, reads the PEB of the new process (NtQueryInformationProcess followed by ReadProcessMemory) to find its image base, unmaps the legitimate image with NtUnmapViewOfSection, allocates memory at the same base and writes the payload's headers and sections into it, fixes the page protections with VirtualProtectEx, points the suspended primary thread at the payload's entry point with SetThreadContext and resumes it. The process keeps the name, path and parent of the legitimate executable, which is why it is hard to spot from process listings; the durable artefact is that the memory at the image base is private rather than file-backed.

  • CreateProcess(CREATE_SUSPENDED)
  • NtQueryInformationProcess
  • ReadProcessMemory
  • GetModuleHandle
  • GetProcAddress
  • ZwUnmapViewOfSection/NtUnmapViewOfSection
  • VirtualAllocEx
  • WriteProcessMemory
  • VirtualProtectEx
  • SetThreadContext
  • ResumeThread

Process DoppelGänging

Process Doppelgänging creates an NTFS transaction, overwrites a legitimate executable inside that transaction with the payload, creates an image section from the transacted file with NtCreateSection, and then rolls the transaction back so the file on disk never changes. The section still contains the payload and is used to create a process with NtCreateProcessEx; because this bypasses CreateProcess, the injector must build the process parameters itself with RtlCreateProcessParametersEx, write them into the new process and start its first thread with NtCreateThreadEx. No file containing the payload exists after the rollback, so scanners that inspect the image on disk see only the legitimate file.

  • CreateFileTransacted
  • WriteFile
  • NtCreateSection
  • RollbackTransaction
  • NtCreateProcessEx
  • RtlCreateProcessParametersEx
  • VirtualAllocEx
  • WriteProcessMemory
  • NtCreateThreadEx
  • NtResumeThread

Reflective PE Injection

A reflective loader is a PE whose own code does the loader's job: it parses its headers, allocates memory, copies its sections, resolves imports, applies relocations and calls its entry point. The injector reads the file (CreateFileA, HeapAlloc), writes the whole image into the target with VirtualAllocEx and WriteProcessMemory, and starts a thread at the exported loader function; LoadRemoteLibraryR is the helper from Stephen Fewer's ReflectiveDLLInjection project that does this, not a Windows API. Because LoadLibrary is never called in the target, the module is absent from the PEB loader lists and has no backing file on disk; what remains is a private executable region that begins with a PE header.

  • CreateFileA
  • HeapAlloc
  • OpenProcessToken
  • OpenProcess
  • VirtualAlloc
  • GetProcAddress
  • LoadRemoteLibraryR/LoadLibrary
  • HeapFree
  • CloseHandle
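Process hollowing and reflective PE injection both leave a memory artefact that outlives the API calls: hollowing leaves private, file-less memory at the PEB image base, and a reflective loader leaves a private executable region that starts with a PE header. The following is an added example, not code from the original post, that flags both in a constructed per-region listing of the kind VirtualQueryEx and GetMappedFileName (or a memory-forensics tool) would produce; the field names, the sample process snapshots and the severity labels are assumptions of this example.

```python
"""Flag memory artefacts left by process hollowing and reflective PE injection.

Added example, not code from the original post. Input is a constructed region
listing (VirtualQueryEx + GetMappedFileName style); field names and the sample
snapshots are assumptions of this example.
"""
from dataclasses import dataclass
from typing import List, Optional

EXEC_PROTECTS = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
                 "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}


@dataclass
class Region:
    base: int
    size: int
    mem_type: str               # MEM_IMAGE, MEM_MAPPED or MEM_PRIVATE
    protect: str                # PAGE_* protection
    mapped_file: Optional[str]  # GetMappedFileName result, None if unbacked
    head: bytes = b""           # first bytes of the region (ReadProcessMemory)


@dataclass
class ProcessSnapshot:
    pid: int
    image_path: str       # image file the process was started from
    peb_image_base: int   # PEB.ImageBaseAddress via NtQueryInformationProcess
    regions: List[Region]


def region_at(snap: ProcessSnapshot, addr: int) -> Optional[Region]:
    for r in snap.regions:
        if r.base <= addr < r.base + r.size:
            return r
    return None


def scan(snap: ProcessSnapshot) -> List[str]:
    """Return findings as 'kind: detail' strings; an empty list means clean."""
    findings: List[str] = []
    img = region_at(snap, snap.peb_image_base)
    # Hollowing: NtUnmapViewOfSection removed the legitimate image and
    # VirtualAllocEx/WriteProcessMemory put the payload at the image base, so
    # that memory is private and has no file (or the wrong file) behind it.
    if img is None:
        findings.append(f"hollowed_image: nothing mapped at image base "
                        f"{snap.peb_image_base:#x}")
    elif img.mem_type != "MEM_IMAGE" or not img.mapped_file:
        findings.append(f"hollowed_image: image base {img.base:#x} is "
                        f"{img.mem_type} with no backing file")
    elif img.mapped_file.lower() != snap.image_path.lower():
        findings.append(f"hollowed_image: image base backed by "
                        f"{img.mapped_file}, expected {snap.image_path}")
    # Reflective PE or shellcode: executable memory that no file backs. A PE
    # header at the start separates a reflectively loaded module from JIT
    # output or plain shellcode, which gets the lower-severity label.
    for r in snap.regions:
        if r is img or r.mem_type != "MEM_PRIVATE" or r.protect not in EXEC_PROTECTS:
            continue
        if r.head.startswith(b"MZ"):
            findings.append(f"unbacked_pe: PE header in private executable "
                            f"region {r.base:#x}")
        else:
            findings.append(f"unbacked_exec: private executable region "
                            f"{r.base:#x} (JIT or shellcode)")
    return findings


# Constructed snapshots; addresses and sizes are illustrative, not captured.
NOTEPAD = r"C:\Windows\System32\notepad.exe"
NTDLL = r"C:\Windows\System32\ntdll.dll"
MZ = b"MZ\x90\x00"


def _common() -> List[Region]:
    return [Region(0x7FFC10000000, 0x1F0000, "MEM_IMAGE", "PAGE_READONLY", NTDLL, MZ),
            Region(0x1A0000, 0x10000, "MEM_PRIVATE", "PAGE_READWRITE", None, b"\x00" * 4)]


CLEAN = ProcessSnapshot(1234, NOTEPAD, 0x7FF6A0000000, _common() + [
    Region(0x7FF6A0000000, 0x38000, "MEM_IMAGE", "PAGE_READONLY", NOTEPAD, MZ)])

HOLLOWED = ProcessSnapshot(2345, NOTEPAD, 0x7FF6A0000000, _common() + [
    Region(0x7FF6A0000000, 0x38000, "MEM_PRIVATE", "PAGE_EXECUTE_READWRITE", None, MZ)])

REFLECTIVE = ProcessSnapshot(3456, NOTEPAD, 0x7FF6A0000000, _common() + [
    Region(0x7FF6A0000000, 0x38000, "MEM_IMAGE", "PAGE_READONLY", NOTEPAD, MZ),
    Region(0x1F0000, 0x20000, "MEM_PRIVATE", "PAGE_EXECUTE_READWRITE", None, MZ)])

JIT_ONLY = ProcessSnapshot(4567, NOTEPAD, 0x7FF6A0000000, _common() + [
    Region(0x7FF6A0000000, 0x38000, "MEM_IMAGE", "PAGE_READONLY", NOTEPAD, MZ),
    Region(0x2F0000, 0x1000, "MEM_PRIVATE", "PAGE_EXECUTE_READWRITE", None, b"\x48\x89\x5c\x24")])

if __name__ == "__main__":
    for snap in (CLEAN, HOLLOWED, REFLECTIVE, JIT_ONLY):
        print(snap.pid, scan(snap) or ["clean"])
```

Private executable memory without a PE header is reported under its own label because JIT compilers (.NET, browser engines) create such regions legitimately; keeping that as a lower-severity finding leaves the hollowing and reflective-PE checks usable without drowning them in false positives.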

Thread Execution Hijacking

Thread execution hijacking takes over a thread that already exists in the target instead of creating a new one. The injector enables SeDebugPrivilege (RtlAdjustPrivilege), opens the process and one of its threads, suspends the thread, saves its registers with GetThreadContext, writes the payload into the process, sets the instruction pointer (EIP/RIP) in the saved context to the payload with SetThreadContext and resumes the thread. The payload usually ends by restoring the original context so the hijacked thread carries on normally. No thread-creation call appears in the trace; the SuspendThread/GetThreadContext/SetThreadContext/ResumeThread sequence on another process's thread is the signal.

  • RtlAdjustPrivilege
  • OpenProcess
  • CreateToolhelp32Snapshot
  • Thread32First
  • Thread32Next
  • CloseHandle
  • VirtualAllocEx
  • OpenThread
  • VirtualFree/VirtualFreeEx
  • SuspendThread
  • GetThreadContext
  • VirtualAlloc
  • WriteProcessMemory
  • SetThreadContext
  • ResumeThread

Kernel Callback Table

Despite the name, this is a user-mode structure: the PEB of every process that has loaded user32.dll holds a pointer, KernelCallbackTable, to an array of function pointers (such as __fnCOPYDATA) that win32k invokes to deliver window messages back to user mode. The injector finds a window owned by the target, reads the PEB with NtQueryInformationProcess and ReadProcessMemory to locate the table, writes the payload and a copy of the table in which one entry points at the payload, updates the PEB pointer, and then triggers the entry by sending the matching message, typically WM_COPYDATA via SendMessage. No thread is created and no existing thread is suspended; a write to another process's PEB followed by a SendMessage from the same caller is the observable.

  • FindWindowA
  • GetWindowThreadProcessId
  • OpenProcess
  • NtQueryInformationProcess
  • ReadProcessMemory
  • VirtualAllocEx
  • WriteProcessMemory
  • SendMessage
  • VirtualFreeEx

CLIPBRDWNDCLASS/Clipboard Hijacking

The OLE clipboard is serviced by a hidden window of class CLIPBRDWNDCLASS that ole32 creates in any process using it, and that window carries a property named ClipboardDataObjectInterface holding a pointer to an interface object (a structure whose first field is a vtable). The injector finds the window with FindWindowEx, opens the owning process, writes a fake object whose vtable entries point at the payload, repoints the property at it with SetProp, and then causes a clipboard operation so the target calls through the fake vtable. A SetProp call on a window that belongs to another process is the signal.

  • FindWindowEx(“CLIPBRDWNDCLASS”)
  • OpenProcess
  • VirtualAllocEx
  • WriteProcessMemory
  • SetProp("ClipboardDataObjectInterface")
  • VirtualFreeEx

Propagate

PROPagate abuses the UxSubclassInfo window property that the common controls library attaches to subclassed windows; it points at a structure holding the subclass callback addresses. The injector finds the desktop's Progman window and its SHELLDLL_DefView child in explorer.exe, reads the existing structure with GetProp and ReadProcessMemory, writes a copy in which the callback is replaced by the payload address, points the property at the copy with SetProp and posts a message so that the window procedure calls into it.

  • FindWindow(“Progman”)
  • FindWindowEx(“SHELLDLL_DefView”)
  • GetProp("UxSubclassInfo")
  • GetWindowThreadProcessId
  • OpenProcess
  • ReadProcessMemory
  • VirtualAllocEx
  • WriteProcessMemory
  • SetProp("UxSubclassInfo")
  • PostMessage
  • VirtualFreeEx

Early Bird

Early Bird is APC injection into a process created in the suspended state: the payload is written and the APC is queued to the primary thread before ResumeThread, so it runs as soon as that thread starts, before the process's own entry point and before most user-mode security hooks have been placed in the new process. The distinguishing order is QueueUserAPC followed by ResumeThread on a process the same caller has just created.

  • CreateProcessA
  • VirtualAllocEx
  • WriteProcessMemory
  • QueueUserAPC
  • ResumeThread

CONSOLEWINDOWCLASS

Console applications get their window from conhost.exe, and that window has the class ConsoleWindowClass. This variant locates such a window by class name, resolves the owning process with GetWindowThreadProcessId and uses it as the target for the usual read/allocate/write sequence. The window lookup replaces toolhelp process enumeration, so a detection that keys on CreateToolhelp32Snapshot never sees the target being chosen.

  • FindWindow(“ConsoleWindowClass”)
  • GetWindowThreadProcessId
  • OpenProcess
  • ReadProcessMemory
  • VirtualAllocEx
  • WriteProcessMemory
  • VirtualFreeEx

ToolTip Process Injection

Tooltip windows (class tooltips_class32) are created by the common controls library inside many GUI processes, so finding one by class name yields a target without enumerating processes. The injector opens the owning process and places its code there with the usual VirtualAllocEx/WriteProcessMemory pair, hiding inside a process that legitimately owns such a window. A FindWindow on tooltips_class32 followed by a remote write into the window's owner is the pattern to match.

  • FindWindow(“tooltips_class32”)
  • OpenProcess
  • VirtualAllocEx
  • WriteProcessMemory
  • VirtualFreeEx
  • CloseHandle

DNS API

This technique injects code into the DNS client API path (dnsapi.dll) of an application or the system so that DNS queries and responses can be intercepted and manipulated; as the list shows, the remote write is performed from a helper thread that the injector later terminates.

  • GetWindowThreadProcessId
  • CreateThread
  • GetTickCount
  • OpenProcess
  • VirtualAllocEx
  • WriteProcessMemory
  • VirtualFreeEx
  • TerminateThread
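The lists on this page only work as detections when they are applied as ordered sequences from one caller on one target; otherwise any debugger or profiler that calls OpenProcess and ReadProcessMemory trips them. The following added example (not code from the original post) turns a subset of the lists above (classic DLL injection, APC injection, Early Bird and process hollowing) into ordered signatures and matches them against a constructed API trace, binding the process and thread handles so that a call on a handle the chain never obtained cannot complete a match. The trace line format, the pid and handle values and the sample trace are assumptions; a real source would be an ETW, sandbox or hook-based API log carrying the same fields.

```python
"""Match a Windows API call trace against the injection signatures above.

Added example, not code from the original post. A hit needs the calls from one
caller, in order, on the same process/thread handles, so a debugger's lone
OpenProcess cannot complete a signature. Format and samples are assumptions.
"""
import re
from collections import namedtuple
from typing import Dict, List, Optional, Sequence, Tuple

# Ordered signatures pruned to the distinguishing calls; each step is a tuple
# of accepted API names (the Win32 call or its native equivalent).
SIGNATURES: Dict[str, List[Tuple[str, ...]]] = {
    "Classic DLL Injection": [("OpenProcess",), ("VirtualAllocEx",),
        ("WriteProcessMemory",), ("CreateRemoteThread", "NtCreateThreadEx")],
    "APC Injection": [("OpenProcess",), ("VirtualAllocEx",),
        ("WriteProcessMemory",), ("QueueUserAPC", "NtQueueApcThread")],
    "Early Bird": [("CreateProcessA", "CreateProcessW"), ("VirtualAllocEx",),
        ("WriteProcessMemory",), ("QueueUserAPC", "NtQueueApcThread"),
        ("ResumeThread",)],
    "Process Hollowing": [("CreateProcessA", "CreateProcessW"),
        ("NtUnmapViewOfSection", "ZwUnmapViewOfSection"), ("VirtualAllocEx",),
        ("WriteProcessMemory",), ("SetThreadContext",), ("ResumeThread",)],
}

# Constructed trace line: "<caller pid> <Api>(<k=v>, ...) [-> <k=v>, ...]"
# ph= is a process handle, th= a thread handle; returned handles bind too.
LINE_RE = re.compile(r"^(\d+)\s+(\w+)\((.*?)\)(?:\s*->\s*(.*))?$")
KV_RE = re.compile(r"(\w+)=([^,\s]+)")
HANDLE_KEYS = ("ph", "th")
Call = namedtuple("Call", "idx pid api args")


def parse_trace(lines: Sequence[str]) -> List[Call]:
    calls = []
    for idx, line in enumerate(lines):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate unrelated lines in the trace
        pid, api, argstr, retstr = m.groups()
        args = dict(KV_RE.findall(argstr + (", " + retstr if retstr else "")))
        calls.append(Call(idx, int(pid), api, args))
    return calls


def _match(steps, calls, si, ci, binding) -> Optional[List[int]]:
    """Ordered-subsequence match; every step must agree on the ph/th bindings."""
    if si == len(steps):
        return []
    for j in range(ci, len(calls)):
        c = calls[j]
        if c.api not in steps[si]:
            continue
        new = dict(binding)
        for k in HANDLE_KEYS:
            if k in c.args:
                new.setdefault(k, c.args[k])  # first use of a handle binds it
        if any(new[k] != c.args[k] for k in HANDLE_KEYS if k in c.args):
            continue  # this call touches a handle the chain never obtained
        rest = _match(steps, calls, si + 1, j + 1, new)
        if rest is not None:
            return [c.idx] + rest
    return None


def detect(lines: Sequence[str]) -> List[Tuple[int, str, List[int]]]:
    """Return (caller pid, technique, matched trace line indices) per hit."""
    by_pid: Dict[int, List[Call]] = {}
    for c in parse_trace(lines):
        by_pid.setdefault(c.pid, []).append(c)
    hits = []
    for pid in sorted(by_pid):
        for name, steps in SIGNATURES.items():
            found = _match(steps, by_pid[pid], 0, 0, {})
            if found is not None:
                hits.append((pid, name, found))
    return hits


# Constructed sample trace (not real tool output).
SAMPLE_TRACE = [
    # 4120 behaves like a debugger: opens a process and only reads it
    "4120 OpenProcess(pid=6024) -> ph=0x2a8",
    "4120 ReadProcessMemory(ph=0x2a8, addr=0x7ff6a0000000, len=4096)",
    # 5004 does classic DLL injection; the VirtualAllocEx on 0x300 uses a
    # handle this caller never opened, so it must not join the chain
    "5004 OpenProcess(pid=6024) -> ph=0x2b0",
    "5004 VirtualAllocEx(ph=0x300, size=4096, prot=PAGE_READWRITE)",
    "5004 VirtualAllocEx(ph=0x2b0, size=4096, prot=PAGE_READWRITE)",
    "5004 WriteProcessMemory(ph=0x2b0, addr=0x1f0000, len=38)",
    "5004 CreateRemoteThread(ph=0x2b0, start=LoadLibraryA, param=0x1f0000)",
    # 7100 does Early Bird: APC queued before the suspended thread resumes
    "7100 CreateProcessA(image=notepad.exe, flags=CREATE_SUSPENDED) -> ph=0x1b0, th=0x1b4",
    "7100 VirtualAllocEx(ph=0x1b0, size=8192, prot=PAGE_EXECUTE_READWRITE)",
    "7100 WriteProcessMemory(ph=0x1b0, addr=0x20000, len=512)",
    "7100 QueueUserAPC(th=0x1b4, func=0x20000)",
    "7100 ResumeThread(th=0x1b4)",
]
```

Early Bird and process hollowing share the CreateProcess prefix and differ only in what follows before ResumeThread, which is why the matcher keeps call order instead of counting calls; the handle binding is what separates the 5004 chain from its decoy VirtualAllocEx on a handle that was never opened. Running `detect(SAMPLE_TRACE)` reports only the classic injection by 5004 and the Early Bird by 7100; the debugger-like 4120 produces nothing.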

This post is licensed under CC BY 4.0 by the author.