Process Injection
What is Process Injection?
Process Injection is a technique used by attackers to execute malicious code within the address space of another process. Because the code runs inside a legitimate process, its activity is hidden from security software that watches for suspicious standalone processes or executables. It is commonly used by malware and can serve several purposes, such as bypassing process-level security policies, accessing system resources illicitly, or performing actions with elevated privileges.
How does Process Injection work?
Process Injection can be implemented in several ways, each using a different method to insert malicious code into a running process:
- DLL Injection: The attacker forces a process to load a dynamic-link library (DLL) that contains malicious code. This can be achieved using APIs like LoadLibrary, or more covertly through techniques such as thread hijacking.
- Code Injection (Classic): Code is written directly into the memory space of another process using functions like WriteProcessMemory, and a thread is then created remotely at the injected code using CreateRemoteThread.
- Process Hollowing: A new instance of a legitimate process is created in a suspended state, its memory is hollowed out and replaced with malicious code, and execution is then resumed.
- Atom Bombing: A relatively new technique that abuses the global atom table in Windows, placing code into shared memory and forcing another process to retrieve and execute it.
- Asynchronous Procedure Call (APC) Queue Injection: Malicious functions are queued to run asynchronously when a thread in the target process enters an alertable wait state.
Each method has unique steps but generally follows this sequence:
- Target selection: Identify a suitable target process.
- Memory manipulation: Allocate memory within the target and write malicious content.
- Execution transfer: Use various methods (e.g., remote threads, APCs) to execute the injected code.
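The three-stage sequence above (allocate, write, transfer execution) is also what a defender looks for in API-call telemetry. The following is an added example, not part of the original article: it correlates cross-process allocate/write calls with a later execution-transfer call from the same source to the same target. The event tuple format is constructed for the example and does not correspond to any particular sensor; the Nt* API names are the native equivalents of the Win32 calls named in the text.

```python
"""Detect the classic injection chain (allocate -> write -> remote execution)
in constructed API-call telemetry. Example code, not from the original page."""
from collections import defaultdict

# Constructed telemetry: (timestamp_seconds, source_pid, api_name, target_pid)
EVENTS = [
    (1.0, 4242, "OpenProcess", 1337),
    (1.1, 4242, "VirtualAllocEx", 1337),
    (1.2, 4242, "WriteProcessMemory", 1337),
    (1.3, 4242, "CreateRemoteThread", 1337),   # full chain -> flagged
    (2.0, 900, "WriteProcessMemory", 900),     # self-write, not cross-process
    (3.0, 777, "VirtualAllocEx", 555),
    (3.5, 777, "QueueUserAPC", 555),           # no write stage seen -> not flagged
]

# Stage 2 (memory manipulation) and stage 3 (execution transfer) from the text
ALLOC = {"VirtualAllocEx", "NtAllocateVirtualMemory"}
WRITE = {"WriteProcessMemory", "NtWriteVirtualMemory"}
EXEC = {"CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC"}

def find_injection_chains(events, window=5.0):
    """Return (source_pid, target_pid, exec_api) for every cross-process
    chain in which an allocate and a write from the same source into the
    same target precede an execution-transfer call within `window` seconds."""
    recent = defaultdict(list)  # (src, tgt) -> [(ts, api), ...]
    hits = []
    for ts, src, api, tgt in sorted(events):
        if src == tgt:
            continue  # a process touching its own memory is normal
        key = (src, tgt)
        # Drop prior calls that fell out of the correlation window
        recent[key] = [(t, a) for t, a in recent[key] if ts - t <= window]
        if api in EXEC:
            stages = {a for _, a in recent[key]}
            if stages & ALLOC and stages & WRITE:
                hits.append((src, tgt, api))
        recent[key].append((ts, api))
    return hits

if __name__ == "__main__":
    for src, tgt, api in find_injection_chains(EVENTS):
        print(f"possible injection: pid {src} -> pid {tgt} via {api}")
```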
Where is Process Injection used?
Process injection techniques are predominantly found on Windows systems, whose rich API set and complex internals provide multiple injection vectors. Similar concepts exist on Unix-like systems, however, using different mechanisms such as ptrace or manipulation of ELF binaries.
Why use Process Injection?
- Stealth: Running malicious code inside another process helps evade detection tools that monitor for suspicious processes or standalone executable files.
- Privilege Escalation: By injecting into processes with higher privileges, attackers can perform actions they otherwise couldn’t under restricted permissions.
- Bypassing Defenses: Many security programs whitelist certain trusted processes. Injecting malicious code into these processes may allow malware to operate unimpeded.
- Persistence: Some injection techniques allow malware to persist across reboots even without creating or modifying files on disk.
In conclusion, understanding and defending against process injection is critical for maintaining system integrity and protecting against sophisticated malware threats in modern computing environments.