Open Source Security Research

Process Injection Techniques

A comprehensive process injection series covering 25 techniques used by adversaries, from classic shellcode injection to advanced syscall-based evasion methods, written for malware researchers and red teamers.

25 Injection Techniques · 25 Lab Writeups · Custom Shellcode Payload · T1055 (MITRE ATT&CK)
bash — usman@offensive-panda:~/ProcessInjection
$ ./injector.exe --target explorer.exe --technique classic-remote
[*] Target PID: 2048 · Opening handle with OpenProcess...
[+] Handle obtained · Allocating RW memory with VirtualAllocEx...
[+] Memory @ 0x7FFF0000 · Writing shellcode with WriteProcessMemory...
[+] 1024 bytes written · Changing perms RW→RX with VirtualProtect...
[+] CreateRemoteThread · Thread ID: 0x3F8 → shellcode executing
$ ls ./techniques | wc -l
25 techniques indexed
Coverage Map

Process Injection Techniques Heatmap

25 techniques
01 Classic Code Injection (Local)
02 Classic Code Injection (Remote)
03 API Obfuscation Injection
04 VirtualProtect Injection
05 Classic DLL Injection
06 Reflective DLL Injection
07 Unhook NTDLL (Lagos Island)
08 Process Hollowing
09 PE Injection
10 AddressOfEntryPoint Injection
11 APC Injection
12 Early Bird Injection
13 RWX Hunting & Injection
14 Process Ghosting
15 Remote Thread Hijacking
16 Module Stomping
17 PEB Walk Injection
18 PEB Walk & APIs Obfuscation
19 NtCreateSection & NtMapViewOfSection
20 Mokingjay
21 Fork API Injection
22 Injection through Fibers
23 NT API Injection
24 Direct Syscalls
25 Indirect Syscalls
Laboratory Series

Process Injection Series

25 labs
PE 01 | Classic Code Injection — Local Process
Tags: Local Process, Shellcode
Uses Windows API calls to allocate memory in the local process, write shellcode to the allocated memory, and execute it within the same process context.

PE 02 | Classic Code Injection — Remote Process
Tags: Remote Thread, CreateRemoteThread
Remote thread injection using OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread to execute shellcode inside another process.

PE 03 | Classic Code Injection with API Obfuscation
Tags: API Obfuscation, Static Bypass
Remote thread injection with API call obfuscation to evade static detection by AV/EDR; demonstrates the before/after differences in the import table.

PE 04 | Classic Code Injection — VirtualProtect
Tags: VirtualProtect, RWX Bypass
Avoids RWX region detection by first allocating RW memory, then changing its permissions to RX with VirtualProtect only immediately before shellcode execution.

PE 05 | Classic DLL Injection
Tags: DLL, LoadLibrary
Forces a target process (explorer.exe) to load a malicious DLL (panda.dll) by writing the DLL path into the remote process's memory and calling LoadLibrary.

PE 06 | Reflective DLL Injection
Tags: Fileless, Reflective
Executes code within another process by loading a DLL directly from memory without writing it to disk, evading disk-based detection mechanisms.

PE 07 | Unhook NTDLL.DLL — Lagos Island
Tags: Lagos Island, NTDLL Unhook
Manually loads and executes a DLL from disk into memory without registering it in the process module list; commonly used for EDR hook removal.

PE 08 | Process Hollowing
Tags: Hollowing, Suspended
Starts a legitimate process in a suspended state, unmaps its memory, replaces it with malicious code, and resumes it, so the malware executes under a trusted process identity.

PE 09 | PE Injection
Tags: PE Binary, Self Inject
Injects an entire Portable Executable into another process's memory space (targeting explorer.exe) and executes it within the remote process context.

PE 10 | AddressOfEntryPoint Injection
Tags: WPM Magic, RX Region
Leverages AddressOfEntryPoint (an RX region) and WriteProcessMemory to change permissions and write shellcode, avoiding VirtualAlloc and VirtualProtect API calls entirely.

PE 11 | APC Injection
Tags: APC Queue, Thread Context
Executes shellcode in another thread's context using the Windows Asynchronous Procedure Call mechanism for deferred function execution.

PE 12 | Early Bird Injection
Tags: Early Lifecycle, APC
Injects code at the very start of a process's lifecycle, before initialization completes, exploiting the suspended state for more control and less detection than standard APC injection.

PE 13 | RWX Hunting and Injection
Tags: Memory Hunting, RWX Bypass
Locates existing RWX memory regions inside a target process and injects shellcode there; no new memory allocation is needed, which avoids RWX allocation detections.

PE 14 | Process Ghosting
Tags: Fileless, Pending Delete
Creates a file, marks it for deletion, maps it as a memory section, closes the handle (deleting it from disk), then spawns a process from the now-fileless section.

PE 15 | Remote Thread Hijacking
Tags: Thread Hijack, Context Swap
Hijacks an already-running thread in a remote process by manipulating its context, avoiding the creation of new threads, which are more easily detected.

PE 16 | Module Stomping
Tags: Module Overwrite, Hiding in Plain Sight
Overwrites sections of a legitimate loaded module with malicious code, avoiding custom or suspicious DLL loads by hiding inside a trusted module.

PE 17 | PEB Walk Injection
Tags: PEB Walk, Dynamic Resolve
Traverses the Process Environment Block to locate kernel32.dll and dynamically resolves VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread at runtime.

PE 18 | PEB Walk and APIs Obfuscation
Tags: PEB Walk, API Obfuscation
Combines PEB walking with full API call obfuscation for a layered approach that defeats both static import analysis and dynamic behaviour monitoring.

PE 19 | NtCreateSection and NtMapViewOfSection
Tags: NT APIs, Shared Section
Creates a shared RWX memory section with NtCreateSection, maps it into the target process with NtMapViewOfSection, writes shellcode into it, and executes it.

PE 20 | Mokingjay
Tags: Vulnerable DLL, RWX Abuse
Abuses existing RWX regions inside vulnerable DLLs (msys-2.0.dll) to avoid new RWX memory allocation detections; supports both self-inject and remote inject.

PE 21 | Fork API Injection
Tags: Process Fork, Dirty Vanity
The Dirty Vanity technique, abusing Windows process forking: creates a child from the calling process, writes shellcode into the forked process, and executes it.

PE 22 | Injection through Fibers
Tags: Fibers, Cooperative Threading
Executes shellcode using Windows fibers (cooperative threading), manually switching between fiber execution contexts without spawning a new thread, which evades thread-based detections.

PE 23 | NT API Injection
Tags: NT APIs, Undocumented
Remote injection using undocumented ntdll.dll APIs (NtOpenProcess, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtCreateRemoteThread), bypassing higher-level hooks.

PE 24 | Direct Syscalls
Tags: Direct Syscalls, Kernel Transition
Bypasses all EDR userland hooks by invoking the syscall instruction directly from the caller's own stub, transitioning straight to the kernel without passing through ntdll.dll.

PE 25 | Indirect Syscalls
Tags: Indirect Syscalls, ntdll Origin
An evolution of direct syscalls: redirects execution to the syscall instruction inside ntdll.dll, so the call appears to originate legitimately from ntdll's memory space.
Sources

References

01 attack.mitre.org/techniques/T1055 — MITRE ATT&CK: Process Injection
02 linkedin.com/in/usman-sikander13
03 github.com/deepinstinct/Dirty-Vanity
04 securityjoes.com — Process Mockingjay: Echoing RWX in Userland
05 ired.team — Red Team Notes
06 github.com/jthuraisamy/SysWhispers2
07 github.com/klezVirus/SysWhispers3
08 github.com/RedTeamOperations — Advanced Process Injection Workshop
09 cytomate.net
⚠️ Disclaimer
The content, techniques, and tools in this repository are intended solely for educational and research purposes within the cybersecurity community. The author explicitly disclaims any responsibility for misuse or unlawful use. Any actions taken based on this information are done so entirely at the user's own risk.