ProcessInjectionTechniques

This comprehensive process injection series is crafted for cybersecurity enthusiasts, researchers, and professionals who aim to stay at the forefront of the field. It serves as a central repository of knowledge, offering in-depth exploration of various process injection techniques used by adversaries.


Project maintained by Offensive-Panda

C:\Users\Offensive-Panda>whoami

Usman Sikander (a.k.a. Offensive-Panda) is a seasoned security professional specializing in adversary emulation, malware development, malware analysis, and red teaming. I am passionate about identifying and researching advanced evasion techniques, as well as analyzing real-world samples to extract TTPs for validating security postures through APT emulations. With a proven track record in developing exploits aligned with MITRE ATT&CK tactics and automating exploit processes, I excel in conducting comprehensive simulations within controlled environments that include security controls. My primary objective is to validate the security controls, deliver detailed threat analyses for proactive threat hunting, and provide adversary attack paths, indicators of attack (IOAs), indicators of compromise (IOCs), and actionable mitigation strategies to strengthen and enhance an organization's detection engineering capabilities.

Purpose

The purpose of the Process Injection Series is to share valuable knowledge with the cybersecurity community, particularly those eager to learn about malware development and advanced evasion techniques. Through this series, I aim to not only expand my own expertise but also provide a centralized resource for all tactics, techniques, and procedures (TTPs) related to process injection. By doing so, I hope to empower others with the skills and understanding needed to navigate and contribute to the evolving landscape of cybersecurity.

Shellcode

Throughout the series, I will be using my custom-generated shellcode, which displays a message box with the text "Hello from Offensive Panda." This shellcode serves as a consistent and straightforward payload for demonstrating various process injection techniques. However, you are encouraged to experiment with different shellcodes tailored to your needs, allowing you to explore and apply the concepts in ways that best suit your learning objectives or project requirements.

Process Injection Techniques Heatmap

Classic Code Injection Local Process
Classic Code Injection Remote Process
Classic Code Injection with API Obfuscation
Classic Code Injection VirtualProtect
Classic DLL Injection
Reflective DLL Injection
Unhook NTDLL.DLL (Lagos Island)
Process Hollowing
PE Injection
AddressOfEntryPoint Injection
APC Injection
Early Bird Injection
RWX Hunting Injection
Process Ghosting
Remote Thread Hijacking
Module Stomping
PEB Walk Injection
PEB Walk and Obfuscation Technique
NtCreateThread and Map View
Mockingjay
Fork API Injection
Injection through Fibers
NT API Injection
Direct Syscalls
Indirect Syscalls

Process Injection Series

PE 1 - Classic Code Injection Local Process

In this lab, we cover the classic code injection technique in a local process. This technique uses Windows API calls to allocate memory in the local process, write the shellcode to the allocated memory, and then execute it.

PE 2 - Classic Code Injection Remote Process

In this lab, we cover classic code injection in a remote process. This is one of the most straightforward forms of process injection, also known as Remote Thread Injection. This method involves creating a new thread in a remote process and executing the payload or shellcode within that context. This is often done using Windows API functions such as OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread.

PE 3 - Classic Code Injection with API Obfuscation

In this lab, we cover the remote thread injection technique with API obfuscation. To evade static detection mechanisms used by AV/EDR solutions, we will implement API call obfuscation throughout the process. By the end of this lab, we'll demonstrate the difference in the import table of a sample program before and after API obfuscation, highlighting how these changes can help to bypass static analysis.

PE 4 - Classic Code Injection VirtualProtect

In this lab, we cover classic code injection in a remote process using VirtualProtect. This is the same technique we discussed in the last lab, with one extra step: changing the permission of the allocated memory with the Windows API VirtualProtect. Allocating an RWX region in a single step is a strong indicator for AV/EDR solutions, so to avoid RWX region detection, we first create the region as RW and change it to RX before executing the shellcode.

PE 5 - Classic DLL Injection

In this lab, we cover a DLL injection technique that targets a process (in this case, explorer.exe) to load a malicious DLL (panda.dll) from the Downloads folder. DLL injection is a method used to run arbitrary code within the address space of another process by forcing it to load a dynamic-link library (DLL).

PE 6 - Reflective DLL Injection

In this lab, we cover the Reflective DLL Injection technique. This technique allows code to be executed within the context of another process without writing the DLL to disk. By loading the DLL directly from memory without touching the disk, it evades common detection mechanisms, making it a preferred method for sophisticated malware and offensive security operations.

PE 7 - Unhook NTDLL.DLL (Lagos Island)

In this lab, we cover a Reflective DLL Loading technique. This technique manually loads and executes a DLL from disk into memory, which is often referred to as reflective DLL loading. This is useful in scenarios where loading a DLL without registering it in the process's module list is required, a common tactic in malware evasion and advanced threat emulation.

PE 8 - Process Hollowing

In this lab, we cover the Process Hollowing technique. Process Hollowing is a stealthy process injection technique where a legitimate process (usually a system or trusted application) is started in a suspended state, and its memory is replaced with malicious code. The malicious code then executes within the context of the trusted process, evading detection by security solutions that might rely on the legitimacy of the process.

PE 9 - PE Injection

In this lab, we cover PE (Portable Executable) Injection into another process, specifically targeting explorer.exe. PE injection involves injecting an entire PE (itself) into the memory of a target process and then executing it.

PE 10 - AddressOfEntryPoint Injection

In this lab, we cover the AddressOfEntryPoint Injection technique. This lab utilizes the AddressOfEntryPoint of the process, which is an RX region, and WriteProcessMemory internal magic to change the permission and write the shellcode. This technique avoids using the VirtualAlloc and VirtualProtect APIs directly inside the code. The work of VirtualProtect is covered by the WPM magic.

PE 11 - APC Injection

In this lab, we cover Asynchronous Procedure Call (APC) injection. Asynchronous Procedure Call (APC) injection is a technique used to execute code in the context of another process's thread. This method leverages the Windows APC mechanism, which allows for deferred execution of functions in the context of a thread's execution.

PE 12 - Early Bird Injection

In this lab, we cover the EarlyBird Injection technique. EarlyBird Injection is a process injection technique used to inject code into a target process early in its lifecycle, often before the process has fully initialized. This technique exploits the fact that the process is in a suspended state, allowing for more control and less detection. EarlyBird Injection allows you to inject code at a much earlier stage compared to APC injection.

PE 13 - RWX Hunting Injection

In this lab, we cover the RWX hunting technique, which avoids RWX memory detection by AV/EDR solutions. The RWX hunt technique involves locating a target process, identifying writable and executable memory regions within that process, injecting shellcode into the identified memory, and then executing the shellcode.

PE 14 - Process Ghosting

In this lab, we cover the Process Ghosting technique. Process ghosting is a technique in which an attacker creates a file (malware), marks it for deletion (delete-pending state), copies/maps the malware into memory (image section), closes the handle (which deletes it from the disk), and then creates a process from the now-fileless section.

PE 15 - Module Stomping

In this lab, we cover the Module Stomping technique. Module stomping injects malicious code into a legitimate process without the usual red flags that traditional injection techniques might raise. Instead of loading custom or suspicious DLLs, attackers overwrite parts of a legitimate module with their own code, effectively hiding in plain sight.

PE 16 - Remote Thread Hijacking

In this lab, we cover the Remote Thread Hijacking technique. Remote Thread Hijacking is a method of injecting code into a process by hijacking an existing thread in that process. Unlike traditional code injection methods (e.g., using CreateRemoteThread or NtCreateThreadEx), this technique manipulates an already-running thread to execute malicious payloads.

PE 17 - PEB Walk Injection

In this lab, we cover PEB Walk and Injection. By using the PEB, the code directly traverses the list of loaded modules to find kernel32.dll, bypassing static analysis methods that rely on import table inspection. Once kernel32.dll is identified, the technique resolves necessary API functions such as VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread dynamically at runtime.

PE 18 - PEB Walk and Obfuscation Technique

In this lab, we cover PEB Walk and API Obfuscation Injection. By using the PEB, the code directly traverses the list of loaded modules to find kernel32.dll, bypassing static analysis methods that rely on import table inspection. Once kernel32.dll is identified, the technique resolves necessary API functions such as VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread dynamically at runtime.

PE 19 - NtCreateThread and Map View

In this lab, we cover NtCreateSection and NtMapViewOfSection code injection. This code injection technique utilizes Native APIs such as NtCreateSection and NtMapViewOfSection. The process begins by creating a new memory section with read, write, and execute (RWX) protection using NtCreateSection.

PE 20 - Mockingjay

In this lab, we cover Mockingjay code injection. This code injection technique utilizes vulnerable DLLs. A vulnerable DLL here means a DLL that has an RWX memory region. The technique therefore avoids detection of RWX memory allocation, which is a big indicator for security controls. This technique can be used for self-injection or remote injection. In our lab, we use self-injection with msys-2.0.dll for our operation.

PE 21 - Fork API Injection

In this lab, we cover Dirty Vanity code injection. Dirty Vanity is a new code-injection technique that abuses forking, a lesser-known mechanism that exists in Windows operating systems. Forking a process is the act of creating a new process from the calling process. The name fork originates from the UNIX system calls of process creation – fork and exec.

PE 22 - Injection through Fibers

In this lab, we cover the injection through fibers technique. Fibers are a form of cooperative threading where a single thread can switch between multiple execution contexts (fibers), allowing the program to manually manage which fiber is active at any given time. This technique can be used for executing arbitrary shellcode, especially in situations where the attacker wants to execute the shellcode without creating a new thread.

PE 23 - NT API Injection

In this lab, we cover remote process injection using NT APIs. NT APIs are located inside ntdll.dll, which is the last instance that can be hooked by AV/EDR solutions. Previously we used Windows APIs, which are located inside kernel32.dll and are well documented. In this lab, we use the undocumented native APIs NtOpenProcess, NtAllocateVirtualMemory, NtWriteVirtualMemory, and NtCreateRemoteThread to achieve remote process injection.

PE 24 - Direct Syscalls

In this lab, we cover remote process injection using direct syscalls. Most AV/EDRs hook Windows and Native APIs and redirect the flow of the program whenever an application calls these functions, in order to observe the malicious behavior of the program. When a new process is spawned, EDRs load their DLLs into the process memory to inspect the behavior of the program. In this lab, we use direct calls, which involve a direct transition to the kernel.

PE 25 - Indirect Syscalls

In this lab, we cover remote process injection using indirect syscalls. Most AV/EDRs detect direct syscalls by looking for the syscall instruction in the stub through static analysis; in addition, syscall and return instructions are normally never executed outside the memory area of ntdll.dll. These are big indicators for EDR solutions. The indirect syscall technique is more or less an evolution of the direct syscall technique.

Disclaimer

The content, techniques, and tools provided in this repository are intended solely for educational and research purposes within the cybersecurity community. I explicitly disclaim any responsibility for the misuse or unlawful use of the provided materials. Any actions taken based on the information are done so at the user's own risk.