What Is Process Injection?

Process Injection Explained

Process injection is a cyber attack technique in which an attacker transfers code or a full payload from a hostile process (the injector) into a benign, already-running process (the target). The goal is to compromise the target's control flow, compelling it to execute the attacker's hidden code. This is an essential step in defense evasion.

The technique typically involves at least 3 basic steps after target identification:

1. Allocation: The injector process uses Windows APIs, such as VirtualAllocEx, to reserve memory space within the target process.
2. Writing: The malicious code (often shellcode or a DLL) is written into this newly allocated memory using functions like WriteProcessMemory.
3. Execution: Finally, the injector forces the target process to execute the payload. This is commonly done by creating a new remote thread using CreateRemoteThread or hijacking an existing thread's execution flow.

Figure 1: The Four Steps of Classic Process Injection using Windows APIs.

By executing from the context of a legitimate application—such as a web browser or a system utility—the malicious code inherits the target's security permissions and avoids immediate detection. Because the malicious code resides only in the target's memory and is never written to disk, forensic analysis is significantly more challenging.

H2: Process Injection in the Attack Lifecycle

Process injection is primarily used during the Defense Evasion and Execution phases of the attack lifecycle, notably aligning with the MITRE ATT&CK framework as MITRE ATT&CK technique T1055.

• Execution: Injection is a mechanism for executing malicious code, but not via a typical, easily traced file. Instead, the execution is masked by a trusted process.
• Defense Evasion (Primary Fit): This is where injection provides its greatest value to the attacker.
  • By executing the payload within a benign process (such as a system utility), the malware avoids detection by security software that might be monitoring the original malicious file.
  • This allows the attacker to maintain persistence, conduct command and control (C2) communications, or perform privilege escalation while operating under a cloak of legitimacy.
• Persistence: Once injected, the malware can leverage the compromised, legitimate process to establish persistence, ensuring it survives system reboots.

Process Injection Step-by-Step.

The detailed execution of process injection can be systematically broken down into four critical phases, each relying on specific operating system functionalities to compromise the target process. To effect the same process without triggering alerts, broad changes are made, but the overall goals of each step remain the same.

Step 1: Discover and Connect to the Target

The initial step is to use the injection process to identify and gain access to the intended victim process.

• Target Identification: The injector uses functions like CreateToolhelp32Snapshot or other Windows APIs to enumerate all running processes on the system and locate a suitable target. Targets are typically selected based on their high trust level (e.g., explorer.exe or system services) or their access privileges.
• Handle Acquisition: Once identified, the injector calls a function such as OpenProcess. This is vital for obtaining a process handle with sufficient permissions—specifically, read, write, and thread-creation—to perform subsequent operations in the target's memory space. This handle acts as the communication channel between the two disparate processes.

Step 2: Remote Memory Allocation

With a valid handle, the injecting process must now prepare a landing zone for the malicious payload within the target's memory map.

• Virtual Space Reservation: The injector calls VirtualAllocEx, a specialized function that allocates or reserves a region of pages in the remote target process's virtual address space.
• Permission Setting: Crucially, the injector sets the memory protection flags for this new region to include PAGE_EXECUTE_READWRITE. This explicitly allows the memory to hold data, be read, and, most importantly, be executed as code once the payload arrives.

Step 3: Payload Delivery (Writing)

This phase involves the physical transfer of the malicious code into the reserved space.

• Data Transfer: The function WriteProcessMemory is invoked. The source is the attacker's payload (often a raw shellcode buffer or a DLL path) residing in the injector's memory, and the destination is the starting address of the newly allocated region in the target's address space.
• Data Integrity Check: While not always explicit, the goal is to ensure the payload is copied byte-for-byte, making it ready for execution.

Step 4: Remote Code Execution

The final step is to trigger the target process to execute the injected code.

• Thread Creation: The most straightforward method is using CreateRemoteThread. This instructs the operating system to create a new, detached thread of execution within the target process, with its execution starting point explicitly set to the memory address where the injected payload resides.
• Control Flow Hijacking: More advanced techniques may use Asynchronous Procedure Calls (APCs) or Thread Hijacking. In these scenarios, the attacker avoids creating a new thread and instead temporarily pauses an existing thread in the victim process, modifies its instruction pointer (RIP/EIP register) to point to the injected code, and then resumes the thread. The legitimate thread is thus "hijacked" to execute the malware, making the resulting activity harder to trace back to a suspicious thread creation.

Upon successful execution, the injected code now runs invisibly within the security context of the legitimate target process.

Advanced Process Injection and Evasion Techniques

Some techniques yield more evasive results for the attacker. These include injection attacks described in the image below:

Figure 2: Comparison of three advanced techniques

Process Hollowing (or Process Replacement)

Process Hollowing is a foundational advanced technique focused on running malicious code inside a freshly created, but legitimate, process. It is a complete replacement of a benign process's internal executable code.

Mechanism

1. The attacker creates a new instance of a legitimate, benign executable (like svchost.exe or explorer.exe) in a suspended state.
2. The malicious code then "hollows out" the target process by unmapping or overwriting its legitimate code section from memory.
3. The attacker allocates new memory and writes their malicious payload (typically a complete PE file) into the hollowed-out space.
4. The entry point of the suspended thread is changed to point to the start of the injected malicious code.
5. The thread is then resumed, causing the legitimate-looking process to execute the malicious payload.

Evasion Benefit

Because the malware runs from a process with the correct file path, command-line arguments, and the original name of a legitimate program, it easily bypasses simple whitelisting and image-name checks.

Thread Context Hijacking (Similar to Thread Execution Hijacking)

While Thread Context Hijacking shares goals with CreateRemoteThread, it is far stealthier because it doesn't create a new, potentially suspicious thread.

Mechanism

1. The attacker targets an existing, running thread within a victim process.
2. The target thread is suspended using the SuspendThread API.
3. The attacker uses GetThreadContext to read the thread's current state, including its registers.
4. The attacker modifies the Instruction Pointer (EIP/RIP) register within the thread's context to point to the address of the injected shellcode.
5. The attacker uses SetThreadContext to apply the modified context.
6. The thread is resumed using ResumeThread. The thread now begins executing the malicious shellcode from its new starting point.

Evasion Benefit

This technique leaves no trace of a suspicious thread creation, making it difficult for EDR systems that monitor thread activity. The execution path is simply redirected within a thread that was already running legitimately.

Process Herpaderping (or "Process Doppelgänging v2")

Process Herpaderping is a file-system-level trick that allows the malware to execute under the pretense of one file while the forensic evidence points to a completely different, benign file.

Mechanism

1. The attacker creates a legitimate, benign file on the disk (File A).
2. The attacker opens File A for mapping, but does not close the handle.
3. The attacker overwrites the content of File A on the disk with the malicious payload (File B). Because the file handle remains open to the original content, the OS thinks the original benign file is still there.
4. The malicious process is launched using the handle pointing to the original, benign File A. The process is loaded into memory based on the benign content.
5. The attacker then launches the new process, which is populated with the benign code.
6. Finally, the attacker closes the file handle and quickly modifies the on-disk file to be benign again.

Evasion Benefit

When a security analyst or forensic tool examines the running process, the disk-backed file it maps to (the forensic evidence) is the benign file (File A), while the code that was actually executed during the brief window is the malicious payload (File B).

Process Doppelgänging (The Original Version)

Process Doppelgänging is another disk-level manipulation technique that leverages the NTFS Transactional File System (NTFS-TxF) to inject and execute code without ever writing the malicious file to disk in a permanent, detectable state.

Mechanism

1. The attacker creates a file transaction using NTFS-TxF. This transaction is like a temporary, isolated sandbox for file operations.
2. Within this transaction, the attacker writes the malicious payload to a temporary file.
3. The attacker uses the file from within the transaction to create a process image. The Windows loader maps the malicious file into memory directly from the transactional space.
4. The process is executed.
5. The attacker rolls back the transaction (undoing it), which ensures that the malicious file is deleted and never permanently committed to the disk's master file table (MFT).

Evasion Benefit

Since the malicious executable existed only temporarily within a transactional context and was never written to disk in a non-transacted manner, traditional file-based monitoring (e.g., antivirus scanning) will never detect it, making it a powerful fileless execution technique.

These techniques highlight the ongoing cat-and-mouse game between attackers and security vendors, pushing detection from simple thread monitoring to deep analysis of memory contents and file-system transaction logs.

Defending Against Process Injection

Defending against process injection requires a layered strategy that moves beyond simple signature-based detection to deep analysis of memory activity, process behavior, and API usage. This approach focuses on making the necessary steps of injection—like allocating remote memory and creating remote threads—visible and suspicious.

Detection Strategies (Blue Team Focus)

Figure 3: Specific Indicators to Monitor by Detection Focus

Defense and Mitigation Strategies

Mitigation efforts should focus on limiting an attacker's ability to perform the necessary steps, especially on critical system components.

1. Principle of Least Privilege (PoLP):
   • Action: Restrict user accounts and applications to the minimum privileges required for their function.
   • Benefit: Prevents low-privilege malware from gaining the PROCESS_CREATE_THREAD or PROCESS_VM_WRITE permissions necessary to inject code into high-integrity system processes.
2. Code Integrity Policies (e.g., Windows Defender Application Control - WDAC):
   • Action: Implement policies that restrict which executables and scripts can run, based on a vendor certificate or file hash.
   • Benefit: Directly prevents the execution of the initial malicious payload (the injector) and can often block the loading of unsigned DLLs used in injection.
3. Exploit Protection / Memory Guarding:
   • Action: Enable and configure features like Control Flow Guard (CFG) and Data Execution Prevention (DEP) at the operating system level.
   • Benefit: Makes it significantly harder for an attacker to hijack a thread's control flow or execute code from non-executable memory segments, disrupting advanced techniques like Thread Hijacking.
4. Process Monitoring and Blocking: EDR / XDR
   • Action: Configure advanced EDR tools to block specific, high-risk cross-process API calls (e.g., blocking CreateRemoteThread originating from specific low-trust processes).
   • Benefit: Directly prevents the final, critical execution step of many injection attacks.
5. Secure Process Creation:
   • Action: Utilize modern operating system features that enforce tighter security controls around process creation, such as mandatory signing checks for executables.
   • Benefit: Reduces the number of potential legitimate targets that can be used for techniques like Process Hollowing and Process Doppelgänging.

FAQs