UNDERSTANDING PROCESS INJECTION, PROCESS AND MEMORY MANIPULATION
ID:30132171
Name: Khandaker Toufiqur Rahman
UNIVERSITY OF SOUTH WALES
Contents
1. Introduction
2. Different Types of Process Injection Techniques
   DLL Injection
   Portable Executable Injection
   Process Hollowing
   Thread Execution Hijacking
   Thread Local Storage
   Process Doppelgänging
3. Technical Explanation
4. Impact Analysis
5. Countermeasures and Mitigation
6. Conclusion
7. References
1. INTRODUCTION
The aim of this coursework is to learn about process injection and its main variants: how an
injection works in practice, how it can be detected, and which countermeasures keep systems
from falling victim to it.
Process injection is a technique attackers use to run their own code inside a legitimate process.
Its main goal is to use the legitimate process as camouflage: the injected code inherits the host
process's name, image path and, often, its reputation with security tools, so the malicious
activity is harder to spot and to attribute while still executing as intended. (Red Canary, 2023)
Process injection matters in cyber security because it has both offensive and defensive uses.
Offensively it is a stepping stone into malware development: malware uses it to evade security
mechanisms by executing inside a trusted process, and frameworks such as Cobalt Strike and
Metasploit use injection to migrate between processes, maintain persistence and control
compromised systems.
Defensively, the same technique is used by developers and security professionals to hook and
instrument running programs when reverse engineering and analysing malware, and to simulate
attacks so that the detection capability of different security tools can be observed. (Red Canary,
2023)
2. Different Types of Process Injection Techniques
There are many process injection techniques. Together they form a powerful toolset that lets
attackers execute malicious activity inside other processes on the system. The most common
ones are discussed below.
DLL injection
This is one of the best-known injection methods. It forces a legitimate process to load a
Dynamic-Link Library (DLL) that contains the attacker's code. Classic DLL injection writes the
path of the DLL into the target and makes the target call LoadLibrary on it, so the Windows loader
does the mapping and the DLL appears in the process's module list. Reflective DLL injection
avoids LoadLibrary: the DLL is written into the target as raw bytes and carries its own small
loader, which maps the sections, applies relocations and resolves imports itself, so the DLL is
never registered with the Windows loader and does not show up in the normal module list. DLL
injection is used for malware deployment, data theft and system compromise, but also for
legitimate purposes such as debugging, API hooking and security research.
Classic DLL injection takes four steps. First, a target process is chosen and opened. Second, the
full path of the DLL is written into the target's memory. Third, the target is made to load the
DLL, typically by starting a remote thread whose entry point is LoadLibrary with the written path
as its argument. Finally, the DLL's entry point (DllMain) runs in the context of the target process,
which is where the attacker's code executes. (MITRE ATT&CK, 2023)
Portable Executable Injection
PE injection executes arbitrary code in the address space of another live process by copying a
complete PE image (the injector's own image, or an embedded one) into the target's memory and
then invoking it. Unlike DLL injection it does not ask the Windows loader to map a file: the
injector itself has to apply base relocations to the copied image, because the copy will not be
running at its preferred base address, and resolve any imports the image needs. Because nothing
is loaded from disk inside the target, the technique is used for evasion and persistence, and for
privilege escalation when the target runs with higher rights.
The technique has six steps. First, the target process is identified and opened. Second, memory
large enough for the whole image is allocated in the target's address space. Third, the PE image
is written into that memory. Fourth, the relocation table is walked so that absolute addresses
inside the copy point at the new base. Fifth, dependencies such as imported DLLs and functions
are resolved for the target's context. Finally, a new thread is created in the target whose start
address is the image's entry point. (MITRE ATT&CK, 2023)
Process Hollowing
Process hollowing replaces the code of a legitimate process with malicious code while the
process keeps its original name, path and parent, so that security software sees what looks like a
normal program.
It works in steps. First, the attacker starts a legitimate executable (for example svchost.exe or
explorer.exe) in a suspended state, using CreateProcess with the CREATE_SUSPENDED flag, so its
main thread never runs the original code. Then the original image is unmapped from the suspended
process (NtUnmapViewOfSection) and memory is allocated at the same base to hold the malicious
payload. The payload is written in section by section and the main thread's context is adjusted so
that its instruction pointer (and, where needed, the image base recorded in the PEB) points at the
payload. Finally the main thread is resumed and executes the malicious code instead of the
original instructions. (Hosseini, 2017)
Thread Execution Hijacking
Thread execution hijacking is an injection method in which the attacker redirects an existing
thread of the target process to run injected code. Because no new thread is created in the target,
detections that key on CreateRemoteThread do not fire, which makes the injection harder to spot.
The injection takes four steps. First, the malware picks a thread in the target process and opens
it with OpenThread. Next, the thread is suspended with SuspendThread so that nothing is
executing while its state is changed. Then the thread's execution context is read with
GetThreadContext and its instruction pointer (RIP on x64, EIP on x86) is rewritten with
SetThreadContext to point at code previously written into the process's memory. Finally the
thread is resumed with ResumeThread and runs the injected code. (Fisher, 2024)
Thread Local Storage
Thread Local Storage (TLS) callback injection places malicious code into a process and executes it
through TLS callbacks. These callbacks are routines that the loader runs automatically when a
process starts and whenever a thread is created or terminates, which makes them a convenient
vehicle for covert code execution. A TLS callback also runs before the program's entry point, so a
debugger that breaks only on main or WinMain never sees it.
The attacker modifies the PE headers of the target binary so that the TLS directory references an
added callback. Each callback runs automatically every time a new thread is created or ends
inside the process. The attacker then places the code in the process's memory and points the
TLS directory at it. When the process starts, or a thread is created, the loader invokes the TLS
callbacks and the injected code executes.
Process Doppelgänging
Process Doppelgänging is a sophisticated, file-less injection method that abuses the way Windows
creates processes. It combines Transactional NTFS (TxF) with the process loader so that malicious
code runs from what looks like a legitimate, unmodified executable on disk, which defeats security
products that scan files.
The technique first opens a legitimate executable inside an NTFS transaction. This lets the
malware overwrite the file's contents within the transaction without committing anything to the
real file system. The executable is then overwritten, inside the transaction, with the malicious
code; because the change lives only in the transaction, other processes still see the original file.
The attacker creates an image section from the transacted file and uses it to start a new process
in a suspended state. The operating system maps the malicious image into memory believing it
is the legitimate program. The transaction is then rolled back, so the harmful changes never
reach the disk, while the already-created section keeps the malicious image. When the process is
resumed, the malicious code runs in the context of what appears to be a genuine program.
3. Technical Explanation
The assessment required showing a message box inside an already running process such as
Notepad. The technique chosen for the practical demonstration is classic DLL injection, with
Notepad as the target as instructed.
The operating system used was Windows 10 22H2. It is a mature, stable and widely deployed
version, which makes it a representative target for testing security techniques, and it ships with
built-in tooling such as Task Manager and debugging support. It is also recent enough to show
how a modern operating system manages process memory, threads and library loading, which is
exactly what this exercise depends on.
The operating system ran inside Oracle VirtualBox. A virtual machine keeps the host PC isolated
from anything the injection does, allows several operating systems to run on one machine, and
offers snapshots, configurable virtual hardware and network settings. It therefore provides a
sandbox-like environment in which malware, injections and experimental payloads can be tested
safely, and it is free of charge. Two practical checks before running a payload: take a snapshot of
the clean VM so it can be reverted afterwards, and give the VM a host-only adapter or no network
at all so that nothing it runs can reach the host or the internet.
DLL injection inserts a DLL into a process that is already running. A DLL is a Portable Executable
file containing code or data that programs use; it acts as a collection of functions shared among
larger programs, and it is loaded into the address space of the process that uses it.
When a process starts, the Windows loader maps the DLLs the executable imports, and further
DLLs can be loaded at run time with LoadLibrary. System DLLs such as kernel32.dll expose the
Windows APIs that processes use for their functionality.
These properties make DLL injection attractive to attackers: it is easy to build a DLL that looks
like a legitimate library and occupies space in the memory of the target process. To make the
target run the DLL's code without being asked to, the attacker relies on the DLL entry point,
DllMain, which the loader calls with one of four reason codes: DLL_PROCESS_ATTACH,
DLL_PROCESS_DETACH, DLL_THREAD_ATTACH and DLL_THREAD_DETACH. DLL_PROCESS_ATTACH
is delivered when the DLL is mapped into the process, which is the moment a freshly injected
DLL's code first runs, and DLL_PROCESS_DETACH when it is unloaded or the process exits. The
two thread variants are delivered when threads are created or terminated in the process while
the DLL is loaded.
With the above in mind, we created a simple DLL whose DllMain checks which reason code it was
called with and, on DLL_PROCESS_ATTACH, shows a message box. Keeping the payload to a single
message box makes sure it has no unintended side effects on Notepad. One caveat worth
knowing: DllMain runs under the loader lock, so real payloads usually start a thread from
DLL_PROCESS_ATTACH rather than doing their work inside DllMain itself. The code was written
in C++ and compiled with Visual Studio as a 64-bit Release build, because the DLL's bitness has
to match the target process: a 64-bit DLL cannot be loaded into a 32-bit Notepad, and vice versa.
The next step after creating the DLL is to write the injector. It uses the Windows APIs below to
carry out the injection.
First, the injector obtains a handle to the target with OpenProcess. The API takes three
parameters: the desired access, for which the coursework used PROCESS_ALL_ACCESS because
the injector needs to allocate, write and create threads (the minimal set would be
PROCESS_CREATE_THREAD, PROCESS_QUERY_INFORMATION, PROCESS_VM_OPERATION,
PROCESS_VM_READ and PROCESS_VM_WRITE); a Boolean controlling whether the handle is
inheritable by child processes, set to FALSE because we do not want to hand the handle to any
child process; and the process ID, which here is the PID of Notepad.
Second, the handle is used to allocate memory inside Notepad with VirtualAllocEx, which takes
five parameters: the process handle; the base address of the block we want, which we leave NULL
because we do not care where the block lands and let the OS choose; the size, set to the length of
the DLL path plus one byte for the terminating NUL; the allocation type, MEM_COMMIT |
MEM_RESERVE, which reserves the range and backs it with memory so that it can be written; and
the page protection, PAGE_READWRITE, because the block only has to hold a string, never code.
Third, WriteProcessMemory copies the full path of the DLL into the block just allocated in
Notepad.
Fourth, Notepad has to be made to load the DLL, which is done by having it call LoadLibraryA
with the written path. For that we need the address of LoadLibraryA inside Notepad. Because
kernel32.dll is mapped at the same base address in every process of a boot session, the address of
LoadLibraryA in the injector is also valid in Notepad (see the Microsoft documentation for
GetModuleHandleW and GetProcAddress): we get the module base with
GetModuleHandleW(L"kernel32.dll") and the function address with GetProcAddress.
Fifth, CreateRemoteThread starts a thread in Notepad whose start routine is that address and
whose single argument is the address of the path we wrote, so the thread executes
LoadLibraryA(path) inside Notepad, which maps the DLL and calls its DllMain.
WaitForSingleObject then waits for that thread to finish, and CloseHandle releases the thread and
process handles.
The injector must also be compiled as a 64-bit binary so that it matches the target and the DLL.
After compilation the DLL and the injector executable are kept in the same folder.
To run the demonstration, open Notepad, obtain its process ID with Process Hacker, and from a
command prompt run the injector executable with the target's PID and the full path of the DLL
on the same line. The message box then appears on screen, shown by Notepad's own process.
Screenshots of the process injection by the DLL injection method are given below.
Recording of the practical demonstration: Recording 2024-11-21 164725.mp4
4. Impact Analysis
Security implications
Data theft
Process injection gives an attacker unauthorised access to confidential information by running
code inside a legitimate process, which inherits that process's access to files, network sessions
and memory. Data theft is difficult to detect and often runs for a long time, because the attacker
can covertly read or exfiltrate sensitive information such as user passwords, financial data and
personal information without triggering alerts that are tuned to the host process's normal
behaviour.
Privilege escalation
Attackers often use process injection to operate with elevated rights. By injecting code into
processes that already run with high privileges, such as system services or administrative tools,
they can disable security controls, modify system settings or reach other computers on the
network under that process's identity. Note that opening a more privileged process requires an
access mask the caller is allowed to obtain, so this usually follows an earlier privilege escalation
rather than providing one.
Real-life examples
Stuxnet (2010)
Stuxnet is regarded as one of the most advanced cyberattacks in history and is thought to have
been a state-sponsored operation intended to undermine Iran's nuclear programme. Identified in
2010, it targeted industrial control systems, specifically the Siemens programmable logic
controllers (PLCs) that ran the uranium-enrichment centrifuges at Iran's Natanz facility. Stuxnet
used process injection on the Windows engineering workstations: it injected its modules into
trusted system processes and replaced the Step 7 communications library so that it could alter
the code running on the PLCs. Through those PLCs it manipulated the rotational speed of the
centrifuges, causing physical damage to the equipment without raising alarms. Running inside
trusted processes let the malware evade the security measures on the workstations. Stuxnet's
success was a pivotal moment in cyber security, showing that attackers could target critical
infrastructure and inflict substantial physical harm without physical access, and it underscored
the role of process injection in specialised cyber-warfare operations. (BBC, 2010)
Emotet (2014 - ongoing)
Emotet is a highly modular and constantly changing malware strain, first seen in 2014 as a
banking Trojan, that rapidly turned into one of the most infamous malware delivery platforms.
It is mostly spread through phishing emails carrying malicious attachments or links designed to
compromise the recipient's machine. Once on a system it uses process injection to embed itself
in legitimate processes such as web browsers, email clients and other trusted applications. This
makes it harder for antivirus software and intrusion detection systems to identify, because its
activity masquerades as normal system behaviour. From inside the system Emotet exfiltrates
sensitive information, including login credentials, financial data and personal details, and it is
frequently used to deliver other malware, including ransomware (for example Ryuk) and
information stealers such as TrickBot. Its persistence and modularity make it a considerable
danger, and its wide deployment has affected thousands of organisations worldwide, including
government bodies, healthcare providers and financial businesses. (Europol, 2023)
Aurora (2009)
Operation Aurora, which ran during 2009 and was disclosed by Google in January 2010, was a
series of cyberattacks against prominent corporations and government entities in the United
States, Google among them. The campaign is thought to have been coordinated by state-sponsored
actors from China and aimed at stealing intellectual property and confidential information. The
attackers used process injection as a key part of their tradecraft to penetrate the targeted
systems and extract data from them. By embedding malicious code in trusted system processes
they evaded detection and kept covert access for an extended period. The malware let them
collect a wide range of material, including source code, email archives and other private data.
Aurora is notable both for its use of process injection and for the systematic way the espionage
was carried out. It raised awareness of the dangers of state-sponsored attacks and their effect on
intellectual property, corporate espionage and national security.
Conficker (2008)
Conficker is a worm first identified in 2008 that rapidly became one of the most widespread and
damaging pieces of malware of its time. It exploited a vulnerability in the Windows Server
service (MS08-067) to spread across networks and infected millions of machines worldwide.
Conficker injected its malicious code into legitimate system processes such as svchost.exe,
which made it harder for security tools to detect. Once on a machine it could spread to other
computers on the network by exploiting further vulnerabilities, abusing weak administrative
passwords and using social engineering via removable media. Conficker also built a very large
botnet, used for spam, credential theft and denial-of-service attacks. Despite its visibility the
worm was hard to eradicate, in part because of its use of process injection, which let it stay
hidden and persist on compromised systems.
TrickBot (2016 - ongoing)
TrickBot is an advanced malware family that has been active since 2016. Originally a banking
Trojan, it grew into an extensive malware framework that uses process injection to avoid
detection and carry out a range of malicious operations. It reaches computers through phishing
emails or malicious files and, once installed, injects its code into legitimate processes to evade
antivirus programs. TrickBot is known for stealing login credentials, financial information and
personal data. It also serves as a delivery channel for other malware, including ransomware, and
is closely associated with large ransomware operations such as the Ryuk attacks. TrickBot has
compromised organisations around the world, including hospitals, financial institutions and
government bodies. Its ability to operate covertly and to deliver additional payloads makes it a
particularly dangerous threat, one that keeps evolving and adapting to bypass conventional
security measures.
5. Countermeasures and Mitigation
Behaviour analysis
EDR products watch for cross-process events: one process opening another with write or
thread-creation rights, writing into it, or creating a remote thread in it. On Windows the same
telemetry is available from Sysmon (Event ID 8 CreateRemoteThread and Event ID 10
ProcessAccess), which makes the examination, investigation and containment of sophisticated
threats possible even without a commercial EDR.
Process injection detection
Some EDRs block certain forms of injection outright by recognising the common behavioural
patterns, for example a remote thread whose start address is LoadLibrary, or a thread that starts
in memory not backed by any module on disk.
Operating system configuration
Attack Surface Reduction (ASR) rules: on Windows 10 with Microsoft Defender, the rule "Block
Office applications from injecting code into other processes" stops Office applications from being
used as injection launchers.
Yama kernel module: on Linux, Yama restricts ptrace-based injection. With
kernel.yama.ptrace_scope = 1 (Ubuntu's default) a process may only attach to its own
descendants, 2 limits attaching to processes with CAP_SYS_PTRACE, and 3 disables attaching
entirely.
Linux Security Modules such as SELinux and AppArmor provide mandatory access control and
confine what a process may do, including which other processes it may trace.
User education
Educate users about phishing and other social engineering methods, since these are the usual
delivery route for the droppers that go on to inject.
Prevention strategies
Regular patching removes the initial-access vulnerabilities that precede injection. Strong
password management and password policies limit what a compromised account can reach.
Application allow-listing (for example AppLocker or Windows Defender Application Control)
prevents an unsigned injector binary from running in the first place.
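What a behavioural rule over the cross-process telemetry described under "Behaviour analysis" looks like, as an added example that is not part of the original coursework. The event IDs and field names are Sysmon's (8 = CreateRemoteThread, 10 = ProcessAccess); the rules, the allowlist and the sample records are constructed here to mirror what the Section 3 injector produces against Notepad, and the function names judge, triage and parse_access are this example's own.

```python
"""Triage of Sysmon cross-process events for injection behaviour.

Added example (not from the coursework). Event IDs 8 and 10 and their field
names are Sysmon's; the rules, allowlist and sample records are constructed.
"""

# Access-mask bits an injector needs on the target (winnt.h values).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020
INJECT_BITS = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE

# Remote-thread entry points that mean "load a DLL for me".
LOADER_ENTRYPOINTS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa",
                      "loadlibraryexw", "ldrloaddll"}

# Processes that open every other process as part of normal operation.
# Constructed allowlist; tune per estate (EDR/AV engines belong here too).
ALLOWLISTED_SOURCES = {r"c:\windows\system32\csrss.exe"}

# Constructed sample telemetry: records 0 and 1 are what the Section 3
# injector produces against Notepad; 4 is a thread started at an address no
# module backs (shellcode or reflective loader); 2, 3 and 5 are benign noise.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\lab\injector.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceImage": r"C:\lab\injector.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartAddress": "0x00007FFB1E2A0C60",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryA"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\notepad.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartAddress": "0x00007FFB1E3B1100",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "TppWorkerThread"},
    {"EventID": 8, "SourceImage": r"C:\Users\lab\AppData\Local\Temp\dropper.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x000001A2B3C40000", "StartModule": "", "StartFunction": ""},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1000"},
]


def parse_access(mask):
    """Sysmon writes GrantedAccess as a hex string such as '0x1FFFFF'."""
    return int(str(mask), 16)


def judge(event):
    """Return a reason string if the event looks like injection, else None."""
    src = event.get("SourceImage", "").lower()
    dst = event.get("TargetImage", "").lower()
    if not src or src == dst:
        return None                      # a process touching itself is normal
    if event["EventID"] == 10:
        if src in ALLOWLISTED_SOURCES:
            return None
        granted = parse_access(event.get("GrantedAccess", "0"))
        if granted & INJECT_BITS == INJECT_BITS:
            return "ProcessAccess with write+thread rights (0x%X)" % granted
        return None
    if event["EventID"] == 8:
        func = event.get("StartFunction", "").lower()
        if func in LOADER_ENTRYPOINTS:
            return "remote thread started at %s: classic DLL injection" % event["StartFunction"]
        if not event.get("StartModule"):
            return "remote thread start address not backed by any module: shellcode/reflective loader"
        return None
    return None


def triage(events):
    """(index, reason) for every record that trips a rule."""
    hits = []
    for i, ev in enumerate(events):
        reason = judge(ev)
        if reason:
            hits.append((i, reason))
    return hits


if __name__ == "__main__":
    for i, reason in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print("event[%d] %s -> %s: %s" % (i, ev["SourceImage"], ev["TargetImage"], reason))
```

Two of the three hits are exactly the Section 3 injector: the ProcessAccess with PROCESS_ALL_ACCESS (which contains the write and create-thread bits) followed by a remote thread that starts at kernel32!LoadLibraryA. The third hit, a remote thread starting in memory that no module backs, is the signature of shellcode or a reflective loader. The thread-hijacking variant from Part 2 produces neither an Event 8 nor a LoadLibrary start address; catching it needs a looser ProcessAccess rule (write rights without create-thread) or a sensor that sees SetThreadContext.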
6. Conclusion
To summarise, process injection is a critical technique in cyber security with both offensive and
defensive uses, and it is an ever-changing challenge for security professionals. Although the
technique carries real risks, continuous vigilance and the deployment of behavioural detection
mechanisms let us mitigate the risks posed by process injection and protect systems from these
covert threats. By understanding the different types of process injection, including DLL injection,
process hollowing and the others discussed here, we gain insight into the complexity of modern
cyberattacks.
7. References
1) Red Canary (2023) Process Injection. Available at: [Link]report/techniques/process-injection/ (Accessed: 18/11/2024)
2) Hosseini, A. (2017) Ten process injection techniques: A technical survey of common and trending process injection techniques. Available at: [Link]trending-process (Accessed: 18/11/2024)
3) MITRE ATT&CK (2023) Process Injection. Available at: [Link] (Accessed: 18/11/2024)
4) Fisher, Y. (2024) Process Injection Techniques. Available at: [Link]techniques-hands-on/process-injection-techniques/ (Accessed: 18/11/2024)
5) [Link]/leetCipher
6) BBC (2010) Stuxnet 'hit' Iran nuclear plans. Available at: [Link] (Accessed: 18/11/2024)
7) Europol (2023) World's most dangerous malware EMOTET disrupted through global action. Available at: [Link]press/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action (Accessed: 18/11/2024)