Understanding Process Injection

Process injection is a technique used by attackers to inject malicious code into the memory space of a running process. Unlike process hollowing, which replaces the entire executable image of a process, process injection allows the attacker to run their payload within an existing process without altering its main execution flow. This technique is widely used in malware development, allowing malicious code to blend with legitimate processes and evade detection.

How Process Injection Works

1. Finding the Target Process

The attacker begins by identifying a target process to inject code into. This is usually a legitimate system or application process (e.g., explorer.exe, svchost.exe) to minimize suspicion. The attacker then uses a function such as OpenProcess to obtain a handle to the target process.

2. Allocating Memory in the Target Process

Once the process is identified, the attacker allocates memory inside it using VirtualAllocEx. This newly allocated space will hold the injected malicious payload. The memory is typically allocated in the .data or heap section to blend with normal process activity.

3. Writing Malicious Code to Memory

With memory allocated, the attacker copies their malicious code into the target process using WriteProcessMemory. This step effectively plants the attacker’s payload within the remote process, but it is not yet executed.

4. Creating a Remote Thread

To execute the injected code, the attacker creates a new thread inside the target process. This is done using CreateRemoteThread, which instructs the target process to start executing the malicious code. Alternatively, more stealthy techniques like NtQueueApcThread or SetThreadContext can be used to hijack an existing thread instead of creating a new one.

5. Execution Within the Target Process

Once the malicious code is running inside the process, it gains the same privileges and access rights as the host application. This allows attackers to perform various malicious activities, such as keylogging, privilege escalation, or data exfiltration, while the activity appears to originate from a legitimate process.
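Each of the five steps above leaves a trace in telemetry that defenders commonly collect, which is how this sequence is usually caught in practice. The following Python script is an added example (not code from the original article) showing how a detection would flag the sequence from Sysmon events: Event ID 10 (ProcessAccess) records the handle obtained in step 1 together with its GrantedAccess mask, and Event ID 8 (CreateRemoteThread) records the thread from step 4 together with whether its start address lies inside a loaded module (memory obtained with VirtualAllocEx in step 2 is not module-backed). The pipe-separated key=value log format, the sample records and the KNOWN_SOURCES allowlist are constructed assumptions for the example; the access-right constants are the real values from winnt.h.

```python
"""Flag the OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
sequence from Sysmon Event ID 10 and Event ID 8 records (example detection logic)."""
from dataclasses import dataclass

# Win32 process access rights (winnt.h). An injector needs all three on the target:
# create a thread, change memory protections/allocate, and write memory.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumption: processes that legitimately open others with these rights in this
# environment (lower-cased full paths). Tune this allowlist per environment.
KNOWN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\lsass.exe",
}


@dataclass
class Alert:
    event_id: int
    reason: str
    source: str
    target: str


def parse_sysmon_line(line: str) -> dict:
    """Parse one constructed 'EventID=8|Key=Value|...' record into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def check_process_access(ev: dict):
    """Event 10: the handle from step 1 carries every right needed to inject."""
    granted = int(ev.get("GrantedAccess", "0"), 16)
    src = ev.get("SourceImage", "").lower()
    if (granted & INJECTION_RIGHTS) == INJECTION_RIGHTS and src not in KNOWN_SOURCES:
        return Alert(10, f"handle with injection rights 0x{granted:x}",
                     ev["SourceImage"], ev["TargetImage"])
    return None


def check_remote_thread(ev: dict):
    """Event 8: the remote thread from step 4 starts in memory no module backs.
    Sysmon leaves StartModule empty (or '-') when the start address is not
    inside a loaded image, which is what VirtualAllocEx-provided memory looks like."""
    start_module = ev.get("StartModule", "")
    if not start_module or start_module == "-":
        return Alert(8, f"remote thread at unbacked address {ev.get('StartAddress')}",
                     ev["SourceImage"], ev["TargetImage"])
    return None


def scan(lines):
    """Run both checks over a list of records and return the alerts in log order."""
    alerts = []
    for line in lines:
        ev = parse_sysmon_line(line)
        eid = int(ev.get("EventID", "0"))
        alert = None
        if eid == 10:
            alert = check_process_access(ev)
        elif eid == 8:
            alert = check_remote_thread(ev)
        if alert:
            alerts.append(alert)
    return alerts


def correlate(alerts):
    """(source, target) pairs seen both opening the target with injection rights
    and starting an unbacked remote thread in it: the full sequence, not just one step."""
    by_pair = {}
    for a in alerts:
        by_pair.setdefault((a.source.lower(), a.target.lower()), set()).add(a.event_id)
    return [pair for pair, ids in by_pair.items() if {8, 10} <= ids]


# Constructed sample records (not real telemetry). 0x1F0FFF is PROCESS_ALL_ACCESS,
# 0x1000 is PROCESS_QUERY_LIMITED_INFORMATION (benign, e.g. a task-manager style query).
SAMPLE_LOG = [
    "EventID=10|SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe|TargetImage=C:\\Windows\\explorer.exe|GrantedAccess=0x1F0FFF",
    "EventID=10|SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\explorer.exe|GrantedAccess=0x1FFFFF",
    "EventID=10|SourceImage=C:\\Program Files\\Tool\\tool.exe|TargetImage=C:\\Windows\\explorer.exe|GrantedAccess=0x1000",
    "EventID=8|SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe|TargetImage=C:\\Windows\\explorer.exe|StartAddress=0x00000200A1F40000|StartModule=-|StartFunction=-",
    "EventID=8|SourceImage=C:\\Windows\\System32\\svchost.exe|TargetImage=C:\\Windows\\explorer.exe|StartAddress=0x00007FFE12345678|StartModule=C:\\Windows\\System32\\ntdll.dll|StartFunction=LdrInitializeThunk",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"[Event {a.event_id}] {a.source} -> {a.target}: {a.reason}")
    for src, dst in correlate(found):
        print(f"FULL SEQUENCE: {src} injected into {dst}")
```

Either check on its own produces noise (debuggers and security agents open processes with broad rights; some legitimate remote threads start in unbacked memory), so the correlation step, which requires the same source to have both obtained an injection-capable handle and started an unbacked thread in the same target, is where the confidence comes from. Step 3, the WriteProcessMemory call, has no Sysmon event of its own, which is why the handle rights and the unbacked start address are used as its proxies.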