Code injection in the current process - ties2/Red-Team GitHub Wiki

Antivirus software is designed to protect a computer system by detecting and removing malicious code. Attackers are constantly looking for ways to bypass these protections, and one of the most common methods is code injection: inserting malicious code into a legitimate process or application so that it runs under that process's identity, which makes the threat harder for antivirus software to detect. This page discusses the code injection techniques used to bypass antivirus software and their potential impact on computer systems.

Code Injection Techniques:

  • DLL Injection:

DLL injection involves inserting a dynamic-link library (DLL) into the address space of a process. This technique is commonly used to modify the behavior of an application by injecting additional code. Attackers can use DLL injection to inject malicious code into a legitimate process, making it difficult for antivirus software to detect the threat. DLL injection is a common technique used by malware, rootkits, and other types of malicious software.

  • Process Injection:

Process injection involves injecting malicious code into a running process on a computer system. Attackers can use this technique to inject malicious code into a trusted process, making it more difficult for antivirus software to detect the threat. Process injection techniques include code injection into existing threads, remote thread injection, and process hollowing.

  • Thread Hijacking:

Thread hijacking involves taking control of a thread within a running process and executing malicious code within that thread. This technique can be used to bypass antivirus software by executing malicious code within a trusted process. Thread hijacking is a commonly used technique in rootkits and other types of malware.

  • Reflective DLL Injection:

Reflective DLL injection is a technique that loads a DLL directly into memory without going through the operating system's normal DLL loading mechanism. Malware commonly uses it to bypass antivirus software, because the DLL never passes through the standard loader path that antivirus software can monitor.

Impact on Computer Systems:

Code injection techniques used to bypass antivirus software can have a significant impact on computer systems. These techniques can allow attackers to execute malicious code on a computer system undetected, steal sensitive data, and take control of the system. The impact of code injection can range from a minor inconvenience to a major security breach, depending on the intent and severity of the attack.

Examples of Code Injection Attacks:

  • Zeus Banking Trojan: The Zeus banking Trojan is a well-known example of malware that uses code injection techniques to bypass antivirus software. Zeus uses process injection to place malicious code into legitimate processes, making the threat more difficult for antivirus software to detect. The Zeus Trojan is capable of stealing sensitive information such as login credentials, banking information, and other types of personal data.

  • Stuxnet Worm: The Stuxnet worm is another example of malware that uses code injection techniques to bypass antivirus software. Stuxnet uses a combination of DLL injection and rootkit techniques to hide its presence on a computer system. The Stuxnet worm was designed to target industrial control systems, specifically those used in nuclear facilities, and it succeeded in causing physical damage to centrifuges used to enrich uranium.

  • Metasploit Framework: The Metasploit Framework is an open-source penetration testing tool that includes a variety of code injection techniques. The Metasploit Framework can be used to test the effectiveness of antivirus software by simulating a code injection attack. The Metasploit Framework is commonly used by security researchers and penetration testers to identify vulnerabilities in computer systems.

Process injection is a technique used by attackers to insert malicious code into a running process on a computer system, with the aim of executing arbitrary code and maintaining persistence on the system. This technique is often used in advanced persistent threats (APTs) and other sophisticated attacks, as it allows attackers to evade detection by antivirus and other security software. There are several types of process injection techniques, including code injection into existing threads, remote thread injection, and process hollowing.

Code Injection into Existing Threads

This technique involves injecting malicious code into a running process by modifying an existing thread within the process. This method is commonly used to inject malicious code into trusted system processes like svchost.exe or explorer.exe. The attacker locates a running process and identifies a suitable thread within the process to inject their code into. Once the attacker has identified a thread, they inject their malicious code into the thread by overwriting the thread's memory with the malicious code.

Remote Thread Injection

Remote thread injection involves injecting a new thread into a running process and executing the attacker's code within that thread. This technique is used when the attacker cannot identify a suitable thread within the target process to inject their code into. The attacker first creates a new thread within the target process and then injects their malicious code into the newly created thread. The attacker then executes their code within the new thread, effectively injecting their code into the target process.

Process Hollowing

Process hollowing is a technique used by attackers to create a new instance of a legitimate process and replace its memory with the attacker's malicious code. This technique involves creating a new instance of the target process in a suspended state, and then modifying its memory so that it contains the attacker's malicious code instead of the legitimate code. Once the attacker has replaced the legitimate code with their own code, they resume the process, effectively injecting their code into the legitimate process.

These process injection techniques are often used by attackers to execute malicious code on a compromised system, evade detection by antivirus and other security software, and maintain persistence on the system. In order to defend against process injection attacks, organizations can implement security measures such as endpoint detection and response (EDR) tools, application control, and privilege management.
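The defensive measures above rest on telemetry: an EDR or Sysmon deployment records when one process opens a handle to another (Sysmon Event ID 10, ProcessAccess, with the granted access mask) and when a thread is created in another process (Sysmon Event ID 8, CreateRemoteThread, with the start address and its backing module). The detection logic below is an added example written for this page, not code from the wiki or from any of the cited sources. The events, the source allowlist and the rule names are constructed for illustration; the access-right constants are the real values from winnt.h.

```python
"""Flag process-injection indicators in Sysmon-style events (added example).

The SAMPLE_EVENTS list is hand-constructed to resemble Sysmon Event ID 8
(CreateRemoteThread) and Event ID 10 (ProcessAccess) records; it is not real
telemetry. TRUSTED_SOURCES is an illustrative allowlist to tune per environment.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Win32 process access rights (winnt.h) that classic injection needs on the target.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Processes that legitimately open other processes with these rights (example allowlist).
TRUSTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


@dataclass
class Alert:
    rule: str
    source: str
    target: str
    detail: str


def _norm(path: str) -> str:
    return path.lower()


def check_remote_thread(ev: dict) -> Optional[Alert]:
    """Sysmon EID 8: a thread created in another process.

    Flag when the new thread starts in memory that no module backs (shellcode or a
    reflectively loaded DLL), or when the creating process is not on the allowlist.
    """
    src, tgt = _norm(ev["SourceImage"]), _norm(ev["TargetImage"])
    if src == tgt:
        return None  # a process creating threads in itself is normal
    if not ev.get("StartModule"):
        return Alert("remote_thread_unbacked_start", src, tgt,
                     f"start address {ev['StartAddress']} has no backing module")
    if src not in TRUSTED_SOURCES:
        return Alert("remote_thread_untrusted_source", src, tgt,
                     f"starts at {ev['StartModule']}!{ev.get('StartFunction', '')}")
    return None


def check_process_access(ev: dict) -> Optional[Alert]:
    """Sysmon EID 10: a handle opened to another process.

    Flag when the granted rights include write + allocate + create-thread (the
    WriteProcessMemory/CreateRemoteThread pattern) and the source is untrusted.
    """
    src, tgt = _norm(ev["SourceImage"]), _norm(ev["TargetImage"])
    granted = int(ev["GrantedAccess"], 16)
    if src == tgt or src in TRUSTED_SOURCES:
        return None
    if granted & INJECTION_MASK == INJECTION_MASK:
        return Alert("process_access_injection_rights", src, tgt,
                     f"GrantedAccess=0x{granted:x} includes VM_WRITE|VM_OPERATION|CREATE_THREAD")
    return None


DISPATCH: Dict[int, Callable[[dict], Optional[Alert]]] = {
    8: check_remote_thread,
    10: check_process_access,
}


def scan(events: List[dict]) -> List[Alert]:
    """Run every event through the handler for its Event ID and collect alerts."""
    alerts: List[Alert] = []
    for ev in events:
        handler = DISPATCH.get(ev["EventID"])
        if handler is not None:
            alert = handler(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1f3fff"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Foo\foo.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1000"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe",
     "StartAddress": "0x00000203ABCD0000", "StartModule": "", "StartFunction": ""},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe",
     "StartAddress": "0x00007FF812345678",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.source} -> {a.target}: {a.detail}")
```

Running the block on the constructed events produces two alerts: the handle from the Temp-directory executable to svchost.exe carries the full injection mask, and the remote thread it later creates starts at an address with no backing module. The csrss.exe handle (trusted source) and the 0x1000 handle (PROCESS_QUERY_LIMITED_INFORMATION only) are ignored, which is the kind of allowlisting needed to keep such a rule quiet in practice.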

Here is an example of process injection using code injection into existing threads:

Suppose an attacker wants to inject malicious code into a running process on a victim's computer. The attacker identifies a process that is running with elevated privileges, such as a system service. The attacker creates a DLL that contains the malicious code and then uses a tool such as DLL Injector to inject the DLL into the running process.

The attacker then uses a code injection technique to inject the malicious code into an existing thread within the process. The attacker first identifies a suitable thread within the process that is currently running and has the appropriate permissions to execute the malicious code. The attacker then modifies the thread's context to point to the location of the injected code.

Once the code has been injected, it runs within the context of the target process and can perform any actions that the process is authorized to do. This could include stealing sensitive data, installing additional malware, or establishing a persistent backdoor for future access.

One example of a code injection technique that can be used for process injection is reflective DLL injection. Reflective DLL injection allows a DLL to be loaded into a process without the process calling the traditional LoadLibrary function. Instead, the attacker loads the DLL directly into memory, and code within the DLL creates a new thread that runs inside the target process. This makes the injected DLL harder for antivirus software to detect, because it never goes through the loader calls that antivirus software can monitor.

Another example of process injection is remote thread injection. Remote thread injection involves creating a new thread within a target process and then using that thread to execute the attacker's code. This technique is commonly used by malware that has already gained a foothold on a victim's computer and is attempting to spread to other processes or systems.

Process hollowing is another technique used for process injection. In process hollowing, the attacker creates a new process in a suspended state and then replaces the legitimate code within the process with the malicious code. The attacker then resumes the process, and the malicious code runs within the context of the legitimate process. This technique can be used to bypass antivirus software because the malicious code appears to be running within a legitimate process.
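Both reflective DLL injection and process hollowing leave a footprint in the process's memory layout rather than on disk, which is why the "memory protection mechanisms" mentioned in the conclusion and memory forensics tools look at region metadata. The heuristics below are an added example for this page, not a tool from the wiki or the cited sources: a reflectively loaded DLL or shellcode lives in privately allocated memory that is executable (and, for a DLL, starts with a PE header), while a hollowed process has lost the file-backed image mapping at its image base. The region lists are constructed; the protection and allocation-type constants are the real winnt.h values.

```python
"""Memory-region heuristics for injected code and hollowed processes (added example).

INJECTED_REGIONS and HOLLOWED_REGIONS imitate the per-region data a memory
forensics tool reports for one process (base, size, page protection, allocation
type, backing file, first bytes). The values are invented for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Page protections and allocation types from winnt.h.
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000


@dataclass
class Region:
    base: int
    size: int
    protect: int
    mem_type: int
    backing_file: Optional[str]  # None when no file object backs the region
    head: bytes                  # first bytes of the region


@dataclass
class Finding:
    indicator: str
    base: int
    detail: str


def find_injected_regions(regions: List[Region], image_base: int, image_path: str) -> List[Finding]:
    """Scan one process's regions. image_base/image_path are what the process
    reports for its main executable (e.g. PEB ImageBaseAddress and the path)."""
    findings: List[Finding] = []
    for r in regions:
        if r.base == image_base:
            # Hollowing unmaps the original image and refills the range with private
            # memory, so the region at the image base is no longer file-backed, or
            # is backed by a file other than the one the process claims to be.
            if r.mem_type != MEM_IMAGE or r.backing_file is None:
                findings.append(Finding("hollowed_main_image", r.base,
                                        f"region at image base is not a file-backed image of {image_path}"))
            elif r.backing_file.lower() != image_path.lower():
                findings.append(Finding("image_base_file_mismatch", r.base,
                                        f"image base backed by {r.backing_file}, expected {image_path}"))
            continue
        if r.protect & EXECUTABLE and r.mem_type == MEM_PRIVATE:
            # Executable private memory never comes from a loaded module.
            if r.head.startswith(b"MZ"):
                findings.append(Finding("private_exec_pe_header", r.base,
                                        "private executable region begins with a PE header (reflective DLL)"))
            else:
                findings.append(Finding("private_exec_region", r.base,
                                        f"private executable region, protect=0x{r.protect:x}"))
    return findings


IMAGE = r"C:\Windows\System32\svchost.exe"
IMAGE_BASE = 0x400000

# Constructed: a process with its real image intact plus two injected regions.
INJECTED_REGIONS = [
    Region(0x400000, 0x30000, PAGE_EXECUTE_WRITECOPY, MEM_IMAGE, IMAGE, b"MZ\x90\x00"),
    Region(0x7FF812340000, 0x1F0000, PAGE_EXECUTE_WRITECOPY, MEM_IMAGE,
           r"C:\Windows\System32\ntdll.dll", b"MZ\x90\x00"),
    Region(0x1A0000, 0x10000, PAGE_READWRITE, MEM_PRIVATE, None, b"\x00\x00\x00\x00"),  # heap
    Region(0x2B0000, 0x40000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, None, b"MZ\x90\x00\x03"),
    Region(0x3C0000, 0x1000, PAGE_EXECUTE_READ, MEM_PRIVATE, None, b"\x55\x48\x89\xe5"),
]

# Constructed: the same process after hollowing; the image base is private memory.
HOLLOWED_REGIONS = [
    Region(0x400000, 0x30000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, None, b"MZ\x90\x00"),
    Region(0x7FF812340000, 0x1F0000, PAGE_EXECUTE_WRITECOPY, MEM_IMAGE,
           r"C:\Windows\System32\ntdll.dll", b"MZ\x90\x00"),
    Region(0x1A0000, 0x10000, PAGE_READWRITE, MEM_PRIVATE, None, b"\x00\x00\x00\x00"),
]

if __name__ == "__main__":
    for label, regions in (("injected", INJECTED_REGIONS), ("hollowed", HOLLOWED_REGIONS)):
        for f in find_injected_regions(regions, IMAGE_BASE, IMAGE):
            print(f"{label}: [{f.indicator}] 0x{f.base:x} {f.detail}")
```

The first region list yields two findings (a private executable region carrying a PE header, and a second one without), the second yields only the hollowed-image finding, and a clean process with only image-backed executable regions and a non-executable heap yields none. Real tooling adds context such as the thread start addresses from the previous example, since a private executable region that no thread ever runs is a weaker indicator than one a thread started in.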

Overall, process injection is a powerful technique that attackers can use to bypass security measures and gain access to sensitive data. Organizations can defend against process injection by implementing security controls such as process monitoring, code signing, and memory protection mechanisms. Additionally, regular security awareness training for employees can help to prevent social engineering attacks that can lead to successful process injection.

Sources:

  • https://www.fireeye.com/blog/threat-research/2020/06/understanding-process-injection-techniques.html
  • https://www.malwaretech.com/2017/05/22/process-injection-explained/
  • https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/process-injection-and-its-many-techniques