Process Injection
Last updated
What is process injection? Process injection consists of injecting a DLL or shellcode into a remote process instead of executing it in your own (local) process. There are various ways of doing this, including DLL injection, shellcode injection, thread local storage (TLS callback) injection, and more. This is all based on the MITRE ATT&CK technique referenced below.
Steps to implement shell code injection
The first function is OpenProcess(). It returns a handle to the process you choose to inject code into. The next function is VirtualAllocEx(), which allocates a block of memory inside the opened (remote) process. WriteProcessMemory() copies a buffer from the local process to a destination address in the remote process; this is what writes the shellcode into the remote process. CreateRemoteThread() creates a thread in the remote process to execute code; the thread is created to run the shellcode now present in the target process.
Once the code is written and compiled, you can statically analyze the resulting EXE in a tool such as PEStudio.
Dropping a process-injection sample into PEStudio and looking at the imports section shows these four functions in the PE's import table, which is one reason this combination of imports is a common static indicator of injection.
When writing in C/C++, it is important to understand how the code itself works. A great first step is watching the linked video (credit to crow).
It is a good way to learn malware development and its inner workings. The first practical step is to open your IDE and get started. The first thing to do is include the header files you need (the DLLs they describe, such as kernel32.dll, are resolved by the linker and loader, not by #include).
The header file Windows.h is the base header file for Win32 programming; it contains declarations for almost all of the basic Windows macros, typedefs and API functions. The #include <stdio.h> directive is common in C programs because it includes the standard input/output header, which declares functions such as printf() and scanf().
Next comes your main function, int main().
The int main function contains the printf statement. The return 0 is not strictly needed, since in C99 and later main returns 0 implicitly when it falls off the end, but writing it explicitly is best practice.
HANDLE OpenProcess(
[in] DWORD dwDesiredAccess,
[in] BOOL bInheritHandle,
[in] DWORD dwProcessId
);
In this next picture, you declare a HANDLE to store the remote process, defining hProcess. The OpenProcess() function opens the process you want to inject code into, and you have to fill in its parameters. The first is the desired access; here we use PROCESS_ALL_ACCESS, which requests every access right on the process. It does not grant access to any user: the call still fails unless the caller's token actually has those rights, and a narrower mask (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ) is all this technique needs. The next parameter is the BOOL bInheritHandle. The example sets it to TRUE, but it only controls whether child processes you spawn later inherit this handle, so FALSE works just as well for injection. The last parameter is dwProcessId: this is where you fill in the PID of the process you want to inject code into.
Next is void* exec_mem. This is a pointer to the memory allocated by VirtualAllocEx. VirtualAllocEx allocates a block of memory in the target process with PAGE_EXECUTE_READWRITE protection, meaning the memory can be executed as well as read from and written to. The exec_mem variable stores the address of that block in the remote process, so you can later write the shellcode there and start a thread at that address. Note that a freshly allocated RWX region in a remote process is a well-known indicator that memory scanners look for; allocating PAGE_READWRITE, writing the shellcode, and then switching the region to PAGE_EXECUTE_READ with VirtualProtectEx avoids it.
In the listing above, the first variable declared is shellcode, a byte array into which you paste the shellcode you will use for injection. Next come the handles. A handle is just a reference or identifier for a specific resource; here they are hProcess and hThread. A void* is a pointer not tied to any particular type; it simply points to some data in memory. hProcess and exec_mem are declared first and then initialised with the return values of OpenProcess and VirtualAllocEx. The last and
HANDLE CreateRemoteThread(
[in] HANDLE hProcess,
[in] LPSECURITY_ATTRIBUTES lpThreadAttributes,
[in] SIZE_T dwStackSize,
[in] LPTHREAD_START_ROUTINE lpStartAddress,
[in] LPVOID lpParameter,
[in] DWORD dwCreationFlags,
[out] LPDWORD lpThreadId
);