Understanding Process Injection

0xmani
Published in Vault Infosec · 3 min read · Sep 26, 2023

Process Injection:

Process injection is a technique used by software developers for debugging, extending functionality, and adding extensibility. It is also used in stealth operations and red team engagements by threat actors and attackers.

In a real-world scenario, the threat actor injects malicious code into the address space of a process that is already running, such as notepad.exe, which helps them avoid detection by AV/EDR or escalate privileges.

Image Source: vanmieghem.io

Why Process Injection Is Used:

Process injection is used by a threat actor to place their malicious code into the address space of a running process. It allows them to execute code within the context of a legitimate process, which makes it harder for AV/EDR to detect and trace their activities. Below are the reasons to use process injection in an engagement:

  1. Security AV/EDR Evasion
  2. Privilege Escalation
  3. Persistence
  4. Sandbox evasion
  5. Credentials Stealing

How Process Injection Works:

Process injection can be done in two ways:

  1. Injecting into a process that is already running.
  2. Spawning a new process and injecting into it.

When performing process injection, we need to answer the following questions:

  1. How can we access the remote thread?
  2. How can we send our malicious code into the remote process?
  3. How can we execute our malicious code once it is inside the remote process?

We can do process injection using two API families:

  1. Win32 API
  2. Windows NT API

In this blog, we are going to explore the Win32 API only. To achieve process injection, several Windows API (WinAPI) calls are used. Let's look at some of the general Win32 APIs used in process injection.

CreateToolhelp32Snapshot — Used for process and thread enumeration.
OpenProcess — Opens a handle to another process, which can then be used to read, write, or otherwise manipulate its memory.
CreateProcess — Creates a new process.
EnumProcesses — Enumerates all running processes on the system.
WriteProcessMemory — Writes data into the memory space of another process.
CreateRemoteThread — Creates a thread that runs inside a target process.
DuplicateHandle — Duplicates handles within a process or between processes.
VirtualAllocEx — Allocates memory within the address space of another process.
VirtualProtectEx — Changes the protection of memory within a process's address space.
SetThreadContext — Modifies the execution context (register state) of a thread.
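The three questions above map onto the API list in a fixed order: a handle to the target (OpenProcess), memory in the target (VirtualAllocEx, WriteProcessMemory), and execution (CreateRemoteThread or SetThreadContext). The following is an added example, not part of the original post, showing how a defender can spot that ordered sequence in a per-process API-call trace; the trace format and the sample lines are constructed for the example, and real EDR/ETW telemetry will name fields differently.

```python
import re
from collections import defaultdict

# Constructed sample trace (not from the original post). Assumed line format:
# pid=<caller> image=<caller exe> api=<Win32 API> target=<pid the handle refers to>
SAMPLE_TRACE = """\
pid=4120 image=dropper.exe api=CreateToolhelp32Snapshot target=0
pid=4120 image=dropper.exe api=OpenProcess target=2288
pid=4120 image=dropper.exe api=VirtualAllocEx target=2288
pid=4120 image=dropper.exe api=WriteProcessMemory target=2288
pid=4120 image=dropper.exe api=CreateRemoteThread target=2288
pid=1500 image=debugger.exe api=OpenProcess target=3300
pid=1500 image=debugger.exe api=DuplicateHandle target=3300
pid=2288 image=notepad.exe api=VirtualAllocEx target=2288
pid=2288 image=notepad.exe api=WriteProcessMemory target=2288
"""

LINE_RE = re.compile(r"pid=(\d+) image=(\S+) api=(\w+) target=(\d+)")

# Stages of the classic Win32 chain, in the order they must occur against one target:
# get a handle, reserve memory, copy the payload in, run it.
STAGES = [
    {"OpenProcess"},
    {"VirtualAllocEx"},
    {"WriteProcessMemory"},
    {"CreateRemoteThread", "SetThreadContext"},
]

def parse_trace(text):
    """Turn trace lines into (caller pid, image, api, target pid) tuples, skipping junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pid, image, api, target = m.groups()
            events.append((int(pid), image, api, int(target)))
    return events

def find_injection_chains(events):
    """Report each (caller, target) pair that completes all stages in order."""
    progress = defaultdict(int)   # (caller pid, target pid) -> stages completed so far
    findings = []
    for pid, image, api, target in events:
        if target == 0 or target == pid:
            continue              # no target, or a process touching its own memory: normal
        key = (pid, target)
        stage = progress[key]
        if stage < len(STAGES) and api in STAGES[stage]:
            progress[key] = stage + 1
            if progress[key] == len(STAGES):
                findings.append({"caller": pid, "image": image, "target": target, "via": api})
    return findings
```

In the sample, only dropper.exe completes the chain against PID 2288; the debugger that merely opens and duplicates a handle, and notepad.exe writing to its own address space, are not reported.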

Simple Process Enumeration Code in C:

The code below lists the name and ID of every process running on the machine.

#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>

/* Build without UNICODE defined so that szExeFile is a char array and %s is correct. */
int main(void) {
    /* Take a snapshot of all processes currently running on the system. */
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    if (hSnapshot == INVALID_HANDLE_VALUE) {
        printf("Failed to create process snapshot.\n");
        return 1;
    }

    /* dwSize must be set before the first Process32First call. */
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(PROCESSENTRY32);

    if (!Process32First(hSnapshot, &pe32)) {
        printf("Process32First failed.\n");
        CloseHandle(hSnapshot);
        return 1;
    }

    /* Walk the snapshot entry by entry; th32ProcessID is a DWORD, hence %lu. */
    do {
        printf("Process ID: %lu\tProcess Name: %s\n", pe32.th32ProcessID, pe32.szExeFile);
    } while (Process32Next(hSnapshot, &pe32));

    CloseHandle(hSnapshot);
    return 0;
}

Code Walkthrough:

  1. The code starts by taking a "snapshot" of all the programs or processes currently running on the Windows machine.
  2. Then it checks whether the snapshot was taken successfully.
  3. Next, it prepares a structure (like a container) to hold information about one process.
  4. It fetches the first process in the snapshot. This is the beginning of the list of running programs.
  5. Next comes the loop. Each iteration reads the information the snapshot holds about the current process (its name and ID).
  6. It prints the process name and the ID.
  7. After printing one process, it moves on to the next entry until no more remain.
  8. Finally, it closes the snapshot handle once it has finished.

We’ll see the process injection techniques in the upcoming blog series.

Thanks for Reading !!!

Happy Hacking!!!

0xmani
Vault Infosec

Adversary Researcher | Malware Developer | Penetration Tester