Process Injection: inject shellcode in a target process
ProcessInjection
What is Process Injection?
It is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Why Process Injection?
Malware commonly utilizes process injection to access system resources through which Persistence and other environment modifications can be made. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.
The program is designed to perform process injection. Currently, the tool supports 2 process injection techniques.
1) Vanilla Process Injection
2) DLL Injection
In this vanilla technique, there are 4 Windows API which is used to inject shellcode into the remote process.
- OpenProcess – The OpenProcess function returns a handle of an existing process object.
- VirtualAllocEX – The VirtualAllocEx function is used to allocate the memory and grant the access permissions to the memory address.
- WriteProcessMemory – The WriteProcessMemory function writes data to an area of memory in a specified process.
- CreateRemoteThread – The CreateRemoteThread function creates a thread that runs in the virtual address space of another process.
Vanila Process Injection Currently the program accepts shellcode in 3 formats
1) base64
2) hex
3) C
What is DLL?
Dynamic Link Library (DLL) is a file which contains the code and is been loaded by the program to perform one or more actions during run time.
What is DLL Injection?
DLL Injection is a process of injecting a DLL into the running process which might contain malicious code and can be used for performing malicious activities.
In this DLL Injection technique 6 Windows API are used.
- OpenProcess – The OpenProcess function returns a handle of an existing process object.
- VirtualAllocEX – The VirtualAllocEx function is used to allocate the memory and grant the access permissions to the memory address.
- WriteProcessMemory – The WriteProcessMemory function writes data to an area of memory in a specified process.
- CreateRemoteThread – The CreateRemoteThread function creates a thread that runs in the virtual address space of another process.
- GetModuleHandleA – The GetModuleHandleA function retrieves a module handle for the specified module which is already loaded by the calling process.
- GetProcAddress – The GetProcAddress function retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
Tutorial [1, 2]
Copyright (C) 2019 3xpl01tc0d3r
