This is an overview of all common process injection techniques used by malware, including AtomBombing, Process Hollowing aka RunPE, and Process Doppelgänging.
Buy me a coffee: ko-fi.com/struppigel
Follow me on Twitter: twitter.com/struppigel
My process Injection overview infographic: struppigel.blogspot.com/2017/07/process-injection-info-graphic.html
Process Injection Techniques Gotta Catch Them All: i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All.pdf
Atom bombing: www.fortinet.com/blog/threat-research/atombombing-brand-new-code-injection-technique-for-windows
Atom bombing: www.enisa.europa.eu/publications/info-notes/atombombing-2013-a-new-code-injection-attack
Process Doppelgänging: hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/
Hasherezade's video on creating the illusion of executing a TXT file: th-cam.com/video/XmWOj-cfixs/w-d-xo.html
DLL injection: en.wikipedia.org/wiki/DLL_injection
DLL Injection via LoadLibrary/CreateRemoteThread: www.codeproject.com/Articles/4610/Three-Ways-to-Inject-Your-Code-into-Another-Proces
DLL Search Order Hijacking (DLL injection that is not process injection): dmcxblue.gitbook.io/red-team-notes/persistence/dll-search-order-hijacking
Backdooring PE files with shellcode (code injection that is not process injection): www.ired.team/offensive-security/code-injection-process-injection/backdooring-portable-executables-pe-with-shellcode
This is a fantastic diagram for explaining how things work, I wish I had thought of this! I really like these new "explainer" videos you have been doing with deep dives into each topic : )
Thank you! Means a lot more to hear it from you than anyone else.
Also thank you for the coffees. Now I don't have any hand free for typing anymore ... ;)
This video covers only the surface - throughout the past months my mind has opened to so many new techniques that you would never imagine.
Good job, the visual parts and the explanations were so helpful. 🙏
Thank you.
Do you use C or C++?
This is such a wonderful work and an awesome explanation. Thanks for this!!
Such a great explanation, with the APIs explained in an easy way. Great effort. "Claps" for your work.
What is the stealthiest process injection method in your opinion? (Even the ones not included in this video)
Thx!
Generally the ones that are the least well-known. If you don't know what to look for, you won't see it, nor will developers include it into AV products.
It's a shame there's no discord in the description, I know a couple more ways to do process injection that I would be happy to share with you! (Some don't even require a handle)
All in all it's a really good video and way to explain them, I'm impressed by your research as I did the same.
Nice video as always :)
Thank you for your feedback. Sure, you can show me some techniques. I am aware that this does not show all injection techniques. Just the most common ones I see in malware. Maybe you have found some I don't know yet, so I would be happy to know. :)
You can DM me on Twitter (@struppigel) or write me on portx@gmx.de
@MalwareAnalysisForHedgehogs What of Gab?
very well explained
Thanks!
What about stack bombing and herpaderping
very good video, thank you
Awesome video. I still have one or two questions. You'll have to explain it to me at the next meeting :-)
I'm currently learning a bit about Win32 programming and I find it hilarious that all these injection types have dedicated functions to execute them; I always thought you'd have to do a lot of trickery to do something like that. Also, is there no Windows built-in security check that prevents you from easily writing to another process's memory? Or is that only done by AVs?
These functions are an overview for malware analysts, so you can recognize these and know where to put breakpoints for unpacking the injected code.
Depending on the technique used there can be more complicated stuff involved than just calling these functions. E.g. check out the article on AtomBombing which describes that it needs ROP chaining, among others.
There are several security mechanisms that can prevent injection into processes, especially processes that would grant more rights. But there is not much that holds malware back from injecting into its own child process (which they often do as a means to execute encrypted code dynamically, so they are just packed).
Some security mechanisms that might be relevant are ASLR, data execution prevention (DEP), Mandatory Integrity Control, AppContainer, code enclaves, trustlets.
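The reply above says analysts recognise injection by its API calls and break on them to capture the injected code. As an added illustration of that defender's workflow (not the video author's code), the following script scans a constructed API-call trace for the call sequences of the three techniques the video names (CreateRemoteThread-based DLL injection, process hollowing, AtomBombing), matched as ordered subsequences so that unrelated calls in between do not hide them, and reports the call at which a breakpoint still catches the payload before it runs. The trace line format `<pid> <api>(<args>)` and the sample trace are assumptions made for this example.

```python
"""Spot classic process-injection API sequences in an API-call trace.

Added example, not code from the video or its author: maps the Win32/NT calls the
video names to the technique they indicate and to the call an analyst would break on
to catch the injected code before it executes. The trace format and the sample trace
below are constructed for this example.
"""
import re

# Technique -> (characteristic call order, breakpoint call).  The order is matched as a
# subsequence, so unrelated calls may sit between the listed ones.  The breakpoint is the
# last call before the injected code starts running, i.e. where it can still be dumped.
TECHNIQUES = {
    "DLL injection (LoadLibrary/CreateRemoteThread)": (
        ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"],
        "CreateRemoteThread",
    ),
    "Process hollowing (RunPE)": (
        ["CreateProcess", "NtUnmapViewOfSection", "VirtualAllocEx",
         "WriteProcessMemory", "SetThreadContext", "ResumeThread"],
        "ResumeThread",
    ),
    "AtomBombing (GlobalAddAtom/NtQueueApcThread)": (
        ["GlobalAddAtom", "NtQueueApcThread"],
        "NtQueueApcThread",
    ),
}

# Base names whose ANSI/Unicode variants (...A / ...W) are folded together.
_BASE_NAMES = {name for seq, _ in TECHNIQUES.values() for name in seq}

# Assumed trace line shape: "<pid> <api>(<args>)".
_LINE = re.compile(r"^\s*(\d+)\s+([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def normalize(api: str) -> str:
    """Fold CreateProcessA / CreateProcessW and friends onto their base name."""
    if api[-1] in "AW" and api[:-1] in _BASE_NAMES:
        return api[:-1]
    return api


def parse_trace(text: str) -> dict[str, list[str]]:
    """Group normalised API names by calling PID, preserving trace order."""
    calls: dict[str, list[str]] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # skip blank or malformed lines instead of failing the whole scan
        pid, api = m.groups()
        calls.setdefault(pid, []).append(normalize(api))
    return calls


def is_subsequence(pattern: list[str], calls: list[str]) -> bool:
    """True when every call in pattern occurs in calls, in order, possibly with gaps."""
    it = iter(calls)  # shared iterator: each pattern element must appear after the previous hit
    return all(any(c == p for c in it) for p in pattern)


def classify(text: str) -> dict[str, list[tuple[str, str]]]:
    """Return {pid: [(technique, breakpoint_api), ...]} for PIDs whose calls match."""
    hits: dict[str, list[tuple[str, str]]] = {}
    for pid, calls in parse_trace(text).items():
        for name, (pattern, breakpoint_api) in TECHNIQUES.items():
            if is_subsequence(pattern, calls):
                hits.setdefault(pid, []).append((name, breakpoint_api))
    return hits


# Constructed sample trace (not real malware output): one call per line.
SAMPLE_TRACE = """\
1234 OpenProcess(PROCESS_ALL_ACCESS, FALSE, 4321)
1234 VirtualAllocEx(0x1c4, NULL, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
1234 WriteProcessMemory(0x1c4, 0x7ff0000, buf, 0x1000, NULL)
1234 CreateRemoteThread(0x1c4, NULL, 0, LoadLibraryA, 0x7ff0000, 0, NULL)
5678 CreateProcessA("C:\\Windows\\System32\\svchost.exe", NULL, ..., CREATE_SUSPENDED, ...)
5678 NtUnmapViewOfSection(0x1f0, 0x400000)
5678 VirtualAllocEx(0x1f0, 0x400000, 0x20000, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
5678 WriteProcessMemory(0x1f0, 0x400000, image, 0x20000, NULL)
5678 SetThreadContext(0x1f4, ctx)
5678 ResumeThread(0x1f4)
9012 GlobalAddAtomA(chunk)
9012 NtQueueApcThread(0x200, GlobalGetAtomNameA, atom, 0x7ff1000, 0x1000)
3456 ReadFile(0x88, buf, 0x200, NULL, NULL)
"""

if __name__ == "__main__":
    for pid, findings in classify(SAMPLE_TRACE).items():
        for technique, bp in findings:
            print(f"pid {pid}: {technique}; break on {bp} to catch the payload in memory")
```

PID 3456 only reads a file and produces no finding, which is the point of matching a whole ordered sequence rather than any single call: VirtualAllocEx or WriteProcessMemory on their own are common in benign software, and it is the chain ending in a remote execution primitive that distinguishes injection. Breaking on the final call of the chain is the moment the injected image is complete in the target's memory but has not yet run, which is where the reply above suggests dumping it.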
Nice explanation 👌👌👌 Need a video on PE file structure
I made one here: th-cam.com/video/l6GjU8fm8sM/w-d-xo.html
Wow. This is amazing! Thanks for making this :)
How can I learn malware analysis
I recommend working through the book "Practical Malware Analysis" by Honig and Sikorski.
@MalwareAnalysisForHedgehogs Can you recommend some tutorials to me?
@dabicao6747 Try Lena's reverse engineering tutorials.
Now I feel so stupid, nice video!
Awesome
How do I remove a RAT, HEUR detection or backdoor from a software or exe?
Good video, but hard to follow with the handwritten notes.
You are right, thank you for the feedback, I will do better :)
Thanks bro, you're the best.
The handwritten text discouraged me from going in more than 2 minutes
Thank you for your feedback. Yes, the presentation is not really good. This video is a few years old, I hope the current ones are a little better.
No, no, no.. horrible squiggles for a diagram.. and you also assumed we already have knowledge about the basic terms.
You are right. I will do it better for the next videos. :)