Process injection is one of the most important techniques in cyber security. This technique works by dropping code into another already running process address space and executing the code in that space. This is truly a disaster from a security perspective as it allows the code to execute under the permissions of the target process, which may be able to bypass security controls by using the target process’ existing privilege escalation, detection mechanisms, etc.
Process injection is a threat vector that has spawned many forms of malware infesting the internet and advanced persistent threats (APTs). Though this is a valid technique in a software development environment to debug or extend an application, it is often used by threat actors to run code without authorization, evade persistence, and remain undetected.
This blog analyzes the principles of process injection, its core mechanisms, common techniques, detection methods, and how to prevent it. We will also explore some fundamentals, such as memory operations, injection techniques, detection methods, and practical examples of attacks.
What is Process Injection?
Process injection allows a code to be injected into the memory space of the other ongoing process. In this technique, the attacker forces the target process to run arbitrary code by writing their own code into the address space of that process. The code being injected executes under the context and rights of the vulnerable process, thus, it inherits all of its access rights and the trust level on the system.
Process injection consists of the following technical components at the core: process handle acquisition, memory allocation in the target process, code writing operations, and execution triggering mechanisms. They use Windows API functions such as OpenProcess(), VirtualAllocEx(), WriteProcessMemory(), and CreateRemoteThread() to execute the injection process.
Why Process Injection is Dangerous?
Several technical aspects make this attack type relatively dangerous. The code executed from the injected thread has the same privileges as the target process, effectively resulting in elevated access to the system. This method bypasses any file-based security scanning since the insecure code exists only in memory.
It also has a serious effect on the stability and security of systems. Injecting operations may get crashed by the target processes and introduce instability across the system. They achieve this by terminating security product processes, stealing data from protected applications, and establishing persistent system access that evades common cleanup techniques.
Process Memory Fundamentals
The technical basis for process injection techniques is the understanding of process memory structures and operations. There are internal features of the Windows OS memory management model that enable and also restrict memory interactions and access between processes. They instantly alter the way process injection works and the way defenders can detect and protect against it.
Virtual Memory and Process Address Space
Each Windows process has its own virtual address space, isolated from other processes running on the same system. The range of this virtual address space is 0 to 0x7FFFFFFF for 32-bit processes and 0 to 0x7FFFFFFFFFF for 64-bit processes. Mapping from virtual addresses to physical memory locations is done with the help of the paging technique by the Windows Memory Manager.
The process has a number of regions in its address space, such as the process executable code, loaded DLLs, heap allocations, and stack space. These regions have specific functions and types of data. Windows has page tables that describe where pages of memory frames are, and whether they are in the virtual address space.
Memory Permissions and Protection
There are access permissions for memory regions, which describe how processes should interact with them. These permissions include:
PAGE_EXECUTE:Memory can be executed as codePAGE_READ:Memory can be readPAGE_WRITE:Memory can be written toPAGE_EXECUTE_READ:Memory can be executed and readPAGE_EXECUTE_READWRITE:Memory can be executed, read, and written to
These permissions are enforced by the Windows Memory Manager at the page level. If an application (or process) tries to access memory in a way that is not allowed, the system raises an access violation.
Critical Windows APIs for Memory Operations
Windows has a few important APIs for memory manipulations. These APIs are the building blocks of process injection. The ‘Ex’ versions for these functions are for external processes, whereas the regular successors are for the memory space of the calling process. Knowing these APIs enables the detection of potential injection activities and tracking.
- VirtualAlloc/VirtualAllocEx: Reserves and commits memory in a process
- VirtualProtect/VirtualProtectEx: Changes memory region permissions
- ReadProcessMemory: Reads data from another process’s memory space
- WriteProcessMemory: Writes data to another process’s memory space
- VirtualFree/VirtualFreeEx: Releases allocated memory regions
Types of Process Injection Techniques
Process injection comprises a number of different techniques that all make use of some form of code execution for target processes. This difference in Windows API calls and memory manipulation makes for unique operation patterns and detection signatures for each technique.
Analyzing these techniques can be a good help to the security teams in identifying and responding to specific injection methods.
1. DLL Injection
DLL Injection is the process of forcing a process to load a malign DLL files. It uses a set of API functions: OpenProcess(), VirtualAllocEx(), and CreateRemoteThread(). This begins with reserving memory inside the target process to hold the path of the DLL. It then starts a remote thread that calls LoadLibrary() with the path as a parameter to instruct the target process to load the malicious DLL.
An injected DLL has full access to the target process functions/processes with memory addresses of the entire memory space of the target process and all other modules the target has loaded into memory.
2. Code Injection
Code injection is a form of attack that injects malicious code into a process memory space, and the code executes upon it. This simply writes a code to the address of a process memory space. This is a multi-step technique that includes getting a handle on the process, using VirtualAllocEx() to allocate memory, WriteProcessMemory() to write the code, and then finally, CreateRemoteThread() to execute it.
The code that it runs has the permissions of the target process in which it is executing, and all security privileges and access rights will be inherited.
3. Thread Execution Hijacking
Thread execution hijacking suspends a thread in the target process, changes its execution context to point to the attacker code, and continues the execution. In this technique, the attacker makes use of SuspendThread(), GetThreadContext(), SetThreadContext(), and ResumeThread() APIs.
Since it uses a legitimate thread, it makes it harder to get detected as the hijacked thread runs with its existing privileges to execute the malicious code.
4. APC (asynchronous procedure call) Injection
APC injection queues malicious code to be executed when a thread enters an alert state. This method enqueues code onto a thread using QueueUserAPC(). The code injected into the thread is executed when it processes its APC queue, which usually happens during particular system calls or wait operations. This method is well suited to threads that repeatedly visit mutable states.
5. Reflective DLL Injection
The method of reflective DLL injection loads a DLL with the help of a Windows loader and does not write a file system artifact. It is a custom DLL with instructions on how to map it and address it in memory. This trick involves injecting the loader code and DLL into the target process memory and executing the loader to prepare the DLL. It avoids detection by normal DLL loading mechanisms and monitoring.
6. Process Hollowing
Process Hollowing is a stealthy injection technique where attackers create a legitimate process in a suspended state (using CreateProcess with CREATE_SUSPENDED), unmap its original memory space (via NtUnmapViewOfSection/ZwUnmapViewOfSection), allocate new memory (VirtualAllocEx), write malicious code (WriteProcessMemory), fix the PE header and relocations, update the Process Environment Block (PEB), and finally redirect the entry point (SetThreadContext) before resuming execution (ResumeThread). This allows malicious code to execute under a legitimate process’s identity and privileges.
How Process Injection Works?
Process injections follow a series of steps in the attempt to execute code in a target process. No matter the injection method, technical implementation follows certain steps that manipulate process memory and change how the process flow executes.
The first one is target process identification and access acquisition operations. The malicious process uses OpenProcess() to get a handle on the target process. Required access rights for this handle are PROCESS_CREATE_THREAD, PROCESS_QUERY_INFORMATION, PROCESS_VM_OPERATION, PROCESS_VM_WRITE, and PROCESS_VM_READ.
The second crucial step is memory allocation in the target process. The VirtualAllocEx() allocates memory space in the target process address space by reserving and committing pages of the virtual memory.
The third step is to copy the shellcode to the allocated memory area. WriteProcessMemory() copies the code bytes from the source buffer to the target process memory region. This operation should consider the alignment and size requirements.
The last step of execution triggering represents the final core components. Each technique employs one mechanism or another:
CreateRemoteThread()creates a new thread to execute the injected codeQueueUserAPC()queues code execution in an existing threadSetThreadContext()modifies existing thread execution flow- Direct modification of function pointers or hooks
Once execution is in motion, the injected code executes inside the context of the target process, having access to the target process’s resources and security token. This code can then do whatever it was designed to do, running under the target process’s privileges and trust level.
How to Detect Process Injection Attacks?
Process injection is difficult to detect because it involves several components and behaviors of the system. To identify injection activity, security systems must monitor memory movements, API calls, and all process behavior.
These detection methods, in combination, form an overall detection strategy.
Memory Pattern Analysis
Memory analysis is focused on searching for popular patterns in memory regions of processes. This happens because these regions of the process memory are scanned by security tools to check the permission settings of process memory and the expected content. This includes detecting anomalous executable regions and pages that do not conform to their typical content signatures within processes, among others.
Memory scanners look for deviations from original process binaries, either by monitoring changes in normally static process memory structures or looking for dynamic code segments.
API Call Monitoring
Suspicious sequences of memory manipulation calls are detected by Windows API monitoring. Security tools monitor OpenProcess() for process access, VirtualAllocEx() for memory allocation, and WriteProcessMemory() for memory writes. If a thread is created or manipulated, e.g., CreateRemoteThread(), this will be a clear sign of injection.
Changes to state for processes and threads via APIs like SuspendThread() and SetThreadContext() should also be monitored, as these are often found in injection chains.
Behavioral Indicators
Monitoring the behavior of processes is done to identify unexpected patterns of activity suggesting these injection attempts. Intrusion detection systems watch for threads in a relatively stable running process and changes in the process memory map to keep track of such processes.
These behaviors, along with modification of the Import Address Tables and cross-process memory operations, are relevant indicators for detection.
Detection Tools
Spotting process injection needs some security tools with deep monitoring capabilities. Real-time analysis is done by process monitors that monitor API calls and system actions, while memory analysis tools perform a deep analysis of the process memory spaces. Event log analyzers allow teams to record the history of security events within the system so that they can gain a perspective on the past.
Enterprise detection and response (EDR) solution such as SentinelOne combines various ways to monitor with analytic capabilities. There are system administration tools such as process monitor and process explorer, which show the processes in detail as well as the memory allocation per process.
How to Prevent Process Injection Attacks?
Prevention for process injection cannot be provided by a single security control but involves controls at the system, process, and code levels. These mitigations focus on limiting process injection capabilities, as well as making potential target processes harder to inject into.
System-Level Prevention
Preventative measures at the system level begin with the correct management of access and privileges. Systems should have process creation and manipulation rights configured to restrict non-administrative users such that they can only open handles to sensitive processes on systems. These restrictions are enforced by user account control (UAC) and AppLocker policies to manage which processes can run and at what privilege level.
Code Signing
Another important layer of prevention is code signing enforcement. Modules should be loaded with their digital signatures verified, and inappropriately signed or unsigned codes should be rejected by the systems. Windows Defender Application Control (WDAC) policies enforce code integrity requirements and disable the loading of unsigned DLLs and executables.
Memory Protection
Memory protection mechanisms that are an important part of the defense. Data Execution Prevention (DEP) protects against code execution from data pages, whereas Address Space Layout Randomization (ASLR) makes it difficult to target specific memory.
Medium protected-process mitigations include Control Flow Guard (CFG), which checks targets for indirect calls, and Protected Process Light (PPL,) which limits the ability of processes to open existing ones according to member signature levels.
Application Hardening
Even for application hardening, the security team needs to follow secure coding practices and compiler options as well. Developers should configure security features, such as /DYNAMICBASE and /NXCOMPAT, implement exception handling, and validate memory operations within the application debugging process.
How SentinelOne Can Help Defend Process Injection?
SentinelOne’s platform has several technical controls that are designed to detect and prevent process injection attacks. This platform uses process behavior and in-memory monitoring to spot injection attempts at the different stages of execution.
Behavioral AI
The behavioral AI engine of the platform is more focused on injection techniques and watches out for suspicious patterns in memory allocations and Windows API calls. For example, it has always included monitoring for OpenProcess(), VirtualAllocEx(), and WriteProcessMemory() operations to determine possible injection patterns.
Memory Protection
Memory protection with SentinelOne extends to process hollowing attempts and DLL injection, too. By monitoring the process creation flags, permissions for memory regions, and threads that are running to determine if legitimate processes are manipulated.
If the platform identifies questionable operations in memory, it can instantly respond by blocking the injection attempt and isolating the affected process.
Deep Visibility
Deep Visibility can provide such Telemetry data for an investigation of process injection incidents by security teams. It allows teams to monitor the entire flow, from injection attempts to process relationships, memory operations, and sequences of API calls.
Such visibility allows us to see the original attack vector as well as any other devices that may have been compromised.
Conclusion
Process injection remains a critical security problem in the modern computing landscape and one with active, widespread adoption among attackers. Process injection is a well-known and widely-used technique still in use today that runs code within the context of a legitimate process so it can bypass positive security controls.
Security teams need to implement comprehensive detection and prevention strategies that include memory protection, behavioral control, and access control. Understanding the mechanics of process injection techniques enables organizations to harden their systems appropriately and deploy security controls efficiently.
Behavioral AI, real-time process monitoring, and automated response found in second-generation EDR products, such as SentinelOne, are what enable organizations to defend against these types of process injection attacks. The integrated features work together with the SentinelOne endpoint protection platform to enhance organizational defenses against process injection attacks through detection, prevention, and response to these classes of advanced threats.
FAQs
1. What is a Process Injection Attack?
Process injection is an attack where the attacker copies and executes a code in the memory of a process. This gives a malicious actor the ability to run their own code in the target process, enabling them to evade security measures.
2. Why do Attackers use Process Injection?
Process injection is a technique that is predominantly used for hiding activity and persistence, as well as executing code with higher privileges. If the Windows DLL is injected into another process through normal processes, the code executed will perform operations with the same trust level as the target process and will have the same access rights, making it more difficult for security tools to detect malicious behavior.
3. How can Process Injection be Detected?
Detection of process injection requires monitoring of the memory, API, and process behaviors. Static program analyzers mark such injection attempts by looking for patterns such as anomalous memory allocations, thread creations, and abnormal process manipulation API sequences.
4. Is Process Injection always malicious?
Process injection is mainly used by malware, but in some scenarios this technique can be used legitimately, for instance, debugging, malware analysis, monitoring techniques, and to extend the functionality of an application.
5. What role does Process Injection play in Advanced Persistent Threats (APTs)?
In APT (Advanced Persistent Threat) style campaigns, process injection plays a critical role in achieving persistence and avoiding detection. APT actors use advanced injection techniques to gain permanent access to infected systems and to guarantee that they will never be discovered during a prolonged operation.