Welcome to Malware Analysis for Hedgehogs. Process injection is a technique that's often used by malware. In most cases, malware uses it to dynamically run a payload. That means the actual payload does not touch the disk, which prevents static detection by antivirus software. The second reason is to inject malware code into a trusted process, in many cases a common Windows process. This can be used to escalate privileges.

I created this overview some years ago for a workshop. I researched all common injection techniques at the time and tried to find a way to categorize them by their characteristics and make them easy to understand. The result was a process injection graphic that describes four main characteristics or steps. Most injection techniques can be described this way. The overview is not complete and some of the techniques may require additional steps, but it helps to understand the general concept.

Firstly, all process injection techniques need to obtain a handle on the target process. Secondly, all of them have a certain type of data that is injected. Thirdly, there is some way to transfer said data to the target process. As a last step, the injected code must be executed.

So, the first step is the process handle for the target process. Malware may obtain it by creating a new process. Many packers, especially crypters, therefore apply process injection to their own child process. A very commonly used API function is CreateProcess and its variants. There are different variants, like CreateProcessWithLogonW, CreateProcessAsUser and NtCreateUserProcess, but all of them have the words Create and Process in them, so they should be easy to spot. An older form of process creation is WinExec, which exists for compatibility with 16-bit Windows. This isn't used much, but if you look at older malware, you may see it. You can also search for a process that is already running and then open it to get the handle.
This needs a combination of several API functions: CreateToolhelp32Snapshot, Process32First and Process32Next to iterate over the processes, and last but not least OpenProcess, which returns the handle. Alternatively, NtQuerySystemInformation is also a way to obtain a process listing. In both cases, creating or opening a process, the process may be suspended to prepare it for injection. So it is one of these.

The next characteristic is the data to be injected. You can inject a section only or the whole process image. You can inject only pieces of code, and some injection techniques are specific to DLLs. Depending on the type of injected data, you have different ways to transfer this data to the target process.

A way that is section-based is the combination of NtUnmapViewOfSection, NtCreateSection and NtMapViewOfSection. NtUnmapViewOfSection carves out a certain section of the process. Unmapping means the virtual address space of this section is no longer reserved and can be used for something else. NtCreateSection and NtMapViewOfSection then create the new section with the injected data and set the desired access rights so that the section can be executed. So this API combination is used to transfer a section to the target process. If you transfer all sections this way, you have the whole process image. Now there is something left to do, that is telling the system to start execution at the newly injected code. SetThreadContext is used to do that, and ResumeThread will finally resume execution of the target process that had been set to suspended state in the beginning.

An alternative way to transfer data to the target process is the combination of NtUnmapViewOfSection, VirtualAllocEx and WriteProcessMemory. VirtualAllocEx is used to allocate memory and set the desired access rights. WriteProcessMemory will write the data to the target process.
CreateRemoteThread takes the process handle and a start address, then creates a thread to run the code. So this way we can also execute the code.

Now let's say we want to inject a small piece of code instead of a whole section or all sections. Here we don't need to carve out the virtual memory, we just find a little space to put that code in and use that. There are a few more APIs we can use for the data transfer. One is a technique called atom bombing. Atom tables are a way to share data between processes. We add the malicious code as a string to the atom table via GlobalAddAtom, then issue an asynchronous procedure call for GlobalGetAtomName to make an alertable thread in the target process copy the code into its own memory. The memory region needs to have RWX rights. The original paper used a ROP chain to allocate executable memory and copy the code there, whereas actual malware implementations, as seen in Dridex, invoke NtProtectVirtualMemory to do the same. Each entry in the atom table is fairly small, so it works best for injecting shellcode. Alternatively, by overwriting the import table, it can be used to load a DLL.

QueueUserAPC may also be used in combination with other techniques to make a process execute a specific function. So it is one of many ways to execute your injected data. There are most likely more arrows possible from the transfer part to QueueUserAPC than I have included here.

Note: sometimes lower-level functions with the Nt prefix, like NtQueueApcThread, must be used instead for certain techniques. I did not include all of the Nt versions of API functions, because it would clutter the graphic. This should get across the general idea instead of implementation details. If you want to know the exact details, check the links in the description below.

A more common technique to inject DLL files is via WriteProcessMemory and CreateRemoteThread. LoadLibrary and CreateRemoteThread also work.
Then there is SetWindowsHookEx, which does both the data transfer and the execution part. Hence I set it on the border of both steps.

Some of these techniques have specific terminology you will have heard before. For example, the ones that carve out the process memory via NtUnmapViewOfSection are called process hollowing. Process hollowing is also called RunPE. If it involves atom tables, it is called atom bombing. If the injected data is code, you summarize those techniques as code injection. If you inject a DLL, it is called DLL injection. Note that the terms DLL injection and code injection encompass more than just process injection. You will find terms like search order hijacking, which is a form of DLL injection but does not belong to the process injection techniques. Code injection may also be done by a virus to an executable file or a source file on disk. So it depends on the context. Don't be confused if you find different things there that have nothing to do with process injection.

While reversing files that perform process injection, you can set breakpoints on these functions to extract the injected data. Oftentimes, it makes sense to use the lower-level API functions. Some functions are commonly used to change the access rights of the injected memory region so that it is writeable, readable and executable. I list them here, so you are able to recognize them as typical injection functions in combination with the others in the graphic.

There is another, more recent technique that does not fit into this diagram: process doppelganging. The reason that it does not fit is that, unlike the other techniques, it starts before the process is created. How so? Again, we have some form of data to inject. There must be some kind of data transfer, but this time to a file instead of process memory. Then the process creation happens. The injected data in this case is in the form of a PE file section. The transfer is done via CreateTransaction and CreateFileTransacted.
Windows Vista introduced transactional NTFS, which allows performing safe file operations. Transactions have the advantage that they prevent data corruption by making sure that file changes don't get in the way of each other if several threads read from and write to a file. So these transactions have a rollback mechanism. While you create a changed version of the file, you have the possibility to revert all those changes with the RollbackTransaction call. And that's exactly what is done here. The changed file image is created. The changes are rolled back. But the changed version still exists in memory. This changed version of the file image is used to create the process. Thus, you can even create the illusion that an innocent text file is running as an executable, as demonstrated by hasherezade in her process doppelganging video. If I were to draw process doppelganging into our process injection overview, I would place it here, before CreateProcess.

If you know other injection techniques that are not listed here, please let me know. Please leave a like and post below if you have any questions. Thank you for watching.
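As an added example that is not part of the video, here is a small Python classifier that maps an observed API call sequence (for instance from a sandbox API trace or a breakpoint log taken while reversing) onto the four steps of the overview and names the technique using the terminology above. The API groupings and the sample traces are constructed for illustration and are not captured from real malware.

```python
"""Classify a Windows API call trace by the four injection steps:
handle, data transfer, execution, and the resulting technique name."""
import re

def normalize(name):
    """Drop the A/W suffix (CreateProcessW -> CreateProcess) and fold Zw* into Nt*."""
    name = re.sub(r"(?<=[a-z])[AW]$", "", name)
    return "Nt" + name[2:] if name.startswith("Zw") else name

# Step 1: ways to obtain a handle on the target process (created or opened).
HANDLE = {"CreateProcess", "CreateProcessAsUser", "CreateProcessWithLogon",
          "NtCreateUserProcess", "WinExec", "OpenProcess",
          "CreateToolhelp32Snapshot", "NtQuerySystemInformation"}
# Step 3: data transfer patterns; every API in a set must appear in the trace.
TRANSFER = {
    "section mapping": {"NtUnmapViewOfSection", "NtCreateSection", "NtMapViewOfSection"},
    "memory write": {"VirtualAllocEx", "WriteProcessMemory"},
    "atom table": {"GlobalAddAtom", "GlobalGetAtomName"},
    "transacted file": {"CreateTransaction", "CreateFileTransacted", "RollbackTransaction"},
}
# Step 4: execution patterns.
EXECUTE = {
    "thread context": {"SetThreadContext", "ResumeThread"},
    "remote thread": {"CreateRemoteThread"},
    "apc": {"QueueUserAPC"},
    "window hook": {"SetWindowsHookEx"},
}

def classify(trace):
    calls = {normalize(c) for c in trace}
    transfer = [k for k, apis in TRANSFER.items() if apis <= calls]
    execute = [k for k, apis in EXECUTE.items() if apis <= calls]
    if "NtQueueApcThread" in calls and "apc" not in execute:
        execute.append("apc")  # lower-level Nt variant counts as the APC step
    result = {"handle": bool(HANDLE & calls), "transfer": transfer, "execute": execute}
    if "transacted file" in transfer:
        result["technique"] = "process doppelganging"  # starts before process creation
    elif "atom table" in transfer:
        result["technique"] = "atom bombing"
    elif "section mapping" in transfer or (
            "memory write" in transfer and "NtUnmapViewOfSection" in calls):
        result["technique"] = "process hollowing (RunPE)"  # memory was carved out first
    elif transfer and "LoadLibrary" in calls:
        result["technique"] = "DLL injection"
    elif transfer and execute:
        result["technique"] = "code injection"
    else:
        result["technique"] = None  # transfer without execution step, or vice versa
    return result

# Constructed sample traces (hypothetical, not from real samples).
HOLLOWING_TRACE = ["CreateProcessW", "NtUnmapViewOfSection", "VirtualAllocEx",
                   "WriteProcessMemory", "SetThreadContext", "ResumeThread"]
DLL_TRACE = ["CreateToolhelp32Snapshot", "Process32First", "Process32Next", "OpenProcess",
             "VirtualAllocEx", "WriteProcessMemory", "LoadLibraryA", "CreateRemoteThread"]
ATOM_TRACE = ["OpenProcess", "GlobalAddAtomA", "GlobalGetAtomNameA", "NtQueueApcThread",
              "NtProtectVirtualMemory"]
DOPPEL_TRACE = ["CreateTransaction", "CreateFileTransactedW", "RollbackTransaction"]
```

A trace that shows a transfer pattern but no execution step is left unnamed, which is the cue to look for one of the Nt-level variants the video mentions but the graphic omits.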