August 9th, 2019
Amit Klein, VP Security Research
Itzik Kotler, CTO
At Black Hat and DefCon 2019, we presented the results of an extensive project to catalog and analyze process injection techniques. Before we started this project in late 2018, we thought process injection in Windows was a well-documented topic, with many techniques now known and implemented to inject from one process to the other. During the course of this project, we realized that there were many more process injection techniques than we initially estimated and that it is possible to create combinations of techniques that form many additional process injection implementations. That realization led to our decision to create the definitive compendium of process injection techniques and to also create a useful tool to implement more variants of process injection techniques.
Basically, process injection is used by malware to gain more stealth (i.e. to run malicious logic in a legitimate process) and to bypass security products (e.g. AV, DLP and personal firewall solutions). It does this by injecting unauthorized code that enables sensitive operations (e.g. network access) in a process which is privileged to do so.
For this research, we decided to take a closer look at process injection in Windows. Part of our research effort was to understand the landscape, with a focus on present-day platforms (Windows 10 x64 version 1803+, 64-bit processes). We quickly realized there were a number of problems.
In our comprehensive analysis, we addressed all the above issues. We provided the first comprehensive catalogue of true process injection techniques in Windows. We categorized the individual techniques into write primitives and execution methods. We tested the techniques against 64-bit processes (medium integrity) running on Windows 10 x64. We tested them with and without process protection techniques (CFG, CIG). We analyzed each technique and explained its requirements and limitations. Finally, we provide stripped down, minimalist PoC code that works, and at the same time is short enough to clearly show the technique at hand.
We tried to be as comprehensive as possible, i.e. really cover all different techniques. We may have missed a few and more are sure to be discovered. To get all our findings in detail, you need to read the White Paper but here’s a quick summary.
First of all, we significantly underestimated the number of viable techniques. IOnce we started to catalog known attack techniques, we found more than 20. Counting multiple variations of many of those attacks, you can argue there are dozens of process injection attack techniques out in the wild. Coverage of such attacks in security tools is highly desired because process injection at large is a convenient way for malware to move its logic to a less suspicious, more legitimate process. Having so many process injection techniques (with no single security product likely to cover them all) can enable savvy attackers to create an undetected process injection variant for use in their stealthy attacks.
As we continued with our research, we identified an entirely new process injection technique that we named Stack Bomber. This is a CFG-agnostic execution technique that we paired with a memory writing technique. Because it’s relatively new, we believe very few tools and scanners can protect against this. To be frank, the discovery did not totally surprise us; we expect that over time many new attack types will be discovered.
All of the PoCs described in the chart above are available in our GIT repository. We provide “full exploitation” PoCs which demonstrate execution (MessageBox) for all techniques. But we decided as we went through this project that we wanted to take it a step further with an entirely new tool that will make it much easier to research and identify novel process injection techniques. The result is PINJECTRA, a “mix and match” C++ class library that allows anyone to easily construct process injections by combining compatible write primitives with execution methods. PINJECTRA utilizes a C/C++ static type system to rapidly develop new process injection techniques, as well as to experiment with existing ones. PINJECTRA is implemented as a Visual Studio Solution that contains 4 projects: a library, a dummy test program and 2 dummy DLLs. This is the first offering of its kind and we hope it proves useful to the Windows development and security community.
We hope our research will support a better, broader and deeper understanding of the defense evasion techniques that exist today and how to mitigate these issues. We will continue to compile more examples, so consider this an evolving corpus of examples, PoCs and more. We also hope that people find PINJECTRA useful and integrate it into their security research practices.
To access our presentation slides, download the whitepaper and download the tool, here are the links on Blackhat’s site. Scroll down to the end of the session description and you will see the materials. https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All.pdf