Researchers at SafeBreach, a cybersecurity firm that specializes in breach and attack simulations, have catalogued most known Windows process injection techniques. They also discovered a new method, which they claim is stealthy and can bypass all protections implemented by Microsoft.
Malware can use process injection techniques to inject code designed for a specific operation into a legitimate process that can help it achieve its goal. Malware can leverage process injection for stealth and to bypass security mechanisms.
Itzik Kotler, co-founder and CTO of SafeBreach, and Amit Klein, the firm’s VP of security research, have summarized and tested two dozen known process injection techniques. Their research shows whether each technique is stable, what its prerequisites and limitations are, and specifies the main APIs they use. While some of the injection methods are theoretical, some have been known to be used by malware in the wild.
The experts decided to take on this task after being unable to find a resource that lists all known process injection techniques. They tested all of the techniques on a Windows 10 x64 machine against 64-bit processes.
It’s worth noting that Windows 10 includes several features designed to protect against process injection, including Control Flow Guard (CFG), Dynamic Code Security, the Binary Signature policy, and the Extension Point Disable policy.
In an interview ahead of their presentation at the Black Hat cybersecurity conference in Las Vegas, Kotler and Klein told SecurityWeek that only two of the tested techniques failed completely due to Windows 10’s protections, and four of them, including the one they have identified, have worked regardless of the level of protection. The other injection methods may or may not work depending on the level of protection.
According to the researchers, the process injections that are capable of bypassing the protection mechanisms in Windows are typically aggressive and easier to detect. However, the new injection method they have found, dubbed StackBomber, is supposedly much stealthier, which makes it more valuable to attackers, and it does not require elevated privileges to work.
StackBomber has been described as a new execution technique that works well in combination with a new memory writing technique that was also discovered by Kotler and Klein.
Microsoft does not view process injection methods as vulnerabilities and, as such, they are not covered by its bug bounty programs. The SafeBreach researchers told SecurityWeek that they reported their findings to the tech giant, but, as expected, it will not take any immediate action to address StackBomber.
SecurityWeek has reached out to Microsoft for comment and will update this article if the company responds.
SafeBreach has made available all of the proof-of-concepts (PoCs) it has used during its research, and released an open source framework named PINJECTRA that allows users to create their own process injections.
The company is aware that its findings could be abused by malicious actors, but says its goal is to help the community, particularly companies specializing in client protection, which can incorporate defenses into their products.
UPDATE. Microsoft has provided SecurityWeek the following statement: Microsoft has a strong commitment to security and will take appropriate action as needed to help keep customers protected.
January 8, 2020