This year’s Black Hat conference will feature our CTO Itzik Kotler’s and my research and presentation “Process Injection Techniques – Gotta Catch Them All” on Thursday, August 8. We will also deliver the same research and in-depth briefing at DEF CON the next day, Friday, August 9.
Process injection is a key building block in a malware attack. It is the step that lets the malicious logic hop from its own suspicious malware process into a benign, trusted process (such as an Office process or a system process). To do this, the original malware process needs to somehow write code or logic into the target process and then execute it there; the combination of the two is what is known as “process injection”. This approach has been in use for more than two decades, and many techniques for both memory writing and code execution have cropped up during that time.
Surprising as it may sound, while the concept of process injection is well known, no single repository or collection of such techniques is available, and no document exists that comprehensively analyzes the techniques and compares them. Many process injection techniques were developed pre-Windows 10 with the old x86 (32-bit) CPU architecture in mind, so it is not always clear whether a particular technique is applicable to Windows 10 x64 (64-bit). Windows 10 specifically contains several newer protection mechanisms (e.g. CFG, Control Flow Guard, and CIG, Code Integrity Guard) that are designed to hinder remote exploitation but also have a serious impact on process injection.
Furthermore, the term “process injection” is sometimes used to describe other attacks (such as process spawning and loading DLLs during process initialization) that are fundamentally different from “true” process injection. Moreover, documents that do describe true process injection often fail to emphasize where the novelty is: in the memory writing technique, or in the execution technique. In short, descriptions of process injection are scattered across blogs and whitepapers; they are often out of date, use imprecise terminology and don’t focus enough on the specific novelty of each technique.
Our research fills this gap. We provide a first-of-a-kind comprehensive collection, analysis and PoC of all true process injection techniques that we could find, with a focus on Windows 10 x64 (version 1803 or later). We categorize the fundamental techniques as memory writing (and allocation) techniques versus execution techniques. We describe the prerequisites for each technique, its limitations, and how it fares against the Windows 10 CFG and CIG protection mechanisms. For each technique, we provide a bare-bones PoC that clearly delineates the essence of the technique, for easy analysis by peer researchers. We also tabulate the techniques to make comparisons simple.
Complementing the whitepaper on process injection techniques that we will publish after this presentation is a library called PINJECTRA (freely available on GitHub). PINJECTRA provides an implementation of almost all of the techniques. The most important feature of this library is its ability to “mix and match” almost any memory writing technique with almost any execution technique, enabling researchers, red teamers and blue teamers to explore all possible combinations.
Finally, we present Stack Bombing – a new execution technique (coupled with a new memory writing technique) that can run code in almost any process, using a novel approach that circumvents Windows 10 CFG protection. A stable implementation is provided (one in which the original process logic can proceed to run) along with insights and tips regarding this technique and potential variants.
Join us at Black Hat in Las Vegas on Thursday, August 8th at 11am for the session “Process Injection Techniques – Gotta Catch Them All”.
Location: Las Vegas Mandalay Bay Convention Center, South Seas CDF Hall
As mentioned above, we will deliver the same session the next day at DEF CON on Friday, August 9th at Noon.