ProcessInjection - Tool To Inject Shellcode in a Target Process

Trojan or malware that can exploit our devices is varied, attacker can build a undetectable/fud backdoor or trojan with different format or extension like image file, PDF, word, excel, mp3, mp4 or even backdoor can be inject on a legit sofware. Because of that you need to know how attacker can make the backdoor to protect yourself from it.

What is Process Injection ?

Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

Why Process Injection ?

Malware commonly utilizes process injection to access system resources through which Persistence and other environment modifications can be made. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.
There are multiple types of process injection technique. In this post I will cover the vanilla process injection technique and walk you through some demo’s.

The tool for process injection can be found on my github repo.

The program is designed to perform process injection. Currently the tool supports 2 process injection techniques.

Vanila Process Injection
DLL Injection

Vanila Process Injection Currently the program accepts shellcode in 3 formats

base64
hex
C

Vanila Process Injection

In this vanilla process injection technique there are 4 Windows API which are used to inject shellcode into the remote process.

OpenProcess – The OpenProcess function returns a handle of an existing process object.
VirtualAllocEX – The VirtualAllocEx function is used to allocate the memory and grant the access permissions to the memory address.
WriteProcessMemory – The WriteProcessMemory function writes data to an area of memory in a specified process.
CreateRemoteThread – The CreateRemoteThread function creates a thread that runs in the virtual address space of another process.

Demo (Vanila Process Injection)

Read complete step by step demo here.

DLL Injection

What is DLL ?

Dynamic Link Library (DLL) is a file which contains the code and is been loaded by the program to perform one or more actions during run time.

What is DLL Injection ?

DLL Injection is a process of injecting an DLL into the running process which might contains malicious code and can be used for performing malicious activities.

In this post I will provide an overview about the technique and a demo using the process injection tool which I created. It can be found on my github repo.

In this DLL Injection technique 6 Windows API are used.

OpenProcess – The OpenProcess function returns a handle of an existing process object.
VirtualAllocEX – The VirtualAllocEx function is used to allocate the memory and grant the access permissions to the memory address.
WriteProcessMemory – The WriteProcessMemory function writes data to an area of memory in a specified process.
CreateRemoteThread – The CreateRemoteThread function creates a thread that runs in the virtual address space of another process.
GetModuleHandleA – The GetModuleHandleA function retrieves a module handle for the specified module which is already loaded by the calling process.
GetProcAddress – The GetProcAddress function retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).

Overview of DLL Injection

DLL Injection is a very old technique which is still used by many malware’s & frameworks which are used for performing security assessments or simulate the behavior of an attacker. This technique can also be used for evading controls which are used for detection or prevention of malicious activities.

ProcessInjection Covenant Grunt - Tool To Inject Shellcode in a Target Process xploitlab

Below are the steps followed while adding the DLL Injection technique in the tool.

Step 1:- Used OpenProcess to Obtain the handle of the target process in which we intend to inject our DLL.
Step 2:- Find the address of the LoadLibraryA function using GetProcAddress & GetModuleHandleA functions. LoadLibraryA function is used for loading the DLL into the calling process.
Step 3:- Used VirtualAllocEX to allocate the memory space for the DLL path from where we will be loading the DLL.
Step 4:- Used WriteProcessMemory for writing the DLL path into the allocated memory space.
Step 5:- Used CreateRemoteThread for creating a new thread and passed the address of LoadLibraryA as the start address and the address of the DLL file as the parameter for LoadLibraryA function.