Process injection is an old technique used to hide code execution, evade detection and bypass security solutions by injecting into whitelisted processes. This is a short post about InjectProc, an open source project that demonstrates the following common process injection techniques:
- DLL injection: Opens the target process, allocates space in it and writes code into the remote process, then executes the remote code using CreateRemoteThread.
- Process replacement: This method is based on John Leitch's paper "Process Hollowing". It starts by creating the target process in a suspended state, unmaps the process image from memory and allocates space. It then writes the headers and sections into the remote process and finally resumes the remote thread.
- Hook injection: Finds or creates a process, then sets a hook using SetWindowsHookEx.
- APC injection: Injects code without creating any remote thread, using Asynchronous Procedure Calls (APC). It starts by opening the process and allocating space, then executes the code using QueueUserAPC. More information here.
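The four techniques above share a small set of observable cross-process steps (open or create a process, allocate and write remote memory, then trigger execution via CreateRemoteThread, QueueUserAPC or SetWindowsHookEx), which is what a detection engineer keys on. The following is an added Python example, not code from InjectProc or from this post: it correlates constructed per-process API telemetry, of the kind an EDR's user-mode hooks or an ETW/Sysmon pipeline would supply (record fields and the API names other than the three the post mentions are assumptions of the example), into the ordered call sequence each technique produces, and reports which source process targeted which process with which pattern.

```python
"""Correlate cross-process API telemetry into the four injection patterns.

Added detection example; the event format and most API names below are
assumptions, not InjectProc's code or output.
"""
from collections import defaultdict

# Ordered call sequences that characterise each technique. CreateRemoteThread,
# SetWindowsHookEx and QueueUserAPC are named in the post; the allocate/write/
# unmap/resume calls are the usual Win32/NT APIs for those steps (assumed here).
SIGNATURES = {
    "dll_injection": ["OpenProcess", "VirtualAllocEx",
                      "WriteProcessMemory", "CreateRemoteThread"],
    "process_hollowing": ["CreateProcess(SUSPENDED)", "NtUnmapViewOfSection",
                          "VirtualAllocEx", "WriteProcessMemory", "ResumeThread"],
    "hook_injection": ["SetWindowsHookEx"],
    "apc_injection": ["OpenProcess", "VirtualAllocEx",
                      "WriteProcessMemory", "QueueUserAPC"],
}


def is_subsequence(pattern, calls):
    """True if every element of `pattern` appears in `calls`, in order,
    with arbitrary unrelated calls allowed in between."""
    pos = 0
    for call in calls:
        if pos < len(pattern) and call == pattern[pos]:
            pos += 1
    return pos == len(pattern)


def detect_injection(events):
    """events: iterable of dicts {ts, src, dst, api} (constructed format).

    Groups calls by (source pid, target pid) in timestamp order, ignoring a
    process acting on itself, and returns a sorted list of
    (technique, src, dst) for every pair whose call history contains a
    signature. Collectors often deliver events out of order, so sort first.
    """
    calls = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["src"] != ev["dst"]:
            calls[(ev["src"], ev["dst"])].append(ev["api"])

    hits = []
    for (src, dst), seq in calls.items():
        for name, pattern in SIGNATURES.items():
            if is_subsequence(pattern, seq):
                hits.append((name, src, dst))
    return sorted(hits)


# Constructed telemetry: one benign pair and one instance of each technique.
SAMPLE_EVENTS = [
    # Benign: a debugger only reads its debuggee; no write or execute step.
    {"ts": 1, "src": 4100, "dst": 4200, "api": "OpenProcess"},
    {"ts": 2, "src": 4100, "dst": 4200, "api": "ReadProcessMemory"},
    # DLL injection from pid 5000 into pid 1337.
    {"ts": 3, "src": 5000, "dst": 1337, "api": "OpenProcess"},
    {"ts": 4, "src": 5000, "dst": 1337, "api": "VirtualAllocEx"},
    {"ts": 5, "src": 5000, "dst": 1337, "api": "WriteProcessMemory"},
    {"ts": 6, "src": 5000, "dst": 1337, "api": "CreateRemoteThread"},
    # Process hollowing: 5000 creates 2222 suspended and replaces its image.
    {"ts": 7, "src": 5000, "dst": 2222, "api": "CreateProcess(SUSPENDED)"},
    {"ts": 8, "src": 5000, "dst": 2222, "api": "NtUnmapViewOfSection"},
    {"ts": 9, "src": 5000, "dst": 2222, "api": "VirtualAllocEx"},
    {"ts": 10, "src": 5000, "dst": 2222, "api": "WriteProcessMemory"},
    {"ts": 11, "src": 5000, "dst": 2222, "api": "ResumeThread"},
    # APC injection into pid 3333, delivered out of order by the collector.
    {"ts": 15, "src": 6000, "dst": 3333, "api": "QueueUserAPC"},
    {"ts": 12, "src": 6000, "dst": 3333, "api": "OpenProcess"},
    {"ts": 13, "src": 6000, "dst": 3333, "api": "VirtualAllocEx"},
    {"ts": 14, "src": 6000, "dst": 3333, "api": "WriteProcessMemory"},
    # Hook injection: 7000 installs a hook whose DLL lands in pid 4444.
    {"ts": 16, "src": 7000, "dst": 4444, "api": "SetWindowsHookEx"},
]


if __name__ == "__main__":
    for technique, src, dst in detect_injection(SAMPLE_EVENTS):
        print(f"{technique:18s} source pid {src} -> target pid {dst}")
```

The benign debugger pair never matches because no signature is satisfied by an open-and-read alone, and the out-of-order APC events are still recognised because the detector sorts by timestamp before matching. The single-call hook signature is the noisiest of the four, since many legitimate applications install hooks; in a real pipeline it would be combined with the path of the hook DLL and the signing status of the calling process before being surfaced as an alert.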
How do you use InjectProc?
It accepts command line parameters and is simple to use. Example:
./InjectProc.exe <path/to/exe or process_name> <path/to/dll>
It has been tested to work on Windows 10 build 1703, 64-bit, and needs the Microsoft Visual C++ Redistributable libraries to run.
You can download this open source project here.