Malware Theory – Process Injection
This is an overview of all common process injection techniques used by malware, including AtomBombing, Process Hollowing (aka RunPE), and Process Doppelgänging.
Buy me a coffee: https://ko-fi.com/struppigel
Follow me on Twitter: https://twitter.com/struppigel

My process Injection overview infographic: http://struppigel.blogspot.com/2017/07/process-injection-info-graphic.html
Process Injection Techniques Gotta Catch Them All: https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All.pdf
Atom bombing: https://www.fortinet.com/blog/threat-research/atombombing-brand-new-code-injection-technique-for-windows
Atom bombing: https://www.enisa.europa.eu/publications/info-notes/atombombing-2013-a-new-code-injection-attack
Process Doppelgänging: https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/
Hasherezade’s video on creating the illusion of executing a TXT file: https://www.youtube.com/watch?v=XmWOj-cfixs
DLL injection: https://en.wikipedia.org/wiki/DLL_injection
DLL Injection via LoadLibrary/CreateRemoteThread: https://www.codeproject.com/Articles/4610/Three-Ways-to-Inject-Your-Code-into-Another-Proces
DLL Search Order Hijacking (DLL injection that is not process injection): https://dmcxblue.gitbook.io/red-team-notes/persistence/dll-search-order-hijacking
Backdooring PE files with shellcode (code injection that is not process injection): https://www.ired.team/offensive-security/code-injection-process-injection/backdooring-portable-executables-pe-with-shellcode