Athis SN
March 14, 2026

Inside Windows Memory: Modern Day Process Injection Tradecraft

Slides for the topic that I presented at the OWASP Chennai Chapter.

Agenda:
Introduction to Windows Internals
Classic Process Injection Techniques
Thread-Based Injection Techniques
Process Replacement Techniques
Manual Mapping & Reflective Techniques
Introduction to Ghosting Techniques
Modern Day EDR-Aware & Stealth Techniques
Red vs Blue: A Never-Ending Journey


Transcript

  1. $ Whoami
    Athis SN aka apt0xp3nda19. Head @DEF CON Chennai DCG9144. Areas of Interest & Expertise: Red Team, MalDev, Exp Dev, Reverse Eng & Malware Analysis. Certs: CRTP, CRTA, MCRTA ...
  2. $ Agenda
    Introduction to Windows Internals; Classic Process Injection Techniques; Thread-Based Injection Techniques; Process Replacement Techniques; Manual Mapping & Reflective Techniques; Introduction to Ghosting Techniques; Modern Day EDR-Aware & Stealth Techniques; Red vs Blue: A Never-Ending Journey.
  3. $ Processes
    A process is a container that isolates applications from each other. It manages threads, handles, memory, and security tokens. A process itself does not execute code; threads inside it perform execution. Each process has its own virtual address space and resources. It is uniquely identified by a Process ID (PID). The PID identifies the running instance, not the executable file. If a process terminates, its PID may be reused by the OS.
  4. $ Process Structure & Security
    Each process has its own threads, handle table, access token (security context), and unique PID. A process can be created by a parent process, but child processes continue running even if the parent dies. Every process has an Integrity Level defining its permissions. Some processes are protected to prevent termination, tampering, or injection.
  5. $ Threads
    A thread is the execution flow inside a process; it executes the actual code. Threads enable concurrent execution of tasks within the same process. A process can have one or multiple threads running simultaneously. Types of threads: main thread, program-created threads, worker threads. Thread states: Ready, Running, and Waiting.
  6. $ Process Environment Block (PEB)
    The Process Environment Block (PEB) is an internal Windows structure that contains important information about a running process. It stores details such as loaded modules, process parameters, heap information, and environment data. The PEB resides in user-mode memory and is accessible to the process itself. It plays a key role in how Windows manages process execution and module loading internally.
  7. $ Windows APIs
    Windows APIs (Application Programming Interfaces) are a set of functions provided by the Windows operating system that allow applications to interact with system resources. They enable programs to perform tasks such as process creation, memory management, file operations, and network communication. These APIs act as a bridge between user applications and the underlying operating system. By using Windows APIs, developers can build applications that leverage core OS functionalities without directly interacting with low-level system components.
  8. $ Virtual Memory & Paging
    Virtual Memory is a memory management mechanism that gives each process its own isolated address space, independent of physical RAM. It allows the operating system to manage memory efficiently by mapping virtual addresses to physical memory through page tables. Paging divides memory into fixed-size blocks called pages, enabling the system to move data between RAM and disk when needed. This approach improves stability, isolation, and efficient utilization of system resources.
  9. $ Process Injection 101
    Process Injection is a technique used to execute arbitrary code inside the memory space of another process. Instead of launching a separate malicious program, the attacker runs code under the context of a legitimate and trusted process to evade detection. The fundamental approach involves allocating memory in a remote process, writing the payload into that memory, and triggering its execution. This method heavily relies on Windows APIs for memory management and thread manipulation to achieve stealthy in-memory execution.
  10. $ CreateRemoteThread Injection
    CreateRemoteThread Injection is a classic Windows process injection technique where an attacker forces a target process to execute malicious code by creating a new thread inside it. The attacker first allocates memory within the target process and writes the payload into that memory region. Using the CreateRemoteThread API, a new thread is then created that points to the injected payload as its starting address. Once the thread begins execution, the payload runs within the context of the legitimate process, allowing the attacker to blend malicious activity with normal system operations and potentially evade detection.
  11. $ Detections
    Monitor suspicious API call sequences such as memory allocation, memory writing, and remote thread creation in another process. Detect unusual cross-process memory access or modification behavior. Look for processes spawning threads in unrelated or higher-privileged processes. Apply behavioral monitoring for abnormal process interactions and privilege misuse.
  12. $ Thread-Based Injection Techniques
    Thread-Based Injection is a technique where attackers manipulate or abuse existing threads within a target process to execute malicious code. Instead of simply creating a new thread, the attacker leverages mechanisms such as APC queuing or thread context modification to redirect execution flow. This approach focuses on thread-level control to trigger payload execution inside a legitimate process. By operating through threads, it provides a stealthier alternative to traditional remote thread creation methods.
  13. $ Thread-Based Injection Techniques
    QueueUserAPC Injection x Early Bird; Thread Context Hijacking; NtCreateThreadEx Injection; Early Cascade Injection.
  14. $ Early-Bird APC Injection
    Early-Bird APC Injection is a variation of APC-based thread injection where the attacker queues the payload into a newly created process's main thread before it begins normal execution. The process is typically created in a suspended state, and the malicious APC is queued using QueueUserAPC before the thread is resumed. When the thread starts running, the queued APC executes before most security tools can fully initialize or hook the process, allowing the payload to run very early in the process lifecycle. This technique enables code execution under a legitimate process context while reducing the chances of detection by user-mode monitoring mechanisms.
  15. $ Detections
    Monitor for suspicious thread creation or manipulation activity. Detect anomalies in thread execution flow or unexpected thread start addresses. Identify APC queue abuse or irregular thread state transitions. Look for unusual thread context changes within running processes.
  16. $ Process Replacement Techniques
    Process Replacement Techniques involve modifying or replacing the memory of a legitimate process to execute malicious code. Instead of injecting into a running process, attackers create or manipulate a process and swap its original image with a payload. This allows execution under the identity of a trusted application. Techniques like Process Hollowing fall under this category. These methods are commonly used to evade file-based detection and blend into normal system activity. Process Hollowing, Process Herpaderping, and Process Doppelgänging are all examples of Process Replacement Techniques.
  17. $ Detections
    Detect processes created in a suspended state followed by abnormal memory modifications. Monitor inconsistencies between the process image on disk and the code running in memory. Identify suspicious process creation patterns from uncommon parent processes. Apply behavioral monitoring for unexpected execution flow changes within legitimate processes.
  18. $ Manual Mapping & Reflective Techniques
    Manual Mapping and Reflective techniques involve loading and executing a payload inside a process without relying on the normal Windows loader mechanisms. Instead of using standard APIs like LoadLibrary, the attacker manually maps the PE file into memory, resolves imports, and handles relocations programmatically. Reflective DLL Injection takes this further by embedding a custom loader within the DLL itself. These techniques reduce visible artifacts and help evade security solutions that monitor conventional loading behavior.
  19. $ Reflective DLL Injection
    Reflective DLL Injection is a technique where a DLL is loaded directly into a process's memory without using the standard Windows loader APIs like LoadLibrary. The injected DLL contains its own reflective loader that manually maps its sections into memory, resolves imports, and performs relocations at runtime. This allows the DLL to execute entirely from memory without being loaded through the normal module loading process. Because the DLL never goes through the standard loader or disk-based loading mechanisms, it helps evade traditional monitoring and detection techniques that rely on DLL load events.
  20. $ Detections
    Detect memory regions containing executable code not backed by a legitimate module. Monitor for modules loaded without standard loader behavior. Identify anomalies in import resolution or module lists within a process. Use memory inspection tools to detect unregistered or hidden modules in process memory.
  21. $ Ghosting Techniques 101
    Ghosting techniques exploit how Windows separates file objects from process execution. Once an executable image is mapped into memory, the backing file can sometimes be deleted or modified without stopping execution. The goal is to execute code while leaving inconsistent, deleted, or misleading artifacts on disk.
  22. $ EDR-Aware Techniques
    Direct Syscalls; Indirect Syscalls & Call-Stack Spoofing; Sleep Obfuscation / Memory Encryption; VEH-Based Techniques; Kernel Callback & ETW Bypasses; Hardware-Level Evasions & Debugger Register Manipulation.
  23. $ Red vs Blue
    The battle between the Red and Blue teams is a continuous cycle of attack and defense. As offensive techniques evolve to evade detection, defensive strategies adapt to improve visibility and response. Every new bypass leads to stronger monitoring, and every new detection sparks more advanced evasion. It's an ongoing race that constantly drives innovation on both sides.