🛠️ Process injection

This technique aims at increasing privilege and/or escaping the protections applied to the processes

This is a work-in-progress. It's indicated with the 🛠️ emoji in the page name or in the category name. Wanna help? Please reach out to me: @_nwodtuhs​
Theory
Instead of simply executing the shellcode, it has become common to find tricks to hide its active load. The classic schema looks like this:
// encrypt the shellcode 
 encrypt(ciphered, SHELLCODE, SHELLCODE_LENGTH, KEY);
// decrypt + handoff 
 decrypt(deciphered, ciphered, SHELLCODE_LENGTH, KEY); 
 handoff(deciphered, SHELLCODE_LENGTH);
After the malicious code is injected into a legitimate process, attackers also can access legitimate processes' resources such as process memory, system/network resources, and elevated privileges 
picussecurity.com
Practice
Process injection exists in many forms, often based on legitimate services.
The techniques mainly used are : 
​Process Doppelganging​
​Dll injection​
​CRT​
Resources
all these methods and many others are also described in Ired's article : https://www.ired.team/offensive-security/code-injection-process-injection​
​https://www.cyberbit.com/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/​

🛠️ Obfuscation

🛠️ Stealth with C2

Last modified 6mo ago