Standard process injection — Making the grunt work Part 1/4

Process injection in Windows

There are multiple approaches to injecting code into a live process. The Windows implementations below are quoted from the MITRE ATT&CK description of process injection:

  1. Dynamic-link library (DLL) injection involves writing the path to a malicious DLL inside a process and then invoking execution by creating a remote thread.
  2. Portable executable injection involves writing malicious code directly into the process (without a file on disk) and then invoking execution with either additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement for functionality to remap memory references. Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into the process) overcome the address relocation issue.
  3. Asynchronous Procedure Call (APC) injection involves attaching malicious code to the APC Queue of a process’s thread. Queued APC functions are executed when the thread enters an alertable state. A variation of APC injection, dubbed “Early Bird injection”, involves creating a suspended process in which malicious code can be written and executed before the process’s entry point (and potentially subsequent anti-malware hooks) via an APC. AtomBombing is another variation that utilizes APCs to invoke malicious code previously written to the global atom table.
  4. Thread Local Storage (TLS) callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code’s legitimate entry point.
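As an added example (not from this post, Covenant, Donut or the ProcessInjection project), here is the defender-side check that corresponds to the first two techniques above: a small Python scanner over constructed Sysmon Event ID 8 (CreateRemoteThread) records that flags a remote thread started at LoadLibrary* (DLL-path injection) or at an address with no backing module (code written straight into the target's memory). The key=value line layout, the paths and the addresses are assumptions made up for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed Sysmon Event ID 8 records, flattened to key=value text for the example.
# Field names match Sysmon's CreateRemoteThread event; the values are invented.
SAMPLE_EVENTS = [
    # Remote thread whose start routine is LoadLibraryA: DLL-path injection.
    "SourceImage=C:\\Users\\lab\\injector.exe TargetImage=C:\\Windows\\System32\\notepad.exe "
    "StartAddress=0x00007FFB1E2A4F30 StartModule=C:\\Windows\\System32\\KERNEL32.DLL "
    "StartFunction=LoadLibraryA",
    # Remote thread starting in memory that no module on disk backs: injected PE/shellcode.
    "SourceImage=C:\\Users\\lab\\injector.exe TargetImage=C:\\Windows\\System32\\notepad.exe "
    "StartAddress=0x000001E3A4C20000 StartModule= StartFunction=",
    # Ordinary thread creation from a system process, start address inside ntdll.
    "SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\notepad.exe "
    "StartAddress=0x00007FFB1D8C1A10 StartModule=C:\\Windows\\System32\\ntdll.dll "
    "StartFunction=RtlUserThreadStart",
]

# Lazy value match that stops at the next " Key=" token, so empty values and
# paths containing spaces both survive.
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict of Sysmon field names to values."""
    return {key: value for key, value in _FIELD_RE.findall(line)}


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a verdict for one CreateRemoteThread event, or None if nothing stands out."""
    func = event.get("StartFunction", "")
    module = event.get("StartModule", "")
    # Technique 1: a DLL path was written into the target and LoadLibrary* invoked remotely.
    if func.startswith("LoadLibrary"):
        return "dll-injection: remote thread starts at " + func
    # Technique 2: the thread starts at an address that no loaded module accounts for.
    if module == "":
        return "unbacked-memory: thread start address has no backing module"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source image, target image, verdict) for every suspicious record."""
    findings = []
    for line in lines:
        event = parse_event(line)
        verdict = classify(event)
        if verdict:
            findings.append((event["SourceImage"], event["TargetImage"], verdict))
    return findings
```

Run against real Sysmon data, the same two heuristics would be combined with an allow-list of source images (debuggers, AV, csrss.exe) to keep the noise down.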

Lab setup

  1. Windows 10 Victim — Patched & Running Windows Defender
  2. Kali Linux waiting to receive shellz
  3. Preconfigured Covenant with docker
  4. Donut — latest release
  5. ProcessInjection by 3xpl01tc0d3r

Covenant setup

I am not going to show you how to set up Covenant, you can find the resources in the project's repository, but this is how I built the docker container:

# Build docker container
$ ~/Covenant/Covenant > docker build -t covenant .
$ ~/Covenant/Covenant > docker run -it -p 7443:7443 -p 80:80 -p 443:443 --name covenant covenant --username AdminUser --computername 0.0.0.0

  • We are going to use notepad.exe (PID 4932)

Brenton Swanepoel

Excited about OSINT, threat hunting and the general breaking of things