Understanding Process Injection: An In-Depth Analysis

ice-wzl
5 min readJun 27, 2023

Introduction

Process injection is a technique widely used in the field of cybersecurity and software development. It involves injecting code into a running process, thereby manipulating its behavior or gaining unauthorized access. While process injection has legitimate uses in debugging, software testing, and performance optimization, it is also a favored method among malware authors for malicious activities.

In this blog post, we will provide a high-level overview of process injection, explore various WinAPI calls involved, and present a code example for process injection.

High-Level Overview of Process Injection

Process injection refers to the act of injecting code or data into a running process, with the intent to alter its behavior or exploit its functionalities. The injected code can execute within the context of the target process, enabling the attacker to evade detection mechanisms and carry out malicious activities. Process injection techniques can be broadly categorized into four types:

  1. DLL Injection: This technique involves injecting a dynamic-link library (DLL) into the target process. The injected DLL can contain additional functionality that the process did not originally possess.
  2. Code Injection: Here, the attacker directly injects machine code into the target process. This technique requires the code to be carefully crafted and executed within the process’s memory space.
  3. Process Hollowing: In this technique, the attacker creates a new process in a suspended state and replaces its executable code with malicious code. The attacker then resumes the process, leaving behind a legitimate-looking but compromised process.
  4. Reflective Injection: Reflective injection is a stealthier form of process injection that involves loading an entire module into the target process’s memory without relying on traditional LoadLibrary calls. The injected code runs entirely in memory, making it difficult to detect.

WinAPI Calls for Process Injection

To achieve process injection, several Windows API (WinAPI) calls are utilized. Let’s explore each of these calls along with their…

--

--

ice-wzl

Reverse Engineer, Red Teamer, CTF fan & creator