Table of contents
| Process Injection Techniques | Win32 API used | MITRE ATT&CK | Detection |
|---|---|---|---|
| Process Hollowing | CreateProcess (CREATE_SUSPENDED), ReadProcessMemory, NtUnmapViewOfSection, CreateFile, VirtualAllocEx, ReadProcessMemory, WriteProcessMemory, SetThreadContext, ResumeThread | T1055.012 | DS0009 |
| Process Ghosting | CreateFile, GetFileSize, VirtualAlloc, ReadFile, NtOpenFile, NtSetInformationFile, WriteFile, NtCreateSection, NtCreateProcessEx, ... | | |
| RWX Hunting & Injection | NtGetProcess, GetProcessImageFileName, VirtualQueryEx, WriteProcessMemory, CreateRemoteThread, WaitForSingleObject | | |
| Classic Code Injection (Local Process) | VirtualAlloc, memcpy, CreateThread, WaitForSingleObject | | |
| Classic Code Injection (Remote Process) | CreateToolhelp32Snapshot, OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, WaitForSingleObject | | |
| Classic Code Injection (VirtualProtect) | CreateToolhelp32Snapshot, OpenProcess, VirtualAllocEx, WriteProcessMemory, VirtualProtectEx, CreateRemoteThread, WaitForSingleObject | | |
| Classic Code Injection with API Obfuscation | CreateToolhelp32Snapshot, OpenProcess, (API name deobfuscation), VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, WaitForSingleObject | | |
| NtCreateSection and NtMapViewOfSection | NtCreateSection, NtMapViewOfSection (local), OpenProcess, NtMapViewOfSection (remote), memcpy, CreateRemoteThread | | |
| NT API Injection | EnumProcesses, OpenProcess, GetModuleFileNameEx, GetProcAddress, NtOpenProcess, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx | | |
| Fork API Injection (Dirty Vanity) | | | |
| PE Injection | CreateToolhelp32Snapshot, Process32First, GetModuleHandle, VirtualAlloc, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread | T1055.002 | DS0009 |
| PEB Walk Injection | EnumProcesses, OpenProcess, PEB lookup via non-volatile register, CONTAINING_RECORD, GetProcAddressKernel32 (custom), VirtualAllocEx, WriteProcessMemory, CreateRemoteThread | | |
| PEB Walk and API Obfuscation Technique | EnumProcesses, OpenProcess, PEB lookup via non-volatile register, CONTAINING_RECORD, GetProcAddressKernel32 (custom), (API name deobfuscation), VirtualAllocEx, WriteProcessMemory, CreateRemoteThread | | |
| Direct Syscalls | CreateToolhelp32Snapshot, NtOpenProcess, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx (invoked as raw syscalls, bypassing hooked ntdll stubs) | | |
| Indirect Syscalls | EnumProcesses, OpenProcess, GetModuleFileNameEx | | |
| Classic DLL Injection | | T1055.001 | DS0009, DS0011 |
| Reflective DLL Injection | CreateFile, GetFileSize, ReadFile, VirtualAllocEx, WriteProcessMemory | | |
| Unhook ntdll.dll (Lagos Island) | CreateFile, GetFileSize, malloc, ReadFile, VirtualAlloc, CopyMemory, LoadLibrary, GetProcAddress, NtAllocateVirtualMemory, memcpy, NtCreateThreadEx | | |
| Module Stomping | EnumProcesses, OpenProcess, EnumProcessModules, GetModuleFileNameEx, VirtualAllocEx, WriteProcessMemory, GetProcAddress, CreateRemoteThread, FindModuleBase (custom), WriteProcessMemory, CreateRemoteThread | | |
| Mockingjay | | | |
| Remote Thread Hijacking | EnumProcesses, OpenProcess, GetModuleFileNameEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateToolhelp32Snapshot, Thread32First, Thread32Next, OpenThread, SuspendThread, GetThreadContext, SetThreadContext, ResumeThread | T1055.003 | DS0009 |
| APC Injection | CreateToolhelp32Snapshot, Process32First, Process32Next, OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateToolhelp32Snapshot, Thread32First, Thread32Next, OpenThread, QueueUserAPC | T1055.004 | DS0009 |
| Early Bird Injection | | T1055.004 | DS0009 |
| AddressOfEntryPoint Injection | NtQueryInformationProcess, NtReadVirtualMemory (PEB), NtReadVirtualMemory (image headers), WriteProcessMemory, NtResumeThread | | |
| Injection through Fibers | | | |
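The API column above is, in effect, a per-technique call sequence, which is exactly what a user-mode API monitor (or a sandbox trace) reports per process. As an added example that is not part of the original page, the Python below matches a per-process trace of API calls against ordered signatures distilled from the rows above. `SIGNATURES` keeps only the calls that carry each technique (the enumeration calls such as `CreateToolhelp32Snapshot` are shared by benign tooling and are deliberately left out), and `SAMPLE_TRACE` is a constructed, hypothetical trace; neither is a vendor rule set.

```python
"""Match per-process Win32/NT API call traces against injection signatures.

Added example, not code from the original page. SIGNATURES is a constructed
distillation of the technique table; SAMPLE_TRACE is a constructed trace.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Ordered subsequences of calls that distinguish each technique. Longer
# signatures are more specific, so when a trace matches several the longest
# wins (e.g. thread hijacking shares the OpenProcess/VirtualAllocEx/
# WriteProcessMemory prefix of classic injection).
SIGNATURES = {
    "Classic Code Injection (Remote Process)": (
        "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"),
    "NT API Injection": (
        "NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory",
        "NtCreateThreadEx"),
    "APC Injection": (
        "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "OpenThread",
        "QueueUserAPC"),
    "Remote Thread Hijacking": (
        "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "OpenThread",
        "SuspendThread", "GetThreadContext", "SetThreadContext", "ResumeThread"),
    "Process Hollowing": (
        "CreateProcess", "NtUnmapViewOfSection", "VirtualAllocEx",
        "WriteProcessMemory", "SetThreadContext", "ResumeThread"),
}


@dataclass(frozen=True)
class ApiEvent:
    pid: int   # process that issued the call
    api: str   # API name as a user-mode hook would report it


def is_subsequence(needle: Iterable[str], haystack: Iterable[str]) -> bool:
    """True if every call in `needle` occurs in `haystack` in that order."""
    it = iter(haystack)
    return all(call in it for call in needle)  # `in` advances the iterator


def classify(events: List[ApiEvent], pid: int) -> Optional[str]:
    """Name the most specific matching technique for `pid`, or None."""
    calls = [e.api for e in events if e.pid == pid]
    matched = [name for name, sig in SIGNATURES.items() if is_subsequence(sig, calls)]
    return max(matched, key=lambda n: len(SIGNATURES[n])) if matched else None


def classify_all(events: List[ApiEvent]) -> dict:
    return {pid: classify(events, pid) for pid in sorted({e.pid for e in events})}


def _calls(pid: int, *apis: str) -> List[ApiEvent]:
    return [ApiEvent(pid, a) for a in apis]


# Constructed trace: five hypothetical processes, one per scenario.
SAMPLE_TRACE = (
    # pid 100: hollowing of a suspended child process
    _calls(100, "CreateProcess", "ReadProcessMemory", "NtUnmapViewOfSection",
           "VirtualAllocEx", "WriteProcessMemory", "SetThreadContext", "ResumeThread")
    # pid 200: APC injection, with the snapshot/enumeration noise left in
    + _calls(200, "CreateToolhelp32Snapshot", "Process32First", "OpenProcess",
             "VirtualAllocEx", "WriteProcessMemory", "Thread32First", "OpenThread",
             "QueueUserAPC")
    # pid 300: thread hijacking; shares the classic prefix but is more specific
    + _calls(300, "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "OpenThread",
             "SuspendThread", "GetThreadContext", "SetThreadContext", "ResumeThread")
    # pid 400: benign debugger-like reads, no injection
    + _calls(400, "OpenProcess", "ReadProcessMemory", "CloseHandle")
    # pid 500: direct syscalls; only the snapshot call reaches user-mode hooks
    + _calls(500, "CreateToolhelp32Snapshot")
)

if __name__ == "__main__":
    for pid, technique in classify_all(SAMPLE_TRACE).items():
        print(f"pid {pid}: {technique or 'no injection signature matched'}")
```

The pid 500 case is the caveat a practitioner should carry over to the Direct Syscalls and Indirect Syscalls rows: a user-mode hook only sees the calls that pass through the hooked ntdll stubs, so a sequence issued as raw syscalls produces no match here even though the same memory writes and thread creation happened. Telemetry from the kernel side (the process data source DS0009 in the table, e.g. ETW threat-intelligence events) is what covers those rows.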