Observation
This is a subset technique derived from Classic Code Injection Local Process and, except we don’t allocate a buffer with rwx permissions on our own process, but rather look for processes with those permissions and inject our shellcode into it.
Working
NtGetNextProcessis used to enumerate all processes.GetProcessImageFileNameto retrieve the image name of the process.VirtualQueryExis used to query for memory regions marked asPAGE_EXECUTE_READWRITE.- Once the right process is found,
WriteProcessMemoryis used to write the shellcode into the memory region of said process. - A thread on that process is created using
CreateRemoteThread.