We covered process injection and process hollowing. Process injection is the process of injecting an already running process with malicious code or shellcode. Process hollowing is the process of creating a legitimate process in a suspended state and then unmapping the legitimate code from memory and replacing it with the shell code. Both Process injection and hollowing are useful to hide rootkits and shellcodes in innocently-looking processes to maintain access and persistence. This was part of TryHackMe Abusing Windows Internals red team pathway.
We also covered DLL Injection & DLL Hijacking along with a practical scenario from TryHackMe Abusing Windows Internals lab which is part of the Red team pathway. DLL Injection relies in using Windows API calls to perform specific actions such as selecting a running process, allocating memory and writing the malicious DLL to the allocated memory region. DLL Hijacking relies on having access permissions to locate and replace a legitimate DLL with a malicious one.
Leverage windows internals components to evade common detection solutions, using modern tool-agnostic approaches.
Process injection is commonly used as an overarching term to describe injecting malicious code into a process through legitimate functionality or components.
At a high level, shellcode injection can be broken up into four steps:
- Open a target process with all access rights.
- Allocate target process memory for the shellcode.
- Write shellcode to allocated memory in the target process.
- Execute the shellcode using a remote thread.
Process hollowing offers the ability to inject an entire malicious file into a process. This is accomplished by “hollowing” or un-mapping the process and injecting specific PE (Portable Executable) data and sections into the process.
At a high-level process hollowing can be broken up into six steps:
- Create a target process in a suspended state.
- Open a malicious image.
- Un-map legitimate code from process memory.
- Allocate memory locations for malicious code and write each section into the address space.
- Set an entry point for the malicious code.
- Take the target process out of a suspended state.
At a high-level thread (execution) hijacking can be broken up into eleven steps:
- Locate and open a target process to control.
- Allocate memory region for malicious code.
- Write malicious code to allocated memory.
- Identify the thread ID of the target thread to hijack.
- Open the target thread.
- Suspend the target thread.
- Obtain the thread context.
- Update the instruction pointer to the malicious code.
- Rewrite the target thread context.
- Resume the hijacked thread.
At a high-level DLL injection can be broken up into six steps:
- Locate a target process to inject.
- Open the target process.
- Allocate memory region for malicious DLL.
- Write the malicious DLL to allocated memory.
- Load and execute the malicious DLL.
What flag is obtained after injecting the shellcode?
What flag is obtained after hollowing and injecting the shellcode?
What flag is obtained after hijacking the thread?
What is the Windows API call used to queue an APC function?
Can the void function pointer be used on a remote process? (y/n)
Was the injection techniques employed by TrickBot reflective? (y/n)
What function name was used to manually write hooks?