We covered process injection and process hollowing. Process injection is the process of injecting an already running process with malicious code or shellcode. Process hollowing is the process of creating a legitimate process in a suspended state and then unmapping the legitimate code from memory and replacing it with the shell code. Both Process injection and hollowing are useful to hide rootkits and shellcodes in innocently-looking processes to maintain access and persistence. This was part of TryHackMe Abusing Windows Internals red team pathway.

We also covered DLL Injection & DLL Hijacking along with a practical scenario from TryHackMe Abusing Windows Internals lab which is part of the Red team pathway. DLL Injection relies in using Windows API calls to perform specific actions such as selecting a running process, allocating memory and writing the malicious DLL to the allocated memory region. DLL Hijacking relies on having access permissions to locate and replace a legitimate DLL with a malicious one.

What is Process Injection

Process injection is commonly used as an overarching term to describe injecting malicious code into a process through legitimate functionality or components.

At a high level, shellcode injection can be broken up into four steps:

  1. Open a target process with all access rights.
  2. Allocate target process memory for the shellcode.
  3. Write shellcode to allocated memory in the target process.
  4. Execute the shellcode using a remote thread.

Once access is gained, the attacker:

  1. Lists all active processes using system tools like tasklist (Windows) or ps aux (Linux).
  2. Chooses a process that matches the compromised user’s privileges—optimally a system process to avoid suspicion.
  3. Retrieves the Process ID (PID) to target the process directly.

Injection Procedure Using APIs
The injection sequence is:

  • Use OpenProcess to get a handle on the selected process.
  • Allocate memory for the shellcode using VirtualAlloc.
  • Use WriteProcessMemory to write the shellcode.
  • Execute it via CreateRemoteThread.

These APIs are core parts of Windows internals that allow precise memory and process control.

Crafting Shellcode
The shellcode, often created with msfvenom, is a snippet of binary instructions that executes the payload. It can be copied from pre-made repositories or generated for specific tasks.

Its correct placement and execution within the target process enables a stealthy backdoor or functionality like keylogging, file exfiltration, or C2 communication.

What is Process Hollowing

Process hollowing offers the ability to inject an entire malicious file into a process. This is accomplished by “hollowing” or un-mapping the process and injecting specific PE (Portable Executable) data and sections into the process.

At a high-level process hollowing can be broken up into six steps:

  1. Create a target process in a suspended state.
  2. Open a malicious image.
  3. Un-map legitimate code from process memory.
  4. Allocate memory locations for malicious code and write each section into the address space.
  5. Set an entry point for the malicious code.
  6. Take the target process out of a suspended state.

At a high-level thread (execution) hijacking can be broken up into eleven steps:

  1. Locate and open a target process to control.
  2. Allocate memory region for malicious code.
  3. Write malicious code to allocated memory.
  4. Identify the thread ID of the target thread to hijack.
  5. Open the target thread.
  6. Suspend the target thread.
  7. Obtain the thread context.
  8. Update the instruction pointer to the malicious code.
  9. Rewrite the target thread context.
  10. Resume the hijacked thread.

At a high-level DLL injection can be broken up into six steps:

  1. Locate a target process to inject.
  2. Open the target process.
  3. Allocate memory region for malicious DLL.
  4. Write the malicious DLL to allocated memory.
  5. Load and execute the malicious DLL.

TryHackMe Abusing Windows Internals Room Answers

Identify a PID of a process running as THM-Attacker to target. Once identified supply the PID as an argument to execute shellcode-injector.exe located in the Injectors directory on the desktop.

What flag is obtained after injecting the shellcode?

Identify a PID of a process running as THM-Attacker to target. Supply the PID and executable name as arguments to execute hollowing-injector.exe located in the injectors directory on the desktop.

What flag is obtained after hollowing and injecting the shellcode?

Identify a PID of a process running as THM-Attacker to target. Supply the PID as an argument to execute thread-injector.exe located in the Injectors directory on the desktop.

What flag is obtained after hijacking the thread?

What protocol is used to execute asynchronously in the context of a thread?

What is the Windows API call used to queue an APC function?

Can the void function pointer be used on a remote process? (y/n)

What alternative Windows API call was used by TrickBot to create a new user thread?

Was the injection techniques employed by TrickBot reflective? (y/n)

What function name was used to manually write hooks?

Video Walkthrough

,
Show Comments

The MasterMinds Notes

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles