At Black Hat and DefCon 2019, we presented the results of an extensive project to catalog and analyze process injection techniques. Before we started this project in late 2018, we thought process injection in Windows was a well-documented topic, with many techniques now known and implemented to inject from one process to the other. During the course of this project, we realized that there were many more process injection techniques than we initially estimated and that it is possible to create combinations of techniques that form many additional process injection implementations. That realization led to our decision to create the definitive compendium of process injection techniques and to also create a useful tool to implement more variants of process injection techniques.
Basically, process injection is used by malware to gain more stealth (i.e. to run malicious logic in a legitimate process) and to bypass security products (e.g. AV, DLP and personal firewall solutions). It does this by injecting unauthorized code that enables sensitive operations (e.g. network access) in a process which is privileged to do so.
For this research, we decided to take a closer look at process injection in Windows. Part of our research effort was to understand the landscape, with a focus on present-day platforms (Windows 10 x64 version 1803+, 64-bit processes). We quickly realized there were a number of problems.
- We could not find a single repository with a full list of all injection techniques. There are some texts that review multiple injection techniques (hat tip to Ashkan Hosseini, EndGame for a nice collection and to Csaba Fitzl AKA “TheEvilBit” for some implementations), but no one captured all (or almost all) techniques.
- The documents that describe injection techniques typically lump together “true injection techniques” (the object of this paper) with other related topics, such as process hollowing and stealthy process spawning. In this paper, we’re interested only in injection from one 64-bit process (medium integrity) to another, already running 64-bit process (medium integrity).
- The texts often try to present a complete injection process, by mixing writing and execution techniques, when only one of them is novel.
- Many texts target 32-bit processes, and it was not clear whether they apply to 64-bit processes.
- Many articles focus on pre-Windows 10 platforms; but it is not clear whether they apply to Windows 10, with its implementation changes and with its new security features.
- Some attacks require privilege elevation, and as such are not interesting because with privilege escalation it is possible to mount many other, perhaps more devastating attacks.
- Process injection example texts lack analysis – discussion of requirements and limitations, impact of Windows 10 security features, etc.
- The example texts usually provide a PoC, but it’s “too well written” – meaning, the PoC checks for return code, handles errors, handles 32-bit and 64-bit processes, edge conditions, etc. This makes the code lengthy and difficult to follow, whereas a researcher needs a concise, minimal code that implements only the strictly necessary steps of the attack.
- Likewise, the PoC implements an end-to-end injection (not just the novel write/execute technique). This again makes the PoC pretty big and difficult to follow.
In our comprehensive analysis, we addressed all the above issues. We provided the first comprehensive catalogue of true process injection techniques in Windows. We categorized the individual techniques into write primitives and execution methods. We tested the techniques against 64-bit processes (medium integrity) running on Windows 10 x64. We tested them with and without process protection techniques (CFG, CIG). We analyzed each technique and explained its requirements and limitations. Finally, we provide stripped down, minimalist PoC code that works, and at the same time is short enough to clearly show the technique at hand.
We tried to be as comprehensive as possible, i.e. really cover all different techniques. We may have missed a few and more are sure to be discovered. To get all our findings in detail, you need to read the White Paper but here’s a quick summary.
3X as Many Techniques as Previously Believed
First of all, we significantly underestimated the number of viable techniques. IOnce we started to catalog known attack techniques, we found more than 20. Counting multiple variations of many of those attacks, you can argue there are dozens of process injection attack techniques out in the wild. Coverage of such attacks in security tools is highly desired because process injection at large is a convenient way for malware to move its logic to a less suspicious, more legitimate process. Having so many process injection techniques (with no single security product likely to cover them all) can enable savvy attackers to create an undetected process injection variant for use in their stealthy attacks.
A New Attack Type: Stack Bomber
As we continued with our research, we identified an entirely new process injection technique that we named Stack Bomber. This is a CFG-agnostic execution technique that we paired with a memory writing technique. Because it’s relatively new, we believe very few tools and scanners can protect against this. To be frank, the discovery did not totally surprise us; we expect that over time many new attack types will be discovered.
PINJECTRA: A New Tool To Identify Process Injection Techniques
All of the PoCs described in the chart above are available in our GIT repository. We provide “full exploitation” PoCs which demonstrate execution (MessageBox) for all techniques. But we decided as we went through this project that we wanted to take it a step further with an entirely new tool that will make it much easier to research and identify novel process injection techniques. The result is PINJECTRA, a “mix and match” C++ class library that allows anyone to easily construct process injections by combining compatible write primitives with execution methods. PINJECTRA utilizes a C/C++ static type system to rapidly develop new process injection techniques, as well as to experiment with existing ones. PINJECTRA is implemented as a Visual Studio Solution that contains 4 projects: a library, a dummy test program and 2 dummy DLLs. This is the first offering of its kind and we hope it proves useful to the Windows development and security community.
Conclusion: More Work to Be Done
We hope our research will support a better, broader and deeper understanding of the defense evasion techniques that exist today and how to mitigate these issues. We will continue to compile more examples, so consider this an evolving corpus of examples, PoCs and more. We also hope that people find PINJECTRA useful and integrate it into their security research practices.
To access our presentation slides, download the whitepaper and download the tool, here are the links on Blackhat’s site. Scroll down to the end of the session description and you will see the materials. https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All.pdf