/InjectProc

InjectProc - Process Injection Techniques

Primary LanguageC++GNU General Public License v3.0GPL-3.0

InjectProc

Process injection is a very popular method to hide malicious behavior of code and are heavily used by malware authors.

There are several techniques, which are commonly used: DLL injection, process replacement (a.k.a process hollowing), hook injection and APC injection.

Most of them use same Windows API functions: OpenProcess, VirtualAllocEx, WriteProcessMemory, for detailed information about those functions, use MSDN.

DLL injection:

  • Open target process.
  • Allocate space.
  • Write code into the remote process.
  • Execute the remote code.

Process replacement:

  • Create target process and suspend it.
  • Unmap from memory.
  • Allocate space.
  • Write headers and sections into the remote process.
  • Resume remote thread.

Hook injection:

  • Find/Create process.
  • Set hook

Note:

InjectProc uses SetWindowsHookEx function, you can try different ways to installing hooks, for example, EasyHook

APC injection:

  • Open process.
  • Allocate space.
  • Write code into remote threads.
  • "Execute" threads using QueueUserAPC.

Download

Windows x64 binary - x64 bit DEMO

Dependencies:

vc_redist.x64 - Microsoft Visual C++ Redistributable

DEMO

InjectProc DEMO - Process Injection Techniques

Contributors

Warning

Works on Windows 10 build 1703, 64bit.

I've not enough time to test other systems and make it portable if you have enough time please contribute.

I create this project for me to better understand how process injection works and I think it will be helpful for many beginner malware analysts too.