Cybersecurity May 20, 2026 • BY Neeraz

Demystifying Process Injection: Modern Malware Ingress and Evasion Techniques

In the escalating arms race of cybersecurity, attackers consistently strive to bypass endpoint security systems. One of the most persistent and sophisticated mechanisms for achieving stealth is Process Injection. By injecting malicious code directly into the address space of a legitimate, running process, malware effectively turns trusted system utilities into digital cloaking devices.

What is Process Injection?

Process injection is an evasion technique in which an attacker runs their own code inside the address space of another, already-running process. Instead of starting a separate, suspicious process (such as malware.exe), the payload executes under a trusted host such as explorer.exe or svchost.exe. Name-based process allow-lists, per-application firewall rules and a glance at Task Manager all see only the trusted host; the malicious code never appears as a process of its own.

"The greatest trick malware ever played was convincing the operating system that its payload was a trusted system service."

Key Injection Techniques

Technique          | Mechanism                                                                                                                                                                          | Detection Difficulty
DLL Injection      | The injector writes the path of a malicious DLL into the target's memory, then starts a remote thread whose start address is LoadLibrary(), so the target process loads the DLL itself. | Moderate (the load is visible to image-load callbacks and DLL-loading hooks)
Process Hollowing  | Launches a legitimate executable in a suspended state, unmaps its image, writes a malicious payload in its place, repoints the main thread and resumes it.                            | High (the process name and the file on disk both look legitimate)
Reflective Loading | The payload maps itself from memory (parsing its own headers, resolving imports and applying relocations) instead of going through the OS loader.                                     | Extreme (the DLL never exists as a file on disk and is absent from the loader's module list)

1. Classic DLL Injection Mechanics

Classic DLL injection uses a chain of ordinary Win32 APIs exported by kernel32.dll (user-mode calls, not kernel code). The injector obtains a handle to the target process with memory-write and thread-creation rights, allocates memory in the target, writes the path of the malicious DLL into that allocation, and starts a remote thread whose start address is LoadLibraryA and whose argument is the written path, so the target process loads the DLL itself:

// Standard API Chain for Classic Injection
1. OpenProcess()          // Get a handle with PROCESS_VM_OPERATION, PROCESS_VM_WRITE and PROCESS_CREATE_THREAD rights
2. VirtualAllocEx()       // Allocate memory in the target's address space
3. WriteProcessMemory()   // Write the NUL-terminated DLL path into that allocation
4. CreateRemoteThread()   // Start address = LoadLibraryA, parameter = the written path; the target loads the DLL

2. Process Hollowing: The Ultimate Impersonation

In Process Hollowing, malware creates a legitimate process (e.g. svchost.exe) with the CREATE_SUSPENDED flag, so its main thread exists but has not yet run the original code. It then unmaps the original image from the suspended process with NtUnmapViewOfSection (exported by ntdll.dll; ZwUnmapViewOfSection is the same call under its alternate name), allocates memory at the vacated base, and writes the headers and sections of the malicious payload in place of the hollowed image, patching ImageBaseAddress in the PEB if the new base differs. The main thread's context is read with GetThreadContext() and rewritten with SetThreadContext() so that the register carrying the entry point now refers to the payload's entry, and the process is resumed with ResumeThread(). From that moment the payload runs under the name, path and parent of the legitimate process.

How Modern EDR Platforms Detect Injection

Modern Endpoint Detection and Response (EDR) tools have evolved beyond signatures to monitor memory integrity and API sequences. EDR agents hook Windows APIs in user mode (typically by patching ntdll.dll exports inside each process) and receive kernel-mode telemetry through the documented callback routines (process-, thread- and image-load notifications, plus object-manager callbacks on process-handle opens); on 64-bit Windows the kernel itself cannot be patched because of Kernel Patch Protection, so those callbacks are the kernel-side source. Together they give the agent a per-process audit trail of remote memory manipulation.

  • Memory Discrepancy Audits: EDR platforms compare the executable pages of a running process against its image on disk; a process whose in-memory code no longer matches its own file is the tell-tale sign of Process Hollowing.
  • Heuristic Memory Scans (YARA-in-Memory): Periodically scanning private executable memory, above all regions marked PAGE_EXECUTE_READWRITE or not backed by any file, for shellcode and known loader patterns.
  • Behavioral Sequencing: Correlating a handle open with write and thread-creation rights, then VirtualAllocEx, WriteProcessMemory and CreateRemoteThread against the same target within a short window, and weighting the alert by the source (an Office application or script host is far more suspicious than a debugger or a signed system process).
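The behavioral-sequencing rule above, applied to both API chains the article describes (the classic OpenProcess/VirtualAllocEx/WriteProcessMemory/CreateRemoteThread chain and the hollowing chain of suspended create, NtUnmapViewOfSection, write, SetThreadContext and ResumeThread), is easiest to understand as a small correlation engine. The following is an added example written for this article, not code from the article's author or from any EDR product. It assumes telemetry already arrives as a list of per-call events (timestamp, source pid and image, API name, target pid, selected arguments); how those events are collected is out of scope. The telemetry in SAMPLE_TELEMETRY is constructed for the example, and the image names and pids are hypothetical.

```python
"""Behavioral sequencing of cross-process API calls (added example).

Assumes events shaped like {"ts", "pid", "image", "api", "target_pid", "args"}.
The collection mechanism (user-mode hooks, ETW, kernel callbacks) is not modeled.
"""

# Documented Win32 constants (winnt.h / processthreadsapi.h).
PAGE_EXECUTE_READWRITE = 0x40
CREATE_SUSPENDED = 0x00000004
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
INJECT_ACCESS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Ordered API chains from the article, keyed by a short technique name.
CHAINS = {
    "classic_dll_injection": ("OpenProcess", "VirtualAllocEx",
                              "WriteProcessMemory", "CreateRemoteThread"),
    "process_hollowing": ("CreateProcess", "NtUnmapViewOfSection",
                          "WriteProcessMemory", "SetThreadContext", "ResumeThread"),
}
WINDOW_SECONDS = 5.0   # assumed correlation window; tune to the telemetry rate


def _qualifies(api, args):
    """Count only the variant of a call that matters for injection."""
    if api == "OpenProcess":            # a query-only handle cannot write or start threads
        return bool(args.get("access", 0) & INJECT_ACCESS)
    if api == "CreateProcess":          # only a suspended create can be hollowed
        return bool(args.get("flags", 0) & CREATE_SUSPENDED)
    return True


def detect(events):
    """Return one alert per (source pid, target pid) pair that completes a chain in order."""
    alerts = []
    state = {}   # (src, tgt) -> {"chains": {name: (next_index, window_start)}, "rwx": bool, "image": str}
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, tgt = ev["pid"], ev.get("target_pid")
        if tgt is None or tgt == src:   # only cross-process activity is of interest here
            continue
        st = state.setdefault((src, tgt), {"chains": {n: (0, 0.0) for n in CHAINS},
                                           "rwx": False, "image": ev["image"]})
        args = ev.get("args", {})
        api = ev["api"] if _qualifies(ev["api"], args) else None
        if api == "VirtualAllocEx" and args.get("protect") == PAGE_EXECUTE_READWRITE:
            st["rwx"] = True            # RWX allocation: the heuristic-scan signal
        for name, chain in CHAINS.items():
            idx, start = st["chains"][name]
            if idx and ev["ts"] - start > WINDOW_SECONDS:
                idx = 0                 # stale partial chain: start over
            if chain[idx] == api:
                if idx == 0:
                    start = ev["ts"]    # the window opens on the chain's first step
                idx += 1
            if idx == len(chain):
                alerts.append({"technique": name, "source_pid": src,
                               "source_image": st["image"], "target_pid": tgt,
                               "rwx_allocation": st["rwx"], "completed_at": ev["ts"]})
                idx, st["rwx"] = 0, False
            st["chains"][name] = (idx, start)
    return alerts


def _ev(ts, pid, image, api, target_pid, **args):
    return {"ts": ts, "pid": pid, "image": image, "api": api,
            "target_pid": target_pid, "args": args}


# Constructed telemetry for this example (not captured data); pids and image names are hypothetical.
SAMPLE_TELEMETRY = [
    # Benign: Task Manager opens explorer.exe for a query only; nothing follows.
    _ev(0.0, 2200, "taskmgr.exe", "OpenProcess", 1337, access=PROCESS_QUERY_INFORMATION),
    # Classic DLL injection from a macro-bearing document into explorer.exe (pid 1337).
    _ev(1.0, 4120, "winword.exe", "OpenProcess", 1337, access=INJECT_ACCESS),
    _ev(1.1, 4120, "winword.exe", "VirtualAllocEx", 1337, size=0x1000, protect=PAGE_EXECUTE_READWRITE),
    _ev(1.2, 4120, "winword.exe", "WriteProcessMemory", 1337, size=38),
    _ev(1.3, 4120, "winword.exe", "CreateRemoteThread", 1337, start="kernel32!LoadLibraryA"),
    # Process hollowing: svchost.exe spawned suspended (new pid 6001), unmapped and overwritten.
    _ev(2.0, 5000, "update.exe", "CreateProcess", 6001, path="C:\\Windows\\System32\\svchost.exe", flags=CREATE_SUSPENDED),
    _ev(2.1, 5000, "update.exe", "NtUnmapViewOfSection", 6001, base=0x140000000),
    _ev(2.2, 5000, "update.exe", "WriteProcessMemory", 6001, size=0x30000),
    _ev(2.3, 5000, "update.exe", "SetThreadContext", 6001),
    _ev(2.4, 5000, "update.exe", "ResumeThread", 6001),
    # Stale chain: the write arrives long after the allocation, so the rule must not fire.
    _ev(3.0, 7000, "debugger.exe", "OpenProcess", 8000, access=INJECT_ACCESS),
    _ev(3.1, 7000, "debugger.exe", "VirtualAllocEx", 8000, size=0x1000, protect=0x04),
    _ev(20.0, 7000, "debugger.exe", "WriteProcessMemory", 8000, size=16),
    _ev(20.1, 7000, "debugger.exe", "CreateRemoteThread", 8000, start="0x7ff6c0001000"),
]


def run_demo():
    """Run the detector over the constructed telemetry; returns two alerts."""
    return detect(SAMPLE_TELEMETRY)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The two qualifiers are where the false positives are controlled: an OpenProcess that asks only for PROCESS_QUERY_INFORMATION never advances the chain, and a CreateProcess without CREATE_SUSPENDED is ignored, while the per-chain time window prevents a debugger's allocation from being stitched to an unrelated write minutes later. The RWX flag is carried into the alert rather than used as a rule of its own, because many legitimate loaders allocate RWX briefly and the allocation only matters when it is followed by a remote thread or a resumed hollowed process.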

Building a Resilient Defense

Defending against sophisticated in-memory malware requires a combination of strong endpoint configurations:

  1. Enable Attack Surface Reduction (ASR) rules: in Microsoft Defender, the rules that block Office applications from creating child processes and from injecting code into other processes, together with the rules covering script hosts, cut off the most common initial vectors before an injector ever runs.
  2. Implement Zero Trust principles: Even if a process is trusted (like explorer.exe), restrict its outbound network access with application-aware firewall rules, so a payload hiding inside it still cannot reach its command-and-control server freely.
  3. Keep EDR agents tuned: Ensure in-memory scanning and kernel-callback telemetry are enabled, and make sure that exclusions do not cover commonly abused hosts such as explorer.exe or svchost.exe, so unauthorized cross-process API sequences are flagged as they happen.
