Awesome

InjectProc

Process injection is a very popular method to hide malicious behavior of code and are heavily used by malware authors.

There are several techniques, which are commonly used: DLL injection, process replacement (a.k.a process hollowing), hook injection and APC injection.

Most of them use same Windows API functions: OpenProcess, VirtualAllocEx, WriteProcessMemory, for detailed information about those functions, use MSDN.

DLL injection:

• Open target process.
• Allocate space.
• Write code into the remote process.
• Execute the remote code.

Process replacement:

• Create target process and suspend it.
• Unmap from memory.
• Allocate space.
• Write headers and sections into the remote process.
• Resume remote thread.

Hook injection:

• Find/Create process.
• Set hook

Note:

InjectProc uses SetWindowsHookEx function, you can try different ways to installing hooks, for example, EasyHook

APC injection:

• Open process.
• Allocate space.
• Write code into remote threads.
• "Execute" threads using QueueUserAPC.

Download

Windows x64 binary - x64 bit DEMO

Dependencies:

vc_redist.x64 - Microsoft Visual C++ Redistributable

DEMO

InjectProc DEMO - Process Injection Techniques

Contributors

• nullbites

Warning

Works on Windows 10 build 1703, 64bit.

I've not enough time to test other systems and make it portable if you have enough time please contribute.

I create this project for me to better understand how process injection works and I think it will be helpful for many beginner malware analysts too.