Process Injection in Malware Development – Reverse Engineering

Process injection is one of the best-known techniques malware authors use to bypass firewalls and memory forensics procedures and to slow down inexperienced reverse engineers, by adding malicious functionality to legitimate processes and hiding it there. In this section, we will cover the theory behind process injection and why it is commonly used in various APT attacks today.

What is process injection? In the Windows operating system, processes are allowed to allocate, read, and write another process's virtual memory, as well as create new threads, kill threads, and change those threads' registers, including the instruction pointer (EIP/RIP). Process injection is a technique malware authors implement to inject code or a shared library (DLL) into another process's memory and execute that code inside the address space of that process. In Windows Vista and higher, it is not permitted to inject into core Windows processes such as explorer.exe or into other users' processes, but it is still possible to inject into most current-user browsers and other current-user processes. This technique is used legitimately by multiple endpoint security products to monitor applications and for sandboxing, but it is also misused by malware developers.

How does DLL injection happen?

The Windows operating system allows processes to load dynamic link libraries into other processes for security reasons, sandboxing, or even graphics.

Windows provides registry entries for DLLs so that they can be loaded into every process that meets certain criteria. Many of them allow a malicious DLL to be injected into multiple processes, including browsers and other legitimate processes. There are many of these registry entries, but we will explore the most common one here.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

This registry entry was one of the registry entries most misused by malware to inject DLL code into other processes and maintain persistence. The libraries listed in this value are loaded into every process that loads user32.dll (the system library used mainly for the UI). In Windows 7 SP1 and newer versions, it requires the DLLs to be signed, and it is disabled by default on Windows 8 and beyond. However, it can still be misused by setting the RequireSignedAppInit_DLLs value to False and LoadAppInit_DLLs to True. To do this, you need administrative privileges to set these entries, which can be obtained, for example, with the help of social engineering:
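As an added example (not part of the original post), the following PowerShell script audits the AppInit_DLLs configuration just described from a defender's point of view: it reads both the native and the Wow6432Node key, reports the two DWORD switches (1 = enabled), flags the weak combination of LoadAppInit_DLLs = 1 with RequireSignedAppInit_DLLs = 0, and checks the Authenticode signature of every DLL the value names. The key paths and value names are the documented ones; the function and variable names are my own.

```powershell
# Added example: audit the AppInit_DLLs mechanism described above.
# Reading the keys needs no elevation; run from a PowerShell prompt on the host under review.

$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'   # 32-bit view on 64-bit Windows
)

function Get-AppInitAudit {
    param([string]$KeyPath)

    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue

    # AppInit_DLLs is a space- or comma-delimited REG_SZ list of DLL paths.
    # Bare file names (no directory) are resolved by the loader's search order,
    # so a "FileMissing" result for those still deserves a manual look.
    $dllList = @()
    if ($props.AppInit_DLLs) {
        $dllList = $props.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ }
    }
    $dllEntries = foreach ($dll in $dllList) {
        $exists = Test-Path -LiteralPath $dll
        $sigStatus = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }
        [pscustomobject]@{ Path = $dll; Exists = $exists; Signature = $sigStatus }
    }

    # Both switches are REG_DWORD; a missing value shows as $null and never matches 1 or 0 below.
    [pscustomobject]@{
        Key                       = $KeyPath
        LoadAppInit_DLLs          = $props.LoadAppInit_DLLs
        RequireSignedAppInit_DLLs = $props.RequireSignedAppInit_DLLs
        WeakConfiguration         = ($props.LoadAppInit_DLLs -eq 1 -and $props.RequireSignedAppInit_DLLs -eq 0)
        Dlls                      = $dllEntries
    }
}

foreach ($key in $appInitKeys) {
    $audit = Get-AppInitAudit -KeyPath $key
    if ($null -eq $audit) { continue }
    $audit | Format-List Key, LoadAppInit_DLLs, RequireSignedAppInit_DLLs, WeakConfiguration
    if ($audit.Dlls) { $audit.Dlls | Format-Table -AutoSize }
}
```

A host where WeakConfiguration is True, or where the list names a DLL whose signature status is anything other than Valid, warrants a closer look at how and when those values were written.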

OCSALY