Process Injection is a popular technique used by Red Teams and threat actors for defense evasion, privilege escalation, and other interesting use cases. At the time of this publishing, MITRE ATT&CK includes 12 (remote) process injection sub-techniques.
Process Injection is a technique used by Red Teams and threat actors to evade defense, escalate privileges, and for other purposes. Recently, a technique was researched that does not require explicit memory allocation or direct use of methods that create threads or manipulate thread contexts. This technique is called AddressOfEntryPoint Process Injection and involves obtaining the target image PEB address and pointer to the image base of the remote process via NtQueryInformationProcess(), obtaining the target process image base address as derived from the PEB offset via ReadProcessMemory(), reading and capturing the target process image headers via ReadProcessMemory(), getting a pointer to the AddressOfEntryPoint address within the target process optional header, overwriting the AddressOfEntryPoint with desired shellcode via WriteProcessMemory(), and resuming the process (primary thread) from a suspended state via ResumeThread().
Another technique is called 'ThreadQuery' Process Injection. It involves obtaining a handle to the primary process thread via CreateProcess(), using NtQueryInformationProcess() to obtain a function pointer to the ThreadQuerySetWin32StartAddress, writing shellcode to the address of ThreadQuerySetWin32StartAddress with WriteProcessMemory(), and leveraging ResumeThread() to resume the thread for launching the shellcode.
When analyzing the ThreadQuerySetWin32StartAddress, it was found that the address of the program entry point is likely to be the address of the program entry point when querying for the primary process thread. This was tested by creating a target process in a suspended state, obtaining the memory address of the primary thread, overwriting the memory address of the thread with shellcode, and resuming the thread to execute the shellcode.
Defensive considerations include tracing for stack events and correlating with System/Application/Security-Mitigations Event Log errors, as well as using a POC Yara rule to identify suspicious PE files that leverage methods associated with entry point process injection.
In conclusion, two process injection techniques were explored that do not require explicit memory allocation or direct use of methods that create threads or manipulate thread contexts. These techniques can be used to evade defense, escalate privileges, and for other purposes. Defensive considerations were also discussed.
📓 No Alloc, No Problem: Leveraging Program Entry Points for Process Injection
👉🏽 Process Injection is a popular technique used by Red Teams and threat actors for defense evasion, privilege escalation, and other interesting use cases. At the time of this publishing, MITRE ATT&CK includes 12 (remote) process injection sub-techniques. 👉🏽 Process Injection used to evade defense and escalate privileges 👉🏽 AddressOfEntryPoint Injection: obtains target process image information to overwrite shellcode 👉🏽 ThreadQuery Injection: obtains handle to primary process thread for launching shellcode 👉🏽 ThreadQuerySetWin32StartAddress identified as likely address of program entry point 👉🏽 Test conducted on target process in suspended state to execute shellcode 👉🏽 Defensive considerations include tracing for stack events and POC Yara rule 👉🏽 Techniques can be used for other purposes beyond defense evasion and privilege escalation 👉🏽 AddressOfEntryPoint Injection involves obtaining target process image information via NtQueryInformationProcess() 👉🏽 ThreadQuery Injection involves obtaining function pointer to ThreadQuerySetWin32StartAddress via NtQueryInformationProcess() 👉🏽 Defensive measures needed to mitigate threat of process injection techniques.