Process Injection
The most popular covert launching technique is process injection. As the name implies, this technique injects code into another running process, and that process unwittingly executes the malicious code. Malware authors use process injection in an attempt to conceal the malicious behavior of their code, and sometimes they use this to try to bypass host-based firewalls and other process-specific security mechanisms.
Certain Windows API calls are commonly used for process injection. For example, the VirtualAllocEx
function can be used to allocate space in an external
process’s memory, and WriteProcessMemory
can be used to write data to that allocated space. This pair of functions is essential to the first three loading techniques ...
Get Practical Malware Analysis now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.