10 Process Injection Techniques: Technical Survey Of Common & Trending Process Injection Techniques

Discussion in 'other security issues & news' started by WildByDesign, Jul 18, 2017.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,104
    Location:
    Toronto, Canada
    Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques
    By Ashkan Hosseini

    Link: https://www.endgame.com/blog/techni...-technical-survey-common-and-trending-process


     
  2. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,722
    Nice overview of Process Injection Techniques :thumb:
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,180
    Location:
    U.S.A.
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,180
    Location:
    U.S.A.
    Endgame missed one DLL injection method which in my opinion is one of the worst. It is hijacking of DLLs that are loaded and stored in the KnownDLLs and KnownDLLs32 kernel space global root table. These areas store the base OS DLLs that are loaded into every process at startup time.
    http://resources.infosecinstitute.com/dll-hijacking-attacks-revisited/
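    An added example (not from the thread, the Endgame survey, or the InfoSec article) of how a defender can check the KnownDLLs set that the post above describes: read the list from the registry, resolve every entry in the 64-bit and 32-bit system directories, and record signature status, signer and SHA-256 so the result can be diffed against a baseline taken on a clean host. It assumes Windows PowerShell 5.1 or later running elevated; the registry key and the `DllDirectory`/`DllDirectory32` values are the real ones, the baseline path in the comment is constructed.

```powershell
# Added example, not code from the thread or the linked articles.
# Assumptions: Windows, PowerShell 5.1+, elevated so every DLL and the key are readable.

function Get-KnownDllStatus {
    [CmdletBinding()]
    param(
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
    )

    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop

    # DllDirectory / DllDirectory32 name the directories the entries are loaded from;
    # fall back to the standard locations if the values are absent.
    $dir64 = "$env:SystemRoot\System32"
    $dir32 = "$env:SystemRoot\SysWOW64"
    if ($props.DllDirectory)   { $dir64 = [Environment]::ExpandEnvironmentVariables($props.DllDirectory) }
    if ($props.DllDirectory32) { $dir32 = [Environment]::ExpandEnvironmentVariables($props.DllDirectory32) }
    $dirs = @{ x64 = $dir64; x86 = $dir32 }

    foreach ($p in $props.PSObject.Properties) {
        # Skip PowerShell's provider metadata (PSPath etc.) and the two directory values.
        if ($p.Name -like 'PS*' -or $p.Name -like 'DllDirectory*') { continue }

        foreach ($arch in 'x64', 'x86') {
            $path = Join-Path $dirs[$arch] $p.Value
            if (-not (Test-Path -LiteralPath $path)) {
                [pscustomobject]@{ Arch = $arch; Name = $p.Value; Path = $path; Status = 'Missing'; Signer = $null; Sha256 = $null }
                continue
            }
            # Get-AuthenticodeSignature also resolves catalog signatures, which is how most
            # Windows system DLLs are signed (IsOSBinary is set for those).
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $signer = $null
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            [pscustomobject]@{
                Arch   = $arch
                Name   = $p.Value
                Path   = $path
                Status = $sig.Status
                Signer = $signer
                Sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
    }
}

# Anything in the KnownDLLs set that is not validly signed by Microsoft deserves a look.
$report = Get-KnownDllStatus
$report | Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notlike '*Microsoft*' } | Format-Table -AutoSize

# Baseline workflow (constructed path): export once on a clean host, diff on later runs.
# $report | Export-Clixml 'C:\baseline\knowndlls.xml'
# Compare-Object (Import-Clixml 'C:\baseline\knowndlls.xml') $report -Property Path, Sha256
```

    A hash mismatch or a signer outside Microsoft on an entry here is a stronger signal than on an ordinary DLL, because the KnownDLLs list is exactly the set that every new process maps without a search-path lookup.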
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,607
    Location:
    The Netherlands
    Yep, great article. Seems like Endgame has one of the best blogs, everything is explained clearly. All HIPS should be able to tackle these types of code injection methods, but not all of them do. Probably the best way is to simply block important processes from being modified. Think of all processes that are allowed to connect to the network and all system processes. Methods 1 to 6 should be easily stoppable, methods 7 to 9 are more difficult to detect. And method 10 isn't actually a code injection method, you can only perform API hooking after successfully injecting code, so it's the end-goal.

    Yes good point. But I really need a home user version of the Endgame HIPS, it looks awesome LOL.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,180
    Location:
    U.S.A.
    Endgame isn't a HIPS. It's a behavior blocker using the next-gen AI algorithms. In that regard, there are better solutions; namely CrowdStrike Falcon.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,084
    I bet it's too pricey for us mere mortals
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,180
    Location:
    U.S.A.
    AV-Comparatives did a stand-alone test of Endgame last month using its Real-World Protection test methodology: https://www.av-comparatives.org/endgame-2-3-11/

    Result was 99.5% detection w/5 false positives. These results put it in the top tier of signature based solutions.
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,502
    Location:
    U.S.A. (South)
    From @WildByDesign's link where things are spelled out clearly and in plain layman's terms in those selected demonstrations, it's not so unlike and quite the same techniques (although some might be different to meet compatibility with systems after Windows 98 used before on 32 bit Win 98).

    Is it any surprise that if you look at matters with some objectivity and a bit closer, that even today, M$ code and its internal branch layouts are no different than regrooving an old tire. They are using the same basics they regard as source with some modifications here and there but leave plenty of room for malware writers to make the most of that craft via the simplest of means if you ask me.

    So glad that this forum and its members seriously use their uncanny initiative to drill these points home on EXACTLY the why and where things happen as they do.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,607
    Location:
    The Netherlands
    Well, I don't really make a difference between HIPS and BB. But too bad that companies like Endgame, Invincea and CrowdStrike don't make consumer versions, that would be the ultimate dream LOL. From what I read Endgame is really on point, I would probably pick them over other companies.

    I really wonder how HIPS like SpyShelter and Comodo would fare against malware using these code injection methods, I'm afraid they will fail against many of them. It would also be interesting to see how AppGuard and MemProtect would perform. I'm guessing they would do better, because they simply block access to memory of certain processes.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,607
    Location:
    The Netherlands
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,180
    Location:
    U.S.A.
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,607
    Location:
    The Netherlands
    I'm not sure what you mean with this? HIPS/BB are already capable of automatically blocking API modification, without any user interaction.

    But to get back at code injection (which is needed to perform API hooking), I believe AppGuard and MemProtect have got the right approach. They can for example protect the browser against code injection by blocking memory access, so it doesn't matter which code injection method is being used. And they can also block the browser itself from modifying other processes, so if it gets exploited, it can't infect the rest of the system.

    Sandboxie will do the same because it blocks inter-process communication. And that's the problem with HIPS like SS and Comodo, they will alert about certain code injection methods, but they can't monitor them all. And even if they could, they would generate lots of alerts.
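    An added example, not part of the thread, of one building block a defender already has for the "protect the browser from injection" goal discussed in the post above: Windows' own per-executable mitigation policy, read and set with `Get-ProcessMitigation` / `Set-ProcessMitigation` (Windows 10 1709 or later assumed). `DisableExtensionPoints` stops legacy hook, AppInit and IME DLL loading into the process, `BlockRemoteImageLoads` refuses images from remote paths, `BlockDynamicCode` (ACG) stops the process from creating executable memory, and `MicrosoftSignedOnly` (Code Integrity Guard) refuses images not signed by Microsoft. This is policy applied to the target process, not the AppGuard/MemProtect-style blocking of memory access from other processes that the post describes; the cmdlet names and mitigation switches are real, the nested property names read from the policy object and the target executable name are assumptions.

```powershell
# Added example; not code from the thread or any product it mentions.
# Assumes Windows 10 1709+ (ProcessMitigations module) and an elevated shell for Set-.

function Get-InjectionMitigationState {
    param([Parameter(Mandatory)][string]$ExeName)   # e.g. 'firefox.exe' (constructed)

    # Returns NOTSET for each switch when no per-executable policy exists yet.
    $policy = Get-ProcessMitigation -Name $ExeName
    [pscustomobject]@{
        Executable             = $ExeName
        DisableExtensionPoints = $policy.ExtensionPoints.DisableExtensionPoints  # property path assumed
        BlockRemoteImageLoads  = $policy.ImageLoad.BlockRemoteImageLoads
        BlockDynamicCode       = $policy.DynamicCode.BlockDynamicCode
        MicrosoftSignedOnly    = $policy.SignedBinary.MicrosoftSignedOnly
    }
}

function Enable-InjectionMitigations {
    param(
        [Parameter(Mandatory)][string]$ExeName,
        # MicrosoftSignedOnly is left out of the default set on purpose: it also rejects the
        # browser vendor's own DLLs and any AV hook DLL that is not Microsoft-signed.
        [string[]]$Mitigations = @('DisableExtensionPoints', 'BlockRemoteImageLoads')
    )
    Set-ProcessMitigation -Name $ExeName -Enable $Mitigations
    Get-InjectionMitigationState -ExeName $ExeName   # show the resulting state
}

# Read-only audit of the current state (constructed target):
Get-InjectionMitigationState -ExeName 'firefox.exe' | Format-List

# Apply after testing the application with each switch; uncomment to run:
# Enable-InjectionMitigations -ExeName 'firefox.exe'
```

    The reason to add one switch at a time and test is the same one the thread keeps circling back to: legitimate software (AV hooks, accessibility tools, IMEs) loads into browsers through exactly the extension points these policies close.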
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,180
    Location:
    U.S.A.
    You have your coffee this morning? You posted a link to a utility process for manually selecting which API's should be monitored. It was this type of activity I was referring to.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,607
    Location:
    The Netherlands
    Yes, but it seems you don't understand what this tool is about. It's basically a banking trojan simulator. But instead of confusing you, I should have posted a link about an actual banking trojan, let's take Gozi as example, see first link.

    In the article you can read which API's it's trying to hook. So it's not needed to monitor "thousands" of API's. BTW, they tried to make Edge safer by blocking unsigned injections, FF and Chrome will also implement this, but apparently it's not bulletproof, see link number 2.

    https://securityintelligence.com/go...build-to-inject-into-windows-10-edge-browser/
    http://www.sekoia.fr/blog/microsoft-edge-binary-injection-mitigation-overview/
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,180
    Location:
    U.S.A.
    I would rate it "better than nothing" but a long way to go.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,607
    Location:
    The Netherlands
    Yes, but it will for sure raise the bar. BTW, I believe that HIPS that are capable of detecting API hooking, are also looking at if injected DLL's are signed or not. This way they know when to block or alert, because AV's often hook the browser, and you don't want to interfere with that.
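    An added example, not from the thread or any HIPS product named in it, of the signer-based check the post above attributes to HIPS: enumerate the DLLs loaded in every instance of a process and report those that are unsigned, have a broken signature, or are signed by a vendor outside an allow-list. The allow-list is constructed; it names Microsoft, the browser vendor and a placeholder for the AV vendor that legitimately hooks the browser, which is precisely why a plain "unsigned or not" test is not enough. Assumes Windows PowerShell 5.1 or later and a shell of the same bitness as the target, since a 64-bit shell cannot enumerate the modules of a 32-bit process.

```powershell
# Added example; not code from the thread. Assumes PowerShell 5.1+ on Windows.

function Get-UnexpectedModules {
    param(
        [Parameter(Mandatory)][string]$ProcessName,   # e.g. 'firefox' (constructed target)
        # Constructed allow-list of certificate Subject patterns; replace the AV placeholder.
        [string[]]$AllowedSigners = @('*O=Microsoft Corporation*',
                                      '*O=Mozilla Corporation*',
                                      '*O=YOUR-AV-VENDOR-HERE*')
    )
    $sigCache = @{}   # path -> signature result, so shared DLLs are verified once

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
        try { $modules = $proc.Modules } catch {
            # Typical causes: bitness mismatch or insufficient rights on a protected process.
            Write-Warning "PID $($proc.Id): cannot enumerate modules ($($_.Exception.Message))"
            continue
        }
        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $sigCache.ContainsKey($path)) {
                $sigCache[$path] = Get-AuthenticodeSignature -FilePath $path
            }
            $sig    = $sigCache[$path]
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

            $trusted = $false
            foreach ($pattern in $AllowedSigners) {
                if ($signer -like $pattern) { $trusted = $true; break }
            }

            # Report anything whose signature is not Valid, or whose signer is not on the list.
            if ($sig.Status -ne 'Valid' -or -not $trusted) {
                [pscustomobject]@{
                    PID    = $proc.Id
                    Module = $m.ModuleName
                    Path   = $path
                    Status = $sig.Status
                    Signer = $signer
                }
            }
        }
    }
}

Get-UnexpectedModules -ProcessName 'firefox' | Sort-Object Path -Unique | Format-Table -AutoSize
```

    Two caveats a practitioner would keep in mind: this sees only DLLs that appear in the loader's module list, so code written straight into memory (the reflective and hollowing-style methods in the survey) will not show up here, and a valid signature only tells you who signed the file, not that it belongs in the browser.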
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,180
    Location:
    U.S.A.
    They vary in degree of detection, with some only detecting global hooking explicitly via a rule option. However, most internally monitor all API's used in process memory modification activities.

    Some have default rules, many do not. I wouldn't make any assumptions in this regard; actual user test verification is needed.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,607
    Location:
    The Netherlands
    Not all HIPS have got the ability to detect API hooking, which is different from global hooking. For example, ESET doesn't have this ability. Tools like Trusteer, HMPA, Zemana and SpyShelter do have this ability, and that is what made them stand out, when they introduced this feature. But all of them of course don't alert about AV's that are legitimately hooking the browser, that's what I meant.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,180
    Location:
    U.S.A.
    Yes, it does. The difference is you can't monitor the API's individually. They are included in rule settings such as process debugging, event interception, and modification.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,607
    Location:
    The Netherlands
    I don't believe that's the same thing, can you post a screenshot of it?
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,180
    Location:
    U.S.A.
    Here's a detailed analysis of Win32/Gapz which probably remains the most advanced bootkit ever discovered: https://www.welivesecurity.com/wp-content/uploads/2013/04/gapz-bootkit-whitepaper.pdf

    What makes Gapz unique is its ability to bypass any HIPS monitoring of its activities including the detection of hooking API's you're so obsessed with. Gapz worked equally well on both x86 and x64 OS versions. It was stuff like this that prompted MS to create Secure Boot and related protections in Win 8/10.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,607
    Location:
    The Netherlands
    I'm not sure if it will be able to bypass all HIPS, but it sure is advanced as hell. But anyway, you didn't answer my question, can you post a screenshot of the behaviors that are being monitored by ESET? Because I really don't think it can detect API hooking.
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,180
    Location:
    U.S.A.
    I can't because its default HIPS rules are hidden and stored in such a way that only Eset techs can decipher them.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,607
    Location:
    The Netherlands
    OK I see. But like I said, the stuff that you mentioned is not the same as the ability to block/detect API hooking, after code injection has already taken place. And to get back at the article, a few notes: Only methods 1, 2 and 5 are common and sometimes used by legitimate tools. The others are mostly only being used by malware. Also, method 5 isn't that dangerous, it's often used by key-loggers but you can easily defeat them with keystroke encryption, as offered by KeyScrambler, SpyShelter and HMPA.
     