Malware Journey Day 14
Process Injection
The executable is being written into memory.
From infosec: “Process injection on the other hand is the injection of malicious code into a non-malicious process”
What immediately comes to mind is the WinAPI function OpenProcess. OpenProcess obtains a handle to the legitimate target process.
So setting a bp there is useful.
VirtualAllocEx takes the handle OpenProcess returned and allocates memory inside that process.
Next we need to set a bp at WriteProcessMemory or NtWriteVirtualMemory, which copies the payload into that allocated memory.
Finally we will do CreateRemoteThread. This runs the bad executable.
Basically all of these steps are loading and running an executable.
Overall:
OpenProcess(), VirtualAllocEx(), WriteProcessMemory(), and CreateRemoteThread()
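The four-call chain above, as an added example that is not from the original post: a small Python checker that reads a constructed API-call trace (the key=value line format is an assumption, not any real tool's output) and reports handles that were both written to and then used to start a remote thread. It treats NtWriteVirtualMemory as the native alias of WriteProcessMemory, which is the breakpoint the post mentions hitting, and tolerates a missing OpenProcess/VirtualAllocEx stage so a chain still shows up when those earlier breakpoints were skipped.

```python
import re
from dataclasses import dataclass, field, asdict
from typing import Optional

# Stage order of the injection chain described in the post.
STAGES = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")
# Native alias the post mentions hitting instead of the Win32 wrapper.
ALIASES = {"NtWriteVirtualMemory": "WriteProcessMemory"}

# Constructed trace lines (assumed format: pid=<caller> api=<name> <args...>).
TRACE = """\
pid=4120 api=OpenProcess dwProcessId=2288 dwDesiredAccess=0x1fffff handle=0x1a4
pid=4120 api=VirtualAllocEx hProcess=0x1a4 dwSize=0x1000 flProtect=0x40
pid=4120 api=NtWriteVirtualMemory hProcess=0x1a4 nSize=4
pid=4120 api=NtWriteVirtualMemory hProcess=0x1a4 nSize=0xffc
pid=4120 api=CreateRemoteThread hProcess=0x1a4 lpStartAddress=0x7ff6a0001000
pid=4120 api=CloseHandle hObject=0x1a4
pid=5532 api=OpenProcess dwProcessId=2288 dwDesiredAccess=0x400 handle=0x2c0
pid=5532 api=GetExitCodeProcess hProcess=0x2c0
""".splitlines()

KV = re.compile(r"(\w+)=(\S+)")


def to_int(s):
    """Accept decimal or 0x-prefixed hex, as the assumed tracer emits both."""
    return int(s, 16) if s.lower().startswith("0x") else int(s)


def parse_line(line):
    """Turn one 'key=value ...' trace line into a dict, normalising API aliases."""
    fields = dict(KV.findall(line))
    if "api" not in fields:
        return None
    fields["api"] = ALIASES.get(fields["api"], fields["api"])
    return fields


@dataclass
class Chain:
    caller: str                    # pid of the process making the calls
    handle: str                    # process handle the calls operate on
    target: Optional[str] = None   # pid passed to OpenProcess, if observed
    stages: list = field(default_factory=list)
    bytes_written: int = 0         # total across all write calls on the handle


def find_injection_chains(lines):
    """Return chains where one handle is written to and then used to start a thread."""
    chains = {}  # (caller pid, handle) -> Chain
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        api, caller = f["api"], f.get("pid")
        if api == "OpenProcess":
            handle = f.get("handle")
            if handle:
                chains[(caller, handle)] = Chain(caller, handle, f.get("dwProcessId"), ["OpenProcess"])
            continue
        if api not in STAGES:
            continue
        handle = f.get("hProcess")
        # setdefault: a handle first seen here means OpenProcess was not observed.
        chain = chains.setdefault((caller, handle), Chain(caller, handle))
        last = STAGES.index(chain.stages[-1]) if chain.stages else -1
        idx = STAGES.index(api)
        if idx < last:
            continue  # out of order for this chain; ignore
        if idx > last:
            chain.stages.append(api)
        if api == "WriteProcessMemory":
            chain.bytes_written += to_int(f.get("nSize", "0"))
    return [asdict(c) for c in chains.values()
            if "WriteProcessMemory" in c.stages and "CreateRemoteThread" in c.stages]


if __name__ == "__main__":
    for hit in find_injection_chains(TRACE):
        print(f"pid {hit['caller']} -> pid {hit['target']}: {' -> '.join(hit['stages'])}, "
              f"{hit['bytes_written']} bytes written")
```

The chain is keyed on the caller pid plus the process handle, so two processes opening the same target are tracked separately, and the second (benign) handle in the trace is never reported because nothing is written through it. The byte total is informational: the post's observation of a 4-byte write belongs to one call, while the chain as a whole wrote 4096 bytes through the same handle.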
The first breakpoint I hit is NtWriteVirtualMemory. I skipped OpenProcess and VirtualAllocEx.
From this WinAPI function I understand it is writing to memory (duh), so seeing 4 bytes of data being written is, for me, no cause to investigate any further.
Continuing this blog tomorrow.