
Process Injection Techniques - Gotta Catch Them All

Conference:  BlackHat USA 2019

2019-08-08

Summary

The presentation covers Conject, an open-source library for generating and testing Windows process injection attacks. The tool takes a mix-and-match approach, combining memory-write primitives with execution techniques and payloads, so that combinations not provided by existing tools can be generated and tested.
  • Conject is an open-source library for generating and testing process injection attacks
  • It takes a mix-and-match approach, combining different write primitives, execution techniques and payloads
  • The talk demonstrates several techniques, including stack bombing and a new memory-writing primitive
  • Conject provides a new, inherently safe execution technique (stack bombing)
  • The library lets users generate process injection attacks by combining any write primitive with any execution method
  • The talk stresses the importance of covering combinations that existing tools do not provide
The presentation includes a demo of Conject, showing its ease of use and effectiveness in injecting into both test and real-world applications, and emphasizes the mix-and-match approach as the tool's key feature.

Abstract

When it comes to process injection in Windows, there are only 6-7 fundamental techniques, right? That's what we thought in late 2018, when we started researching this area. Turned out we were way off the mark. We counted 20 techniques (so far…), which we had to collect, extract and analyze from many websites, blogs and papers. This in turn begged the question – where is that ultimate "Windows process injection" collection?

In this presentation, we provide the most comprehensive to-date "Windows process injection" collection of techniques - the first time such a resource is available that really covers all (or almost all) true injection techniques. We focus on Windows 10 x64, and on injections from a running 64-bit medium integrity process to another running 64-bit medium integrity process, without privilege elevation. We pay special attention to the new Windows protection technologies, e.g. CFG and CIG. We differentiate between memory write primitives and execution techniques, and discuss memory allocation strategies. Our collection is curated, analyzed, tabulated, with straightforward, research-grade PoCs. We tested each technique against Windows 10 x64 with and without protections, and we report on the requirements, limitations, and quirks of each technique.

And of course – no decent BlackHat presentation is complete without new attacks. We describe a new memory writing primitive which is CFG-agnostic. We describe a new "stack bombing" execution method (based on the memory write primitive above) that is inherently safe (even though overwriting the stack is a priori a dangerous and destabilizing action).

Finally, we provide a mix-and-match library of all write primitives and execution methods, so that process injection users can generate "tailor-made" process injections.
