Process Injection Techniques - Gotta Catch Them All

Conference: Defcon 27

2019-08-01

Summary

This presentation provides a comprehensive collection of process injection techniques for Windows 10 x64, focusing on injections from a running 64-bit medium integrity process into another running 64-bit medium integrity process, without privilege elevation. The presentation differentiates between memory write primitives and execution techniques, and discusses memory allocation strategies. The collection is curated, analyzed and tabulated, with research-grade PoCs. The presentation also introduces new attacks, including a new memory writing primitive which is CFG-agnostic and a new “stack bombing” execution method that is inherently safe. Finally, a library of all write primitives and execution methods is released, so users can generate “tailor-made” process injections.

  • There is no comprehensive collection or catalog of process injection techniques
  • True process injection is injecting code or logic from one live user space process into another live user space process
  • The presentation focuses on Windows 10 x64 and differentiates between memory write primitives and execution techniques
  • New attacks are introduced, including a new memory writing primitive which is CFG-agnostic and a new “stack bombing” execution method that is inherently safe
  • A library of all write primitives and execution methods is released

The presenters discovered that there was no comprehensive collection or catalog of process injection techniques, and no analysis or comparison of the various techniques that exist. They also found that the known techniques had not been updated for Windows 10: several are quite old, dating from the Windows XP days and the 32-bit architecture, and it was not clear whether they could be ported as-is to Windows 10 with its new security mechanisms and 64-bit architecture. This led them to conduct their own research and create a comprehensive collection of process injection techniques for Windows 10 x64.

Abstract

When it comes to process injection in Windows, there are only 6-7 fundamental techniques, right? Wrong. In this talk, we provide the most comprehensive to-date “Windows process injection” collection of techniques. We focus on Windows 10 x64, and on injections from a running 64-bit medium integrity process to another running 64-bit medium integrity process, without privilege elevation. We pay special attention to the new Windows protection technologies, e.g. CFG and CIG. We differentiate between memory write primitives and execution techniques, and discuss memory allocation strategies. Our collection is curated, analyzed, tabulated, with straightforward, research-grade PoCs. We tested each technique against Windows 10 x64 with and without protections, and we report on the requirements, limitations, and quirks of each technique. And of course – no decent DEF CON presentation is complete without new attacks. We describe a new memory writing primitive which is CFG-agnostic. We describe a new “stack bombing” execution method (based on the memory write primitive above) that is inherently safe (even though overwriting the stack is a priori a dangerous and destabilizing action). Finally, we release a library of all write primitives and execution methods, so users can generate “tailor-made” process injections.