For a long time now, malware has been using process injection as part of its infection or payload mechanisms. There are various reasons why the bad guys use process injection in their malware, including:
- attempting to evade client firewalls (for example, injection of downloading code into processes that will already be trusted through the firewall)
- hiding activity (making it harder for the user to notice, and therefore remove, a rogue process)
There are various ways of injecting code into other processes. In this post, I will share just a couple of the common methods we see malware use.
Perhaps the crudest method is for a malicious process to write a complete copy of itself into the memory space of the target process, and then run that code. Many downloader Trojans use this technique, as a way of attempting to bypass client firewalls.
A piece of malware analysed in the lab last week demonstrates this technique perfectly. When run, Troj/Agent-FVU does the following:
1. Create the host process, in this case launching a new instance of
svchost.exe (the legitimate system process).
2. Allocate a block of memory within the address space of this new
svchost.exe process. In this example the VirtualAllocEx() API was used.
3. Perform the memory write, writing the malicious code (copy of the Trojan, file size 22000h) into the virtual address space of
Looking at the virtual address space within
svchost.exe we can see copy of the malicious file written to memory (at 0x400000h):
4. Run the malicious code. There are several ways to achieve this. Most commonly CreateRemoteThread() or ResumeThread() constructs are used.
Several other pieces of malware use a slightly less blatant approach, achieving process injection in a more subtle way. The next example shows a technique that is frequently used by malware whose payload is delivered by a dropped malicious library (DLL). The Troj/Sers-Gen family demonstrate this method perfectly:
1. Drop DLL to disk (in this case
2. Enumerate processes, looking for target process (in this case
3. Allocate a block of memory within the address space of the target process and perform the memory write. Instead of writing code to be executed into the target process, just the path to the dropped DLL is written.
4. We can see the written data when we inspect the relevant address.
5. Finally, to run the malicious code (in this case, load the malicious library). Here, CreateRemoteThread() is used in order to load the malicious library via LoadLibrary().
Of course, there are several other techniques used by malware to run malicious code within other processes. This is one area where deployment of a quality client firewall can help. Aside from the regular firewalling of network traffic, several products, including the Sophos Client Firewall, actively block many of the process injection techniques used by malware.