Ashkan Hosseini described the ten technological injection processes: a technical overview of general and trend injection process methods. He provided screenshots for many of these methods to facilitate analysis of reverse design and malware, helping to identify and protect against these common methods.
1. One of the most common methods is the ‘CLASSICAL DLL-INJECTION THROUGH CREATEREMOTETHREAD AND LOADLIBRARY’.
2. ‘PORTABLE EXECUTABLE INJECTION (PE-INJECTION)’. This method is similar to other methods, such as reflexive DLL injection and a memory module, since they do not unload files onto the disk.
3. ‘TECHNOLOGICAL DETECTION (EXAMPLE, REPLACEMENT OF PROCESS AND RUNPE)’.
4. ‘CAPTURE OF PROJECT IMPLEMENTATION (AKA SUSPEND, INJECT AND RESUME (SIR))’. This method has some similarity with the previously considered excavation technology.
5. ‘HOOK INJECTION VIA SETWINDOWSHOOKEX’.
6. ‘INJECTION AND PRESERVATION BY REGISTRATION MODIFICATION (EXAMPLE, APPINIT_DLL, APPCERTDLLS, IFEO)’.
7. ‘INJECTION APC AND ATOMBOMBING’.
8. ‘IMPLEMENTATION OF THE ADDITIONAL MEMORY OF THE WINDOW (EWMI) THROUGH THE SETWINDOWLONG’. Like most other technologies mentioned above, malware must run the code that it wrote.
9. ‘INJECTION WITH USE OF GASKETS’.
10. ‘IAT HOOKING AND INLINE HOOKING (SO CALLED USERLAND RUTKITS)’.
Ashkan Hosseini examined methods that malware uses to hide its activity in another process. More information can be learned in his post. Defenders will never be “committed” in their mission to detect and prevent a hidden injection of the process, because opponents will never stop innovating.