Code Injection

• Code injection is very common with modern malware

• A built-in feature of Windows!
• VirtualAllocEx( ) and CreateRemoteThread( )
• SetWindowsHookEx( )
• Reflective injection loads code without registering with host process
• PowerShell-based reflective injection is very common

• Process hollowing is easy and stealthy

• Malware starts a suspended instance of legitimate process
• Original process code deallocated and replaced
• Can retain DLLs, handles, data, etc. from original process
• Process image EXE not backed with file on disk à process hollowing

1
Code Injection Detection

All injection aims to execute code in a target process

Mission: Identify extraneous code
1. Find DLLs introduced using the Windows loader (API)
• Audit loaded DLLs
• Includes DLL persistence hijacks and side-loading
2. Identify unusual executable memory locations
• Discover code not loaded via legitimate API calls
• Search memory for executable pages containing code
3. Uncover kernel and userland process inconsistencies
• Permission changes, file mapping issues, pointer modifications
• Compare hard to change (kernel) with easy to change (userland)
2
Code Injection Detection Tools

Volatility
ldrmodules Detect unlinked DLLs and non-memory-mapped files

malfind Find hidden and injected code and dump affected memory sections

hollowfind (Vol2) Identify a wide range of process hollowing artifacts

ptemalfind (Vol3) Upgraded version of malfind using page tables to detect injection

MemProcFS
findevil Plugin used to identify a suite of process inconsistencies

Live Analysis
Moneta Usermode memory scanner for process injection anomalies

Hollows Hunter Usermode scanner using pe-sieve implant detection

3
Simple DLL Injection: Attach and Allocate

1 2

5
Simple DLL Injection: Execute

6
1. Find DLLs introduced using the Windows API

• Code injected using API libraries is often present in PEB and VAD lists
• The Volatility ldrmodules plugin blends information from both
• It is normal for process executable to not be tracked in the InInit list
7
Reflective Code Injection

• Advanced technique to perform arbitrary code

execution without explicitly calling LoadLibrary
• Uses a custom reflective loader instead of Windows loader
• Code is not registered in any way with the host
system, making it very difficult to detect
• Bonus: code can be injected directly from network/memory
• Used by many advanced adversary toolkits
• Metasploit, Cobalt Strike, PowerSploit, Empire, DoublePulsar
• Memory analysis is well suited for detection
9
2. Identify Unusual Executable Memory Locations

Memory section Memory section Memory section

with “Execute” not backed with a contains code (PE
permissions file on disk file or shellcode)

10
Detecting Code Injection: windows.malfind.Malfind

Purpose
• Scans process memory sections looking for indications of code
injection. Identified sections can be extracted for further analysis.

Important Parameters
• Directory to save extracted files (--dump)
• Show information for specific process IDs (--pid)

Investigative Notes
• Significantly outclassed by new malware, but surprisingly effective
• Useful to understand the challenges of injection detection
• False positives occur and disassembled code is a helpful sanity check
• You might see multiple injected sections within the same process
• Dumped sections can be reverse engineered or scanned with A/V
11
Detecting Code Injection: malfind (Meterpreter)

13
Detecting Code Injection: malfind (No MZ)

Well-known
assembly code
prologue present in
an injected memory
section (also note
lack of MZ header)
15
Detecting Code Injection: malfind (False Positive)

Assembly does not

appear to represent
real code—potential
false positive (also
note the lack of the
MZ header)
16
Innovations in Code Injection

• New forms of injection are designed to defeat detection

• Header modification, clearing, and mirroring
• Permission modifications to eliminate suspicious RWX
• Process Environment Block modifications and masquerading
• Module overwriting, hollowing, and patching
• Best defense: ID and extraction of suspicious pages
1. Strings, YARA signature scans, antivirus
2. Have a reverse engineer validate the code
• Simple detections like orphan processes and unusual
parent processes are also commonly associated
17
Understanding Process Memory
• Shareable/Mapped
Kernel Memory • Shared between other processes and DLLs
(Restricted)
• Mapped data files
PEB

DLL • Image Mapped

DLL • EXE or DLL loaded by the image loader
• VAD Type: VadImageMap
DLL

EXE
• Private
Heap • Application Data
• Stack and Heap
Stack

19
MemProcFS FindEvil Detections

Process Irregularities:
PROC_NOLINK Process not in the EPROCESS doubly-linked list

PROC_PARENT Unexpected parent for process (limited checks on well-known processes)

PROC_USER Process token indicates unexpected user account context

Unusual Memory Pages:

PE_INJECT DLL/EXEs files present not mapped to “image” memory

NOIMAGE_RWX/RX Executable pages present not mapped to “image” memory

PRIVATE_RWX/RX Executable pages present in private process memory (data, stacks, heaps)

21
MemProcFS FindEvil Example (Emotet)

PhoneCallHistoryApis.exe has multiple suspicious

memory locations
• PE_Patched is a false positive
• (4) RWX pages not in image memory
• (1) RX page not in image memory

23
3. Uncover Kernel and Userland Process Inconsistencies

24
Uncovering Process Inconsistencies: windows.ldrmodules
Purpose
• DLLs are tracked in three different linked lists in the PEB for each
process. Code injection attacks often leave DLLs unlinked. This
Volatility plugin queries each list and displays the results for comparison.

Important Parameters
• Show information for specific process IDs (--pid)

Investigative Notes
• DLLs loaded via the legit Windows API will be present in all three lists
• Common false positives:
• The process executable will not be present in the "InInit" list
• Non EXE/DLL files present in image mapped memory (.fon, .mui, .winmd)
• Some legit DLLs can be present in process memory without being loaded
• Volatility 3 often marks SysWOW64 DLLs as not loaded
• Missing "MappedPath" information is another a sign of injection
25
ldrmodules Data Sources

svchost.exe
svchost.exe

26
Detecting Code Injection: ldrmodules (Stuxnet)

Two suspicious regions identified within lsass.exe

• Memory section 0x80000 is not present in any of the three PEB lists and
not mapped to disk (sign of code injection)
• Memory section 0x1000000 should be the executable, but is not mapped
to disk (sign of process hollowing)
27
MemProcFS FindEvil Detections (1)

Irregularities
PROC_NOLINK Process not in the EPROCESS doubly-linked list

Process
PROC_PARENT Unexpected parent for process (limited checks on well-known processes)

PROC_USER Process token indicates unexpected user account context

Memory Pages Inconsistencies

PE_INJECT DLL/EXEs files present in non-image memory pages

Unusual
NOIMAGE_RWX/RX Executable pages present not mapped to a DLL/EXE location

PRIVATE_RWX/RX Executable pages present in private process memory (data, stacks, heaps)

Image binary path mismatch in PEB and VAD (indicates PEB

PEB_MASQ

Kernel/PEB
modification)
PE_NOLINK DLL present in VAD, but not linked in PEB lists. High false positives.

PE_PATCHED DLL modified after load time. Many false positives in 32-bit and JIT code

28
MemProcFS FindEvil Detections (2)
• A DLL hollowing attack in sdev.exe (unlinked DLL in PEB)
• notepad.exe shows evidence of reflective injection

29
MemProcFS FindEvil Next Steps

• Suspicious memory can be the final clue that a

process is bad and the system is compromised
• Cross-reference with process details and network activity
• Document virtual addresses and VAD paths
• Extract corresponding memory section(s)
• files and vmemd folders
• Include page file, if possible
• Analyze offline
• Malware scans, reversing

30
MemProcFS FindEvil False Positives

31
Look for Evidence of Code Injection Review
• Code injection is a very popular means for malware to
hide and launder its activities
• Three common injection methods are:
• Simple DLL Injection
• Reflective Code Injection
• Process Hollowing
• Identifying processes with injected memory sections is
difficult in disk-based forensics, but much more feasible
using memory analysis
• ldrmodules shows evidence of unlinked/unmapped DLLs
• malfind identifies and dumps suspicious memory sections and processes
• MemProcFS findevil detects a large number of common and advanced
injection techniques
32