Malware & Threats

New Windows Process Injection Can Be Useful for Stealthy Malware

Researchers at SafeBreach, a cybersecurity firm that specializes in breach and attack simulations, have catalogued most of the known Windows process injection techniques. They also discovered a new method, which they say is stealthy and bypasses all of the relevant protections Microsoft has implemented in Windows 10.

Process injection lets malware run code of its choosing inside a legitimate process: the injected code executes in that process's context, under its name and with its privileges. Malware uses it to blend in with trusted activity, to evade security mechanisms that trust the host process, and to reach resources the host process can access.

Itzik Kotler, co-founder and CTO of SafeBreach, and Amit Klein, the firm’s VP of security research, have summarized and tested two dozen known process injection techniques. For each technique, their research records whether it is stable, what its prerequisites and limitations are, and which Windows APIs it relies on. While some of the techniques are theoretical, others have been observed in malware in the wild.

The experts decided to take on this task after being unable to find a resource that lists all known process injection techniques. They tested all of the techniques on a Windows 10 x64 machine against 64-bit processes.

It’s worth noting that Windows 10 includes several process mitigation policies designed to hinder process injection, including Control Flow Guard (CFG), Dynamic Code Security (which prevents a process from creating or modifying executable memory), the Binary Signature policy (which restricts which images the process may load), and the Extension Point Disable policy (which blocks legacy DLL-loading hooks such as AppInit DLLs).
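The following is an added example, not code from the article or from SafeBreach's research: it uses the Windows Defender Exploit Guard cmdlets that ship with Windows 10 (version 1709 and later) to inspect and then enable, for one target binary, the four mitigation policies named above. The target name (notepad.exe) is an assumption; substitute the process you want to harden. The `Set-ProcessMitigation` call needs an elevated session and only affects instances started after the change.

```powershell
# Added example (not from the article or SafeBreach): per-process mitigation policies
# in Windows 10, queried and then enabled with the Exploit Guard cmdlets.
# Assumption: the target binary is notepad.exe; replace it with the process you care about.
$Target = 'notepad.exe'

# Before: show the current per-process settings. Where no override exists, the
# system-wide defaults (Get-ProcessMitigation -System) apply.
Get-ProcessMitigation -Name $Target

# After: enable the four policies the article names. Mapping to the article's terms:
#   CFG                    -> Control Flow Guard (only protects images compiled with CFG;
#                             StrictCFG additionally refuses to load DLLs built without it)
#   BlockDynamicCode       -> Dynamic Code Security / Arbitrary Code Guard: the process can
#                             no longer allocate RWX pages or flip writable pages to
#                             executable, so injected shellcode cannot be made runnable
#   MicrosoftSignedOnly    -> Binary Signature policy: only Microsoft-signed images may load
#   DisableExtensionPoints -> Extension Point Disable policy: AppInit DLLs, IMEs, Winsock
#                             LSPs and window-hook DLLs are not loaded into the process
Set-ProcessMitigation -Name $Target -Enable CFG,BlockDynamicCode,MicrosoftSignedOnly,DisableExtensionPoints

# Verify the override was recorded (re-run after launching a fresh instance of the target).
Get-ProcessMitigation -Name $Target

# Roll back: remove every per-process override for the target and fall back to system defaults.
# Set-ProcessMitigation -Name $Target -Remove
```

Two caveats a practitioner would want. First, MicrosoftSignedOnly breaks any program that loads third-party DLLs, and BlockDynamicCode breaks JIT engines and some plugins, so stage the change with the audit variants (AuditMicrosoftSigned, AuditDynamicCode) and review the resulting Event Log entries before enforcing. Second, these policies raise the bar but do not close the gap the article describes: by the researchers' account, four of the tested techniques, StackBomber among them, still work with all of them enabled, so the policies belong alongside detection of injection behaviour rather than in place of it.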

In an interview ahead of their presentation at the Black Hat cybersecurity conference in Las Vegas, Kotler and Klein told SecurityWeek that only two of the tested techniques failed completely because of Windows 10’s protections, while four of them, including the one they identified, worked regardless of the level of protection. The remaining techniques may or may not work depending on which protections are enabled.

According to the researchers, the injection techniques that do bypass Windows’ protection mechanisms are typically aggressive and therefore easier to detect. The new technique they found, dubbed StackBomber, is said to be much stealthier, which makes it more valuable to attackers, and it does not require elevated privileges to work.


A process injection typically combines a memory-writing primitive (getting the payload into the target process) with an execution primitive (getting the target to run it). StackBomber is described as a new execution technique, and it works well in combination with a new memory-writing technique that Kotler and Klein also discovered.

Microsoft does not view process injection methods as vulnerabilities and, as such, they are not covered by its bug bounty programs. The SafeBreach researchers told SecurityWeek that they reported their findings to the tech giant, but, as expected, it will not take any immediate action to address StackBomber.

SecurityWeek has reached out to Microsoft for comment and will update this article if the company responds.

SafeBreach has made available all of the proofs of concept (PoCs) it used during its research, and has released an open source framework named PINJECTRA that allows users to build their own process injections from these primitives.

The company is aware that its findings could be abused by malicious actors, but says its goal is to help the community, particularly companies specializing in client protection, which can incorporate defenses into their products.

UPDATE. Microsoft has provided SecurityWeek the following statement: Microsoft has a strong commitment to security and will take appropriate action as needed to help keep customers protected.

Related: Hackers Can Abuse Text Editors for Privilege Escalation

Related: Online Sandbox Services Used to Exfiltrate Data

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
