Introduction
Remote process injection is a core technique in both offensive security (red teaming) and malware development. The textbook version opens the target with PROCESS_ALL_ACCESS and then allocates, writes and executes memory there. The research summarized here goes the other way: with only PROCESS_CREATE_THREAD and PROCESS_QUERY_LIMITED_INFORMATION on the target, an attacker can still create a thread at an address of their choosing with a single argument of their choosing, and the cited work builds code execution from that primitive without ROP gadgets. This article walks through the Native API calls involved, what each access right does and does not permit, and how defenders see the result.
Learning Objectives
- Understand how to inject code into remote processes with restricted permissions.
- Learn Native API calls for bypassing security controls.
- Explore real-world applications for red teaming and defensive hardening.
1. Minimal Process Access Requirements
Verified Command (Windows API):
HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_LIMITED_INFORMATION, FALSE, targetPID);
Step-by-Step Guide:
1. Call `OpenProcess` with exactly these two rights (0x0002 | 0x1000) to obtain a handle to the target process. PROCESS_CREATE_THREAD is the right the kernel checks when a thread is created in the process; PROCESS_QUERY_LIMITED_INFORMATION is the right most processes grant even to low-privilege callers and is enough to read exit codes and image names.
2. A handle with this mask does not match detections that key on PROCESS_ALL_ACCESS or on the PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ combination that classic CreateRemoteThread injection requests. The flip side is that the same handle cannot allocate, write or read target memory, so every later step has to work with what is already mapped in the target.
3. Validate the handle with `hProcess != NULL`; `OpenProcess` returns NULL on failure, and `GetLastError()` reports ERROR_ACCESS_DENIED (5) when the target's DACL or protection level refuses the requested rights.
2. Native API for Thread Creation
Verified Snippet:
NtCreateThreadEx(&threadHandle, GENERIC_ALL, NULL, hProcess, (LPTHREAD_START_ROUTINE)payloadAddress, NULL, FALSE, 0, 0, 0, NULL);
Explanation:
- `NtCreateThreadEx` is exported by ntdll.dll but not declared in the SDK headers, so it is resolved at runtime with `GetProcAddress` on ntdll and called through a function pointer. Its parameters are, in order: the output thread handle, the desired access, object attributes, the process handle, the start routine, one argument for the routine, create flags, zero bits, stack size, maximum stack size and an attribute list. The kernel checks only PROCESS_CREATE_THREAD on `hProcess`; PROCESS_VM_OPERATION is not required.
- The sixth argument (NULL above) is the one pointer-sized value the new thread receives in RCX, so the call is a "call this address with this argument" primitive. Create flags of 0 (the FALSE above) start the thread immediately; THREAD_CREATE_FLAGS_CREATE_SUSPENDED (0x1) would create it suspended.
- `payloadAddress` must already be valid in the target. With the minimal handle from section 1 there is no way to allocate or write memory there, so the address has to be an existing function the attacker can resolve (system DLLs share a base across processes within a boot session); that is the starting point of the cited Primitive Injection research. Allocating shellcode with VirtualAllocEx, as the next section shows, needs additional rights.
3. Shellcode Allocation with Low Privileges
Verified Command:
LPVOID remoteBuffer = VirtualAllocEx(hProcess, NULL, payloadSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
Steps:
1. Allocate memory in the target with `VirtualAllocEx`. Note the cost: this call requires PROCESS_VM_OPERATION on `hProcess`, so it fails with ERROR_ACCESS_DENIED on the minimal handle from section 1. If you take this route, the handle must be opened with PROCESS_VM_OPERATION as well, and "low privileges" already means more than the two rights in the title.
2. Write the shellcode with `WriteProcessMemory`, which additionally requires PROCESS_VM_WRITE (together with PROCESS_VM_OPERATION). Requesting PAGE_EXECUTE_READWRITE up front is itself a common detection signal; allocating read-write and switching to execute-read with `VirtualProtectEx` after the write is the quieter pattern, though that call needs PROCESS_VM_OPERATION too.
3. Queuing an APC (`QueueUserAPC`) is not an "indirect write": it writes nothing, needs a thread handle with THREAD_SET_CONTEXT, and delivers the same "call a function with one argument" primitive that `NtCreateThreadEx` gives. Avoiding PROCESS_VM_WRITE therefore means avoiding shellcode writes altogether and executing code that is already present in the target, which is the path the minimal-rights approach takes.
4. Bypassing API Hooks
Verified Technique:
Direct syscall invocation via assembly (x64 stub, mirroring what ntdll's own Nt* export contains; it must live in executable memory):
    mov r10, rcx
    mov eax, SSN_NtCreateThreadEx
    syscall
    ret
Why It Works:
- EDR user-mode hooks sit at the start of the Nt* export in ntdll.dll (typically a `jmp` into the EDR's DLL). Executing an equivalent stub from your own memory never touches that export, so the hook never runs.
- The SSN (System Service Number) changes between Windows builds, so it must be fetched at runtime rather than hard-coded: read it from the `mov eax, imm32` at offset 4 of the unhooked export, or, when that export is hooked, derive it from neighboring unhooked stubs.
- Caveat: this evades only user-mode hooks. The kernel still runs its thread-creation callbacks (PsSetCreateThreadNotifyRoutine) for the new thread, so a driver-based sensor sees a direct-syscall NtCreateThreadEx exactly as it sees the ordinary one.
5. Defensive Mitigations
Verified Detection (PowerShell):
Get-Process | Where-Object { $_.Threads.Count -gt 20 } | Select-Object Id, Name
Action:
- Treat the thread-count query above as first triage only: many legitimate processes run far more than 20 threads, and an injected thread adds exactly one. The stronger signal is a thread whose start address is not backed by a mapped image, or a remote thread whose source process has no business touching the target. Sysmon Event ID 8 (CreateRemoteThread) records source image, target image, start address, start module and start function for every remote thread, and because it is fed by a kernel callback it is not blinded by the direct syscalls of section 4.
- PROCESS_QUERY_LIMITED_INFORMATION cannot be restricted through Group Policy. Who may open a process with a given right is decided by the DACL on the process object, and the limited-information right is deliberately granted broadly. What does close the door is running sensitive processes as Protected Process Light (PPL): callers outside the protection hierarchy are limited to PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_SET_LIMITED_INFORMATION, PROCESS_TERMINATE and PROCESS_SUSPEND_RESUME, so PROCESS_CREATE_THREAD is refused and the primitive in section 2 is unavailable. For LSASS this is the RunAsPPL setting.
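As an added example that is not part of the original post, the following PowerShell function scores Sysmon Event ID 8 records the way the mitigation above describes: a remote thread whose start address has no backing module is treated as injected code, and a remote thread aimed at a one-argument loader export is treated as the NtCreateThreadEx primitive from section 2. The three records are constructed for this example in the XML shape that Get-WinEvent's ToXml() produces (field names follow Sysmon's event schema; the paths, PIDs and addresses are made up), and the two rules are a practitioner heuristic, not a vendor signature.

```powershell
# Added example (not from the original post). Sysmon Event ID 8 comes from a kernel
# thread-creation callback, so it records a remote thread whether it was made with
# CreateRemoteThread, NtCreateThreadEx or a direct syscall. The records below are
# constructed for this example in the XML shape Get-WinEvent's ToXml() produces.
$sampleXml = [xml]@'
<Events>
  <Event><System><EventID>8</EventID></System><EventData>
    <Data Name="SourceImage">C:\Users\lab\Desktop\inject.exe</Data>
    <Data Name="SourceProcessId">4212</Data>
    <Data Name="TargetImage">C:\Windows\System32\notepad.exe</Data>
    <Data Name="TargetProcessId">5180</Data>
    <Data Name="StartAddress">0x000001F4A3C20000</Data>
    <Data Name="StartModule"></Data>
    <Data Name="StartFunction"></Data>
  </EventData></Event>
  <Event><System><EventID>8</EventID></System><EventData>
    <Data Name="SourceImage">C:\Users\lab\Desktop\inject.exe</Data>
    <Data Name="SourceProcessId">4212</Data>
    <Data Name="TargetImage">C:\Windows\System32\notepad.exe</Data>
    <Data Name="TargetProcessId">5180</Data>
    <Data Name="StartAddress">0x00007FFB1C2A2FD0</Data>
    <Data Name="StartModule">C:\Windows\System32\kernel32.dll</Data>
    <Data Name="StartFunction">LoadLibraryW</Data>
  </EventData></Event>
  <Event><System><EventID>8</EventID></System><EventData>
    <Data Name="SourceImage">C:\Program Files\WinDbg\windbg.exe</Data>
    <Data Name="SourceProcessId">3300</Data>
    <Data Name="TargetImage">C:\Windows\System32\notepad.exe</Data>
    <Data Name="TargetProcessId">5180</Data>
    <Data Name="StartAddress">0x00007FFB1E3B5C60</Data>
    <Data Name="StartModule">C:\Windows\System32\ntdll.dll</Data>
    <Data Name="StartFunction">DbgUiRemoteBreakin</Data>
  </EventData></Event>
</Events>
'@

function Get-SuspiciousRemoteThreads {
    param([xml]$Events)
    # Loader exports an injector commonly aims a remote thread at: each takes exactly one
    # pointer-sized argument, which is all NtCreateThreadEx lets the caller pass.
    $loaderPrimitives = 'LoadLibraryA', 'LoadLibraryW', 'LoadLibraryExA', 'LoadLibraryExW'
    foreach ($ev in $Events.Events.Event) {
        # Flatten <Data Name="X">value</Data> pairs into a hashtable.
        $f = @{}
        foreach ($item in $ev.EventData.Data) { $f[$item.GetAttribute('Name')] = [string]$item.'#text' }
        $reasons = @()
        if (-not $f['StartModule']) {
            # Sysmon leaves StartModule empty when no mapped image backs the start address.
            $reasons += 'start address not backed by any mapped image (injected code)'
        }
        if ($f['StartFunction'] -in $loaderPrimitives) {
            $reasons += "start function $($f['StartFunction']) is a one-argument loader primitive"
        }
        [pscustomobject]@{
            Source     = Split-Path -Leaf $f['SourceImage']
            Target     = Split-Path -Leaf $f['TargetImage']
            StartAddr  = $f['StartAddress']
            StartFunc  = if ($f['StartFunction']) { $f['StartFunction'] } else { '(none)' }
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

Get-SuspiciousRemoteThreads -Events $sampleXml | Format-Table -AutoSize

# Live data: wrap each event's XML in one root element and feed it to the same function.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 8 }
# Get-SuspiciousRemoteThreads -Events ([xml]('<Events>' + (($live | ForEach-Object { $_.ToXml() }) -join '') + '</Events>'))
```

On the constructed input the first two records come out Suspicious = True (unbacked start address; LoadLibraryW start function) and the debugger attach (ntdll!DbgUiRemoteBreakin) comes out False, which is the distinction the thread-count query cannot make. Both rules survive the hook bypass from section 4 because the event is produced in the kernel, not by the hooked ntdll export.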
What Undercode Say
- Key Takeaway 1: Minimal permissions reduce detection likelihood but require deeper API knowledge.
- Key Takeaway 2: Native API and syscalls are the future of evasion as EDR improves.
Analysis:
The shift toward low-permission exploitation reflects the cat-and-mouse game between attackers and defenders. Techniques like these will dominate advanced malware campaigns, necessitating kernel-mode detection enhancements. Defenders must prioritize syscall monitoring and process behavior analytics over signature-based tools.
Prediction
Within 2 to 3 years, expect widespread adoption of hardware-assisted defenses (e.g., Intel CET shadow stacks) alongside kernel-level sensors to counter these methods. Offensive tools will respond with hypervisor-level evasion, escalating the arms race.
For the original research, see Thanos Tserpelis's post and Primitive Injection.
Reported By: Sektor7 Institute – Hackers Feeds