Malware authors are always looking for new ways to achieve code injection. By using such techniques, a malware can run itself as another legitimate process on the system.
This is done for a few reasons which include:
• To hide the malware presence in the operation system
• To use other process context (for example, to bypass an application firewall)
• To mine data from the process (for example, form grabbing in browsers)
In general, by using such techniques, the malware writes part of its code in a remote process memory, and then causes the remote process to execute the injected malicious code.
Achieving code injection is becoming more and more challenging as traditional techniques are now widely detected by various security solutions. I found a new injection-less method to inject code to a remote process.
In this method I don’t use any of the known methods to inject code. To achieve the injection-less injection the remote process is made to read data from the injecting process by calling ReadProcessMemory. This code injection works only on x86_64 architecture.
In addition to this method, I found another way to copy data in the remote process. By copying data inside the remote process, I can recreate a shellcode from the injecting process. The second method should work on x86 and x86_64 architectures.