Malware authors are always looking for new ways to achieve code injection. By using such techniques, malware can run itself as another legitimate process on the system.
This is done for a few reasons, which include:
• To hide the malware's presence in the operating system
• To use another process's context (for example, to bypass an application firewall)
• To mine data from the process (for example, form grabbing in browsers)
In general, by using such techniques, the malware writes part of its code into a remote process's memory, and then causes the remote process to execute the injected malicious code.
Achieving code injection is becoming more and more challenging as traditional techniques are now widely detected by various security solutions. I found a new injection-less method to inject code into a remote process.
In this method I don't use any of the known methods to inject code. To achieve the injection-less injection, the remote process is made to read data from the injecting process by calling ReadProcessMemory. This code injection works only on the x86_64 architecture.
In addition to this method, I found another way to copy data in the remote process. By copying data inside the remote process, I can recreate a shellcode from the injecting process. The second method should work on both x86 and x86_64 architectures.
Alon Weinberg is a security researcher at Deep Instinct. Before Alon joined Deep Instinct two years ago, he served in the IDF for 4.5 years in an elite cyber unit as a security researcher. As part of his role in Deep Instinct, Alon is in charge of finding new ways to enhance protection and defense mechanisms. Alon leverages his cyber-offense experience and OS internals knowledge to conduct malware analysis and RE, explore attack surfaces in Windows and macOS, and research existing or new attack vectors and evasion techniques. Alon is addicted to cross-fit and enjoys riding his motorcycle during his free time.