Process Injection Techniques - Gotta Catch Them All

Black Hat USA 2019

Presented by: Amit Klein, Itzik Kotler
Date: Thursday August 08, 2019
Time: 11:00 - 11:50
Location: South Seas CDF

When it comes to process injection in Windows, there are only 6-7 fundamental techniques, right? That's what we thought in late 2018, when we started researching this area. Turned out we were way off the mark. We counted 20 techniques (so far…), which we had to collect, extract and analyze from many websites, blogs and papers. This in turn begged the question – where is that ultimate "Windows process injection" collection?

In this presentation, we provide the most comprehensive to-date "Windows process injection" collection of techniques - the first time such a resource has been available that really covers all (or almost all) true injection techniques. We focus on Windows 10 x64, and on injections from a running 64-bit medium-integrity process into another running 64-bit medium-integrity process, without privilege elevation. We pay special attention to the new Windows protection technologies, e.g. CFG and CIG. We differentiate between memory write primitives and execution techniques, and discuss memory allocation strategies. Our collection is curated, analyzed, and tabulated, with straightforward, research-grade PoCs. We tested each technique against Windows 10 x64 with and without protections, and we report on the requirements, limitations, and quirks of each technique.

And of course – no decent BlackHat presentation is complete without new attacks. We describe a new memory writing primitive which is CFG-agnostic. We describe a new "stack bombing" execution method (based on the memory write primitive above) that is inherently safe (even though overwriting the stack is, a priori, a dangerous and destabilizing action).

Finally, we provide a mix-and-match library of all write primitives and execution methods, so that process injection users can generate "tailor-made" process injections.

Itzik Kotler

Itzik Kotler is the CTO and Co-Founder of SafeBreach. Itzik has more than a decade of experience researching and working in the computer security space. He is a recognized industry speaker, having spoken at DEFCON, Black Hat USA, Hack In The Box, RSA, CCC and H2HC. Prior to founding SafeBreach, Itzik served as CTO at Security-Art, an information security consulting firm, and before that he was SOC Team Leader at Radware (NASDAQ: RDWR).

Amit Klein

Amit Klein is a world-renowned information security expert, with 28 years in information security and over 30 published technical and academic papers on this topic. Amit is the VP Security Research at SafeBreach, responsible for researching various infiltration, exfiltration and lateral movement attacks. Before SafeBreach, Amit was the CTO for Trusteer (acquired by IBM) for 8.5 years. Prior to Trusteer, Amit was chief scientist for Cyota (acquired by RSA) for 2 years, and prior to that, director of Security and Research for Sanctum (acquired by Watchfire, now part of IBM's security division) for 7 years. Amit has a B.Sc. from the Hebrew University in Mathematics and Physics (magna cum laude, Talpiot program), was recognized by InfoWorld as a CTO of the Year in 2010, and has presented at BlackHat USA, DefCon, NDSS, InfoCom, DSN, HITB, RSA, OWASP, CertConf, BlueHat, CyberTech, APWG and AusCERT.

