Lets continue where we left off
The simplest form of this attack involves forcing a process to load a new DLL (Dynamic Link Library). Traditional detection tools, like Volatility’s dlllist or ldrmodules, can easily spot this. However, as security tools got better at detecting it, attackers evolved, developing more advanced techniques that try to bypass these detections.
But here’s the catch—no matter how stealthy an attack is, it always leaves behind clues. The key to forensic investigation is finding those clues.
How to Detect Code Injection
Most code injection techniques follow a common three-step pattern. Even advanced variants like reflective DLL injection share similar traits. The trick is to look at the process’s memory structures, particularly the VAD (Virtual Address Descriptor) tree, which keeps track of all memory sections.
Here’s the step-by-step process to detect injected code:
Check Memory Permissions – One of the biggest red flags in process memory is a section with PAGE_EXECUTE_READWRITE permissions. Normally, memory sections shouldn’t be both writable and executable—it’s a dangerous combination that allows injected code to be written and executed.
Verify If the Memory Section Is Mapped to a File – On Windows, legitimate code (DLLs, EXEs) is loaded from disk. If a memory section is executable but isn’t mapped to a file, that’s highly suspicious.
Confirm the Presence of Executable Code – Just because a memory section looks suspicious doesn’t mean it’s necessarily malware. Some legitimate applications (like .NET or JIT compilers) have memory pages with unusual permissions. To confirm if the injected code is truly malicious, forensic tools check for actual executable content like a Portable Executable (PE) file or shellcode.
-------------------------------------------------------------------------------------------------------------
Using Volatility to Detect Code Injection
Luckily, you don’t have to manually go through every memory section. Tools like Volatility’s malfind plugin and MemProcFS findevil automate this process. These tools scan process memory for suspicious sections and provide easy-to-read output for analysts.
How malfind Works
The malfind plugin scans memory and looks for sections that:
Have executable permissions
Are not mapped to a file on disk
Contain actual executable code
If it finds a match, it flags the section for further review. With the --dump option, malfind can even extract these sections so they can be analyzed further using tools like IDA Pro, YARA, or an antivirus scanner.
Example command:
python3 vol.py -f /mnt/c/Users/Akash\'s/Downloads/solarmarker/solarmarker.img windows.malfind > /mnt/c/Users/Akash\'s/Downloads/malfind.txt---------------------------------------------------------------------------------------------------------
Giving you hint which make your analysis easier
When you run malfind and found EBP and ESP it often indicates that some part of the memory that is traditionally not executable (such as the stack) now contains executable code.
----------------------------------------------------------------------------------------------------------
Advanced Detection Techniques
While malfind is a great first step, attackers have developed methods to bypass it by modifying memory markers. Here are additional techniques that can help:
YARA rules – Custom rules to scan memory dumps for known malware patterns
Strings analysis – Looking for suspicious keywords inside dumped memory sections
Behavioral monitoring – Watching for unusual process behavior (e.g., svchost.exe spawning a reverse shell)
----------------------------------------------------------------------------------------------------------
Evolution of Code Injection
Volatility’s malfind becoming effective at detecting reflective injection. However, attackers countered by cleaning up after themselves.
For instance, the CoreFlood botnet cleared the first page (4096 bytes) of the loaded DLL to evade detection. Similarly, groups like APT29 (Russia) and APT32 (Vietnam) use Cobalt Strike payloads that erase their headers post-execution. Winnti RAT, linked to a Chinese nation-state group, adopts similar evasion strategies.
Detecting Stealthier Code Injections
To counter these sophisticated injection methods, analysts must go deeper. Memory dumping helps identify obfuscated code:
Volatility malfind’s --dump option: Extracts suspicious memory sections for further analysis.
String Analysis & YARA Rules: Identifies patterns in dumped memory sections.
Reverse Engineering: The most thorough but resource-intensive approach.
Behavioral analysis—such as monitoring parent-child process relationships and orphaned files—remains effective.
------------------------------------------------------------------------------------------------------
MemProcFS and the “FindEvil” Plugin
Newer memory forensic tools like MemProcFS offer enhanced detections through its FindEvil plugin. When enabled, this feature generates findevil.txt, flagging suspicious memory regions:
Process Irregularities:
PROC_NOLINK: Unlinked processes (possibly malicious).
PROC_PARENT: Unexpected parent-child process relationships.
PROC_USER: System processes running under incorrect user accounts.
Memory Page Flags:
PE_INJECT: Executable memory sections lacking proper image mappings.
NOIMAGE_RWX / NOIMAGE_RX: Suspicious permissions outside image memory.
PRIVATE_RWX / PRIVATE_RX: Executable code in private memory sections.
-------------------------------------------------------------------------------------------------------------
We will continue remaining part of code injection into next article stay connected and keep learning
-------------------------------------------------------------------------------------------------------------
Conclusion
As attackers refine their methods, defenders must continuously adapt. Memory forensic techniques—combined with behavioral analysis—offer powerful tools for detecting modern injection techniques.
-------------------------------------------------Dean--------------------------------------------------
Comments