A common question that comes up a lot is: "If code injection is so easy to detect, why do attackers keep using it?"
The simple answer?
It’s only easy to detect if you’re performing deep memory analysis. Most security tools don’t do that by default, and attackers have found smarter ways to hide. Plus, code injection solves a ton of problems for malware, making it an effective technique even today.
-------------------------------------------------------------------------------------------------------------
Why Code Injection Works So Well
Code injection is like a digital disguise. Instead of running as a suspicious-looking standalone program, malware hides inside legitimate processes. This makes it much harder for an admin or security tool to spot it. Here’s how attackers take advantage of it:
Blending in with legitimate processes – Instead of creating a new process , attackers inject their code into something already running, like your web browser or system utilities.
Inheriting permissions – If the injected process has high-level privileges, the malware gets the same access. This is a common trick used by credential stealers to hijack the LSASS process and grab login hashes or Kerberos tickets.
Avoiding detection – Security tools often look for new or untrusted processes. But if malware is running inside an already trusted app (like your browser), it flies under the radar.
-------------------------------------------------------------------------------------------------------------
Process Migration: Staying One Step Ahead
Hackers don’t just inject their code and call it a day. They also move it around to avoid getting caught. This is called process migration.
Imagine an attacker exploits a vulnerability in your browser and gets some initial access.
But what if you close your browser?
Their malware dies with it. To prevent this, they migrate the malicious code to a more persistent process—something critical that rarely gets shut down.
Hacking tools like Metasploit and Cobalt Strike even have built-in features to automate process migration, making this a common tradecraft among cybercriminals.
-------------------------------------------------------------------------------------------------------------
Common Code Injection Techniques
There are a lot of ways to inject malicious code, and some are stealthier than others. Let’s break down the most popular ones:
1. DLL Injection
This is one of the easiest ways to perform code injection, thanks to Windows' architecture. If an attacker has admin rights, they can:
Allocate memory in a target process
Write a malicious DLL into it
Use Windows functions like VirtualAllocEx() and CreateRemoteThread() to execute it
Some advanced methods, like Reflective DLL Injection, bypass API monitoring tools and load malicious DLLs without ever writing them to disk. This makes them harder to detect with traditional antivirus solutions.
2. Process Hollowing
This is a bit different from DLL injection. Instead of injecting into a running process, the attacker:
Creates a legitimate Windows process in a suspended state
Replaces its memory with malicious code
Restarts the process, now running as malware while keeping the original process name
This is how malware like Stuxnet, DarkComet, and Kronos stay hidden while running inside trusted processes.
3. Atom Bombing & Hooking
Atom Bombing: Uses the global atom table to inject code into another process.
SetWindowsHookEx Hooking: Forces a process to load a malicious DLL by hooking its function calls.
Even PowerShell can be abused for code injection! Attackers often use script-based techniques to execute payloads in memory, avoiding traditional detection methods.
-------------------------------------------------------------------------------------------------------------
How to Detect Code Injection
Even though code injection is sneaky, it always leaves traces behind. Memory forensics is one of the best ways to uncover it. Here are the key methods:
Check for injected DLLs – Many injection techniques still rely on Windows’ normal DLL loading process, which means you can look at process memory structures to find unexpected DLLs.
Look for suspicious executable memory – Attackers might try to avoid API calls, but at some point, the injected code has to be executable. If you find unusual executable pages in memory, it’s a red flag.
Compare kernel vs. userland process data – Advanced malware manipulates memory permissions, changes execution pointers, and even patches loaded code. Comparing different memory sources can reveal these inconsistencies.
-------------------------------------------------------------------------------------------------------------
Tools for Detecting Code Injection
1. Volatility Memory Forensics Framework
Volatility has been a go-to tool for analyzing memory dumps. It includes several plugins that help uncover hidden malware techniques:
ldrmodules: Detects DLLs that are either unlinked or loaded from unusual locations—both major red flags.
malfind: Scans for suspicious memory allocations that might indicate reflective injection or process hollowing.
hollowfind: Specifically designed to detect process hollowing by comparing data structures within a process.
threadmap: Focuses on identifying malicious threads, making it harder for attackers to hide their tracks.
ptemalfind: Uses kernel-based page table information to identify hollowed processes, offering stronger detection against advanced evasion tactics.
One thing to note—some of these plugins are only available in Volatility 2, while newer ones like ptemalfind are designed for Volatility 3.
2. MemProcFS
This is another powerful memory analysis tool that takes things a step further. Its findevil plugin helps detect different types of code injections, making it a great addition to your forensic toolkit.
3. Live Memory Analysis Tools
As attackers get more sophisticated, relying solely on RAM dumps isn’t always enough. Some malware, like those using the Gargoyle memory evasion technique, remain dormant most of the time and only execute briefly, making them harder to catch in static memory dumps. That’s where live memory analysis comes in:
Moneta (by Forrest Orr) and Hollows Hunter (by hasherezade) are great tools for detecting live injection attempts.
Many Endpoint Detection and Response (EDR) solutions are now integrating similar live memory scanning capabilities.
-----------------------------------------------------------------------------------------------------------
How Attackers Perform DLL Injection
One of the simplest and most common code injection techniques is DLL injection. Here’s how it works:
Attach to the Target Process: The attacker uses the OpenProcess() function to gain access to a victim process. This requires the SeDebugPrivilege, which admin accounts usually have.
Allocate Memory: The attacker then uses VirtualAllocEx() to create a small memory space inside the victim process, where the malicious DLL’s path will be written using WriteProcessMemory().
Execute the Malicious Code: Finally, CreateRemoteThread() is used to force the victim process to load the malicious DLL via LoadLibraryA().
This method works well, but it has one major limitation: the DLL must exist on disk. Security tools can easily detect suspicious DLLs being loaded from unexpected locations (like a Temp folder instead of System32).
--------------------------------------------------------------------------------------------------------
Reflective Code Injection: A Stealthier Alternative
To bypass the requirement of having a DLL on disk, attackers developed reflective code injection. This method allows malware to load itself directly into memory without relying on Windows’ LoadLibrary() function. As a result, it doesn’t appear in standard DLL lists, making it much harder to detect.
Some of the most well-known attack tools use reflective injection:
Metasploit & Cobalt Strike: Use this technique for deploying their backdoors.
PowerSploit & Empire: Popular PowerShell frameworks that leverage reflective injection.
DoublePulsar: A powerful backdoor linked to nation-state actors, further advancing reflective injection techniques.
--------------------------------------------------------------------------------------------------------
I know I know theory theory and few will understand what the theory say. So make thing easy for you lets do practical
How to Spot Code Injection in Action
Even though attackers are getting smarter, memory forensics still provides excellent ways to uncover their tracks.
Command:
python3 vol.py -f /mnt/c/Users/Akash\'s/Downloads/solarmarker/solarmarker.img windows.ldrmodules > /mnt/c/Users/Akash\'s/Downloads/ldrmodules.txtLet’s take an example where a DLL is injected into powershell.exe:
Using the ldrmodules plugin in Volatility, you might see something like this:
Process: powershell.exe (PID 5352)
MappedPath: C:\Users\Admin\AppData\Temp\user32.dllMost legitimate DLLs are loaded from C:\Windows\System32 or C:\Program Files. A DLL from a Temp folder is a huge red flag.
Another trick is to check the InInit = False list column. If the process itself isn’t listed there, it could indicate malicious tampering.
Security tools like MemProcFS also help by comparing data structures like PEB (Process Environment Block) and VAD (Virtual Address Descriptor) to spot anomalies.
-------------------------------------------------------------------------------------------------------------
We will continue the discussion about code injection analysis and understanding through memory forensic in next article as well. Stay connected!
-------------------------------------------------------------------------------------------------------------
Wrapping Up
Code injection remains one of the most dangerous malware techniques, but with the right tools and approach, you can detect and stop these attacks. By leveraging forensic tools like Volatility, MemProcFS, and live memory scanners, security teams can identify suspicious activity before it escalates into a full-blown compromise.
---------------------------------------------Dean---------------------------------------------------
Comments