Malware Analysis: Using process creation properties to catch evasion techniques

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119

Using process creation properties to catch evasion techniques

by Microsoft 365 Defender Research Team


(...)

Common classes of stealthy process execution

On Windows systems, most methods attackers use to run code within another process fall within two classes: process injection and process hollowing. These classes allow attackers to run their code within another process without explicitly creating it from an executable, or making it load a dynamic link library (DLL). Similar classes of techniques are often also called process injection, but this term will be used in a more specific definition for clarity.

Process injection

Process injection, the widest and most common class, consists of different techniques that introduce attacker-supplied executable memory into an already running process. Techniques in this class consist of two main parts:
  • Write primitive: A Windows API function, or a set of APIs, used to introduce malware into the target process.
  • Execution primitive: A Windows API method to redirect the execution of the process to the code provided by the attacker.
An example of a classic process injection flow is malware using the VirtualAllocEx API to allocate a buffer within a target process, WriteProcessMemory to fill that buffer with the contents of a malware module, and CreateRemoteThread to initiate a new thread in the target process, running the previously injected code.

Process hollowing

In process hollowing, instead of abusing an already running process, an attacker might start a new process in a suspended state and use a write primitive to introduce their malware module before the process starts running. By redirecting the entry point of the process before unsuspending, the attacker may run their code without using an explicit execution primitive.
Variants (and sometimes combinations) of both classes exist and differ from each other mostly by the APIs being used. The APIs vary because a different function used to achieve the goal of one of the steps may not go through the numerous points at which an endpoint protection product intercepts such behavior, which can break detection logic.

New stealth techniques

In the past few years, stealth techniques from a process execution class have emerged that don’t strictly fit into any of the previously mentioned classes. In this class, instead of modifying the memory of an already created (but perhaps not yet executing) process, a new process is created from the image section of a malware. By the time a security product is ready to scan the file, the malware bits aren’t there anymore, effectively pulling the rug from under antimalware scanners. This technique requires defenders to use a different detection method to catch attacks that use it. As of today, the following variations of this class are known publicly:
  • Process doppelganging [1]: Abusing transactional NTFS features to create a volatile version of an executable file used for process creation, with the file never touching the disk.
  • Process herpaderping [2]: Utilizing a writable handle to an executable file to overwrite the malware bits on disk before antimalware services can scan the executable, but after a process has already been created from the malicious version.
  • Process ghosting [3]: Abusing a handle with delete permissions to the process executable to delete it before it has a chance to be scanned.
This process execution class, including the variations mentioned above, takes advantage of the way the following functionalities in the operating system are designed to evade detection by security products:
  • Antimalware engines don’t scan files after every single modification.
  • Process creation callbacks, the operating system functionality that allows antimalware engines to scan a process when it’s created, are invoked only when the first thread is inserted into a process.
  • NtCreateProcessEx, a legacy process creation syscall, allows the creation of a process without populating it with any thread.
The following sections explain in more detail how these functionalities are abused.

More details:
https://www.microsoft.com/security/...ation-properties-to-catch-evasion-techniques/
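One defender-side check that follows from the observations quoted above, written here as an added example (it is not code from the article or from Microsoft): at process-creation time, compare the bytes the process was actually created from with what a scanner opening the image path would see. It assumes the sensor has already captured the mapped image section at creation (a hypothetical capability, simulated below with a temp file), and that the overwrite or delete happens before the creation callback fires, as the article describes for herpaderping and ghosting.

```python
"""Check whether a process's on-disk image still matches what it was created from."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass
class ImageCheck:
    path: str
    verdict: str                 # "ok", "image-missing" or "image-mismatch"
    disk_sha256: Optional[str]   # None when the file is gone
    section_sha256: str          # hash of the bytes the process actually runs


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_process_image(path: str, mapped_image: bytes) -> ImageCheck:
    """mapped_image is assumed to be captured from the image section at creation."""
    section_hash = sha256_hex(mapped_image)
    if not os.path.exists(path):
        # Ghosting-style: backing file deleted before the callback could scan it.
        return ImageCheck(path, "image-missing", None, section_hash)
    with open(path, "rb") as f:
        disk_hash = sha256_hex(f.read())
    if disk_hash != section_hash:
        # Herpaderping/doppelganging-style: disk content differs from what runs.
        return ImageCheck(path, "image-mismatch", disk_hash, section_hash)
    return ImageCheck(path, "ok", disk_hash, section_hash)


def simulate(scenario: str) -> str:
    """Constructed scenario: write a file, treat its bytes as the mapped section,
    then alter the on-disk file the way each technique does, and run the check."""
    payload = b"MZ\x90\x00constructed-sample-image"   # constructed, not a real PE
    cover = b"MZ\x90\x00constructed-benign-cover"     # constructed replacement bytes
    fd, path = tempfile.mkstemp(suffix=".bin")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(payload)
        mapped = payload                 # section already created from these bytes
        if scenario == "herpaderping":
            with open(path, "wb") as f:  # overwrite after section creation
                f.write(cover)
        elif scenario == "ghosting":
            os.remove(path)              # delete after section creation
        return check_process_image(path, mapped).verdict
    finally:
        if os.path.exists(path):
            os.remove(path)
```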

Andy Ful

This article contains useful information about stealthy execution techniques. The readers who do not use Microsoft Defender can simply skip the sections related to its protection. I am not sure if all improvements are also present in Defender free.:) (y)

ErzCrz

Top of the article specifies Endpoint but hopefully it'll be a free version in future.

Andy Ful

These improvements are probably included in the Defender local AI, so there are fair chances that they are already included in the newest engine of Defender free. But, this should be tested. Microsoft can intentionally block some new features in Defender free to make Defender for Endpoint more attractive.
I think that similar abilities are implemented in other popular AVs. It will be interesting to see how efficient such protection can be against modified techniques.