============================================================
  Code Injection Analysis
============================================================

  Identify and analyze process injection techniques including DLL injection, process hollowing, and reflective loading.

  Related FOR610 Labs: 4.9, 5.4

────────────────────────────────────────────────────────────

  Step 1: Capability Detection
  Tools: capa
  Run capa to identify injection capabilities. Look for
  rules such as 'inject code', 'create process suspended',
  'allocate RWX memory' and the other rules in capa's
  process-injection namespace. capa prints the MITRE ATT&CK
  mapping next to each match (T1055 and its sub-techniques);
  note the IDs now, and rerun with -vv to get the addresses
  where each rule matched so you can jump straight to them in
  Step 2.

    $ capa specimen.exe

  Step 2: Injection Type Classification
  Tools: ghidra, cutter
  Identify which technique from the API pattern:
  Classic DLL injection: VirtualAllocEx + WriteProcessMemory
  of a DLL path, then CreateRemoteThread with LoadLibraryA/W
  as the start address. Process hollowing: CreateProcess with
  CREATE_SUSPENDED, NtUnmapViewOfSection on the child's
  image, write the payload PE, SetThreadContext to the new
  entry point, ResumeThread. Reflective DLL: the written
  payload is a PE that carries its own loader (parses its
  headers, maps sections, resolves imports), so the payload
  is never passed to LoadLibrary. APC injection: QueueUserAPC
  or NtQueueApcThread on a thread that will become alertable,
  or on the primary thread of a suspended process ('early
  bird'). Also watch for the thread-creation variants
  NtCreateThreadEx and RtlCreateUserThread.

    $ ghidra
    $ cutter specimen.exe

  Step 3: Target Process Analysis
  Tools: ghidra
  How does the malware choose its target? Look for:
  CreateToolhelp32Snapshot + Process32First/Next (enumeration,
  usually followed by a string compare on szExeFile),
  hardcoded process names (svchost.exe, explorer.exe),
  OpenProcess calls. Check the dwDesiredAccess mask:
  injection needs at least PROCESS_VM_OPERATION |
  PROCESS_VM_WRITE, plus PROCESS_CREATE_THREAD for a remote
  thread; PROCESS_ALL_ACCESS is the lazy default. If the
  sample creates its own child (CreateProcess) there is no
  enumeration at all; the target is the child.

    $ ghidra

  Step 4: Payload Identification
  Tools: ghidra
  What gets injected? Trace data flow backwards from the
  lpBuffer argument of WriteProcessMemory or
  NtWriteVirtualMemory (or a direct syscall stub). Is it an
  embedded PE (MZ header in .data or .rsrc), shellcode, or
  an encrypted blob decoded just before the write? Check
  size and content. A payload written in several chunks, or
  shared through a section (NtMapViewOfSection in both
  processes) instead of a write, is easy to miss.

    $ ghidra

  Step 5: Memory Allocation Analysis
  Tools: ghidra
  Examine VirtualAllocEx(hProcess, lpAddress, dwSize,
  flAllocationType, flProtect): dwSize hints at the payload
  type (SizeOfImage for a PE, a few hundred bytes for
  shellcode); flProtect = PAGE_EXECUTE_READWRITE (0x40) is
  suspicious, but also watch for PAGE_READWRITE (0x04)
  followed by VirtualProtectEx to PAGE_EXECUTE_READ (0x20),
  which avoids an RWX region. A non-NULL lpAddress equal to
  the payload's ImageBase means the payload is not relocated;
  NULL means the loader must process relocations or the code
  is position-independent.

    $ ghidra

  Step 6: Injection Verification [W]
  Tools: x32dbg, x64dbg
  Set breakpoints on WriteProcessMemory and NtWriteVirtualMemory
  (the latter also catches callers that skip the kernel32
  wrapper; the arguments sit in the same positions). When hit,
  read the arguments at function entry: x64: rcx=hProcess,
  rdx=lpBaseAddress, r8=lpBuffer, r9=nSize; x86: [esp+4],
  [esp+8], [esp+0xC]=lpBuffer, [esp+0x10]=nSize. Follow
  lpBuffer in the dump and save nSize bytes to a file (the
  savedata command) for separate analysis. Expect several hits
  if the payload is written in chunks; the first write usually
  carries the PE header.

    $ x32dbg.exe specimen.exe
    $ x64dbg.exe specimen.exe

  Step 7: Extracted Payload Analysis
  Tools: peframe, capa, strings
  Analyze the injected payload as a standalone file
  (payload.bin below). Check the first bytes before picking
  a tool: an MZ/PE header (or one with 'MZ' wiped, which
  some loaders do before the write) routes to the Static
  Analysis Workflow; a PE whose CLR data directory is
  populated routes to the .NET Workflow; headerless code
  routes to the Shellcode Workflow (for capa, pass -f sc32
  or -f sc64). Hash the file: it is an indicator in its own
  right, separate from the dropper.

    $ peframe payload.bin
    $ capa payload.bin
    $ strings payload.bin
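  Worked example for the routing decision in Step 7, added
  here and not part of the FOR610 labs or fhelp: a Python
  triage script that parses the PE headers of a dumped buffer
  (tolerating a wiped 'MZ'), reads data directory 14 to spot a
  .NET assembly, checks the first bytes for common shellcode
  idioms, and falls back to an entropy test for encrypted or
  packed blobs. The entropy threshold and the byte patterns are
  heuristics chosen for this script; build_sample_pe() and the
  two sample buffers are constructed test inputs, not real
  payloads.

```python
"""Triage a buffer dumped at WriteProcessMemory: PE, .NET PE, shellcode, or opaque blob.
Added example (not FOR610 or fhelp code); the threshold and byte patterns are heuristics
chosen here, and build_sample_pe() plus the two sample buffers are constructed test inputs.
"""
import math
import struct

# Byte idioms that often open position-independent Windows shellcode (GetPC tricks,
# PEB walks). A hit is a hint; a miss proves nothing.
SHELLCODE_HINTS = {
    b"\xfc\x48\x83\xe4\xf0": "x64: cld; and rsp,-16 (Metasploit-style stub)",
    b"\xfc\xe8": "x86: cld; call (GetPC)",
    b"\xe8\x00\x00\x00\x00": "call $+5 (GetPC)",
    b"\x64\xa1\x30\x00\x00\x00": "x86: mov eax, fs:[0x30] (PEB)",
    b"\x65\x48\x8b\x04\x25\x60\x00\x00\x00": "x64: mov rax, gs:[0x60] (PEB)",
}
HIGH_ENTROPY = 7.2  # bits per byte; packed or encrypted data sits close to 8.0


def entropy(data):
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """Header facts if data carries a PE header (even with 'MZ' wiped), else None."""
    if len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                   # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                    # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        n_dd_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:                                  # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        n_dd_off, dd_off = opt + 108, opt + 112
    else:
        return None
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    # Data directory 14 (COM descriptor) is non-empty only for managed code.
    clr_rva = clr_size = 0
    if struct.unpack_from("<I", data, n_dd_off)[0] > 14 and dd_off + 15 * 8 <= len(data):
        clr_rva, clr_size = struct.unpack_from("<II", data, dd_off + 14 * 8)
    return {"machine": hex(machine), "is_dll": bool(chars & 0x2000), "sections": nsections,
            "image_base": image_base, "entry_point": entry, "size_of_image": size_of_image,
            "dotnet": clr_rva != 0 and clr_size != 0, "mz_stripped": data[:2] != b"MZ"}


def triage(data):
    """Route the dumped buffer to the right workflow."""
    pe = parse_pe(data)
    ent = entropy(data)
    if pe:
        kind, route = (".NET assembly", ".NET Workflow") if pe["dotnet"] else ("PE", "Static Analysis Workflow")
        return {"kind": kind, "route": route, "entropy": ent, **pe}
    hints = [desc for pat, desc in SHELLCODE_HINTS.items() if pat in data[:64]]
    if hints:
        return {"kind": "shellcode", "route": "Shellcode Workflow", "hints": hints, "entropy": ent}
    if ent >= HIGH_ENTROPY:
        return {"kind": "encrypted or packed blob", "entropy": ent,
                "route": "find the decoder: trace backwards from the WriteProcessMemory lpBuffer"}
    return {"kind": "unknown", "route": "manual review", "entropy": ent}


def build_sample_pe(plus=False, dotnet=False, strip_mz=False):
    """Constructed minimal PE header (no sections) for exercising parse_pe()."""
    e_lfanew, opt_len = 0x80, (240 if plus else 224)
    dos = bytearray(e_lfanew)
    if not strip_mz:
        dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x8664 if plus else 0x14C, 2, 0, 0, 0, opt_len, 0x0002)
    opt = bytearray(opt_len)
    struct.pack_into("<H", opt, 0, 0x20B if plus else 0x10B)
    struct.pack_into("<I", opt, 16, 0x1000)              # AddressOfEntryPoint
    struct.pack_into("<Q" if plus else "<I", opt, 24 if plus else 28, 0x140000000 if plus else 0x400000)
    struct.pack_into("<I", opt, 56, 0x26000)             # SizeOfImage
    struct.pack_into("<I", opt, 108 if plus else 92, 16) # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, (112 if plus else 96) + 14 * 8, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


# Constructed inputs: a fake Metasploit-style x64 stub and a maximal-entropy blob.
SHELLCODE_SAMPLE = b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51"
BLOB_SAMPLE = bytes(range(256)) * 4

if __name__ == "__main__":
    import sys
    buf = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SHELLCODE_SAMPLE
    print(triage(buf))
```

  Run it with the dumped file as the argument (python3
  triage.py payload.bin); without an argument it triages the
  constructed shellcode sample. The PE parser deliberately does
  not require 'MZ' at offset 0, because a dumped image with
  the DOS signature wiped still has a valid e_lfanew and
  'PE\0\0' and should still be routed to static analysis
  (restore the two bytes before handing it to peframe).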

  Step 8: Document Technique
  Record: injection technique, target process criteria,
  payload type and hash, API call sequence, memory
  protection flags. Map to MITRE ATT&CK T1055 plus the
  sub-technique: T1055.001 (DLL injection), T1055.002 (PE
  injection), T1055.004 (APC injection), T1055.012 (process
  hollowing); reflective loading of the payload is T1620.

────────────────────────────────────────────────────────────
  Tip: 'fhelp cheat <tool>' for full examples
       'Ctrl+G' for interactive cheatsheet browser
