# Code Injection Analysis

> Identify and analyze process injection techniques including DLL injection, process hollowing, and reflective loading.

**FOR610 Labs:** 4.9, 5.4

## Steps

### Step 1: Capability Detection

**Tools:** [[tools/capa|capa]]

Run capa to identify injection techniques. Look for: 'inject code', 'create suspended process', 'allocate RWX memory'. Note the MITRE ATT&CK technique IDs it reports.

```bash
capa specimen.exe
```

### Step 2: Injection Type Classification

**Tools:** [[tools/ghidra|ghidra]], [[tools/cutter|cutter]]

Identify which technique is in use: classic DLL injection (LoadLibrary), process hollowing (CreateProcess with CREATE_SUSPENDED + NtUnmapViewOfSection), reflective DLL injection (manual PE loading), APC injection (QueueUserAPC).

```bash
ghidra
cutter specimen.exe
```

### Step 3: Target Process Analysis

**Tools:** [[tools/ghidra|ghidra]]

How does the malware choose its target? Look for: CreateToolhelp32Snapshot + Process32First/Next (process enumeration), hardcoded process names (svchost.exe, explorer.exe), OpenProcess calls.

```bash
ghidra
```

### Step 4: Payload Identification

**Tools:** [[tools/ghidra|ghidra]]

What gets injected? Trace the data flow into WriteProcessMemory or NtWriteVirtualMemory. Is the buffer an embedded PE, shellcode, or an encrypted blob? Check its size and content.

```bash
ghidra
```

### Step 5: Memory Allocation Analysis

**Tools:** [[tools/ghidra|ghidra]]

Examine the VirtualAllocEx parameters: size (hints at the payload type) and protection flags (PAGE_EXECUTE_READWRITE = 0x40 is suspicious). Note the allocation address, since it determines whether the payload needs base relocation.

```bash
ghidra
```

### Step 6: Injection Verification [W]

**Tools:** [[tools/x32dbg|x32dbg]], [[tools/x64dbg|x64dbg]]

Set a breakpoint on WriteProcessMemory. When it is hit, examine lpBuffer (the injected data) and nSize (the payload size). Dump the buffer to a file for separate analysis.

### Step 7: Extracted Payload Analysis

**Tools:** [[tools/peframe|peframe]], [[tools/capa|capa]], [[tools/strings|strings]]

Analyze the injected payload as a standalone file. Route to: Static Analysis Workflow (if PE), Shellcode Workflow (if shellcode), .NET Workflow (if .NET assembly).

```bash
peframe specimen.exe
capa specimen.exe
strings binary.exe
```

### Step 8: Document Technique

Record: injection technique, target process criteria, payload type and hash, API call sequence, memory protection flags. Map to MITRE ATT&CK (T1055.x).

#code-injection #process-hollowing #dll-injection #reflective-loading #workflow
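Added example, not part of this workflow page: a small Python triage helper for the buffer dumped at the WriteProcessMemory breakpoint in Step 6, applying the checks from Steps 4 and 5. It decodes the VirtualAllocEx protection value, flags PAGE_EXECUTE_READWRITE (0x40), and classifies the dumped bytes as an embedded PE, a high-entropy (likely encrypted) blob, or probable shellcode; the entropy threshold and the sample buffers are constructed assumptions.

```python
import math
import struct
from collections import Counter

# Win32 page-protection constants (subset) as passed in VirtualAllocEx flProtect.
PAGE_PROTECTIONS = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
                    0x80: "PAGE_EXECUTE_WRITECOPY"}

def describe_protection(fl_protect):
    """Return (name, is_rwx); modifier bits such as PAGE_GUARD (0x100) are stripped."""
    base = fl_protect & 0xFF
    return PAGE_PROTECTIONS.get(base, f"UNKNOWN(0x{base:02x})"), base == 0x40

def shannon_entropy(data):
    """Bits of entropy per byte (0.0 .. 8.0); packed or encrypted blobs sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_pe(data):
    """True if the buffer is an MZ header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def classify_payload(data, entropy_threshold=7.2):
    """'pe' -> Static Analysis Workflow, 'encrypted' -> decrypt first,
    'shellcode' -> Shellcode Workflow. The threshold is a heuristic assumption."""
    if is_pe(data):
        return "pe"
    if shannon_entropy(data) > entropy_threshold:
        return "encrypted"
    return "shellcode"

def triage(fl_protect, data):
    """Combine Step 5 (protection flags) and Step 4 (payload content) into one record."""
    name, rwx = describe_protection(fl_protect)
    return {"protection": name, "rwx": rwx, "size": len(data),
            "entropy": round(shannon_entropy(data), 2), "payload": classify_payload(data)}

if __name__ == "__main__":
    # Constructed sample buffers standing in for dumped WriteProcessMemory data.
    fake_pe = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    print(triage(0x40, fake_pe))                     # RWX allocation holding an embedded PE
    print(triage(0x04, bytes(range(256)) * 4))       # RW allocation, maximal entropy
    print(triage(0x40, b"\x90" * 32 + b"\xcc\xc3"))  # RWX allocation, low-entropy code
```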