============================================================
Code Injection Analysis
============================================================
Identify and analyze process injection techniques including DLL injection, process hollowing, and reflective loading.
Related FOR610 Labs: 4.9, 5.4
────────────────────────────────────────────────────────────
Step 1: Capability Detection
Tools: capa
Run capa to identify injection techniques. Look for: 'inject code', 'create suspended process', 'allocate RWX memory'. Note the MITRE ATT&CK technique IDs it reports.
  $ capa specimen.exe

Step 2: Injection Type Classification
Tools: ghidra, cutter
Identify which technique is used: classic DLL injection (LoadLibrary), process hollowing (CreateProcess with CREATE_SUSPENDED + NtUnmapViewOfSection), reflective DLL loading (manual PE loading), or APC injection (QueueUserAPC).
  $ ghidra
  $ cutter specimen.exe

Step 3: Target Process Analysis
Tools: ghidra
How does the malware choose its target? Look for: CreateToolhelp32Snapshot + Process32First/Next (process enumeration), hardcoded process names (svchost.exe, explorer.exe), OpenProcess calls.
  $ ghidra

Step 4: Payload Identification
Tools: ghidra
What gets injected? Trace the data flow into WriteProcessMemory or NtWriteVirtualMemory. Is the buffer an embedded PE, shellcode, or an encrypted blob? Check its size and content.
  $ ghidra

Step 5: Memory Allocation Analysis
Tools: ghidra
Examine the VirtualAllocEx parameters: size (hints at payload type) and protection flags (PAGE_EXECUTE_READWRITE, 0x40, is suspicious). Note the allocation address, which matters for base relocation.
  $ ghidra

Step 6: Injection Verification [W]
Tools: x32dbg, x64dbg
Set a breakpoint on WriteProcessMemory. When it is hit, examine lpBuffer (injected data) and nSize (payload size). Dump the buffer to a file for separate analysis.
  $ x32dbg.exe specimen.exe
  $ x64dbg.exe specimen.exe

Step 7: Extracted Payload Analysis
Tools: peframe, capa, strings
Analyze the injected payload as a standalone file. Route to: Static Analysis Workflow (if PE), Shellcode Workflow (if shellcode), .NET Workflow (if .NET assembly).
  $ peframe specimen.exe
  $ capa specimen.exe
  $ strings binary.exe

Step 8: Document Technique
Record: injection technique, target process criteria, payload type and hash, API call sequence, memory protection flags. Map to MITRE ATT&CK (T1055.x).
────────────────────────────────────────────────────────────
Tip: 'fhelp cheat ' for full examples
     'Ctrl+G' for interactive cheatsheet browser