docker_file_analysis/data/generated/wiki/workflows/code-injection-workflow.md
tobias e62a14dafc Add markdown wiki with 473 pages and zk browser
Generate interlinked wiki from master inventory: 397 tool pages,
15 workflow pages, 27 recipe pages, 33 category pages, plus index.
All pages use [[wiki-links]] for cross-navigation between tools,
workflows, recipes, and categories (1782 links total).

Install zk for interactive browsing with fzf search, tag filtering,
and backlink discovery. Add 'fhelp wiki' command and Makefile target.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 19:50:36 +01:00


Code Injection Analysis

Identify and analyze process injection techniques including DLL injection, process hollowing, and reflective loading.

FOR610 Labs: 4.9, 5.4

Steps

Step 1: Capability Detection

Tools: tools/capa

Run capa to identify injection techniques. Look for: 'inject code', 'create suspended process', 'allocate RWX memory'. Note MITRE ATT&CK technique IDs.

capa specimen.exe

Step 2: Injection Type Classification

Tools: tools/ghidra, tools/cutter

Identify which technique is used: classic DLL injection (LoadLibrary as the remote thread start), process hollowing (CreateProcess with CREATE_SUSPENDED + NtUnmapViewOfSection), reflective DLL (manual PE loading without LoadLibrary), APC injection (QueueUserAPC).

ghidra
cutter specimen.exe

Step 3: Target Process Analysis

Tools: tools/ghidra

How does the malware choose its target? Look for: CreateToolhelp32Snapshot + Process32First/Next (enumeration), hardcoded process names (svchost.exe, explorer.exe), OpenProcess calls.

ghidra

Step 4: Payload Identification

Tools: tools/ghidra

What gets injected? Trace data flow to WriteProcessMemory or NtWriteVirtualMemory. Is it: embedded PE, shellcode, encrypted blob? Check size and content.

ghidra

Step 5: Memory Allocation Analysis

Tools: tools/ghidra

Examine VirtualAllocEx parameters: size (hints at payload type), protection flags (PAGE_EXECUTE_READWRITE = 0x40 = suspicious). Note the allocation address: a payload without relocation data must land at its preferred base, so a fixed lpAddress is itself a clue.

ghidra

Step 6: Injection Verification [W]

Tools: tools/x32dbg, tools/x64dbg

Set breakpoint on WriteProcessMemory. When hit: examine lpBuffer (injected data), nSize (payload size). Dump the buffer to file for separate analysis.

Step 7: Extracted Payload Analysis

Tools: tools/peframe, tools/capa, tools/strings

Analyze the injected payload as standalone file. Route to: Static Analysis Workflow (if PE), Shellcode Workflow (if shellcode), .NET Workflow (if .NET assembly).

peframe dumped_payload.bin
capa dumped_payload.bin
strings dumped_payload.bin

(dumped_payload.bin stands for the buffer dumped from WriteProcessMemory in Step 6; substitute the actual file name.)

Step 8: Document Technique

Record: injection technique, target process criteria, payload type and hash, API call sequence, memory protection flags. Map to MITRE ATT&CK (T1055.x).
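A small triage script for Steps 2 to 5 and Step 8, added here as an example; it is not part of the wiki or of capa/x64dbg. It assumes an API-call trace already converted into a list of {'api', 'args'} records (a constructed shape) and classifies the injection technique, payload kind, target selection and RWX allocation, mapping the result to the ATT&CK sub-technique for the write-up.

```python
# Injection-trace triage for Steps 2-5 and 8 of this workflow. Added example, not
# code from the wiki, capa or x64dbg. Input is an assumed, constructed shape: one
# {'api': name, 'args': {...}} record per call, as a debugger or API-monitor log could be converted to.
PAGE_EXECUTE_READWRITE = 0x40  # flProtect value flagged in Step 5
CREATE_SUSPENDED = 0x4         # CreateProcess dwCreationFlags bit
# Technique -> ATT&CK sub-technique for Step 8 (ATT&CK also files reflective loading as T1620).
ATTACK = {"process hollowing": "T1055.012", "APC injection": "T1055.004",
          "classic DLL injection": "T1055.001", "reflective/PE injection": "T1055.002"}

def classify(trace):
    """Return technique, ATT&CK id, payload kind, target and RWX-allocation flag."""
    calls = {c["api"]: c.get("args", {}) for c in trace}  # last args seen per API
    res = {"technique": "unknown", "attack_id": None, "payload": None, "target": None}
    # Step 5: protection flags on the remote allocation
    res["rwx_alloc"] = calls.get("VirtualAllocEx", {}).get("flProtect") == PAGE_EXECUTE_READWRITE
    # Step 4: what was written (PE header, DLL path, or opaque blob/shellcode)
    buf = calls.get("WriteProcessMemory", calls.get("NtWriteVirtualMemory", {})).get("lpBuffer", b"")
    if buf.startswith(b"MZ"):
        res["payload"] = "embedded PE"
    elif buf.lower().rstrip(b"\x00").endswith(b".dll"):
        res["payload"] = "DLL path"
    elif buf:
        res["payload"] = "shellcode/opaque blob"
    cp = calls.get("CreateProcessW", calls.get("CreateProcessA"))  # Step 3: target selection
    if cp is not None:
        res["target"] = cp.get("lpApplicationName") or cp.get("lpCommandLine")
    elif "OpenProcess" in calls:
        res["target"] = "pid %s" % calls["OpenProcess"].get("dwProcessId")
    # Step 2: most specific API pattern wins
    suspended = cp is not None and cp.get("dwCreationFlags", 0) & CREATE_SUSPENDED
    if suspended and "NtUnmapViewOfSection" in calls and "ResumeThread" in calls:
        tech = "process hollowing"
    elif "QueueUserAPC" in calls:
        tech = "APC injection"
    elif "CreateRemoteThread" in calls and res["payload"] == "DLL path":
        tech = "classic DLL injection"
    elif "CreateRemoteThread" in calls and res["payload"] == "embedded PE":
        tech = "reflective/PE injection"
    else:
        tech = "unknown"
    res.update(technique=tech, attack_id=ATTACK.get(tech))
    return res

# Constructed sample trace mirroring the Step 2 process-hollowing description.
HOLLOWING_TRACE = [
    {"api": "CreateProcessW", "args": {"lpApplicationName": r"C:\Windows\System32\svchost.exe",
                                       "dwCreationFlags": CREATE_SUSPENDED}},
    {"api": "NtUnmapViewOfSection", "args": {}},
    {"api": "VirtualAllocEx", "args": {"dwSize": 0x2A000, "flProtect": 0x40}},
    {"api": "WriteProcessMemory", "args": {"lpBuffer": b"MZ\x90\x00\x03\x00"}},
    {"api": "ResumeThread", "args": {}},
]
```

Run classify(HOLLOWING_TRACE) to get the fields Step 8 asks for; the order of the elif chain matters, since hollowing and PE injection both write an MZ header.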

#code-injection #process-hollowing #dll-injection #reflective-loading #workflow