Executing Commands via Process Injection: A Comprehensive Guide

In the realm of computer science, particularly in cybersecurity and software development, there exist numerous powerful and intriguing techniques. One such method is known as “Process Injection.” This technique allows for the injection of foreign code or commands into a target process, enabling various manipulations of the target process. One of the Process Injection methods, “Remote Thread Injection,” creates a remote thread in the memory space of the target process, injecting and executing foreign code or commands. This article delves into this fascinating technique, exploring the topic of “Executing Commands via Process Injection,” the rationale behind the code’s development, and its operational mechanics.

What is Process Injection?

Process Injection is a cybersecurity and software development technique that enables the injection of foreign code or commands into a target process. This method can be used for various purposes, such as executing commands, injecting DLLs or shellcode, and monitoring the target process. However, it is often employed by attackers to create malicious software and harmful code.

Remote Thread Injection

Remote Thread Injection is a method used to create a new thread in a target process to execute a piece of foreign code remotely. This technique can inject code into an application’s memory from another process, enabling unwanted behaviors, additional functionality, or manipulation of the target process.

Executing Commands

Remote Thread Injection is used as a method to infiltrate and spread within target systems. An attacker can inject a malicious code snippet or a command via a cmd.exe command prompt into the target process, altering the target application’s functionality and gaining control over the system. This way, the attacker can seize the system and perform malicious activities.

The Reason Behind Code Development

A common scenario in local network penetration testing involves a client system within a domain with local administrator privileges. In this scenario, there is an active session of an authorized domain user on the system. To escalate privileges within the domain structure, it is necessary to impersonate the domain user with an active session or gain the ability to execute commands on their behalf.

In laboratory or Capture The Flag (CTF) environments, this scenario can be addressed by establishing a reverse connection with a Meterpreter session and then transitioning to the processes of the relevant user, impersonating them to proceed. However, in real-world scenarios, this process is not as straightforward due to various antivirus and Endpoint Detection and Response (EDR) solutions that can detect and terminate publicly known tools.

Manually writing the command that performs this operation in a Meterpreter session can help evade antivirus and EDR solutions while also providing insight into how it works.

Code Explanation

The provided code snippet demonstrates how to execute commands in a target process using the Remote Thread Injection method. The code is written in C++ and utilizes Windows APIs to perform its operations. No specific measures have been implemented in the code to evade antivirus or EDR solutions.

Code Analysis

The C++ code that executes commands in the target process using the Remote Thread Injection method takes two parameters: the Process ID (PID) of the target process where the remote command will be executed, and the command to be executed.

• OpenProcess Function: The target process is opened with full access rights using the OpenProcess function.
• VirtualAllocEx Function: A new memory area is reserved in the target process using the VirtualAllocEx function.
• Command Assignment: The second parameter taken by the code, which is the command to be executed by cmd.exe, is assigned to a variable named “command”.
• WriteProcessMemory Function: The command string in the “command” variable is written to the reserved area in the target process using the WriteProcessMemory function.
• GetProcAddress Call: A variable named “pThreadProc” is defined for the WinExec function by calling GetProcAddress with the kernel32.dll module. This function will be executed as a remote thread in the target process.
• CreateRemoteThread Function: A remote thread is created in the target process using the CreateRemoteThread function. The thread executes the command in the “remoteMem” variable with the “pThreadProc” (WinExec) function.
• WaitForSingleObject Function: The WaitForSingleObject function waits for the process to complete.
• Memory Release: If all operations are successful, the memory area reserved for the target process is released.

The developed code has been added to the tool called CrackMapExec, which is used in local network penetration tests, as the “pi” module and can be used publicly with the release of version 6.0.1.

Prevention and Defense Methods

• Attack Monitoring and Investigation: Detecting process injections using system logs and process monitoring tools.
• Memory Analysis Tools: Using memory analysis tools to monitor process memory and detect abnormal code injections.
• Behavioral Analysis: Identifying normal behaviors of processes running on the system to detect abnormal activities.
• Principle of Least Privilege: Running processes with the minimum privileges required.
• Memory Protection: Using memory protection mechanisms to protect process memory and prevent code injections.
• Application Whitelisting: Allowing only trusted and necessary applications to run, preventing malicious software from executing.

This article discussed the topic of “Executing Commands via Process Injection.” Executing commands in a target process is a powerful and impressive application area. However, it is crucial to use such techniques only for legal and ethical purposes. Taking security measures to protect against attacks and increasing cybersecurity awareness is an important task for computer users and system administrators. A conscious and careful approach will provide a safer experience in the digital world.