Skip to content

Threadless Process Injection using remote function hooking.

License

Notifications You must be signed in to change notification settings

CCob/ThreadlessInject

Repository files navigation

Threadless Process Injection

From my Bsides Cymru 2023 talk: Needles Without the Thread.

As red teamers, we always find ourselves in a cat and mouse game with the blue team. Many Anti-virus and EDR solutions over the past 10 years have become significantly more advanced at detecting fileless malware activity in a generic way.

Process injection, a technique used for executing code from within the address space of another process is a common method within the offensive operator’s toolbox. Commonly used to mask activity within legitimate processes such as browsers and instant messaging clients already running on the target workstation.

Within the last 2 years, tools such as Sysmon have added new detections and events for process injection along with big improvements in detections within commercial EDR space. With this in mind, a new method of injection was researched that would not fall foul to the traditional methods that are often detected today.

Possible Improvements

About

Threadless Process Injection using remote function hooking.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Sponsor this project

 

Packages

No packages published

Languages