Process inject, hollow, thread hijack, and DLL injection techniques
Advanced Windows engagement: demonstrated tool-agnostic process injection, process hollowing, thread hijacking, and DLL injection against lab targets; documented APC/QueueUserAPC and TrickBot-style reflective hooking notes for detection engineering.
- Case files
- Process inject, hollow, thread hijack, and DLL injection techniques
Executed four injection labs (shellcode inject, hollow, thread hijack, DLL inject), then recorded APC execution APIs and TrickBot case-study hooks for the detection brief.
Documented four technique flags and the APC / TrickBot reference answers for the detection appendix.
Engagement summary
Executed four injection labs (shellcode inject, hollow, thread hijack, DLL inject), then recorded APC execution APIs and TrickBot case-study hooks for the detection brief.
ABUSING WINDOWS INTERNALS was a controlled technique lab for operators and detection engineers. Task track: (1) classic process injection — allocate/write/protect/create remote thread — recovered THM{1nj3c710n_15_fun!}; (2) process hollowing — create suspended process, unmap, write payload, resume — THM{7h3r35_n07h1n6_h3r3}; (3) thread hijacking / weaponized context switch — THM{w34p0n1z3d_53w1n6}; (4) DLL injection — THM{n07_4_m4l1c10u5_dll}. Memory execution alternatives: Asynchronous Procedure Call with QueueUserAPC; void function pointers are not valid for remote-process APC queuing (n). Case study: TrickBot used RtlCreateUserThread, reflective injection (y), and write_hook_iter for manual hooks. Briefing purpose: map each primitive to ETW/Sysmon telemetry (CrossProcess handle access, VirtualAllocEx, WriteProcessMemory, SetThreadContext, LoadLibrary remote) rather than tool names.
Business impact
Injection and hollowing let malware run under trusted process names and bypass naive path-based allowlists. Without behavioral telemetry on cross-process memory APIs, EDR gaps become persistent footholds. Train blue teams on the API sequences, not only on known malware families.
Injection lab artifacts and APC notes
Documented four technique flags and the APC / TrickBot reference answers for the detection appendix.
OPERATOR · WIN INTERNALS
savvy@lab:~$ # lab: inject shellcode → remote thread
THM{1nj3c710n_15_fun!}
savvy@lab:~$ # lab: process hollow + inject
THM{7h3r35_n07h1n6_h3r3}
savvy@lab:~$ # lab: hijack thread context
THM{w34p0n1z3d_53w1n6}
savvy@lab:~$ # lab: DLL inject
THM{n07_4_m4l1c10u5_dll}
DETECTION NOTES
win-injection-notes.txt
Async exec in thread context : Asynchronous Procedure Call
Queue APC : QueueUserAPC
Remote void fn pointer APC? : n
TrickBot thread API : RtlCreateUserThread
TrickBot reflective? : y
Manual hook writer : write_hook_iter
Watch: OpenProcess + VirtualAllocEx + WriteProcessMemory
+ CreateRemoteThread / NtCreateThreadEx / SetThreadContextRemediation
Enable Sysmon process-access and image-load logging; alert on cross-process VirtualAllocEx/WriteProcessMemory from non-browser parents. Use HVCI / code integrity where compatible. Isolate high-value sessions on hardened workstations; assume injection capability once an untrusted process runs as the user.