Process injection is a critical defense evasion technique (and, when the target process runs under a higher-privileged token, a privilege escalation technique; MITRE ATT&CK T1055) covered in the CompTIA PenTest+ curriculum under the Attacks and Exploits domain. It involves a threat actor executing arbitrary code within the address space of a separate, live process. By migrating malicious code into a legitimate process, attackers can camouflage their activities, making detection significantly harder for security controls such as Antivirus (AV) and Endpoint Detection and Response (EDR) systems.
The primary objective is stealth. Security software often extends trust to signed Microsoft binaries such as svchost.exe, notepad.exe, or explorer.exe. If malware runs as a standalone executable, it is easily flagged by its hash, its missing signature, or its parent process. If instead it injects itself into explorer.exe, its network connections and file activity appear to originate from that trusted Windows component, which can defeat process-name-based allowlists and firewall rules and blunts behavioral monitoring that keys on the image name. It does not defeat controls that inspect process memory or the cross-process API calls themselves, which is where modern EDR looks.
The standard workflow for process injection generally follows a specific API sequence on Windows systems: first, the attacker retrieves a handle to the target process (OpenProcess); second, memory is reserved and committed within the target process's virtual address space (VirtualAllocEx); third, the malicious payload, such as shellcode or the path to a malicious DLL, is written into that allocated memory (WriteProcessMemory); and finally, a new thread is created within the target process to execute the injected code (CreateRemoteThread). When the payload is shellcode, the allocation is typically requested as PAGE_EXECUTE_READWRITE, which is itself a strong detection signal. In the DLL variant the memory holds only a path string, and the remote thread starts at LoadLibraryA, which kernel32.dll exports at the same address in every process of the same bitness.
Common variations include DLL Injection, where a process is forced to load a malicious Dynamic Link Library (for example via a remote thread that starts at LoadLibraryA with the DLL path as its argument), and Process Hollowing, where a legitimate process is spawned in a suspended state (CREATE_SUSPENDED), its original image is unmapped (hollowed out), a malicious image is written in its place, the main thread's entry point is repointed with SetThreadContext, and the thread is resumed. For a penetration tester, understanding these mechanics is vital for simulating advanced persistent threats (APTs) and for testing whether host-based intrusion detection actually catches them.
CompTIA PenTest+ Study Guide: Process Injection
What is Process Injection?
Process injection is a method used by attackers and penetration testers to run malicious code within the address space of another running process. By injecting code into a legitimate process (such as explorer.exe, notepad.exe, or svchost.exe), the malicious activity can mask itself, effectively hiding in plain sight to evade detection by Antivirus (AV) and Endpoint Detection and Response (EDR) systems.
Why is it Important?
Understanding process injection is vital for the CompTIA PenTest+ exam because it represents a sophisticated level of Defense Evasion (and, when the target process holds a higher-privileged token, Privilege Escalation). It allows an attacker to:
1. Bypass allowlisting, since the host process is trusted.
2. Access memory and resources belonging to the target process (its handles, tokens, and in-memory secrets).
3. Run code under the target process's token, for example as SYSTEM. Note the prerequisite: opening a SYSTEM process with PROCESS_ALL_ACCESS already requires administrative rights (SeDebugPrivilege), so this is token reuse after an initial elevation, not a way to obtain it from an unprivileged user.
Injected code lives only as long as its host process, so process injection is not a persistence mechanism on its own; it is usually paired with a separate persistence technique.
How it Works (The Mechanism)
While there are various techniques (such as DLL Injection, PE Injection, and Process Hollowing), the classic approach usually follows these four steps involving specific Windows API calls:
1. Open: The malware retrieves a handle to the target process using OpenProcess, requesting the rights the later calls need (PROCESS_VM_OPERATION, PROCESS_VM_WRITE, PROCESS_VM_READ, PROCESS_CREATE_THREAD and PROCESS_QUERY_INFORMATION, or simply PROCESS_ALL_ACCESS).
2. Allocate: Memory is reserved and committed within the target process's address space using VirtualAllocEx (typically with PAGE_EXECUTE_READWRITE when the payload is shellcode).
3. Write: The malicious payload (shellcode or the path to a malicious DLL) is written into that allocated memory using WriteProcessMemory.
4. Execute: A new thread is created within the target process using CreateRemoteThread, with its start address pointing at the injected shellcode, or at LoadLibraryA with the written DLL path as its argument.
Exam Tips: Answering Questions on Process Injection
To answer questions correctly on the exam, apply the following strategies:
1. Look for API Calls: If a question provides a log snippet or describes code execution involving OpenProcess and VirtualAllocEx followed by WriteProcessMemory and CreateRemoteThread, the answer is almost certainly Process Injection. In real telemetry the same chain shows up as Sysmon Event ID 8 (CreateRemoteThread) or as EDR API traces; debuggers and some security products use the same calls legitimately, so on a live host the source image and an executable (RWX) allocation are what separate a true positive from noise.
2. Differentiate from Buffer Overflow: Do not confuse this with Buffer Overflows. A Buffer Overflow exploits a memory-safety flaw to crash a program or hijack its instruction pointer by writing past a buffer's bounds inside the vulnerable process. Process Injection needs no flaw: it uses documented APIs to allocate valid memory in a separate process and run code alongside it.
3. Identify DLL Injection: If the scenario mentions "loading a malicious library," "forcing a process to load a DLL," or a remote thread that starts at LoadLibrary, select DLL Injection, a specific subset of process injection.
4. Process Hollowing: Watch for scenarios where a legitimate process is started in a suspended state, its code is unmapped, and malicious code is swapped in before the process is resumed. This is a stealthy variant known as Process Hollowing.
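Exam tip 1 turned into detection logic, as an added example that is not part of the original study guide: the function below walks an API-call trace and reports every (source PID, target PID) pair that completes the OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread chain in order. The trace format, the process names, the PIDs and the function name Find-InjectionSequence are all constructed for the demonstration; a real source would be EDR API telemetry or Sysmon events.

```powershell
# Added example, not from the original page. The trace below is constructed:
# the line format, images and PIDs are made up to exercise the detection logic.
$sampleTrace = @'
12:00:01 pid=4312 image=updater.exe api=OpenProcess target=2208
12:00:01 pid=4312 image=updater.exe api=VirtualAllocEx target=2208 protect=PAGE_EXECUTE_READWRITE
12:00:01 pid=4312 image=updater.exe api=WriteProcessMemory target=2208
12:00:02 pid=4312 image=updater.exe api=CreateRemoteThread target=2208
12:00:05 pid=1880 image=procexp.exe api=OpenProcess target=2208
12:00:05 pid=1880 image=procexp.exe api=ReadProcessMemory target=2208
'@

function Find-InjectionSequence {
    param([Parameter(Mandatory)][string[]]$Lines)
    $pattern  = 'pid=(?<src>\d+)\s+image=(?<img>\S+)\s+api=(?<api>\w+)\s+target=(?<dst>\d+)'
    $order    = 'OpenProcess', 'VirtualAllocEx', 'WriteProcessMemory', 'CreateRemoteThread'
    $progress = @{}   # "srcpid->dstpid" => index of the next call expected in the chain
    $rwx      = @{}   # same key => the allocation asked for an executable page
    $hits     = New-Object System.Collections.Generic.List[object]

    foreach ($line in $Lines) {
        if (-not ($line -match $pattern)) { continue }
        # Track the chain per (source, target) pair so that two unrelated
        # processes touching the same target never combine into one alert.
        $key = '{0}->{1}' -f $Matches.src, $Matches.dst
        if (-not $progress.ContainsKey($key)) { $progress[$key] = 0 }
        # A lone OpenProcess or a ReadProcessMemory (procexp above) does not advance the chain.
        if ($Matches.api -ne $order[$progress[$key]]) { continue }
        if ($Matches.api -eq 'VirtualAllocEx') { $rwx[$key] = $line -like '*PAGE_EXECUTE_READWRITE*' }
        $progress[$key]++
        if ($progress[$key] -eq $order.Count) {
            $hits.Add([pscustomobject]@{
                Source    = $Matches.img
                SourcePid = [int]$Matches.src
                TargetPid = [int]$Matches.dst
                ExecAlloc = [bool]$rwx[$key]
            })
            $progress[$key] = 0   # reset so a second injection by the same pair is reported again
        }
    }
    return $hits
}

# Expected: one hit, updater.exe (4312) -> 2208 with ExecAlloc True; procexp.exe produces none.
Find-InjectionSequence -Lines ($sampleTrace -split "`r?`n") | Format-Table
```

The ExecAlloc column is the practitioner's tie-breaker: a debugger or inventory agent may legitimately open a process and read its memory, but an RWX allocation followed by a remote thread from an unsigned image is the combination worth escalating.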