Operator On The Wire
BLUE TEAM / MALWARE REVERSE / ANALYSIS / STATIC / DANGEROUS FUNCS / WIN32

Process Injection

Every function below also appears in legitimate software (debuggers, installers, security agents), so a single import is a weak signal. The indicator is the chain: a handle to another process from OpenProcess, followed by allocate, write and execute primitives against that handle, or the NTDLL-level equivalents of the same sequence. Remember that a loader resolving these names at runtime through GetProcAddress shows none of them in its import table; then the names surface as strings instead.

Classic Remote Injection (CreateRemoteThread chain, plus the APC variant)

  • OpenProcess

  • VirtualAllocEx

  • WriteProcessMemory

  • CreateRemoteThread

  • CreateRemoteThreadEx

  • NtCreateThreadEx

  • QueueUserAPC (APC injection: queues the payload to an existing thread in the target instead of creating a new one)


Lower-Level Variants

  • NtWriteVirtualMemory

  • NtAllocateVirtualMemory

  • NtQueueApcThread

  • RtlCreateUserThread


Section Mapping / Advanced Injection

  • NtCreateSection

  • NtMapViewOfSection

  • MapViewOfFile

  • MapViewOfFileEx


Process Hollowing

  • CreateProcess (with CREATE_SUSPENDED)

  • NtUnmapViewOfSection / ZwUnmapViewOfSection (the same ntdll stub; in user mode the Zw* name is an alias of the Nt* export)

  • SetThreadContext

  • ResumeThread


Thread Context Manipulation

  • GetThreadContext

  • SetThreadContext
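As an added example (not code from the original page or its knowledge base), the following Python turns the lists above into chain rules for static triage: a binary is flagged for a technique only when every stage of that chain is present in its import table or, when it imports GetProcAddress, among its printable strings, which is how runtime-resolved imports look statically. It folds Zw*/Nt* aliases and A/W suffixes. The stage groupings, the added "execute" stage for section mapping and the sample import lists are this example's assumptions, not the page's.

```python
"""Import-chain triage for the process-injection primitives listed on this page.

Input is what a static tool already gives you: the import-table names of a PE
and its printable strings. Nothing here parses a PE; feed it the output of
pefile, dumpbin /imports or strings. The stage groupings are this example's
own reading of the lists above, not a published rule set.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Stage building blocks. Zw* aliases and A/W suffixes are folded in canonical().
ALLOCATE = frozenset({"VirtualAllocEx", "NtAllocateVirtualMemory"})
WRITE = frozenset({"WriteProcessMemory", "NtWriteVirtualMemory"})
REMOTE_THREAD = frozenset({"CreateRemoteThread", "CreateRemoteThreadEx",
                           "NtCreateThreadEx", "RtlCreateUserThread"})
APC = frozenset({"QueueUserAPC", "NtQueueApcThread"})
MAP = frozenset({"NtMapViewOfSection", "MapViewOfFile", "MapViewOfFileEx"})

# A technique is an ordered list of (stage, APIs that satisfy it). Every stage
# must be present before the technique is reported: one import is noise, the
# chain is the signal. The section-mapping "execute" stage is an assumption
# added here because mapping a section alone is ubiquitous in benign code.
INJECTION_CHAINS: dict[str, list[tuple[str, frozenset[str]]]] = {
    "classic_remote_thread": [("open", frozenset({"OpenProcess"})),
                              ("allocate", ALLOCATE), ("write", WRITE),
                              ("execute", REMOTE_THREAD)],
    "apc_injection": [("open", frozenset({"OpenProcess"})),
                      ("allocate", ALLOCATE), ("write", WRITE), ("queue", APC)],
    "section_mapping": [("create_section", frozenset({"NtCreateSection"})),
                        ("map", MAP),
                        ("execute", REMOTE_THREAD | APC | {"SetThreadContext"})],
    "process_hollowing": [("spawn_suspended", frozenset({"CreateProcess"})),
                          ("unmap", frozenset({"NtUnmapViewOfSection"})),
                          ("hijack_context", frozenset({"SetThreadContext"})),
                          ("resume", frozenset({"ResumeThread"}))],
    "thread_context_manipulation": [("read_context", frozenset({"GetThreadContext"})),
                                    ("set_context", frozenset({"SetThreadContext"}))],
}
KNOWN_APIS = frozenset().union(*(apis for stages in INJECTION_CHAINS.values()
                                 for _, apis in stages))


def canonical(name: str) -> str:
    """Fold Zw* onto Nt* and drop an A/W suffix, but only when the stripped
    name is one we track, so LoadLibraryA is not mangled to LoadLibrar."""
    name = name.strip()
    if name.startswith("Zw"):
        name = "Nt" + name[2:]
    if name[-1:] in ("A", "W") and name[:-1] in KNOWN_APIS:
        name = name[:-1]
    return name


@dataclass(frozen=True)
class Evidence:
    stage: str
    api: str
    source: str  # "import" (import table) or "string" (likely resolved at runtime)


def find_injection_chains(imports: Iterable[str],
                          strings: Iterable[str] = ()) -> dict[str, list[Evidence]]:
    """Return {technique: evidence} for every chain whose stages are all present.

    An API seen only as a string counts when the binary also imports
    GetProcAddress: that is what a loader resolving its imports at runtime
    looks like statically, and the import table alone would miss it.
    """
    present: dict[str, str] = {}
    for raw in imports:
        present.setdefault(canonical(raw), "import")
    if "GetProcAddress" in present:
        for raw in strings:
            c = canonical(raw)
            if c in KNOWN_APIS:
                present.setdefault(c, "string")

    hits: dict[str, list[Evidence]] = {}
    for technique, stages in INJECTION_CHAINS.items():
        evidence: list[Evidence] = []
        for stage, apis in stages:
            found = sorted(api for api in apis if api in present)
            if not found:
                break  # a stage is missing, so this is not a complete chain
            evidence.extend(Evidence(stage, api, present[api]) for api in found)
        else:
            hits[technique] = evidence
    return hits


# Constructed sample import tables (not taken from real binaries).
HOLLOWING_IMPORTS = ["CreateProcessW", "ZwUnmapViewOfSection", "GetThreadContext",
                     "SetThreadContext", "ResumeThread", "WriteProcessMemory",
                     "VirtualAllocEx", "ReadProcessMemory", "CloseHandle"]
PARTIAL_IMPORTS = ["OpenProcess", "ReadProcessMemory", "WriteProcessMemory",
                   "VirtualProtectEx", "CloseHandle"]  # overlaps, but no full chain
DYNAMIC_IMPORTS = ["LoadLibraryA", "GetProcAddress", "OpenProcess", "CloseHandle"]
DYNAMIC_STRINGS = ["kernel32.dll", "VirtualAllocEx", "WriteProcessMemory",
                   "NtCreateThreadEx", "ntdll.dll"]

if __name__ == "__main__":
    for label, imps, strs in [("hollowing", HOLLOWING_IMPORTS, []),
                              ("partial", PARTIAL_IMPORTS, []),
                              ("dynamic", DYNAMIC_IMPORTS, DYNAMIC_STRINGS)]:
        hits = find_injection_chains(imps, strs)
        print(f"{label}: {sorted(hits) or 'no complete chain'}")
        for technique, ev in hits.items():
            for e in ev:
                print(f"  {technique}.{e.stage}: {e.api} ({e.source})")
```

To run it against a real file with pefile, pass `imp.name.decode() for entry in pe.DIRECTORY_ENTRY_IMPORT for imp in entry.imports if imp.name` as the imports and the output of `strings` as the second argument; the "partial" sample shows why the chain requirement matters, since OpenProcess plus WriteProcessMemory alone describes plenty of benign tooling.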