# Portable Executable Injection

Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.

PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). Because the copy lands at a different base address than the one the image was built or loaded for, the injector must also fix up absolute memory references: it walks the image's base relocation table (the .reloc section) and adds the difference between the new and old base to each entry before writing the copy into the target.

Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process.

**Example:**

In this demo we will be working with the C++ code from ired.team (linked in the references below).

The demo shows that we first need the PID of the process we want to inject into; here we will focus on **notepad.exe**.

Once we have located the PID of the process, we edit the code as necessary to inject into it.

![](/files/-MRhukFSOjK6W6vQqRmz)

Now edit the code so that it targets the correct PID of the process.

![](/files/-MRhul2MirC_2umJySaO)

Once this is properly added we can compile and move the executable to the workstation. I lightly edited the code so it executes calc instead of a message box.

![](/files/-MRhulrxDbmWWFJWbOR9)

Once the binary is executed, calc pops up.

![](/files/-MRhun-B7JogYnKn_Q2z)

We can see above that calc becomes a child process of notepad.

![](/files/-MRhv-WphHV6JddvTumT)

References:

{% embed url="<https://www.ired.team/offensive-security/code-injection-process-injection/pe-injection-executing-pes-inside-remote-processes>" %}

{% embed url="<https://blog.sevagas.com/PE-injection-explained>" %}

{% embed url="<https://www.malwaretech.com/2013/11/portable-executable-injection-for.html>" %}

{% embed url="<https://github.com/r00t-3xp10it/pe-union>" %}

{% embed url="<https://bytecode77.com/pe-union>" %}
