Portable Execution Injection

Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.

PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references.

Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process.


In this demo will be working with a C++ code from iredteam.

In the Demo its demonstrated that we will need the PID of the process we want to inject to will focus on notepad.exe.

Once locating the PID of the process we will edit the code as necessary to inject.

Now edit the code as necessary to find the correct PID of the process.

Once this is properly added we can compile and move the executable to the workstation, I lightly edited the code so It executes calc instead of a message box.

Once the binary is executed we have calc pop-up.

We can see above that calc becomes a child process of notepad.


Last updated