Centralized resource for listing and organizing known injection techniques and POCs

• Introduction
• Linux Injection
  • Process Spawning
    • LD_PRELOAD
  • Process Injection
    • PTRACE
    • Proc Memory
• Windows Injection
  • Process Spawning
    • Process Hollowing
    • Transacted Hollowing
    • Process Doppelganging
    • Process Herpaderping
    • Process Ghosting
    • Early Bird
    • EntryPoint Patching
    • Ruy-Lopez
  • Process Injection
    • Classic Dll Injection
    • Dll Injection via SetWindowsHookEx
    • Reflective Dll Injection
    • PE Injection
    • Section Mapping Injection
    • APC Queue Injection
    • Thread Execution Hijacking
    • Atom Bombing Injection
    • Mocking jay Injection
    • ListPlanting Injection
    • Extra Window Memory Injection
    • ThreadlessInject
    • EPI
    • DllNotification Injection
    • D1rkInject
    • NtQueueAPCThreadEx Gadget Injection
    • Dirty-Vanity
    • Function Stomping
    • Caro-Kann
    • Stack Bombing
    • Ghost Writing

Introduction

I've been thinking about putting together a list of process injection techniques and ingenious POCs because I haven't found a decent one. This list focuses on process-spawning injection methods and actual process injection, excluding pre-execution techniques (e.g. AppCert and AppInit Dlls), and self-injection techniques.

Linux Injection

Process Spawning

LD_PRELOAD

• https://attack.mitre.org/techniques/T1574/006/

Process Injection

PTRACE

• https://attack.mitre.org/techniques/T1055/008/
• https://github.com/kubo/injector

Proc Memory

• https://attack.mitre.org/techniques/T1055/009/
• https://github.com/DavidBuchanan314/dlinject
• https://github.com/AonCyberLabs/Cexigua

Windows Injection

Process Spawning

Process Hollowing

• https://attack.mitre.org/techniques/T1055/012/
• https://github.com/m0n0ph1/Process-Hollowing

Transacted Hollowing

• https://github.com/hasherezade/transacted_hollowing

Process Doppelganging

• https://attack.mitre.org/techniques/T1055/013/
• https://github.com/hasherezade/process_doppelganging

Process Herpaderping

• https://github.com/jxy-s/herpaderping

Process Ghosting

• https://github.com/hasherezade/process_ghosting

Early Bird

• https://www.cyberbit.com/endpoint-security/new-early-bird-code-injection-technique-discovered/
• https://www.ired.team/offensive-security/code-injection-process-injection/early-bird-apc-queue-code-injection

EntryPoint Patching

• https://www.ired.team/offensive-security/code-injection-process-injection/addressofentrypoint-code-injection-without-virtualallocex-rwx

Ruy-Lopez

• https://github.com/S3cur3Th1sSh1t/Ruy-Lopez

Process Injection

Classic Dll Injection

• https://attack.mitre.org/techniques/T1055/001/
• https://www.ired.team/offensive-security/code-injection-process-injection/dll-injection

Dll Injection via SetWindowsHookEx

• https://github.com/DrNseven/SetWindowsHookEx-Injector

Reflective Dll Injection

• https://attack.mitre.org/techniques/T1055/001/
• https://github.com/stephenfewer/ReflectiveDLLInjection
• https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection

PE Injection

• https://attack.mitre.org/techniques/T1055/002/
• https://www.ired.team/offensive-security/code-injection-process-injection/pe-injection-executing-pes-inside-remote-processes

Section Mapping Injection

• https://www.ired.team/offensive-security/code-injection-process-injection/ntcreatesection-+-ntmapviewofsection-code-injection

APC Queue Injection

• https://attack.mitre.org/techniques/T1055/004/
• https://www.ired.team/offensive-security/code-injection-process-injection/apc-queue-code-injection

Thread Execution Hijacking

• https://attack.mitre.org/techniques/T1055/003/
• https://www.ired.team/offensive-security/code-injection-process-injection/injecting-to-remote-process-via-thread-hijacking

Atom Bombing Injection

• https://github.com/BreakingMalwareResearch/atom-bombing

Mocking jay Injection

• https://www.securityjoes.com/post/process-mockingjay-echoing-rwx-in-userland-to-achieve-code-execution

ListPlanting Injection

• https://attack.mitre.org/techniques/T1055/015/
• https://cocomelonc.github.io/malware/2022/11/27/malware-tricks-24.html

Extra Window Memory Injection

• https://attack.mitre.org/techniques/T1055/011/
• https://github.com/BreakingMalware/PowerLoaderEx

ThreadlessInject

• https://github.com/CCob/ThreadlessInject

EPI

• https://github.com/Kudaes/EPI

DllNotification Injection

• https://github.com/ShorSec/DllNotificationInjection

D1rkInject

• https://github.com/TheD1rkMtr/D1rkInject

NtQueueAPCThreadEx Gadget Injection

• https://github.com/LloydLabs/ntqueueapcthreadex-ntdll-gadget-injection

Dirty-Vanity

• https://github.com/deepinstinct/Dirty-Vanity

Function Stomping

• https://github.com/Idov31/FunctionStomping

Caro-Kann

• https://github.com/S3cur3Th1sSh1t/Caro-Kann

Stack Bombing

• https://github.com/maziland/StackBombing

Ghost Writing

• https://github.com/c0de90e7/GhostWriting
• https://blog.sevagas.com/IMG/pdf/code_injection_series_part5.pdf