Process injection
Definition
A technique used by malware and attackers to execute code inside the address space of a legitimate running process. Common methods include CreateRemoteThread, APC injection, and reflective DLL loading. The injected code runs with the host process's privileges and, because it exists only in memory and never touches disk, is invisible to filesystem scanners.
Related terms
- LiME (Linux Memory Extractor): A loadable kernel module that acquires physical memory from Linux, macOS, and Android systems. It maps the physical address space and either...
- Order of volatility: The sequence in which digital evidence should be collected, ranked from most to least transient. Defined in RFC 3227. CPU registers and...
- Physical memory image: A byte-for-byte copy of all installed RAM on a running system, acquired at the hardware or kernel level. Contains all data structures,...
- Reflective DLL loading: A technique that loads a Windows DLL directly from memory without registering it with the OS loader. The DLL resolves its own...
- Volatility Framework: An open-source memory forensics framework written in Python. It parses raw memory images using OS-specific symbol information to reconstruct kernel data structures...
Explained in
- Memory Acquisition and Analysis in Incident Response