Aeon
Coder

Process Manipulation: A Technique for Stealthy Malware Evasion

Posted Oct 11, 2023 10:36 PM

Process manipulation, a favored technique employed by malware to skirt detection, hinges on the injection of malevolent code into a genuine process. This artful stratagem entails the inception of a fresh instance of a legitimate process, eventually superseding its authentic code with the nefarious payload.

The process unfolds as follows:

1. CreateProcess: The technique commences by launching the target process in a suspended state, achieved by setting the CreationFlag parameter to 0x00000004 (CREATE_SUSPENDED). This step effectively holds the process in abeyance, preventing its execution.

2. GetThreadContext: With the target process in suspension, the malware retrieves the context of a designated thread within the process. This context encompasses essential information about the thread's state and registers.

3. ZwUnmapViewOfSection: In this step, the malware utilizes ZwUnmapViewOfSection to effectively unmap a designated section's view from the virtual address space of the target process. By doing so, it removes the original code, creating space for the injected payload.

4. VirtualAllocEx: Having cleared space within the suspended process's address space, the malware proceeds to allocate memory for its malicious payload. This step ensures that there is sufficient room to execute the injected code.

5. WriteProcessMemory: The nefarious code, usually contained within a Portable Executable (PE) file, is transferred into the newly allocated memory space within the suspended process. This step allows the malware to seamlessly integrate its payload.

6. SetThreadContext: To initiate execution of the injected code, the malware adjusts the EAX register to point to the entry point of the written executable. This critical modification directs the processor to the malicious code when execution resumes.

7. ResumeThread: Finally, the malware resumes execution of the suspended process's thread, thereby initiating the malicious payload. This marks the completion of the process manipulation technique, with the malware now operating stealthily within the context of the legitimate process.

Process manipulation is a sophisticated evasion technique that allows malware to operate discreetly within the guise of a legitimate process, making it challenging for security measures to detect and mitigate. Security professionals must remain vigilant and employ advanced detection methods to identify and combat such stealthy threats effectively.
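The seven-step API sequence above is also what a defender looks for: a parent creating a child with CREATE_SUSPENDED and then, on that same child, unmapping a section, allocating and writing memory, rewriting the thread context and resuming it. The following Python is an added example (not part of the original post) that runs that state machine over a constructed API-call trace; the `key=value` line format, the process ids and the image names are all assumptions, not the output of any real EDR or tracing tool.

```python
"""Detect the process-hollowing API sequence in a constructed API-call trace.

Added example, not from the original post. The trace format is assumed:
one event per line, space-separated key=value fields, in time order.
"""
import re
from dataclasses import dataclass, field

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit named in the post

# Calls that, in this order, make up the sequence described in the post.
# ZwUnmapViewOfSection and NtUnmapViewOfSection are the same export, so the
# Zw/Nt prefix is stripped before matching.
SEQUENCE = [
    "UnmapViewOfSection",
    "VirtualAllocEx",
    "WriteProcessMemory",
    "SetThreadContext",
    "ResumeThread",
]

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Turn 'ts=... pid=... api=... target=...' into a dict of strings."""
    return dict(_FIELD.findall(line))


def strip_prefix(api: str) -> str:
    """Normalise ZwFoo / NtFoo to Foo so either spelling matches."""
    for prefix in ("Zw", "Nt"):
        if api.startswith(prefix):
            return api[len(prefix):]
    return api


@dataclass
class Tracker:
    """Per-target progress through the hollowing sequence."""
    parent: str
    image: str
    stage: int = 0                       # index of the next expected call
    seen: list = field(default_factory=list)


def detect_hollowing(lines) -> list:
    """Return one alert dict per child process that completed the sequence.

    A child is tracked only if it was created with CREATE_SUSPENDED, and only
    calls from the same parent advance the chain, so a lone cross-process
    write (a debugger, a legitimate injector) does not fire an alert.
    """
    suspended = {}   # child pid -> Tracker
    alerts = []
    for line in lines:
        ev = parse_event(line)
        api, pid = ev.get("api", ""), ev.get("pid")
        if api in ("CreateProcessW", "CreateProcessA"):
            flags = int(ev.get("flags", "0"), 16)
            if flags & CREATE_SUSPENDED:
                suspended[ev["child"]] = Tracker(parent=pid,
                                                 image=ev.get("image", "?"))
            continue
        target = ev.get("target")
        tr = suspended.get(target)
        if tr is None or tr.parent != pid:
            continue
        if strip_prefix(api) == SEQUENCE[tr.stage]:
            tr.stage += 1
            tr.seen.append(api)
            if tr.stage == len(SEQUENCE):
                alerts.append({"parent": pid, "child": target,
                               "image": tr.image, "calls": list(tr.seen)})
                del suspended[target]
    return alerts


# Constructed sample trace: one full hollowing chain plus benign noise.
SAMPLE_TRACE = [
    "ts=1 pid=100 api=CreateProcessW child=200 image=svchost.exe flags=0x4",
    "ts=2 pid=100 api=GetThreadContext target=200",
    "ts=3 pid=100 api=ZwUnmapViewOfSection target=200",
    "ts=4 pid=100 api=VirtualAllocEx target=200",
    "ts=5 pid=100 api=WriteProcessMemory target=200",
    "ts=6 pid=100 api=SetThreadContext target=200",
    "ts=7 pid=100 api=ResumeThread target=200",
    "ts=8 pid=300 api=CreateProcessW child=400 image=notepad.exe flags=0x0",
    "ts=9 pid=300 api=WriteProcessMemory target=400",
]

if __name__ == "__main__":
    for a in detect_hollowing(SAMPLE_TRACE):
        print(f"possible hollowing: {a['parent']} -> {a['child']} ({a['image']})")
```

The chain is keyed on the suspended child and the creating parent rather than on any single API, because each call in isolation is common in legitimate software (debuggers, crash handlers, installers); it is the ordered combination on a process that has never run that is the signal. GetThreadContext is deliberately not required, since a hollowing tool can skip it, and the chain is only reported once ResumeThread closes it.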
Oct 11, 2023 10:43 PM
Amazing post. Thank you for sharing this, really informative.