Exploring Process Injection, Hollowing, and Shellcode Execution in Windows

Since reverse shell files typically transmit non-HTTP requests, I developed a separate payload to dump the lsass.exe process.

Dump lsass

First, I obtain a snapshot to locate the PID of lsass.exe, then use OpenProcess to establish a handle:

// 2. Call OpenProcess (PROCESS_ALL_ACCESS), get lsass.exe handle

let lsass_handle = OpenProcess(
    PROCESS_ALL_ACCESS,
    0,
    lsass_pid
);

I then utilize the MiniDumpWriteDump function

let success = MiniDumpWriteDump(
    lsass_handle,
    lsass_pid,
    dump_file.as_raw_handle() as windows_sys::Win32::Foundation::HANDLE,
    dump_type,
    null(),
    null(),
    null()
);

The dump of lsass.exe was successfully obtained.

Using PEStudio to analyze the Import Address Table (IAT)

As shown here, the Import Address Table (IAT) clearly contains suspicious function calls such as MiniDumpWriteDump, which are easily identifiable indicators of malicious behavior.

VirusTotal Analysis:

Detection rate: 8/72

Notably, Microsoft's Defender flagged the sample on VirusTotal, while most other AV and EDR vendor engines did not mark it as malicious.

The analysis also flagged the dumping of sensitive information files.

---

Valloc

The executable file was converted into a raw binary format.

I leveraged VirtualAlloc to allocate a region of memory with executable permissions, into which the shellcode was written and subsequently executed.

VirusTotal:

Detection rate: 36/72

By using x64dbg’s trace feature, it is easy to quickly observe when kernel32.dll calls VirtualAlloc.

Valloc pointer

Detection rate: 30/72

Also easy to observe kernel32.dll calls VirtualAlloc by x64dbg.

Process Injection

I use OpenProcess open a handle, allocate executable memory, then write shellcode into the allocated memory. Execute the shellcode with a remote thread.

VirusTotal:

Detection rate: 23/72

Using x64dbg, it is straightforward to observe kernel32.dll invoking VirtualAlloc.

WriteProcessMemory

CreateRemoteThread

Process Hollowing

VirusTotal:

Detection rate: 22/72

Similarly as process injection, but not use VirtualAlloc.

Process Hollowing Antistring

In order to evade EDR monitoring, I employ unhooking methods to bypass hooked APIs.

VirusTotal:

Detection rate: 5/72 (!)

I rename the dump file to txt extension file. But still get rate 5/72

CrowdStrike Falcon change Win/malicious_confidence_70% (D) to Win/malicious_confidence_60% (D)

Bypass Sigma Rules!

The Next

Leveraging Windows APIs in combination with unhooking techniques proves to be highly effective. Moving forward, I prefer to minimize reliance on MiniDumpWriteDump, opting instead for direct use of native APIs or enumerate memory.