Explain process injection, give a couple of techniques, and say how a blue team detects it.
Short answer
Process injection runs attacker code inside the memory space of a legitimate process so the activity blends in and inherits that process's trust. Classic techniques include DLL injection (CreateRemoteThread + LoadLibrary), process hollowing (start a benign process suspended, unmap it, write malicious code), and APC injection. Defenders detect it via EDR API hooks, anomalous parent/child or memory regions (RWX, unbacked executable memory), and Sysmon CreateRemoteThread events.
Process injection is a core defense-evasion technique: instead of running as its own suspicious process, malware executes inside a trusted process (like explorer.exe or svchost.exe). That gives it two wins — it hides among normal activity, and it inherits the host process's permissions and network reputation. Interviewers ask this to test depth on Windows internals and EDR detection.
Common techniques
- DLL injection — write the path of a malicious DLL into a target process's memory and force it to load via
CreateRemoteThreadcallingLoadLibrary. Simple and well-known. - Process hollowing (RunPE) — launch a legitimate process suspended, unmap (hollow out) its image, write malicious code into that space, fix the entry point, and resume. The process looks legit on the outside but runs attacker code.
- APC injection — queue an Asynchronous Procedure Call to a thread so the payload runs when the thread enters an alertable state.
- Reflective DLL loading / thread hijacking / "early bird" — variants that avoid touching disk or LoadLibrary to dodge hooks.
The typical Windows call chain is OpenProcess → VirtualAllocEx → WriteProcessMemory → CreateRemoteThread, which EDRs hook closely.
Detection
EDR products hook these APIs and flag suspicious sequences. Memory scanning catches RWX regions and unbacked executable memory (code not mapped from a file on disk). Sysmon Event ID 8 logs CreateRemoteThread, and Event ID 10 logs ProcessAccess to sensitive processes like LSASS. Anomalous parent/child relationships (e.g., Word spawning a process that injects elsewhere) are strong signals.
Why this matters
A senior-level answer names a couple of techniques accurately, explains why injection evades file- and process-based detection, and points to memory and behavioral telemetry for detection — while noting that legitimate software also injects, so context matters to avoid false positives.
Likely follow-ups
- How does process hollowing differ from classic DLL injection?
- Why is RWX or unbacked executable memory a red flag?
- What legitimate software also injects code, complicating detection?