Can You Run My Code? A Close Look at Process Injection in Windows Malware / Di Pietro, Giorgia; D'Elia, Daniele Cono; Querzoni, Leonardo. - (2025), pp. 1600-1616. (Paper presented at the Asia Conference on Information, Computer and Communications Security held in Hanoi, Vietnam) [10.1145/3708821.3736206].
Can You Run My Code? A Close Look at Process Injection in Windows Malware
Di Pietro, Giorgia; D'Elia, Daniele Cono; Querzoni, Leonardo
2025
Abstract
Process injection is a core technique for malware authors to evade detection and enhance stealth. Despite its widespread use and importance in malware analysis, process injection remains underexplored in academic research, with prior work often limited to specific techniques or lacking a systematic approach. This paper proposes a principled analysis methodology centered on fundamental operational steps inherent to all known process injection variants. By looking for the co-occurrence of a minimal set of these steps and correlating them via memory address identity, our approach overcomes the accuracy and overhead limitations of prior studies and enables reliable detection and fine-grained analysis of process injection attacks at tenable run-time costs. We provide fresh insights into how threat actors leverage this technique by analyzing malware spotted in the wild from 2017 to 2023. An analysis of 56,340 representative samples from 2,667 malware families estimates process injection to be a dominant evasion strategy, and suggests that threat actors continuously adapt their choices and implementation variants in response to evolving defense mechanisms and community knowledge. Comparative experiments then show that our method outperforms dedicated solutions and mainstream sandboxes in identifying injection activity. To foster future research, we share with the community the implementation, dataset, and experimental logs from this study.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.