Business logic: why an attacker covert introduction of the code
Process Injection (T1055, Defense Evasion / Privilege Escalation) - one of the most exploited techniques by both APT groups and commodity-malwarri operators. Purpose: to run arbitrary code on behalf of the legitimate process, inherit its privileges, network connections, and reputation in the eyes of EDR. According to Red Canary (Tier-2), the process of the emission of the "a versatile tool that adversaries elena on to evade controls and defensive gains to adapt to systems""a universal tool that opponents use to bypass protective equipment and gain access to sensitive systems
At the post-exploitation stage, an injection into a long-lived system process (e.g. svchost.exe) gives a stable beacon for the C2 channel. When lateral movement - starting a credential-dumping payload in the context lsass.exe without a suspicious child process. With exfiltration, network connections from the browser process, which already generates outbound traffic.
Classic process cleaning injection equipment - DLL Injection (T1055.001), Process Hollowing (T1055.012), Thread Execution Hijacking (T1055.003) - rely on API-calls that EDR monitor at the core level. EntryPoint Hijacking offers to circumvent this limitation.
Place in kill chain: from foothold to persistence
[Applicable to: internal pentest, grey box / white box, Windows 10/11/Server 2019+]
EntryPoint Hijacking - post-exploitation. For use you need a received foothold: RCE on the host, session via the starter bootloader or physical access. Typical chain:
1. Initial access - phishing, exploiting vulnerability, supply chain
2. Foothold - primary downloader with minimal functionality
3. EntryPoint Hijacking - Payload migration into a legitimate process (current stage)
4. Post-exploitation - launch of beacon, credential dumping, lateral movement
5. Exfiltration - output data via C2-channel from the context of the trusted process
The technique does not give persistence on its own - after rebooting the patch of LDR-structures is reset. To fix, you need a bundle with a separate mechanism (task, run registry key, COM hijacking)
Why classic process injection equipment detects EDR
CreateRemoteThread and DLL Injection (T1055.001)
Chapel VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread with address LoadLibrary - tutorial on stealth exhaust injection, and detects accordingly. According to Elastic (Tier-1), this technique "it is tracked and flagged by many security products""Tracked and Marked by Many Safety Products". CrowdStrike Falcon and SentinelOne register kernel callback through PsSetCreateThreadNotifyRoutine, which works when creating any flow. In the processor, EDR defines a cross-process creation (PID of the creator ! = PID of the flow owner) and generates a telemetry that does not bypass the userland. In SigmaHQ by tag T1055.001 10 rules, including the Cobalt Strike beacon detect by Sysmon EventID (CreateRemoteThatread) (create_remote_thread_win_hktl_cobaltstrike.yml)
Process Hollowing (T1055.0212)
Pattern CreateProcess(CREATE_SUSPENDED) -> NtUnmapViewOfSection -> WriteProcessMemory -> SetThreadContext -> ResumeThread caught by the sequence of calls. Elastic describes that a constitutive combination of a suspended process is already suspicious, followed by a change in the flow context. SentinelOne detects the substitution of entrypoint by comparing the contents of PE on disk and memory.
APC Injection (T1055.004)
NtQueueApcThread / QueueUserAPC In the alertable stream, a technique that Atomic Red Team tests three options: through C#, EarlyBird in Go and NtQueueApcThreadEx. Elastic Defend via ETW-TI (Micropis-Windows-Threat-Intelligence, requires PPL subscription) receives events ThreatIntQueueApcThread for calls NtQueueApcThread(Ex). By D3FEND, key countermeasures - System Call Analysis (D3-SCA) and Process Spawn Analysis (D3-PSA)
The General Pattern of Detect
All listed malware injection techniques combines one thing: they explicitly initiate the execution of the code in the target process through API-chip. EDRs intercept the moment of transfer of control - the creation of flow, the call of APC, change the context. It is this pattern EntryPoint Hijacking that breaks.
EntryPoint Hijacking: Injecting Processes Through DLL Entrance Point
How Windows Causes DllMain
Each downloaded module (DLL) has a function DllMain()which the OS automatically causes when creating and completing streams (DLL_THREAD_ATTACH / DLL_THREAD_DETACH) Windows bootloader stores information about each module in the lists PEB_LDR_DATA (structures LDR_DATA_TABLE_ENTRY), including the field EntryPoint - address DllMain(). During the events DLL_THREAD_ATTACH Function ntdll!LdrpCallInitRoutine bypasses these lists and calls EntryPoint each module.
When the process creates a new stream, the bootloader passes through the list of loaded modules and pulls DllMain() each with a parameter DLL_THREAD_ATTACH. This is the mechanic that EntryPoint Hijacking operates.
Consistency of attack
1. The attacker receives the task force for the target process ( OpenProcesswith rights PROCESS_VM_WRITE | PROCESS_VM_READ)
2. Through NtQueryInformationProcessreceive the PEB target process address
3. Bypassing the list InMemoryOrderModuleListin PEB_LDR_DATA, finds the right DLL (usually kernelbase.dll)
4. Records shellcode or runner function in process memory through WriteProcessMemory
5. Replaces the field EntryPointin LDR_DATA_TABLE_ENTRYto the address of the recorded code
6. Waiting - the code will be executed automatically when the process creates a new flow
7. After the execution of EntryPoint is restored to the original value for stability
Key point: the only "aggressive" API-challenge - WriteProcessMemory. None CreateRemoteThread, NtQueueApcThread, SetThreadContext. Shellcode injection is hidden, and EDR, building a detecting the intercepting API, skip the technique.
What you can see in WinDbg
To analyze LDR-structures in the debugger (according to the iPurple Team):
Code:
lm m kernelbase
dt ntdll!_LDR_DATA_TABLE_ENTRY <адрес_из_PEB>
Field EntryPoint will show the current address of the module input point. If it does not coincide with DllBase + IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint - structure modified. It's simple: a discrepancy = someone has already been.
PoC tools: EPI and LdrShuffle - bypassing antivirus injection
Now two public PoCs are available to implement EntryPoint Hijacking with different implementation approaches.
EPI - EntryPoint Injection (2023)
Author: Kurosh Dabbagh Escalante. Repository: Kudaes/EPI/.
EPI Patchet EntryPoint Uploaded kernelbase.dll. When creating a new flow by the target process, intercepted DllMain is performed in the context of this stream; so as not to rest on the loader lock, EPI immediately through QueueUserWorkItem transfers the main payload to the system thread pool, where it is executed. After PEB is executed, it is restored to the previous state. Launch: epi.exe -p <PID>.
LdrShuffle (x33fcon 2025)
Author: Hugo Valette. Repository: RWXstoned/LdrShuffle.
LdrShuffle implements the same idea, but with a different execution mechanism - Runner function, which is stored in heap and determines which Windows API to call. Key requirement for DLL selection for hike (from the source code LdrShuffle):
C:
(pDte->EntryPoint != NULL && pDte->DontCallForThreads == 0 && i > 5)
DontCallForThreads == 0 checks that DLL accepts thread notifications, and i > 5 passes the first five modules - their patch causes the instability of the process. Logically: the first five are ntdll, kernel32 and a company that is more expensive to touch. LdrShuffle works in two modes: local injection (LdrShuffle.exe) and deleted (LdrInject.exe <PID> <shellcode>.bin)
Limitations of both PoCs
• Deadlock with complex APIs. InternetOpenWand similar functions of wininet/ winhttpcause deadlock due to thread-syronment inside DllMain(Lopper lock). For C2-callback, a separate flow is needed - which partially reduces the advantage of technology
• Race condition. There is a window in between the record of shellcode and the patch EntryPoint in which another stream can cause DllMain with the already modified, but not yet ready-made EntryPoint
• Integrity of the process. Incorrect patch or unrebuilt EntryPoint leads to the collapse of the process. On real engagement crashing the target process is an incident that SOC will notice instantly
Process Injection (T1055, Defense Evasion / Privilege Escalation) - one of the most exploited techniques by both APT groups and commodity-malwarri operators. Purpose: to run arbitrary code on behalf of the legitimate process, inherit its privileges, network connections, and reputation in the eyes of EDR. According to Red Canary (Tier-2), the process of the emission of the "a versatile tool that adversaries elena on to evade controls and defensive gains to adapt to systems""a universal tool that opponents use to bypass protective equipment and gain access to sensitive systems
At the post-exploitation stage, an injection into a long-lived system process (e.g. svchost.exe) gives a stable beacon for the C2 channel. When lateral movement - starting a credential-dumping payload in the context lsass.exe without a suspicious child process. With exfiltration, network connections from the browser process, which already generates outbound traffic.
Classic process cleaning injection equipment - DLL Injection (T1055.001), Process Hollowing (T1055.012), Thread Execution Hijacking (T1055.003) - rely on API-calls that EDR monitor at the core level. EntryPoint Hijacking offers to circumvent this limitation.
Place in kill chain: from foothold to persistence
[Applicable to: internal pentest, grey box / white box, Windows 10/11/Server 2019+]
EntryPoint Hijacking - post-exploitation. For use you need a received foothold: RCE on the host, session via the starter bootloader or physical access. Typical chain:
1. Initial access - phishing, exploiting vulnerability, supply chain
2. Foothold - primary downloader with minimal functionality
3. EntryPoint Hijacking - Payload migration into a legitimate process (current stage)
4. Post-exploitation - launch of beacon, credential dumping, lateral movement
5. Exfiltration - output data via C2-channel from the context of the trusted process
The technique does not give persistence on its own - after rebooting the patch of LDR-structures is reset. To fix, you need a bundle with a separate mechanism (task, run registry key, COM hijacking)
Why classic process injection equipment detects EDR
CreateRemoteThread and DLL Injection (T1055.001)
Chapel VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread with address LoadLibrary - tutorial on stealth exhaust injection, and detects accordingly. According to Elastic (Tier-1), this technique "it is tracked and flagged by many security products""Tracked and Marked by Many Safety Products". CrowdStrike Falcon and SentinelOne register kernel callback through PsSetCreateThreadNotifyRoutine, which works when creating any flow. In the processor, EDR defines a cross-process creation (PID of the creator ! = PID of the flow owner) and generates a telemetry that does not bypass the userland. In SigmaHQ by tag T1055.001 10 rules, including the Cobalt Strike beacon detect by Sysmon EventID (CreateRemoteThatread) (create_remote_thread_win_hktl_cobaltstrike.yml)
Process Hollowing (T1055.0212)
Pattern CreateProcess(CREATE_SUSPENDED) -> NtUnmapViewOfSection -> WriteProcessMemory -> SetThreadContext -> ResumeThread caught by the sequence of calls. Elastic describes that a constitutive combination of a suspended process is already suspicious, followed by a change in the flow context. SentinelOne detects the substitution of entrypoint by comparing the contents of PE on disk and memory.
APC Injection (T1055.004)
NtQueueApcThread / QueueUserAPC In the alertable stream, a technique that Atomic Red Team tests three options: through C#, EarlyBird in Go and NtQueueApcThreadEx. Elastic Defend via ETW-TI (Micropis-Windows-Threat-Intelligence, requires PPL subscription) receives events ThreatIntQueueApcThread for calls NtQueueApcThread(Ex). By D3FEND, key countermeasures - System Call Analysis (D3-SCA) and Process Spawn Analysis (D3-PSA)
The General Pattern of Detect
All listed malware injection techniques combines one thing: they explicitly initiate the execution of the code in the target process through API-chip. EDRs intercept the moment of transfer of control - the creation of flow, the call of APC, change the context. It is this pattern EntryPoint Hijacking that breaks.
EntryPoint Hijacking: Injecting Processes Through DLL Entrance Point
How Windows Causes DllMain
Each downloaded module (DLL) has a function DllMain()which the OS automatically causes when creating and completing streams (DLL_THREAD_ATTACH / DLL_THREAD_DETACH) Windows bootloader stores information about each module in the lists PEB_LDR_DATA (structures LDR_DATA_TABLE_ENTRY), including the field EntryPoint - address DllMain(). During the events DLL_THREAD_ATTACH Function ntdll!LdrpCallInitRoutine bypasses these lists and calls EntryPoint each module.
When the process creates a new stream, the bootloader passes through the list of loaded modules and pulls DllMain() each with a parameter DLL_THREAD_ATTACH. This is the mechanic that EntryPoint Hijacking operates.
Consistency of attack
1. The attacker receives the task force for the target process ( OpenProcesswith rights PROCESS_VM_WRITE | PROCESS_VM_READ)
2. Through NtQueryInformationProcessreceive the PEB target process address
3. Bypassing the list InMemoryOrderModuleListin PEB_LDR_DATA, finds the right DLL (usually kernelbase.dll)
4. Records shellcode or runner function in process memory through WriteProcessMemory
5. Replaces the field EntryPointin LDR_DATA_TABLE_ENTRYto the address of the recorded code
6. Waiting - the code will be executed automatically when the process creates a new flow
7. After the execution of EntryPoint is restored to the original value for stability
Key point: the only "aggressive" API-challenge - WriteProcessMemory. None CreateRemoteThread, NtQueueApcThread, SetThreadContext. Shellcode injection is hidden, and EDR, building a detecting the intercepting API, skip the technique.
What you can see in WinDbg
To analyze LDR-structures in the debugger (according to the iPurple Team):
Code:
lm m kernelbase
dt ntdll!_LDR_DATA_TABLE_ENTRY <адрес_из_PEB>
Field EntryPoint will show the current address of the module input point. If it does not coincide with DllBase + IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint - structure modified. It's simple: a discrepancy = someone has already been.
PoC tools: EPI and LdrShuffle - bypassing antivirus injection
Now two public PoCs are available to implement EntryPoint Hijacking with different implementation approaches.
EPI - EntryPoint Injection (2023)
Author: Kurosh Dabbagh Escalante. Repository: Kudaes/EPI/.
EPI Patchet EntryPoint Uploaded kernelbase.dll. When creating a new flow by the target process, intercepted DllMain is performed in the context of this stream; so as not to rest on the loader lock, EPI immediately through QueueUserWorkItem transfers the main payload to the system thread pool, where it is executed. After PEB is executed, it is restored to the previous state. Launch: epi.exe -p <PID>.
LdrShuffle (x33fcon 2025)
Author: Hugo Valette. Repository: RWXstoned/LdrShuffle.
LdrShuffle implements the same idea, but with a different execution mechanism - Runner function, which is stored in heap and determines which Windows API to call. Key requirement for DLL selection for hike (from the source code LdrShuffle):
C:
(pDte->EntryPoint != NULL && pDte->DontCallForThreads == 0 && i > 5)
DontCallForThreads == 0 checks that DLL accepts thread notifications, and i > 5 passes the first five modules - their patch causes the instability of the process. Logically: the first five are ntdll, kernel32 and a company that is more expensive to touch. LdrShuffle works in two modes: local injection (LdrShuffle.exe) and deleted (LdrInject.exe <PID> <shellcode>.bin)
Limitations of both PoCs
• Deadlock with complex APIs. InternetOpenWand similar functions of wininet/ winhttpcause deadlock due to thread-syronment inside DllMain(Lopper lock). For C2-callback, a separate flow is needed - which partially reduces the advantage of technology
• Race condition. There is a window in between the record of shellcode and the patch EntryPoint in which another stream can cause DllMain with the already modified, but not yet ready-made EntryPoint
• Integrity of the process. Incorrect patch or unrebuilt EntryPoint leads to the collapse of the process. On real engagement crashing the target process is an incident that SOC will notice instantly