Dynamic Process Injection Techniques

Badger has a very powerful set of memory allocation and injection techniques. These include multiple WinAPI, NTAPI and direct syscall execution paths, all while evading the userland ETW syscall hooks implemented by an EDR, which were discussed in the 0.8 release. All the injection techniques support PPID spoofing, DLL blocking and custom child processes.

Changing Memory Allocation Technique

When you perform a memory injection, you need to allocate an RX region in the target process. Badger provides the following options for allocating that RX region in memory.

  • VirtualAllocEx, VirtualProtectEx, WriteProcessMemory (WINAPI)
  • NtCreateSection, NtMapViewOfSection, RtlCopyMemory (NTAPI)
  • NtAllocateVirtualMemory, NtProtectVirtualMemory, NtWriteVirtualMemory (NTAPI)
  • NtCreateSection, NtMapViewOfSection, RtlCopyMemory (Obfuscated Indirect Syscalls - x64 only)
  • NtAllocateVirtualMemory, NtProtectVirtualMemory, NtWriteVirtualMemory (Obfuscated Indirect Syscalls - x64 only)

These techniques can be switched on the fly using the set_malloc command. To check which technique is currently active, use the get_malloc command.

Changing Memory Execution Technique

Similar to set_malloc, you can use the set_threadex/get_threadex commands to change and view the thread execution technique on the fly. Combined with set_malloc, this gives the operator a large number of different allocation and execution combinations.

  • CreateRemoteThread (WINAPI)
  • RtlCreateUserThread (NTAPI)
  • NtCreateThreadEx (NTAPI)
  • QueueUserAPC, ResumeThread (WINAPI)
  • QueueUserAPC, NtResumeThread (WINAPI+NTAPI)
  • QueueUserAPC, NtAlertResumeThread (WINAPI+NTAPI)
  • NtQueueApcThread, ResumeThread (NTAPI+WINAPI)
  • NtQueueApcThread, NtResumeThread (NTAPI)
  • NtQueueApcThread, NtAlertResumeThread (NTAPI)
  • NtCreateThreadEx (Obfuscated Indirect Syscalls - x64 only)
  • NtQueueApcThread, NtResumeThread (Obfuscated Indirect Syscalls - x64 only)
  • NtQueueApcThread, NtAlertResumeThread (Obfuscated Indirect Syscalls - x64 only)
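
From the detection side, the two lists above reduce to a small set of cross-process API combinations regardless of which allocation and execution pair the operator selects. The following is an added example, not code from the Badger project or its documentation, that encodes those combinations and runs them over a constructed stream of (source pid, target pid, API) events; the event format, the process IDs and the `find_injections`/`classify_pair` function names are assumptions made here. It only matches the calls that actually touch the remote process, so NtCreateSection (no target handle), RtlCopyMemory (a local copy) and the Protect calls are left out. One caveat the page itself implies: the obfuscated indirect syscall variants never pass through userland hooks, so an event source feeding this logic has to be kernel-side (for example the ETW Threat Intelligence provider) rather than inline API hooks.

```python
"""Added example (not part of the Badger documentation): map the allocation and
execution technique lists to cross-process API combinations and flag them in a
constructed telemetry stream."""
from collections import defaultdict

# Allocation families, keyed by the calls that take a handle to the *target*
# process. NtCreateSection, RtlCopyMemory and the Protect calls are omitted:
# they are local to the injector or optional, so they do not attribute to a target.
ALLOC_TECHNIQUES = {
    "VirtualAllocEx/WriteProcessMemory (WINAPI)":
        {"VirtualAllocEx", "WriteProcessMemory"},
    "NtMapViewOfSection (NTAPI or syscall)":
        {"NtMapViewOfSection"},
    "NtAllocateVirtualMemory/NtWriteVirtualMemory (NTAPI or syscall)":
        {"NtAllocateVirtualMemory", "NtWriteVirtualMemory"},
}
# Thread-creation families; each is a single remote call.
EXEC_TECHNIQUES = {
    "CreateRemoteThread (WINAPI)": {"CreateRemoteThread"},
    "RtlCreateUserThread (NTAPI)": {"RtlCreateUserThread"},
    "NtCreateThreadEx (NTAPI or syscall)": {"NtCreateThreadEx"},
}
# Any APC queue call paired with any resume variant is one execution family.
APC_QUEUE = {"QueueUserAPC", "NtQueueApcThread"}
APC_RESUME = {"ResumeThread", "NtResumeThread", "NtAlertResumeThread"}
APC_FAMILY = "QueueUserAPC-family + resume (WINAPI/NTAPI)"


def classify_pair(apis):
    """Return (alloc_name, exec_name) when the set of APIs observed between one
    source and one target process completes both halves of an injection,
    otherwise None. An allocation without execution (or vice versa) is not flagged."""
    alloc = next((name for name, req in ALLOC_TECHNIQUES.items() if req <= apis), None)
    exec_ = next((name for name, req in EXEC_TECHNIQUES.items() if req <= apis), None)
    if exec_ is None and (apis & APC_QUEUE) and (apis & APC_RESUME):
        exec_ = APC_FAMILY
    if alloc and exec_:
        return alloc, exec_
    return None


def find_injections(events):
    """events: iterable of (source_pid, target_pid, api). Only cross-process
    calls are considered. Returns a sorted list of (src, dst, alloc, exec)."""
    seen = defaultdict(set)
    for src, dst, api in events:
        if src != dst:                      # same-process calls are not injection
            seen[(src, dst)].add(api)
    findings = []
    for (src, dst), apis in seen.items():
        hit = classify_pair(apis)
        if hit:
            findings.append((src, dst, hit[0], hit[1]))
    return sorted(findings)


# Constructed sample telemetry (assumed format): pid 4120 injects into 2288 via a
# mapped section plus NtCreateThreadEx, and into 3344 via WinAPI allocation plus
# an APC; pid 5000 only allocates and creates threads in itself.
SAMPLE_EVENTS = [
    (4120, 2288, "NtMapViewOfSection"),
    (4120, 2288, "NtCreateThreadEx"),
    (4120, 3344, "VirtualAllocEx"),
    (4120, 3344, "VirtualProtectEx"),
    (4120, 3344, "WriteProcessMemory"),
    (4120, 3344, "NtQueueApcThread"),
    (4120, 3344, "NtAlertResumeThread"),
    (5000, 5000, "NtAllocateVirtualMemory"),
    (5000, 5000, "NtCreateThreadEx"),
]

if __name__ == "__main__":
    for src, dst, alloc, exe in find_injections(SAMPLE_EVENTS):
        print(f"{src} -> {dst}: alloc={alloc}; exec={exe}")
```

The design choice worth noting is that the match is on the *combination* of an allocation half and an execution half between the same two processes, not on any single API: every entry in the two lists above lands in one of three allocation families and four execution families, so the table stays small even though the page offers fifteen individual options.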

These process injection techniques can be used for all sorts of injections, such as PowerShell reflection, C# injection, reflective DLLs and shellcode. Below is a quick example of using syscalls for NtAllocateVirtualMemory and NtCreateThreadEx with the pcinject command to inject a badger into the target process.