Injection techniques

← maldev README · docs/index

The inject/ package supplies a unified Windows + Linux injection surface: 16 Windows methods, 3 Linux methods, plus a Pipeline pattern for custom memory + executor combinations. Every method implements Injector; self-process methods additionally implement SelfInjector so the freshly-allocated region can be wired into evasion/sleepmask or cleanup/memory.WipeAndFree without re-deriving address and size.

TL;DR

flowchart LR
    SC[shellcode] --> M{target}
    M -->|self| S[CreateThread / Fiber / EtwpCreateEtwThread / ThreadPool / Callback]
    M -->|child suspended| C[EarlyBird APC / Thread Hijack / spoofed args]
    M -->|existing PID| R[CRT / NtQueueApcThreadEx / SectionMap / KCT / PhantomDLL]
    S -->|via SelfInjector| SM[evasion/sleepmask]
    S -->|via SelfInjector| WM[cleanup/memory.WipeAndFree]

Primer — vocabulary

Seven terms recur across this page and the per-method docs:

Self / Local / Remote / Child — the four "target" classes any injection method falls into. Driven entirely by where the shellcode ends up running. See the table below for the per-class API surface.

Injector — interface every method implements: Inject(shellcode []byte) error. The constructor (NewWindowsInjector(cfg) or NewLinuxInjector(cfg)) wires the right method based on Config.Method.

SelfInjector — extension interface for self-process methods: Region() (addr, size uintptr). Lets downstream consumers (sleepmask, WipeAndFree) recover the allocation without re-deriving it.

*wsyscall.Caller — optional knob (SyscallMethod) selecting how every NTAPI call resolves: WinAPI proc table (default) / direct syscall (asm stub) / indirect syscall (resolve SSN at runtime). nil = WinAPI fallback. See win/syscall.

APC (Asynchronous Procedure Call) — Windows queue every thread carries; functions enqueued fire when the thread next enters an alertable wait. Several methods (Early Bird, NtQueueApcThreadEx) use the APC delivery path to avoid creating a new thread.

CREATE_SUSPENDED — CreateProcess flag that spawns the child in the suspended state. Threads are created but never resumed until the implant finishes mutating memory. Used by Early Bird, Thread Hijack, and Process Arg Spoofing.

Stealth tier — qualitative ranking column in the index below. Combines target class + thread creation + WPM use: low (loud, easy to detect), medium (loses one of the three tells), high (avoids cross-process or thread creation entirely). Not a guarantee against any specific EDR.

Target categories

The target column drives the OPSEC trade-off and the API surface the implant pays for.

Stealth ranking by target (general): Local > Child (suspended) > Remote. Local avoids cross-process primitives; Child is acceptable because the process tree is predictable; Remote is the loudest — WriteProcessMemory into an unrelated running process is a textbook EDR trigger.

Per-method index

Decision flow

flowchart TD
    Start([Need to run shellcode]) --> Q1{Self or remote?}
    Q1 -->|self-inject| Q2{Need memory stealth?}
    Q1 -->|remote process| Q3{Can spawn a new process?}

    Q2 -->|yes — image-backed| MS[Module Stomping]
    Q2 -->|no| Q4{Avoid thread creation?}

    Q4 -->|yes| CB[Callback execution]
    Q4 -->|pool is fine| TP[Thread Pool]
    Q4 -->|thread is fine| ETW[EtwpCreateEtwThread]

    Q3 -->|yes — cover for the spawn| Q5{Need APC stealth?}
    Q3 -->|no — existing PID| Q6{Avoid WriteProcessMemory?}

    Q5 -->|yes| EB[Early Bird APC]
    Q5 -->|register-mutate| TH[Thread Hijack]
    Q5 -->|disguise args too| AS[Process Arg Spoofing + EB/TH]

    Q6 -->|yes| SM[Section Mapping]
    Q6 -->|WPM is OK| Q7{Win10 1903+?}
    Q7 -->|yes| APCEX[NtQueueApcThreadEx]
    Q7 -->|either way| Q8{Target has windows?}
    Q8 -->|yes| KC[KernelCallbackTable]
    Q8 -->|no| CRT[CreateRemoteThread]

    style MS fill:#2d5016,color:#fff
    style SM fill:#2d5016,color:#fff
    style CB fill:#2d5016,color:#fff
    style TP fill:#2d5016,color:#fff
    style KC fill:#2d5016,color:#fff

Quick decision tree

Architecture

All methods implement Injector:

type Injector interface {
    Inject(shellcode []byte) error
}

Build() returns a fluent *InjectorBuilder that selects syscall mode (WinAPI / NativeAPI / direct / indirect with arbitrary SSNResolver), pins target, stacks middleware (WithValidation, WithCPUDelay, WithXOR), and emits an Injector.

inj, err := inject.Build().
    Method(inject.MethodEarlyBirdAPC).
    ProcessPath(`C:\Windows\System32\svchost.exe`).
    IndirectSyscalls().
    Use(inject.WithCPUDelayConfig(inject.CPUDelayConfig{MaxIterations: 10_000_000})).
    Create()

The Pipeline pattern separates memory setup from execution, allowing mix-and-match combinations the named methods do not cover:

p := inject.NewPipeline(
    inject.RemoteMemory(hProcess, caller),
    inject.CreateRemoteThreadExecutor(hProcess, caller),
)
return p.Inject(shellcode)

SelfInjector — recovering the region

Self-process injectors (MethodCreateThread, MethodCreateFiber, MethodEtwpCreateEtwThread on Windows; MethodProcMem on Linux) place the shellcode inside the current process. The base Injector interface throws the address away. The optional SelfInjector interface exposes it:

type Region struct {
    Addr uintptr
    Size uintptr
}

type SelfInjector interface {
    Injector
    InjectedRegion() (Region, bool)
}

Type-assert and feed the region directly into evasion/sleepmask:

inj, _ := inject.NewWindowsInjector(&inject.WindowsConfig{
    Config:        inject.Config{Method: inject.MethodCreateThread},
    SyscallMethod: wsyscall.MethodIndirect,
})
if err := inj.Inject(shellcode); err != nil { return err }

if self, ok := inj.(inject.SelfInjector); ok {
    if r, ok := self.InjectedRegion(); ok {
        mask := sleepmask.New(sleepmask.Region{Addr: r.Addr, Size: r.Size})
        for {
            mask.Sleep(30 * time.Second)
        }
    }
}

Contract:

• Returns (Region{}, false) before the first successful Inject.
• Returns (Region{}, false) on cross-process methods (CRT, APC, EarlyBird, ThreadHijack, Rtl, NtQueueApcThreadEx) — the region lives in the target, not the implant.
• A failed Inject does not clobber a previously-published region.
• Decorators (WithValidation, WithCPUDelay, WithXOR) and Pipeline forward InjectedRegion transparently.

[!WARNING] MethodCreateFiber notice — ConvertThreadToFiber permanently transforms the calling OS thread; Go's M:N scheduler is unaware of fibers, and any goroutine multiplexed onto that thread observes fiber state instead of goroutine state. Real shellcode that calls ExitThread kills the host runtime. Spawn a true OS thread via kernel32!CreateThread (not go func() — runtime.LockOSThread is not enough), let it run the fiber dance, let it die when the shellcode exits. The matrix test TestFiber_RealShellcode is permanently skipped — see the comment in inject/realsc_windows_test.go.

Syscall modes

Every Windows injection method routes through one of the four modes on the configured *wsyscall.Caller:

Pair with evasion/unhook to defeat ntdll inline hooks before the inject fires.

MITRE ATT&CK

See also

• Operator path: deciding the injection method
• Researcher path: per-method primitives
• Detection eng path: injection telemetry
• win/syscall — Caller interface and SSN resolvers.
• evasion/sleepmask — pair with SelfInjector to mask the region during sleep.
• cleanup/memory — pair to wipe the region on exit.