A comprehensive reference of process injection techniques implemented in Cloakware, with analysis of detection methods and evasion strategies.

API Chain: OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread

The most straightforward injection method. The injector opens the target process, allocates memory in its address space, writes shellcode or a DLL path, and creates a remote thread to execute it.
- NtCreateThreadEx: Uses the undocumented ntdll function instead of kernel32 CreateRemoteThread, bypassing some user-mode hooks.
- Direct Syscall: Issues the syscall instruction directly, avoiding ntdll hooks entirely.
- LoadLibrary: Writes a DLL path and uses LoadLibraryW as the thread start address.

| Indicator | Detection Method |
|---|---|
| Cross-process handle with VM_WRITE | ETW / kernel callbacks |
| VirtualAllocEx with PAGE_EXECUTE_* | Sysmon Event ID 8 |
| WriteProcessMemory to allocated region | API hooking |
| CreateRemoteThread to non-module address | Thread creation callbacks |
| Unbacked executable memory in target | Memory scanning |

Control Flow Guard validates indirect call targets. When CFG is enabled, CreateRemoteThread to shellcode fails unless the address is registered as a valid call target via SetProcessValidCallTargets.
- Allocate as RW, write, then change to RX (avoid direct RWX allocation)
- Use direct syscalls to bypass ntdll inline hooks
- Call SetProcessValidCallTargets for CFG-enabled targets
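
The detection table for this technique, worked as an added example (this is not code from the page or from the Cloakware project): a small Python triage routine over Sysmon records. Event ID 10 (ProcessAccess) carries the GrantedAccess mask of a cross-process handle, and Event ID 8 (CreateRemoteThread) carries StartModule/StartFunction for the new thread's start address. The records are constructed in the shape of Sysmon's fields; the PIDs, paths and addresses are invented. It flags a handle granted PROCESS_VM_WRITE (scoring higher when VM_OPERATION and CREATE_THREAD are granted too, the full write-and-execute triad), a remote thread whose start address Sysmon cannot attribute to any loaded module, and the LoadLibrary variant where the thread starts at LoadLibraryW.

```python
# PROCESS_* access rights from winnt.h that a write-and-execute injector needs.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_TRIAD = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Thread start functions that indicate the DLL-path (LoadLibrary) variant.
LOADLIBRARY_STARTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


def check_process_access(event):
    """Sysmon Event ID 10 (ProcessAccess): a handle to another process with VM_WRITE."""
    if event["SourceProcessId"] == event["TargetProcessId"]:
        return None  # a process opening itself is not cross-process
    granted = int(event["GrantedAccess"], 16)  # Sysmon renders the mask as hex, e.g. 0x1FFFFF
    if not granted & PROCESS_VM_WRITE:
        return None
    full_triad = (granted & INJECTION_TRIAD) == INJECTION_TRIAD
    return {
        "event_id": 10,
        "severity": "high" if full_triad else "medium",
        "source": event["SourceImage"],
        "target": event["TargetImage"],
        "reason": "VM_WRITE|VM_OPERATION|CREATE_THREAD granted" if full_triad else "VM_WRITE granted",
    }


def check_remote_thread(event):
    """Sysmon Event ID 8 (CreateRemoteThread): where does the new thread start?"""
    if event["StartModule"] == "":
        # Sysmon leaves StartModule empty when the start address lies outside every
        # loaded module: the shellcode-in-unbacked-memory case from the table.
        reason, severity = "start address not backed by a loaded module", "high"
    elif event["StartFunction"] in LOADLIBRARY_STARTS:
        reason, severity = "thread starts at %s (DLL-path injection)" % event["StartFunction"], "medium"
    else:
        return None
    return {"event_id": 8, "severity": severity, "source": event["SourceImage"],
            "target": event["TargetImage"], "reason": reason}


def triage(events):
    """Run each record through the check for its EventID; return alerts in record order."""
    checks = {10: check_process_access, 8: check_remote_thread}
    alerts = []
    for ev in events:
        hit = checks.get(ev["EventID"], lambda e: None)(ev)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample records (field names follow Sysmon; every value is invented).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceProcessId": "4212", "SourceImage": r"C:\Users\lab\Downloads\updater.exe",
     "TargetProcessId": "1720", "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceProcessId": "3320", "SourceImage": r"C:\Program Files\Scanner\scan.exe",
     "TargetProcessId": "1720", "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceProcessId": "900", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetProcessId": "900", "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceImage": r"C:\Users\lab\Downloads\updater.exe", "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x000001F2C3D40000", "StartModule": "", "StartFunction": ""},
    {"EventID": 8, "SourceImage": r"C:\Users\lab\Downloads\updater.exe", "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x00007FFB1A2C5D10", "StartModule": r"C:\Windows\System32\KERNEL32.DLL",
     "StartFunction": "LoadLibraryW"},
    # A debugger attaching: remote thread at ntdll!DbgUiRemoteBreakin, module-backed, not flagged.
    {"EventID": 8, "SourceImage": r"C:\Tools\debugger.exe", "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x00007FFB1C0A1F80", "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "DbgUiRemoteBreakin"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The "medium" score for a VM_WRITE-only handle is deliberate: backup agents and debuggers open such handles too, so the triad (write, change protection, create thread) is what separates injection from ordinary cross-process access. The same mask logic applies if the evasion of allocating RW and later flipping to RX is used, since PROCESS_VM_OPERATION is still required for the protection change.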

API Chain: OpenThread -> VirtualAllocEx -> WriteProcessMemory -> QueueUserAPC

User-mode APCs (Asynchronous Procedure Calls) execute when a thread enters an alertable wait state (SleepEx, WaitForSingleObjectEx, etc.). The injector queues an APC pointing to shellcode in the target process.
- Standard APC: Queues to an existing alertable thread
- Early Bird APC: Creates a process suspended, queues APC to main thread before any user-mode code runs, then resumes
- Special User APC: Uses NtQueueApcThreadEx with QUEUE_USER_APC_FLAGS_SPECIAL_USER_APC flag, which executes without requiring an alertable wait (Windows 10 RS5+)

| Indicator | Detection Method |
|---|---|
| QueueUserAPC to remote thread | API monitoring |
| Process created suspended then resumed | Sysmon Event ID 1 + 10 |
| APC routine in unbacked memory | Memory scanning |
| NtQueueApcThreadEx with special flag | Kernel callback |

Early Bird APC is particularly effective because:
- The APC runs before any user-mode code, including security product hooks
- The process appears legitimate (e.g., svchost.exe) to parent process checks
- EDR might not have injected its monitoring DLL yet

API Chain: OpenThread -> SuspendThread -> GetThreadContext -> SetThreadContext -> ResumeThread

Suspends an existing thread in the target process, saves its context, modifies the instruction pointer (RIP/EIP) to point to shellcode, then resumes execution.
- Simple RIP Redirect: Sets RIP directly to shellcode
- Context-Restoring: Builds a trampoline that saves/restores the original context so the thread continues normally after shellcode execution
- Stack Pivot: Allocates a new stack to avoid corrupting the original

| Indicator | Detection Method |
|---|---|
| SuspendThread + SetThreadContext combo | API sequence monitoring |
| RIP pointing to unbacked memory | Thread context inspection |
| Stack pivot to non-stack region | Stack integrity checks |

API Chain: NtCreateSection -> NtMapViewOfSection (local + remote) -> memcpy -> CreateRemoteThread

Creates a shared memory section, maps it into both the injector and target processes. Writing to the local mapping immediately reflects in the remote mapping, bypassing WriteProcessMemory entirely.

| Indicator | Detection Method |
|---|---|
| NtCreateSection + double mapping | ETW provider |
| Section mapped into multiple processes | Kernel callbacks |
| Executable section from non-file source | Memory scanning |

- No WriteProcessMemory call (avoids WPM hooks)
- Memory appears as a mapped section, not private allocation
- Can look like legitimate shared memory
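
Three of the indicators in the APC, thread hijacking and section mapping tables are sequence-based rather than single-event: QueueUserAPC to a thread of another process, the SuspendThread + SetThreadContext + ResumeThread combination, and one section object mapped into two processes. All three can be checked in one stateful pass over an API trace. The following is an added example, not code from the page or from Cloakware. The trace format (`pid=... api=... target_pid=...` key/value lines, with thread handles already resolved to a target pid/tid) and the trace itself are constructed here, standing in for whatever an EDR's hooking or ETW layer actually records.

```python
import re
from collections import defaultdict

FIELD_RE = re.compile(r"(\w+)=(\S+)")

APC_APIS = {"QueueUserAPC", "NtQueueApcThread", "NtQueueApcThreadEx"}
REMOTE_WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory", "NtMapViewOfSection"}


def parse_trace(lines):
    """Turn constructed 'key=value key=value' trace lines into dicts."""
    return [dict(FIELD_RE.findall(line)) for line in lines if line.strip()]


def detect_sequences(events):
    """One stateful pass implementing three sequence rules; returns alerts in trace order."""
    alerts = []
    remote_writes = set()             # (injector pid, target pid) that saw a cross-process write
    hijack_stage = {}                 # (injector pid, target tid) -> "suspended" | "context_set"
    section_views = defaultdict(set)  # (owner pid, section handle) -> pids it was mapped into

    for ev in events:
        pid, api = ev["pid"], ev["api"]
        target_pid = ev.get("target_pid", pid)
        target_tid = ev.get("target_tid")
        remote = target_pid != pid

        if api in REMOTE_WRITE_APIS and remote:
            remote_writes.add((pid, target_pid))

        # Rule 1: an APC queued into a thread of another process; a prior cross-process
        # write to that process raises the score (the queued routine likely lives there).
        if api in APC_APIS and remote:
            primed = (pid, target_pid) in remote_writes
            alerts.append({"rule": "remote_apc", "pid": pid, "target_pid": target_pid,
                           "severity": "high" if primed else "medium",
                           "detail": api + (" after a cross-process memory write" if primed else "")})

        # Rule 2: Suspend -> SetThreadContext -> Resume on a thread owned by another process.
        if remote and target_tid:
            key = (pid, target_tid)
            if api == "SuspendThread":
                hijack_stage[key] = "suspended"
            elif api == "SetThreadContext" and hijack_stage.get(key) == "suspended":
                hijack_stage[key] = "context_set"
            elif api == "ResumeThread":
                if hijack_stage.get(key) == "context_set":
                    alerts.append({"rule": "thread_hijack", "pid": pid, "target_pid": target_pid,
                                   "severity": "high",
                                   "detail": "context rewritten on thread %s" % target_tid})
                hijack_stage.pop(key, None)

        # Rule 3: the same section object mapped into a second process.
        if api == "NtMapViewOfSection" and "section" in ev:
            views = section_views[(pid, ev["section"])]
            views.add(target_pid)
            if len(views) == 2:
                alerts.append({"rule": "section_double_map", "pid": pid, "target_pid": target_pid,
                               "severity": "medium",
                               "detail": "section %s mapped into %s" % (ev["section"], sorted(views))})
    return alerts


# Constructed trace: three injectors (4212, 5100, 6020) and one benign self-suspend (7000).
SAMPLE_TRACE = """
pid=4212 api=OpenProcess target_pid=1720 access=0x1FFFFF
pid=4212 api=VirtualAllocEx target_pid=1720 size=0x1000 protect=PAGE_READWRITE
pid=4212 api=WriteProcessMemory target_pid=1720 size=0x1000
pid=4212 api=VirtualProtectEx target_pid=1720 protect=PAGE_EXECUTE_READ
pid=4212 api=OpenThread target_pid=1720 target_tid=1734
pid=4212 api=QueueUserAPC target_pid=1720 target_tid=1734
pid=5100 api=OpenThread target_pid=2204 target_tid=2260
pid=5100 api=SuspendThread target_pid=2204 target_tid=2260
pid=5100 api=GetThreadContext target_pid=2204 target_tid=2260
pid=5100 api=SetThreadContext target_pid=2204 target_tid=2260
pid=5100 api=ResumeThread target_pid=2204 target_tid=2260
pid=6020 api=NtCreateSection section=0x2a8 protect=PAGE_EXECUTE_READWRITE
pid=6020 api=NtMapViewOfSection section=0x2a8 target_pid=6020
pid=6020 api=NtMapViewOfSection section=0x2a8 target_pid=3180
pid=6020 api=CreateRemoteThread target_pid=3180
pid=7000 api=SuspendThread target_pid=7000 target_tid=7004
pid=7000 api=SetThreadContext target_pid=7000 target_tid=7004
pid=7000 api=ResumeThread target_pid=7000 target_tid=7004
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect_sequences(parse_trace(SAMPLE_TRACE)):
        print(alert)
```

The rules key every piece of state on the calling pid so that two unrelated processes touching the same target do not combine into a false sequence, and a process suspending and rewriting its own thread (as a sampling profiler does) is ignored by the `remote` guard. Because rule 1 keys on the NtQueueApcThread* family as well as QueueUserAPC, the special-user-APC variant and a direct-syscall caller are caught by the same rule wherever the trace source sees them (kernel callbacks or ETW, per the tables, rather than ntdll hooks).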

API Chain: CreateProcess(SUSPENDED) -> NtUnmapViewOfSection -> VirtualAllocEx -> WriteProcessMemory -> SetThreadContext -> ResumeThread

Creates a legitimate process (e.g., svchost.exe) in a suspended state, unmaps its original image, writes the malicious PE in its place, fixes relocations, updates the PEB ImageBaseAddress, and resumes execution.
- Standard Hollowing: Full PE replacement
- TLS-Aware: Handles TLS callbacks in the replacement PE
- Transacted Hollowing: Uses NTFS transactions (TxF) for stealth

| Indicator | Detection Method |
|---|---|
| NtUnmapViewOfSection on process image | Kernel callback |
| Image in memory differs from disk | Memory vs. disk comparison |
| PEB ImageBaseAddress mismatch | PEB inspection |
| Process created suspended | Process creation monitoring |
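
The "image in memory differs from disk" and "PEB ImageBaseAddress mismatch" rows of the table above, as an added example (not the page's or Cloakware's own code): parse the PE headers of the main module as read from the process and as read from the file on disk, and diff the fields a hollow rewrites (entry point and section table). The PE blobs here are constructed fixtures built by build_pe_headers, not real binaries. The optional header's ImageBase is deliberately left out of the comparison because the loader may legitimately rebase an ASLR'd image, and the hypothetical check_peb_image_base assumes the caller has already read PEB.ImageBaseAddress and the base of the MEM_IMAGE mapping of the main module (for instance via VirtualQueryEx) and only performs the comparison.

```python
import struct

SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER (40 bytes)


def parse_pe_headers(blob):
    """Extract the header fields a hollowing check compares (works on disk or memory copies)."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20                        # IMAGE_OPTIONAL_HEADER follows the 20-byte COFF header
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic not in (0x10B, 0x20B):        # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", blob, opt + 16)[0]  # AddressOfEntryPoint, same offset in both
    sections = []
    for i in range(nsections):
        name, vsize, va = struct.unpack_from(SECTION_HEADER_FMT, blob, opt + opt_size + 40 * i)[:3]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize))
    return {"machine": machine, "entry": entry, "sections": sections}


def compare_image_to_disk(memory_blob, disk_blob):
    """Return human-readable findings where the in-memory image disagrees with the file."""
    mem, disk = parse_pe_headers(memory_blob), parse_pe_headers(disk_blob)
    findings = []
    if mem["machine"] != disk["machine"]:
        findings.append("machine 0x%x in memory vs 0x%x on disk" % (mem["machine"], disk["machine"]))
    if mem["entry"] != disk["entry"]:
        findings.append("entry point 0x%x in memory vs 0x%x on disk" % (mem["entry"], disk["entry"]))
    if mem["sections"] != disk["sections"]:
        findings.append("section table differs: memory=%r disk=%r" % (mem["sections"], disk["sections"]))
    return findings


def check_peb_image_base(peb_image_base, image_mapping_base):
    """Hypothetical helper: PEB.ImageBaseAddress should equal the base of the main module's
    MEM_IMAGE mapping; a hollow points it at a private allocation instead."""
    return peb_image_base == image_mapping_base


def build_pe_headers(entry, sections, machine=0x8664):
    """Constructed PE32+ header fixture (not a real binary): DOS header, NT headers, section table."""
    e_lfanew, opt_size = 0x40, 0xF0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<HBBIIIIIQ", 0x20B, 14, 0, 0, 0, 0, entry, 0x1000, 0x140000000)
    opt += b"\0" * (opt_size - len(opt))
    table = b"".join(
        struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), vsize, va, vsize, va, 0, 0, 0, 0, flags)
        for name, va, vsize, flags in sections)
    return dos + b"PE\0\0" + coff + opt + table


# Constructed fixtures: the host image as it is on disk, and the headers found at the
# process's image base after a hollow (different entry point, different section layout).
DISK_HEADERS = build_pe_headers(0x1540, [
    (b".text", 0x1000, 0x3200, 0x60000020),
    (b".rdata", 0x5000, 0x1800, 0x40000040),
    (b".data", 0x7000, 0x400, 0xC0000040),
])
HOLLOWED_HEADERS = build_pe_headers(0x8120, [
    (b".text", 0x1000, 0x8800, 0x60000020),
    (b".rdata", 0xA000, 0x600, 0x40000040),
])

if __name__ == "__main__":
    for finding in compare_image_to_disk(HOLLOWED_HEADERS, DISK_HEADERS):
        print(finding)
```

A header diff like this is the cheapest form of the memory-vs-disk comparison; a full scanner would also hash section contents and resolve the on-disk file through the process's image path rather than trusting the PEB, since a hollow rewrites exactly the structures this check reads.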

| Technique | Sysmon | ETW | Memory Scan | Kernel CB | API Hook |
|---|---|---|---|---|---|
| Classic RT | Yes | Yes | Yes | Yes | Yes |
| APC | Partial | Yes | Yes | Yes | Yes |
| Early Bird | Partial | Partial | Yes | Partial | No |
| Thread Hijack | No | Partial | Yes | Partial | Yes |
| Section Map | No | Yes | Partial | Yes | No |
| Hollowing | Partial | Yes | Yes | Yes | Partial |

Copyright (c) 2018-2026 BypassCore Labs. For research purposes only.