1. MITRE ATT&CK

https://attack.mitre.org/techniques/T1055/

출처 : https://medium.com/@ozan.unal/process-injection-techniques-bc6396929740

            출처 : [<https://medium.com/@ozan.unal/process-injection-techniques-bc6396929740>](<https://medium.com/@ozan.unal/process-injection-techniques-bc6396929740>)

1.1 과정

S1. Get Target Process Handle

새로운 프로세스 생성 또는 실행 중인 프로세스의 핸들 획득
- CreateProcess / OpenProcess
- svchost.exe, rundll32.exe, ...

S2. Alloc Virtual Address Memory for Target Process

타겟프로세스의 가상주소공간에 새로운 메모리 영역(DLL 삽입 공간) 할당
- 상황에 따라 토큰 활성화 필요
  - SeDebugPrivilege
  - OpenProcessToken
  - LookupPrivilegeValue
  - AdjustTokenPrivilege
- 메모리 할당
  - VirtualAllocEx

S3. Wirte Injection Code

할당 받은 메모리 영역에 Injection 할 Code / DLL 경로를 삽입
- WriteProcessMemory
- ReadProcessMemory
- ...

S4. Execute Injection Code

삽입한 코드 실행
- CreateRemoteThread
  - LoadLibrary
  - GetModuleHandle
  - GetProcAddress
  - CreateRemoteThread
- Switching Thread Context(Register Set)
  - GetThreadContext : Thread Context 획득
  - SetThreadContext
  - ResumeThread
- Using APC(Asynchoronous Procedure Call) Injection
  - OpenThread
  - QueueUserAPC
- ...

ID: T1055 Process Injection