0x00 Opening

I didn’t set out to write about process injection. I was knee-deep in a reverse-engineering task when a sample named RustDog kept pulling me back — not because it was flashy, but because it quietly did what many modern trojans do: slip code into other processes and hide in plain sight. Over a few late-night debugging sessions I tracked how it reached into legitimate processes and manipulated them. That little detour turned into a full mini-project: I decided to map out common injection techniques, why many defenses miss them, and how the RustDog example ties everything together.

0x01 why this matters

Process injection is one of those techniques that sits at the intersection of elegance and menace. From a defender’s point of view it’s elegant because it lets attackers reuse trusted processes (so their code looks “normal” to casual inspection). From a defender’s point of view it’s annoying because the injected code can:

  • run inside another process’s address space (so file-based scanners may miss it),
  • hide its module metadata or erase PE headers (making discovery harder),
  • and use legitimate Windows APIs and mechanisms (APCs, remote threads, message hooks, IME mechanisms) to execute without obvious signs.

Because of that, simple heuristics (e.g., “scan the PEB for unexpected modules”) often get bypassed. In some cases attackers will strip or unlink their modules; in others they’ll avoid modules altogether and run raw shellcode in memory. That’s why I wanted to step back and write a concise, practical summary — one that mixes intuition, concrete techniques, and the real RustDog case I analyzed.

0x02 Process Injection Mechanism

Other than injection forms like DLL and shellcode, according to the mechanism of injection exploitation, we can broadly categorize them into two types: injection methods based on cross-process access, injection methods based on system mechanisms.

2.1 Injection Methods Based on Cross-Process Access

Process tampering typically achieves code injection and modification through module injection, which is the core technique used by Trojans in this category. The attack process involves first injecting a malicious DLL into the target process. The DLL’s entry function executes the malicious code. Then, malicious functionalities are implemented through methods such as hooking Windows API, setting timers to monitor process states, and creating child threads.

Usually, there are three common approaches:

  1. Remote Thread Injection: Creating a new thread in the target process.
  2. Thread Hijacking: Utilizing an existing thread in the target process.
  3. APC (Asynchronous Procedure Call) Injection: Leveraging the APC feature in threads.

2.1.1 Remote Thread Injection

This method involves creating a remote thread in the target process and utilizing this thread to perform the necessary operations for loading the DLL

image-20251019221911095

2.1.2 Thread Hijacking

This method first suspends a specific thread within the game process, then modifies the instruction pointer (EIP or RIP) of that thread. This pointer is directed towards a section of memory allocated by the malicious program within the game process. In this area, a piece of code (referred to as shellcode) is written, which achieves module injection.

image-20251019222034004

2.1.3 APC (Asynchronous Procedure Call) Injection

“APC” is an abbreviation for Asynchronous Procedure Call, which is a thread-based callback mechanism provided by Windows.

APC Injection Principle:

  1. When a thread within an executable reaches functions like SleepEx, SignalObjectAndWait, WaitForSingleObjectEx, WaitForMultipleObjectsEx, or MsgWaitForMultipleObjectsEx, the system generates a software interrupt.
  2. When the thread is awakened again, it first executes the functions registered in the APC queue.
  3. Using the QueueUserAPC() API, a function pointer can be inserted into the thread’s APC queue during the software interrupt. If we insert a pointer to the, LoadLibrary() function, it can achieve the goal of DLL injection.

image-20251019222200371

2.2 Injection methods based on system mechanisms

These methods utilize certain special system mechanisms existing in the Windows operating system to achieve injection.

Common methods include two types:

  1. Hooking Windows Messages
  2. Input Method Injection

2.2.1 Hooking Windows Messages

This method utilizes the SetWindowsHookEx function provided by Windows to register a global message hook for a specific type of message event. When a thread in the system triggers the specified message event, Windows automatically calls the Hook function specified during registration. If this function resides in a DLL, Windows first injects the DLL into the process where the message event is triggered, and then calls the Hook function.

image-20251019222345568

2.2.2 Input Method Injection

On the Windows platform, when switching input methods, the Input Method Manager imm32.dll loads the Input Method Editor (IME) module. This creates the necessary conditions for input method injection. The IME file, essentially a special DLL stored in the C:\WINDOWS\system32 directory, allows us to utilize this feature. Inside the IME file, we can use the LoadLibrary() function to inject the desired DLL file. When switching to the maliciously crafted input method, the input method injection is execute.

image-20251019222557356

0x03 Process Injection Protection

Based on the previous analysis of process injection techniques, a defensive approach centered on Windows kernel events is proposed. The system monitors kernel-level events to detect and prevent attempts to modify a target process’s memory or to load unauthorized modules, preserving process integrity. In addition, lightweight anti-injection DLLs are injected into system processes to provide an application-layer safeguard. These DLLs use API hooks to monitor mouse and keyboard simulation functions and block simulated input from other processes. Together, kernel-event monitoring and system-wide DLL guards create a layered defense against a range of injection techniques.

3.1 Defense Against Cross-Process Access Injection

Cross-process injection typically follows three steps: allocate memory in the target process, write payload data into that memory, and create a thread to execute the payload. Common Windows APIs used for this sequence include VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread, all of which require a handle to the target process with appropriate permissions. Detecting and intercepting illegitimate handle creation and suspicious access patterns prevents the cross-process access chain from completing, thereby blocking this class of module injection.

image-20251019222900731

3.2 Defending Against System Mechanism Injection

Injection methods utilizing Windows system mechanisms do not require acquiring process handles. To defend against such injections, monitoring the loading events of modules at the kernel level can be implemented to check whether unauthorized modules have been loaded into the target process. Utilizing blacklists, whitelists, and signature verification can ensure the validity of DLLs.

image-20251019223005612

0x04 Process Injection Case Study

Process injection has become an essential evasion technique for many modern trojans. Traditional antivirus software often struggles to detect these trojans effectively. We recently analyzed a trojan targeting financial personnel, which employed numerous anti-detection measures to bypass antivirus scans. However, leveraging the methods described earlier, we were still able to detect it.

4.1 RustDog Phishing Trojan

RustDog is a phishing Trojan that targeted finance professionals in the first half of 2023. It operated by sending phishing emails to users, luring them to a fake website where the Trojan was downloaded. The main functionality of this Trojan was to modify SunLogin(A popular remote control tool widely used in China) configuration files, enabling remote control through SunLogin and thereby stealing sensitive user information.

image-20251019223140718

Once the Trojan is activated, it undergoes a series of checks and initializations. The Trojan attempts to receive payload content sent from the server and loads and executes it. The executed payload decrypts a DLL file in memory, which is a fully functional remote control Trojan. If the program is started with a single parameter or includes the string -Puppet, it injects the payload into the notepad.exe or explorer.exe process.

image-20251019223321440

image-20251019223336405

In the final step, the Trojan replaces the configuration file of SunLogin, enabling remote control over the user’s system. Through reverse analysis of this Trojan, we observed its use of APC injection, which involves illegal handle permissions across processes. Therefore, by monitoring common processes within the system, we can promptly detect such injection behaviors and identify potential attack incidents.