Abstract

Process injection (PI) in Windows has been a well-known security topic for many years. It is used to gain more stealth because it does not create additional processes in the system that could attract unwanted attention from the defender. It is also used to bypass security products that have limited visibility into the injection behaviors. Since PI techniques use legitimate windows APIs, detecting them becomes a challenging task.

FalconEye provides comprehensive detection for true PI techniques in real-time. True PIs inject into target processes which are already running. Pre-execution injections such as AppInit and process hollowing are not in scope. To the best of our knowledge, we analyzed all the publicly known PI techniques and our tool is able to detect all of them without false positives during our testing.

We identify PI behavior invariants that are unique compared to benign program behaviors but are common between various PI techniques. Based on the behavior invariants, we divide PI detections into three classes: (1) Stateless detection (2) Stateful detection (3) Floating code detection

We propose a comprehensive detection algorithm to detect these behavior invariants classes. Our detection algorithm relies on two instrumentation primitives: (1) System call interception (2) Kernel callbacks

Based on our testing, the detection is compatible with Windows 10 1903 and previous versions. Evaluation results show that the detection is effective and has low overhead. Additionally, the generic detection mechanisms are also proven to detect newer PI techniques.