New Process Injection Technique Evades EDR by Injecting Malicious Code into Windows Processes

Researchers revealed this method exploits shared memory regions and thread context manipulation to execute malicious payloads without triggering standard detection heuristics.

A novel process injection technique that relies on execution-only primitives has demonstrated the ability to bypass leading Endpoint Detection and Response (EDR) systems by avoiding the memory allocation and modification patterns those products look for.

Modern EDR solutions typically monitor for the triad of process injection: memory allocation (VirtualAllocEx), modification (WriteProcessMemory), and execution triggers (CreateRemoteThread).

The new approach eliminates the first two steps by repurposing existing in-process memory structures and Windows API functions.

One variant calls LoadLibraryA with a pointer to a static string such as “0” that already exists inside ntdll.dll, a module mapped at the same address in every process.

By dropping a malicious 0.dll file in a privileged directory, attackers initiate DLL loading through remote thread creation alone.

Researchers confirmed this method evaded detection in multiple commercial EDR products, unlike conventional DLL injection that writes memory.

The Proof‑of‑Concept below demonstrates the minimal steps required to turn that idea into a working process‑injection primitive.

Proof‑of‑Concept

Another technique employs SetThreadContext to hijack suspended remote threads. By setting the argument registers (RCX through R9) and the instruction pointer, attackers chain WinAPI calls such as VirtualAlloc and RtlFillMemory through ROP gadgets already present in the target process.

This enables full shellcode execution while appearing as benign self-modification to security tools.

The research team released RedirectThread, an open-source tool implementing five injection variants:

  1. Pointer-only DLL injection using shared library offsets.
  2. CreateRemoteThread with subsequent context hijacking.
  3. NtCreateThread with direct CONTEXT structure control.
  4. APC queueing methods (QueueUserAPC, NtQueueApcThreadEx).
  5. Two-step thread recycling for multiple payload deliveries.

The tool searches target processes for reusable code fragments like push; push; ret sequences, enabling parameterized API calls without memory writes.

Notably, the NtCreateThread method bypasses kernel-level thread initialization checks by supplying preconfigured stack and register states.

NtCreateThread method

Detection Challenges and Defense Implications

According to the report, this research exposes critical gaps in current injection detection paradigms. EDR systems relying on the “2-of-3” rule (detecting allocation plus execution, or modification plus execution) fail to recognize attacks that use only execution primitives.

Key challenges include:

  • Thread creation noise: Legitimate tools create remote threads for debugging and profiling
  • Context manipulation ambiguity: SetThreadContext serves both malicious and benign purposes
  • Local memory operations: Self-allocation within hijacked threads appears non-suspicious

The authors propose that defenders monitor for rapid bursts of thread creation paired with context modifications.

However, implementing causal analysis between remote triggers and local memory operations remains technically demanding for real-time detection.
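To make the detection gap concrete, the following added example (not code from the researchers or from RedirectThread) runs two rules over a constructed telemetry stream: the conventional “2-of-3” rule from the paragraph above, and the correlation the authors suggest, a remote execution trigger followed shortly by a thread-context change from the same source, with a subsequent self-allocation by the target recorded as supporting evidence. The event shape, the API name sets and the time window are assumptions for illustration, not a real EDR schema.

```python
from collections import defaultdict
from dataclasses import dataclass


# Telemetry event shape assumed for this example (not a real sensor schema).
@dataclass(frozen=True)
class Event:
    ts: float         # seconds since the start of the trace
    source_pid: int   # process that issued the call
    target_pid: int   # process whose memory or thread is affected
    api: str          # API name as a sensor would report it


# Assumed groupings of API names into the three injection stages plus context changes.
ALLOCATE = {"VirtualAllocEx", "NtAllocateVirtualMemory"}
MODIFY = {"WriteProcessMemory", "NtWriteVirtualMemory"}
EXECUTE = {"CreateRemoteThread", "NtCreateThreadEx", "NtCreateThread",
           "QueueUserAPC", "NtQueueApcThreadEx"}
CONTEXT = {"SetThreadContext", "NtSetContextThread"}
LOCAL_ALLOC = {"VirtualAlloc", "NtAllocateVirtualMemory"}


def remote_pairs(events):
    """Group cross-process events by (source_pid, target_pid)."""
    pairs = defaultdict(list)
    for e in events:
        if e.source_pid != e.target_pid:
            pairs[(e.source_pid, e.target_pid)].append(e)
    return pairs


def two_of_three(events):
    """Conventional rule: flag a cross-process pair only when an execution trigger
    is accompanied by allocation or modification of the target's memory."""
    flagged = []
    for pair, evs in remote_pairs(events).items():
        apis = {e.api for e in evs}
        if apis & EXECUTE and apis & (ALLOCATE | MODIFY):
            flagged.append(pair)
    return sorted(flagged)


def exec_then_context(events, window=2.0):
    """Correlation the article's authors propose: a remote execution primitive
    followed within `window` seconds by a context change from the same source on
    the same target. A local allocation by the target itself inside the window is
    added as supporting evidence, since the hijacked thread allocating in its own
    process is the step that otherwise looks like benign self-modification."""
    local_alloc_ts = defaultdict(list)
    for e in events:
        if e.source_pid == e.target_pid and e.api in LOCAL_ALLOC:
            local_alloc_ts[e.target_pid].append(e.ts)

    findings = {}
    for pair, evs in remote_pairs(events).items():
        exec_ts = [e.ts for e in evs if e.api in EXECUTE]
        ctx_ts = [e.ts for e in evs if e.api in CONTEXT]
        for t0 in sorted(exec_ts):
            if any(t0 <= t <= t0 + window for t in ctx_ts):
                reasons = ["remote execution followed by thread-context change"]
                if any(t0 <= t <= t0 + window for t in local_alloc_ts[pair[1]]):
                    reasons.append("target allocated memory in itself after the hijack")
                findings[pair] = reasons
                break
    return findings


# Constructed sample trace: PIDs and timestamps are invented for illustration.
SAMPLE_EVENTS = [
    # Classic three-step injection by PID 100 into PID 200; 2-of-3 catches it.
    Event(1.0, 100, 200, "VirtualAllocEx"),
    Event(1.1, 100, 200, "WriteProcessMemory"),
    Event(1.2, 100, 200, "CreateRemoteThread"),
    # Execution-only variant: PID 300 creates a thread in PID 400, redirects it,
    # and the hijacked thread then allocates locally. PID 300 never allocates or
    # writes remote memory, so 2-of-3 stays silent.
    Event(10.0, 300, 400, "CreateRemoteThread"),
    Event(10.1, 300, 400, "SetThreadContext"),
    Event(10.3, 400, 400, "VirtualAlloc"),
    # Profiler-style remote thread with no context change: noise, not flagged.
    Event(20.0, 500, 600, "CreateRemoteThread"),
]

if __name__ == "__main__":
    print("2-of-3 rule flags:", two_of_three(SAMPLE_EVENTS))
    for pair, reasons in exec_then_context(SAMPLE_EVENTS).items():
        print("correlation flags:", pair, "->", "; ".join(reasons))
```

The first rule reports only the classic (100, 200) pair; the correlation reports only (300, 400), with both reasons attached, and ignores the lone remote thread from the profiler. Shrinking the window illustrates the trade-off the article describes: too tight and the execution-only chain slips through, too loose and ordinary debugging activity starts to match.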

As attackers shift focus to execution vector innovation, this research underscores the need for behavioral analysis extending beyond API monitoring to thread lifecycle correlation and deep call stack inspection.

The battle against process injection increasingly depends on distinguishing weaponized thread activity from legitimate system operations, a challenge requiring fundamental advances in runtime telemetry analysis.
