Detection Methods
This document details the techniques used by Ghost to detect process injection.
Memory-Based Detection
RWX Memory Regions
MITRE ATT&CK: T1055
Executable memory with write permissions is a strong indicator of code injection. Legitimate processes rarely need RWX pages except during JIT compilation.
Detection Logic:
- Enumerate all memory regions in target process
- Flag regions with PAGE_EXECUTE_READWRITE protection
- Confidence increases with number of RWX regions
False Positives:
- .NET/Java JIT compiler regions
- V8/SpiderMonkey JavaScript engines
- Legitimate debugging scenarios
Private Executable Memory
Private memory regions (not backed by files) with execute permissions often contain injected shellcode.
Detection Logic:
- Check for MEM_PRIVATE regions with EXECUTE protection
- Correlate with unsigned code patterns
- Higher confidence if multiple regions present
Thread-Based Detection
Abnormal Thread Creation
MITRE ATT&CK: T1055.001 (DLL Injection), T1055.002 (Portable Executable Injection)
Monitors thread count changes over time. Sudden increases may indicate CreateRemoteThread injection.
Detection Logic:
- Baseline thread count for each process
- Alert on new threads created between scans
- Cross-reference with memory analysis
Remote Thread Detection
Detects threads created by external processes via CreateRemoteThread or NtCreateThreadEx.
Detection Logic:
- Enumerate threads using CreateToolhelp32Snapshot (Windows) or /proc/[pid]/task (Linux)
- Get thread start addresses via NtQueryInformationThread (Windows) or /proc/[pid]/task/[tid]/syscall (Linux)
- Get thread creation times via GetThreadTimes (Windows) or stat parsing (Linux)
- Track thread state (Running, Waiting, Suspended, Terminated)
- Flag threads starting in private memory regions
Hook Detection
Inline API Hooks
MITRE ATT&CK: T1055.003
Detects JMP patches at the start of critical API functions.
Detection Logic:
- Enumerate loaded modules in target process (EnumProcessModulesEx)
- Check entry points of critical APIs (ntdll, kernel32, user32)
- Detect common hook patterns:
  - JMP rel32 (E9 xx xx xx xx)
  - JMP [rip+disp32] (FF 25 xx xx xx xx)
  - MOV RAX, imm64; JMP RAX (48 B8 ... FF E0)
  - PUSH imm32; RET (68 xx xx xx xx C3)
Critical APIs Monitored:
- NtCreateThread, NtCreateThreadEx
- NtAllocateVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory
- VirtualAllocEx, WriteProcessMemory, CreateRemoteThread
- LoadLibraryA, LoadLibraryW
- SetWindowsHookExA, SetWindowsHookExW
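The hook patterns listed above as a classifier, written as an added example (not Ghost's own code): it decodes the control-flow target the way the CPU would and reports whether the jump leaves the owning module image. Addresses, the module range and the prologue bytes are constructed sample values; `read_qword` is an assumed callback standing in for a ReadProcessMemory-style read.

```python
"""Classify an inline hook from the first bytes of an API prologue (x64)."""
import struct
from typing import Callable, Optional, Tuple

MASK64 = (1 << 64) - 1
ReadQword = Callable[[int], Optional[int]]  # read 8 bytes at an address; None if unreadable


def classify_hook(prologue: bytes, func_addr: int,
                  read_qword: Optional[ReadQword] = None) -> Optional[Tuple[str, Optional[int]]]:
    """Return (pattern name, control-flow target) if the prologue starts with a hook stub.

    rel32 and disp32 are relative to the end of the instruction, so the target
    depends on func_addr, not only on the bytes.
    """
    if len(prologue) >= 5 and prologue[0] == 0xE9:                       # JMP rel32
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return "JMP rel32", (func_addr + 5 + rel) & MASK64
    if len(prologue) >= 6 and prologue[:2] == b"\xFF\x25":                # JMP [rip+disp32]
        disp = struct.unpack_from("<i", prologue, 2)[0]
        slot = (func_addr + 6 + disp) & MASK64                            # pointer lives here
        target = read_qword(slot) if read_qword else None                 # needs a memory read
        return "JMP [rip+disp32]", target
    if len(prologue) >= 12 and prologue[:2] == b"\x48\xB8" and prologue[10:12] == b"\xFF\xE0":
        return "MOV RAX, imm64; JMP RAX", struct.unpack_from("<Q", prologue, 2)[0]
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:  # PUSH imm32; RET
        return "PUSH imm32; RET", struct.unpack_from("<I", prologue, 1)[0]
    return None


def hook_verdict(prologue: bytes, func_addr: int, module_range: Tuple[int, int],
                 read_qword: Optional[ReadQword] = None) -> str:
    """'clean', 'intra-module' (jump stays inside the owning DLL image) or 'hooked'."""
    hit = classify_hook(prologue, func_addr, read_qword)
    if hit is None:
        return "clean"
    _, target = hit
    lo, hi = module_range
    if target is not None and lo <= target < hi:
        return "intra-module"  # stub to another function of the same module: low confidence
    return "hooked"            # control leaves the image (or target unresolvable): flag it


# Constructed sample: a function at 0x7FF800001000 inside an image mapped at
# [0x7FF800000000, 0x7FF800200000), patched with JMP rel32 to private memory.
SAMPLE_FUNC = 0x7FF800001000
SAMPLE_MODULE = (0x7FF800000000, 0x7FF800200000)
SAMPLE_PROLOGUE = b"\xE9" + struct.pack("<i", 0x7FF812340000 - (SAMPLE_FUNC + 5)) + b"\x90" * 7

if __name__ == "__main__":
    print(classify_hook(SAMPLE_PROLOGUE, SAMPLE_FUNC), hook_verdict(SAMPLE_PROLOGUE, SAMPLE_FUNC, SAMPLE_MODULE))
```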
Heuristic Analysis
Confidence Scoring
Ghost uses weighted confidence scoring:
| Indicator | Weight | Description |
|---|---|---|
| RWX regions | 0.3 | Per region detected |
| Private exec | 0.4 | >2 regions |
| New threads | 0.2 | Per thread created |
| Unsigned code | 0.5 | In executable region |
Thresholds:
- Clean: < 0.3
- Suspicious: 0.3 - 0.7
- Malicious: >= 0.7
Technique Coverage
Windows
- Classic DLL injection detection
- Memory region analysis (VirtualQueryEx)
- Memory reading (ReadProcessMemory)
- Thread enumeration (CreateToolhelp32Snapshot)
- Thread start addresses (NtQueryInformationThread)
- Thread creation times (GetThreadTimes)
- Inline hook detection (JMP pattern scanning)
- Process hollowing heuristics
- APC injection detection
- SetWindowsHookEx chain enumeration
- Reflective DLL injection signature matching
Linux
- Process enumeration (/proc filesystem)
- Memory region analysis (/proc/[pid]/maps)
- Memory reading (/proc/[pid]/mem)
- Thread enumeration (/proc/[pid]/task)
- Thread state detection (stat parsing)
- ptrace injection detection
- LD_PRELOAD detection
- process_vm_writev monitoring
- Shared memory inspection
macOS
- Process enumeration (sysctl KERN_PROC_ALL)
- Process path retrieval (proc_pidpath)
- Memory enumeration (vm_region)
- Memory reading (vm_read)
- Thread enumeration (task_threads)
- DYLD_INSERT_LIBRARIES detection
- task_for_pid monitoring
- Mach port analysis
References
- MITRE ATT&CK T1055: Process Injection
- Windows Internals 7th Edition
- "Process Injection Techniques" - Elastic Security