This repository documents and demonstrates different Windows process injection methods. Each technique leverages low-level Windows APIs to run arbitrary shellcode inside a target process.
Method: Uses `NtCreateSection`, `NtMapViewOfSection`, and `RtlCreateUserThread`.
Reference: phasetw0 – Section Code Injection
- Launch a host process (e.g., `notepad.exe`) that will execute the shellcode.
- Create a memory section with RWX permissions via `NtCreateSection`.
- Map the section into the local process with RW permissions using `NtMapViewOfSection`.
- Map the same section into the remote target process with RX permissions.
- Write the shellcode into the local mapped view; because both views back onto the same section, the write is reflected in the remote mapped view.
- Start execution by creating a remote thread in the target process via `RtlCreateUserThread`, pointing it to the injected shellcode.
Method: Uses Asynchronous Procedure Calls (APCs) to run code inside an alertable thread of a target process.
Reference: Modexp – APC Injection
Reference: ired.team – APC Queue Injection
- Identify the PID of a target process (e.g., `explorer.exe`).
- Allocate memory inside the target process with RWX permissions.
- Write the shellcode into that allocated memory.
- Enumerate the threads of the target process and find one that is alertable (by checking its context/state).
- Queue an APC pointing to the injected shellcode. When the thread next enters an alertable state, the shellcode executes.
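As an added defender-side example that is not part of this repository, the following Python triage heuristic covers the artifacts both techniques above leave in the target process: an executable section view with no backing file (the `NtMapViewOfSection` pattern), an RWX private allocation (the APC-injection pattern), and a remote thread or APC start address that falls outside any image-backed region. The region records are constructed here; on Windows they would be gathered with `VirtualQueryEx` and `GetMappedFileName`, and the `Region` class and function names are assumptions of this example.

```python
from dataclasses import dataclass

# Memory type and protection constants from MEMORY_BASIC_INFORMATION.
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
PAGE_READWRITE = 0x04
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
EXEC_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ
             | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)


@dataclass
class Region:
    """One VirtualQueryEx result (assumed shape for this example)."""
    base: int
    size: int
    protect: int
    kind: int            # MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE
    mapped_file: str = ""  # GetMappedFileName result, "" if no backing file


def is_executable(protect: int) -> bool:
    return bool(protect & EXEC_MASK)


def triage_regions(regions):
    """Return (base, reason) for regions matching the injection artifacts."""
    findings = []
    for r in regions:
        if not is_executable(r.protect):
            continue
        if r.kind == MEM_MAPPED and not r.mapped_file:
            findings.append((r.base, "executable section view with no backing file"))
        elif r.kind == MEM_PRIVATE and r.protect == PAGE_EXECUTE_READWRITE:
            findings.append((r.base, "RWX private allocation"))
    return findings


def start_outside_image(start_addr: int, regions) -> bool:
    """True if a thread/APC start address is not inside an image-backed region."""
    for r in regions:
        if r.base <= start_addr < r.base + r.size:
            return r.kind != MEM_IMAGE
    return True  # unmapped address: also suspicious


# Constructed sample: one legitimate image region, one RX file-less section
# view, one RWX private block, one ordinary RW heap block.
SAMPLE_REGIONS = [
    Region(0x7FF6A0000000, 0x1000, PAGE_EXECUTE_READ, MEM_IMAGE, "notepad.exe"),
    Region(0x7FFB10000000, 0x1000, PAGE_EXECUTE_READ, MEM_MAPPED, ""),
    Region(0x1A2B3C0000, 0x1000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),
    Region(0x1A2B4C0000, 0x1000, PAGE_READWRITE, MEM_PRIVATE),
]
```

Running `triage_regions(SAMPLE_REGIONS)` flags the section view and the RWX block but not the image or heap regions, and `start_outside_image(0x7FFB10000010, SAMPLE_REGIONS)` is true for a thread started inside the file-less view.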