Detects and analyzes process injection techniques used by malware including classic DLL injection, process hollowing, APC injection, thread hijacking, and reflective loading. Uses memory forensics, API monitoring, and behavioral analysis to identify injection artifacts. Activates for requests involving process injection detection, code injection analysis, hollowed process investigation, or in-memory threat detection.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versiondetecting-process-injection-techniquesExecute the skills CLI command in your project's root directory to begin installation:
Fetches detecting-process-injection-techniques from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate detecting-process-injection-techniques. Access via /detecting-process-injection-techniques in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | detecting-process-injection-techniques |
| description | 'Detects and analyzes process injection techniques used by malware including classic DLL injection, process hollowing, APC injection, thread hijacking, and reflective loading. Uses memory forensics, API monitoring, and behavioral analysis to identify injection artifacts. Activates for requests involving process injection detection, code injection analysis, hollowed process investigation, or in-memory threat detection. ' |
| domain | cybersecurity |
| subdomain | malware-analysis |
| tags | - malware - process-injection - detection - memory-forensics - defense-evasion |
| version | 1.0.0 |
| author | mahipal |
| license | Apache-2.0 |
| d3fend_techniques | - Executable Denylisting - Execution Isolation - File Metadata Consistency Validation - Content Format Conversion - File Content Analysis |
| nist_csf | - DE.AE-02 - RS.AN-03 - ID.RA-01 - DE.CM-01 |
Do not use for standard DLL loading analysis; injection implies unauthorized code placement in a process without that process's cooperation.
Use Volatility to detect injected code in process memory:
# malfind: Primary injection detection plugin
vol3 -f memory.dmp windows.malfind
# malfind detects:
# - Memory regions with PAGE_EXECUTE_READWRITE (RWX) protection
# - PE headers (MZ signature) in non-image VAD entries
# - Executable memory not backed by a file on disk
# Filter by specific process
vol3 -f memory.dmp windows.malfind --pid 852
# Dump injected memory regions for analysis
vol3 -f memory.dmp windows.malfind --dump
# Check VAD (Virtual Address Descriptor) tree for anomalies
vol3 -f memory.dmp windows.vadinfo --pid 852
# Detect hollowed processes (mapped image doesn't match disk)
vol3 -f memory.dmp windows.hollowfind
Identify which injection method was used based on artifacts:
Process Injection Techniques and Detection Artifacts:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Classic DLL Injection
APIs: OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
Artifact: Loaded DLL in target process not present in known-good baseline
Detection: New DLL in dlllist not matching disk hash, CreateRemoteThread event
2. Process Hollowing (RunPE)
APIs: CreateProcess(SUSPENDED) -> NtUnmapViewOfSection -> VirtualAllocEx ->
WriteProcessMemory -> SetThreadContext -> ResumeThread
Artifact: Process image in memory doesn't match file on disk
Detection: hollowfind plugin, mismatched PE headers vs disk file
3. APC Injection
APIs: OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> QueueUserAPC
Artifact: Alertable thread has queued APC pointing to injected code
Detection: Thread start addresses outside known modules
4. Thread Hijacking
APIs: OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
SuspendThread -> GetThreadContext -> SetThreadContext -> ResumeThread
Artifact: Thread instruction pointer changed to injected code
Detection: Thread context modification, EIP/RIP outside module boundaries
5. Reflective DLL Injection
APIs: VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread (to reflective loader)
Artifact: DLL loaded in memory but NOT in loaded module list
Detection: malfind (PE in non-image memory), module not in ldrmodules
6. Process Doppelganging
APIs: NtCreateTransaction -> NtCreateFile(transacted) -> NtWriteFile ->
NtCreateSection -> NtRollbackTransaction -> NtCreateProcessEx
Artifact: Process created from transacted file that was rolled back
Detection: Process with no corresponding file on disk
7. AtomBombing
APIs: GlobalAddAtom -> NtQueueApcThread (with GlobalGetAtomName)
Artifact: Code stored in global atom table, APC triggers copy to target
Detection: Unusual atom table entries, APC injection indicators
Analyze Sysmon and Windows Event Log data:
# Sysmon Event ID 8: CreateRemoteThread
# Detect when one process creates a thread in another
wevtutil qe "Microsoft-Windows-Sysmon/Operational" \
/q:"*[System[EventID=8]]" /f:text /c:20
# Sysmon Event ID 10: ProcessAccess
# Detect suspicious access rights to other processes
# DesiredAccess containing PROCESS_VM_WRITE (0x0020) + PROCESS_CREATE_THREAD (0x0002)
wevtutil qe "Microsoft-Windows-Sysmon/Operational" \
/q:"*[System[EventID=10]]" /f:text /c:20
# Sysmon Event ID 1: Process Creation
# Detect process hollowing via suspicious parent-child relationships
wevtutil qe "Microsoft-Windows-Sysmon/Operational" \
/q:"*[System[EventID=1]]" /f:text /c:20
# Parse Sysmon events for injection indicators
import xml.etree.ElementTree as ET
import subprocess
# Query CreateRemoteThread events
result = subprocess.run(
["wevtutil", "qe", "Microsoft-Windows-Sysmon/Operational",
"/q:*[System[EventID=8]]", "/f:xml", "/c:100"],
capture_output=True, text=True
)
suspicious_injections = []
for event_xml in result.stdout.split("</Event>"):
if not event_xml.strip():
continue
try:
root = ET.fromstring(event_xml + "</Event>")
ns = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
data = {}
for d in root.findall(".//e:EventData/e:Data", ns):
data[d.get("Name")] = d.text
source = data.get("SourceImage", "")
target = data.get("TargetImage", "")
# Flag injections from unusual sources into system processes
system_procs = ["svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe"]
if any(p in target.lower() for p in system_procs):
if not any(p in source.lower() for p in ["csrss.exe", "services.exe", "lsass.exe"]):
print(f"[!] Suspicious injection: {source} -> {target}")
suspicious_injections.append(data)
except:
pass
Examine the injected payload to understand its purpose:
# Dump injected code from Volatility malfind
vol3 -f memory.dmp windows.malfind --pid 852 --dump
# Analyze the dumped region
file malfind.*.dmp
# If it contains a PE (MZ header), analyze as a standalone executable
python3 << 'PYEOF'
import pefile
# Attempt to parse as PE
try:
pe = pefile.PE("malfind.852.0x400000.dmp")
print("Injected PE detected!")
print(f" Architecture: {'x64' if pe.FILE_HEADER.Machine == 0x8664 else 'x86'}")
print(f" Imports:")
if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
for entry in pe.DIRECTORY_ENTRY_IMPORT:
print(f" {entry.dll.decode()}: {len(entry.imports)} functions")
except:
print("Not a valid PE - likely shellcode")
# Analyze as shellcode
with open("malfind.852.0x400000.dmp", "rb") as f:
shellcode = f.read()
print(f" Size: {len(shellcode)} bytes")
print(f" First bytes: {shellcode[:32].hex()}")
PYEOF
# Disassemble shellcode
python3 -c "
from capstone import Cs, CS_ARCH_X86, CS_MODE_64
with open('malfind.852.0x400000.dmp', 'rb') as f:
code = f.read()[:256]
md = Cs(CS_ARCH_X86, CS_MODE_64)
for insn in md.disasm(code, 0x400000):
print(f' 0x{insn.address:X}: {insn.mnemonic} {insn.op_str}')
"
# Scan with YARA for known payloads
vol3 -f memory.dmp yarascan.YaraScan --pid 852 --yara-file malware_rules.yar
Classify detected techniques in the ATT&CK framework:
MITRE ATT&CK Process Injection Sub-Techniques (T1055):
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
T1055.001 Dynamic-link Library Injection
T1055.002 Portable Executable Injection
T1055.003 Thread Execution Hijacking
T1055.004 Asynchronous Procedure Call (APC)
T1055.005 Thread Local Storage
T1055.008 Ptrace System Calls (Linux)
T1055.009 Proc Memory (/proc/pid/mem - Linux)
T1055.011 Extra Window Memory Injection
T1055.012 Process Hollowing
T1055.013 Process Doppelganging
T1055.014 VDSO Hijacking (Linux)
T1055.015 ListPlanting
Build detection rules for the identified technique:
# Sigma rule for CreateRemoteThread injection
title: Suspicious CreateRemoteThread into System Process
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 8
TargetImage|endswith:
- '\svchost.exe'
- '\explorer.exe'
- '\lsass.exe'
filter:
SourceImage|endswith:
- '\csrss.exe'
- '\services.exe'
- '\svchost.exe'
condition: selection and not filter
level: high
| Term | Definition |
|---|---|
| Process Injection | Technique of executing code within the address space of another process, typically to evade detection and inherit the target's trust level |
| Process Hollowing | Creating a legitimate process in suspended state, unmapping its memory, writing malicious code, and resuming execution to masquerade as the legitimate process |
| Reflective DLL Injection | Loading a DLL into a process's memory without using the Windows loader, so the DLL does not appear in the loaded module list |
| APC Injection | Queuing an Asynchronous Procedure Call to a thread in the target process, causing it to execute injected code when the thread enters an alertable state |
| VAD (Virtual Address Descriptor) | Windows kernel structure describing memory regions in a process; anomalous VAD entries (RWX permissions, non-image PE) indicate injection |
| CreateRemoteThread | Windows API creating a thread in another process; the primary mechanism for classic DLL injection and many other injection techniques |
| PAGE_EXECUTE_READWRITE | Memory protection allowing read, write, and execute; rarely used by legitimate applications, common indicator of injected code |
Context: EDR alerts on svchost.exe making HTTPS connections to an external IP. Svchost.exe should only communicate with Microsoft services. Memory analysis is needed to confirm process hollowing.
Approach:
malfind to detect injected PE in the process memorynetscan to confirm the network connections from the hollowed processPitfalls:
PROCESS INJECTION ANALYSIS REPORT
====================================
Dump File: memory.dmp
Analysis Tool: Volatility 3.2 + Sysmon
INJECTION DETECTED
Target Process: svchost.exe (PID: 852)
Source Process: malware.exe (PID: 2184) [terminated]
Technique: Process Hollowing (T1055.012)
EVIDENCE
malfind Results:
PID 852 (svchost.exe):
Address: 0x00400000
Size: 184,320 bytes
Protection: PAGE_EXECUTE_READWRITE
Header: MZ (PE32 executable)
NOT backed by disk file
Process Verification:
Expected Image: C:\Windows\System32\svchost.exe (SHA-256: aaa...)
In-Memory Image: Unknown PE (SHA-256: bbb...)
Result: MISMATCH - HOLLOWED PROCESS
Sysmon Events:
[4688] malware.exe (PID 2184) created svchost.exe (PID 852) SUSPENDED
[10] malware.exe accessed svchost.exe with PROCESS_VM_WRITE
[8] malware.exe created remote thread in svchost.exe
INJECTED PAYLOAD ANALYSIS
SHA-256: bbb123def456...
YARA Match: CobaltStrike_Beacon_x64
Type: Cobalt Strike Beacon (HTTP)
C2: hxxps://185.220.101[.]42/updates
MITRE ATT&CK
T1055.012 Process Hollowing
T1071.001 Web Protocols (HTTPS C2)
T1036.005 Match Legitimate Name (svchost.exe)
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
Keeps context tight: detecting-process-injection-techniques is the kind of skill you can hand to a new teammate without a long onboarding doc.
detecting-process-injection-techniques fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Solid pick for teams standardizing on skills: detecting-process-injection-techniques is focused, and the summary matches what you get after install.
detecting-process-injection-techniques is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
Registry listing for detecting-process-injection-techniques matched our evaluation — installs cleanly and behaves as described in the markdown.
Solid pick for teams standardizing on skills: detecting-process-injection-techniques is focused, and the summary matches what you get after install.
detecting-process-injection-techniques is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
We added detecting-process-injection-techniques from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Registry listing for detecting-process-injection-techniques matched our evaluation — installs cleanly and behaves as described in the markdown.
Keeps context tight: detecting-process-injection-techniques is the kind of skill you can hand to a new teammate without a long onboarding doc.
showing 1-10 of 59