EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
Educationcode-injectiondll-injectionprocess-hollowing

Code Injection Techniques

The four primary code injection techniques — classic DLL injection, reflective DLL injection, process hollowing, and APC injection — with API sequences, detection indicators, and analyst countermeasures.

Ashish Revar12 May 202618 min read2 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Listen

The Malicious Process Lifecycle: From Execution to Evasion

How malware executes, establishes persistence, injects into legitimate processes, and evades detection inside modern operating systems.

Reference material

eBook
REMA eBook 2026
v1.0
Open resource
Cheatsheet
REMA Cheatsheet 2026
v1.0
Open resource
MCQ Bank
REMA MCQ Bank 2026
v1.0
Open resource
Question Bank
REMA Question Bank 2026
v1.0
Open resource

External references

MITRE ATT&CK — Process Injection (T1055)

Full ATT&CK entry for T1055 with all sub-techniques, real-world procedure examples, and detection guidance.

reference
hasherezade — Process Injection Demos on GitHub

Educational C++ implementations of classic DLL injection, process hollowing, and APC injection for lab study.

tool
More articlesTest your knowledge

What is Code Injection?

Code injection forces another process to execute code it did not originally contain. The goal is to run malicious code inside a legitimate, trusted process — hiding it from Task Manager, AV scanners, and firewall rules that whitelist by process name.

svchost.exe is trusted and whitelisted.
If malware injects into svchost.exe, its network traffic
appears to come from a legitimate Windows service.

Technique 1: Classic DLL Injection

The most common injection technique. Forces the target process to load a malicious DLL using LoadLibraryA as the thread start address.

API sequence

; Step 1: Open target process
push  PROCESS_ALL_ACCESS
push  FALSE
push  dwTargetPID           ; obtained from CreateToolhelp32Snapshot
call  OpenProcess           ; returns hProcess in EAX

; Step 2: Allocate memory in target for DLL path string
push  PAGE_READWRITE
push  MEM_COMMIT
push  dwPathLength
push  0
push  hProcess
call  VirtualAllocEx        ; returns remote address in EAX

; Step 3: Write DLL path into allocated memory
push  0
push  dwPathLength
push  offset szDllPath      ; "C:\malware.dll"
push  remoteAddr
push  hProcess
call  WriteProcessMemory

; Step 4: Create remote thread calling LoadLibraryA
push  0
push  0
push  remoteAddr            ; DLL path as argument to LoadLibraryA
push  LoadLibraryA          ; thread start address
push  0
push  0
push  hProcess
call  CreateRemoteThread

Detection indicators:

  • OpenProcess with PROCESS_ALL_ACCESS targeting a system process
  • VirtualAllocEx creating a writeable region in another process
  • WriteProcessMemory writing a file path string
  • CreateRemoteThread with LoadLibraryA as start address

MITRE ATT&CK: T1055.001 — Process Injection: Dynamic-link Library Injection

Technique 2: Reflective DLL Injection

The DLL loads itself using a custom loader embedded within it — without calling LoadLibraryA. No import table entry is created. The DLL does not appear in the target process's PEB module list.

How it works

  1. The attacker writes the raw DLL bytes into target process memory using WriteProcessMemory
  2. Execution transfers to a ReflectiveLoader function inside the DLL bytes
  3. ReflectiveLoader performs its own PE loading: fixes relocations, resolves imports, calls DllMain

Detection

The DLL is not in the PEB module list — EnumProcessModules and Task Manager's DLL tab will not show it. However, Volatility's malfind plugin detects it: a private, executable, allocated (not mapped) memory region containing an MZ header is exactly what reflective injection produces.

vol -f memory.dmp windows.malfind
# Shows: svchost.exe  0x00340000  PAGE_EXECUTE_READWRITE  MZ header

MITRE ATT&CK: T1055.001

Technique 3: Process Hollowing

Creates a legitimate process in suspended state, replaces its executable image with malicious code, then resumes it. The process appears legitimate to every user-mode tool.

API sequence

; Step 1: Create target in suspended state
push  CREATE_SUSPENDED
push  ...
push  offset szLegitApp     ; "C:\Windows\System32\svchost.exe"
call  CreateProcessA        ; creates suspended process

; Step 2: Unmap legitimate image from process memory
push  baseAddress           ; from reading PEB of suspended process
push  hProcess
call  NtUnmapViewOfSection  ; removes svchost.exe code from memory

; Step 3: Allocate and write malicious payload
push  PAGE_EXECUTE_READWRITE
push  MEM_COMMIT | MEM_RESERVE
push  payloadSize
push  preferredBase
push  hProcess
call  VirtualAllocEx

push  ...
push  payloadSize
push  pPayload
push  remoteBase
push  hProcess
call  WriteProcessMemory

; Step 4: Set entry point and resume
; Update thread context EIP/RIP to point to payload entry point
call  SetThreadContext
call  ResumeThread          ; payload now executes

Detection indicators:

  • CreateProcessA with CREATE_SUSPENDED flag
  • NtUnmapViewOfSection call on a process other than self
  • WriteProcessMemory writing a full PE into another process
  • SetThreadContext followed by ResumeThread

MITRE ATT&CK: T1055.012 — Process Injection: Process Hollowing

Technique 4: APC Injection

Queues an Asynchronous Procedure Call (APC) to a thread in the target process. The APC executes when the thread enters an alertable wait state.

; Queue APC to all threads of target process
push  remoteShellcodeAddr   ; APC routine address
push  0
push  0
push  hThread               ; thread handle
call  QueueUserAPC

Requirement: the target thread must be in an alertable wait state for the APC to execute. Functions that put threads into alertable wait: SleepEx, WaitForSingleObjectEx, MsgWaitForMultipleObjectsEx.

Variant — Early Bird APC: Queue the APC to a process created suspended, before any security product hooks are installed. Resume the process — the APC executes immediately as the first action before any user code runs.

Detection indicators:

  • OpenThread followed by QueueUserAPC
  • Combined with VirtualAllocEx and WriteProcessMemory
  • Early Bird variant: CREATE_SUSPENDED + QueueUserAPC + ResumeThread

MITRE ATT&CK: T1055.004 — Process Injection: Asynchronous Procedure Call

Detection Summary

TechniqueKey API SequenceVolatility Plugin
Classic DLL injectionOpenProcess → VirtualAllocEx → WriteProcessMemory → CreateRemoteThreaddlllist (DLL appears)
Reflective DLL injectionOpenProcess → VirtualAllocEx → WriteProcessMemory → CreateRemoteThread (no LoadLibrary)malfind (RWX + MZ)
Process hollowingCreateProcessA(SUSPENDED) → NtUnmapViewOfSection → WriteProcessMemory → SetThreadContext → ResumeThreadmalfind, pslist (image path mismatch)
APC injectionOpenThread → QueueUserAPCmalfind

Analyst Countermeasures

In x64dbg:

  • Set breakpoints on CreateRemoteThread, NtUnmapViewOfSection, QueueUserAPC
  • When any fires, inspect the arguments to identify the target process and payload address
  • Dump the remote process memory at the injected region using Process Hacker → right-click process → Dump → Memory Region