Detecting Thread Injection by ETW & One Simple Technique

Detecting Thread Injection by ETW & One Simple Technique

In this Article I want to talk about ETW and Thread Injection in this case “Remote Thread Injection”.

I made simple C# code “ETWMonThread.cs” for Monitoring Meterpreter Payload/Thread Injection in 2018.

this code was simple & my goal was to Show how We can use ETW very simple and useful…

in this code we have something like this :

Picture 1: ETWEventsFilters with ID 3.

With This code you can have all New Created Thread IDs (TIDs) with ETW then you need to get only Injected Thread which means Thread Created by Process A into Process B so with this simple Code you can get this:

Picture 2: Detecting Injector PID.

it seams everything is ok & I tested this code with some Technique like these:

ETW test with Process Hollowing Technique:

As you can see in this picture we have shell but this Meterpreter session and Thread ID Detected by ETW.

Thread Injection Detected & you can see Session Closed…

Picture 3: Process & TID Detected by ETW (Process Hollowing Technique).

ETW test with APC Queue Technique:

Again you can see in this picture we have shell but this Meterpreter session and Thread ID Detected by ETW .

Thread Injection Detected & you can see Session Closed…

Picture 4: Process & TID Detected by ETW (APC-Q Technique).

After these tests you can see this code “ETWMonThread.cs” was worked good.

but something in these Tests was same which is all of them have OpenProcess, CreateRemoteThread, WriteProcessMemory & … in one code/exe

it means Malware/Injector Code Will Detect at least with PID by ETW Events.

In the Picture 3 Malware/Injector Code PID was “Process Exited:1048”.

In the Picture 4 Malware/Injector Code PID was “Process Exited:3964”

Chunking Codes:

In this simple technique I want to use Thread Injection method with two Steps, it means I want to run this Injection Technique with two code/exe file.

As you can see I made “NativePayload_TId2.exe” and this is Step1 of Thread Injection Method/Code.

In this step1 we have (OpenProcess, VirtualAllocEx, WriteProcessMemory) API functions only and don’t have CreateRemoteThread Function.

Picture 5: “NativePayload_TId2” Payload Injection into Target Process Without CreateRemoteThread.

mportant Point :

As you can see in the “Picture 5“, we “don’t have any Detection” for Payload Injection or Writing Payload via API Function WriteProcessMemory into Target Process

(Notepad.exe:3796) by ETW code because in this [step1] with “NativePayload_TId2.exe” we did not have CreateRemoteThread Function.

So with this “NativePayload_TId2.exe” we don’t have new Thread but Target Process Infected by This Code very Simple & Malware Payload was injected to Notepad (In-memory).

In the Next Picture you can see I used “NativePayload_TId3.exe” which is Part2 of Attack/Code.

In this step2 of code Target Process in this case “Notepad” Opened with API function OpenProcess & Remote Thread created by “Intptr Pointer Address” from Step1

Which is in this case “002B0000”.

Picture 6: “NativePayload_TId3” Creating Remote Thread.

Now in this Step2, Code Detected by ETW and you can see “NativePayload_TId3.exe” as Thread Injector Detected by ETW but this is Part2 of Code,

This is not all of them.

Part1 of code which was (OpenProcess, VirtualAllocEx, WriteProcessMemory) executed by “NativePayload_TId2.exe” and Not Detected by ETW code and still is undetectable for this C# ETW code.

In the next “Picture 7” you can see this Session Detected/Closed.

Picture 7: “NativePayload_TId3” Creating Remote Thread

Another important thing is in this technique after [step1], your payload is in-memory of Notepad Process and you can Execute that any time you want with/without delay

And more than once so in the next Pictures you can see I used this Technique for Bypassing AVIRA Anti-viruses and these Codes

[step1 & step2] worked very well but in this case I Used [step2] two times and I had two sessions too, very simple.

Picture 8: this simple method not detected by AVIRA.
Picture 9: this simple method not detected by AVIRA


Video ETWMonThread.cs [step by step]:

as you can see this ETW is very useful thing for Thread Monitoring also is useful to show Injected Threads also Injector Processes… (Sometimes) and I think Some Anti-viruses need to use this ETW or something like this but always attackers have some Methods for bypassing your things….

Last Update: 8 Jun 2020




Security Researcher , Pentester

Love podcasts or audiobooks? Learn on the go with our new app.

Feedback loops and DevOps (Part 2)

Integrating k6 with Apache Kafka

Discovery Rancher’s Harvester : A new easy-to-use open-source HCI tool

Monitoring With Prometheus: Experiments With a Raspberry Pi

Make yourself a Go web server with MongoDb. Go on, Go on, Go on…

Android fundamentals 10.1 Part B: Deleting data from a Room database

“Connect all 2d in search” doesn’t work

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Damon Mohammadbagher

Damon Mohammadbagher

Security Researcher , Pentester

More from Medium

CS373 Spring 2022: Anish Roy

Password Salting/Hashing Technique

Building an E-commerce Website With ExpressionEngine, Part 1

Defacing the Web application using Stored XSS