Process injection in kernel mode
Process injection in kernel mode is a popular technique used by multiple malware families, including Stuxnet (with its MRxCls rootkit), to create another way of maintaining persistence and disguising malware activities under a legitimate process name. For a device driver to be able to read and write memory inside a process, it needs to attach itself to this process's memory space.
Once the driver is attached to this process's memory space, it can see the process's virtual memory, and it becomes possible to read from and write to it directly. For example, if the process executable's ImageBase is 0x00400000, then the driver can access it normally, as follows:
CMP WORD PTR [00400000h], 'ZM'
JNZ <not_mz>
For a driver to be able to attach to the process memory, it needs to get its EPROCESS using the PsLookupProcessByProcessId API and then use the KeStackAttachProcess API to attach to this process's memory space...
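The sequence just described, written out as an added example (this is not code from the book or from any of the malware families it names): look up the EPROCESS for a PID, attach to that process's address space, read the two bytes at the image base, compare them with the DOS signature exactly as the CMP instruction above does, then detach and drop the object reference. The kernel-mode part uses the documented PsLookupProcessByProcessId, KeStackAttachProcess, KeUnstackDetachProcess, ProbeForRead and ObDereferenceObject routines and compiles only in a WDK driver build; the guard macro _KERNEL_MODE is assumed to be the one the WDK defines for such builds. The portable helper is_mz_header is the C form of the 'ZM' comparison and builds anywhere. The function name probe_image_header and the sample bytes are constructed for this example.

```c
/* Added example (not from the page): the attach-read-detach sequence the
 * text describes, plus the 'MZ' check from the CMP instruction in C form.
 */
#include <stddef.h>
#include <stdint.h>

/* The DOS signature is the ASCII bytes 'M' 'Z' (0x4D 0x5A). Loaded as a
 * little-endian 16-bit word it reads 0x5A4D, which is why the assembly
 * immediate is written 'ZM'. */
#define DOS_SIGNATURE_LE 0x5A4Du

/* Return 1 if the first two bytes of buf form the DOS 'MZ' signature. */
int is_mz_header(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 2)
        return 0;
    /* Assemble the word byte-wise so the result does not depend on host
     * endianness; this mirrors CMP WORD PTR [base], 'ZM'. */
    uint16_t word = (uint16_t)buf[0] | ((uint16_t)buf[1] << 8);
    return word == DOS_SIGNATURE_LE;
}

#ifdef _KERNEL_MODE   /* assumed WDK-defined macro: kernel-mode driver build */
#include <ntddk.h>

/* Read two bytes at image_base inside process pid and report whether they
 * carry the DOS signature. Must be called at PASSIVE_LEVEL. */
NTSTATUS probe_image_header(HANDLE pid, PVOID image_base, BOOLEAN *has_mz)
{
    PEPROCESS process = NULL;
    KAPC_STATE apc_state;
    uint8_t header[2] = { 0, 0 };
    NTSTATUS status;

    *has_mz = FALSE;

    /* Step 1: PID -> EPROCESS. The object comes back referenced and must be
     * released with ObDereferenceObject on every path. */
    status = PsLookupProcessByProcessId(pid, &process);
    if (!NT_SUCCESS(status))
        return status;

    /* Step 2: switch the current thread into the target's address space. */
    KeStackAttachProcess(process, &apc_state);

    /* image_base is user-mode memory of another process: it may be unmapped
     * or paged out, so validate it and copy under an exception frame. */
    __try {
        ProbeForRead(image_base, sizeof header, 1);
        RtlCopyMemory(header, image_base, sizeof header);
        *has_mz = (BOOLEAN)is_mz_header(header, sizeof header);
        status = STATUS_SUCCESS;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        status = GetExceptionCode();
    }

    /* Step 3: always detach before returning, then drop the reference. */
    KeUnstackDetachProcess(&apc_state);
    ObDereferenceObject(process);
    return status;
}
#endif /* _KERNEL_MODE */
```

The detach and dereference are unconditional on purpose: leaving a thread attached to a foreign address space, or leaking the EPROCESS reference, is the kind of driver bug that surfaces as a bugcheck long after the faulty call, so a reviewer reading driver code that uses these APIs should look for exactly this pairing.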