This approach to antivirus evasion aims to inject malicious code into the memory of a benign process. A common way to do this on Windows is to call OpenProcess to obtain a handle to an accessible process. Using that handle, the attacker allocates memory in the target process with an API such as VirtualAllocEx, writes the malicious code into the allocated region with WriteProcessMemory, and finally executes it with CreateRemoteThread.
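Each step of that chain leaves a trace that a defender can correlate: the OpenProcess handle must carry the rights the later calls need, and the remote thread starts in memory that no loaded module backs. The following added example (not from the original page) shows that correlation over constructed Sysmon-style ProcessAccess (Event ID 10) and CreateRemoteThread (Event ID 8) records; the field names follow Sysmon's schema, the image paths and addresses are made up.

```python
# Access rights the injection chain needs on the OpenProcess handle.
PROCESS_CREATE_THREAD = 0x0002  # required by CreateRemoteThread
PROCESS_VM_OPERATION = 0x0008   # required by VirtualAllocEx
PROCESS_VM_WRITE = 0x0020       # required by WriteProcessMemory
INJECTION_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample events; field names follow Sysmon's schema, values are invented.
EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\u\Downloads\dropper.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1F3FFF"},
    # Benign open with PROCESS_QUERY_LIMITED_INFORMATION only.
    {"EventID": 10, "SourceImage": r"C:\Program Files\Backup\agent.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1000"},
    # Remote thread whose start address is not inside any loaded module.
    {"EventID": 8, "SourceImage": r"C:\Users\u\Downloads\dropper.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartAddress": "0x00000215A4F20000",
     "StartModule": "", "StartFunction": ""},
    # Remote thread that starts inside ntdll.dll (normal for system components).
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartAddress": "0x00007FFB12345678",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
]


def has_injection_rights(ev):
    """Event ID 10 whose granted handle carries all three rights the chain needs."""
    if ev["EventID"] != 10:
        return False
    granted = int(ev["GrantedAccess"], 16)  # Sysmon logs GrantedAccess as a hex string
    return granted & INJECTION_MASK == INJECTION_MASK


def unbacked_remote_thread(ev):
    """Event ID 8 whose start address is in memory no module backs (VirtualAllocEx'd)."""
    return ev["EventID"] == 8 and not ev.get("StartModule")


def correlate(events):
    """(source, target) pairs showing both a rights-heavy open and an unbacked remote thread."""
    opens = {(e["SourceImage"], e["TargetImage"]) for e in events if has_injection_rights(e)}
    threads = {(e["SourceImage"], e["TargetImage"]) for e in events if unbacked_remote_thread(e)}
    return sorted(opens & threads)


if __name__ == "__main__":
    for source, target in correlate(EVENTS):
        print(f"possible injection: {source} -> {target}")
```

Requiring both signals keeps backup agents and debuggers (which open handles with broad rights but start no unbacked threads) out of the alert.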