Process injection is a popular technique for executing malicious payloads without the knowledge of users or defensive tools. However, EDR solutions have had a major impact on the reliability of these techniques.
This talk presents a way out of the standard patterns of process injection by combining several techniques: Module Stomping and threadless injection to eliminate the use of certain Windows APIs, and hardware breakpoints (HWBP) to bypass EDR user-mode hooks.
Throughout the talk, dives into Windows internals and a look at the impact of each technique on EDR alerts will make the pros and cons of each approach clear.