Injection Detection
ObRegisterCallbacks
Detect process injection attempts via handle operations and remote thread creation.
Overview
Injection detection monitors for suspicious cross-process operations that are commonly used in injection techniques. This includes handle operations with dangerous access rights and remote thread creation.
Detection Methods
| Method | Detection |
|---|---|
| Remote Thread | Thread created in another process |
| Process Handle | Handle with PROCESS_VM_WRITE access |
| Thread Handle | Handle with THREAD_SET_CONTEXT access |
| Handle Duplicate | Cross-process handle duplication |
Suspicious Access Rights
The following access rights are flagged as potentially suspicious when they are requested on a handle to another process or to one of its threads:
Process Access
- PROCESS_VM_WRITE
- PROCESS_VM_OPERATION
- PROCESS_CREATE_THREAD
- PROCESS_DUP_HANDLE
Thread Access
- THREAD_SET_CONTEXT
- THREAD_SUSPEND_RESUME
- THREAD_GET_CONTEXT
False Positives
Some legitimate software (debuggers, security tools, game anti-cheat) may trigger injection detection. Use IPS rules to whitelist known good processes.
Captured Information
- Source process — Process attempting the operation
- Target process — Process being targeted
- Access rights — Requested access mask
- Operation — Handle create, duplicate, thread create
UI Features
- Injection tab — View all injection-related events
- Remote thread filter — Show only remote thread events
- Process filter — Focus on specific source/target
- Severity indicator — Color-coded by risk level
IPS Rule Examples
Injection: RemoteThread | Target: lsass.exe | Action: Block
Injection: * | Source: powershell.exe | Action: Alert
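The following Python is an added example, not code from the product this page documents. It shows the two pieces of logic the page describes in one place: checking a requested access mask against the suspicious process and thread rights listed above, and matching a captured event (source, target, access mask, operation) against IPS rules written in the "Injection: ... | Source: ... | Target: ... | Action: ..." form shown in the examples. The access-right bit values are the documented winnt.h constants. Everything else is an assumption made for the example: the operation names (RemoteThread, ProcessHandle, ThreadHandle, HandleDuplicate), the severity tiers, first-match-wins rule evaluation, wildcard matching on image names, and the constructed events.

```python
"""Added example: classify cross-process handle/thread events and apply IPS-style rules."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

# Win32 access-right bits as defined in winnt.h (documented values).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
THREAD_SUSPEND_RESUME = 0x0002
THREAD_GET_CONTEXT = 0x0008
THREAD_SET_CONTEXT = 0x0010

# The rights the page lists as suspicious, keyed by the (assumed) operation name.
SUSPICIOUS_RIGHTS = {
    "ProcessHandle": {
        "PROCESS_VM_WRITE": PROCESS_VM_WRITE,
        "PROCESS_VM_OPERATION": PROCESS_VM_OPERATION,
        "PROCESS_CREATE_THREAD": PROCESS_CREATE_THREAD,
        "PROCESS_DUP_HANDLE": PROCESS_DUP_HANDLE,
    },
    "ThreadHandle": {
        "THREAD_SET_CONTEXT": THREAD_SET_CONTEXT,
        "THREAD_SUSPEND_RESUME": THREAD_SUSPEND_RESUME,
        "THREAD_GET_CONTEXT": THREAD_GET_CONTEXT,
    },
}
# Assumption: a duplicated handle is checked against the process-rights table.
SUSPICIOUS_RIGHTS["HandleDuplicate"] = SUSPICIOUS_RIGHTS["ProcessHandle"]


@dataclass
class InjectionEvent:
    """One captured event, carrying the four fields the page lists (constructed shape)."""
    operation: str       # RemoteThread | ProcessHandle | ThreadHandle | HandleDuplicate
    source: str          # image name of the process attempting the operation
    target: str          # image name of the process being targeted
    access_mask: int = 0  # requested access mask (unused for RemoteThread)


def flagged_rights(event: InjectionEvent) -> list:
    """Names of the suspicious rights present in the requested access mask."""
    table = SUSPICIOUS_RIGHTS.get(event.operation, {})
    return [name for name, bit in table.items() if event.access_mask & bit]


def severity(event: InjectionEvent) -> str:
    """Assumed risk tiers: write+execute capability on a process, or the ability to
    suspend a thread and rewrite its context, is rated high; any single listed
    right is medium; nothing listed is low."""
    if event.operation == "RemoteThread":
        return "high"
    names = set(flagged_rights(event))
    write_and_exec = {"PROCESS_VM_WRITE", "PROCESS_VM_OPERATION", "PROCESS_CREATE_THREAD"}
    hijack = {"THREAD_SET_CONTEXT", "THREAD_SUSPEND_RESUME"}
    if write_and_exec <= names or hijack <= names:
        return "high"
    return "medium" if names else "low"


def parse_rule(text: str) -> dict:
    """Parse 'Injection: X | Source: Y | Target: Z | Action: A'; omitted fields default to '*'."""
    rule = {"Injection": "*", "Source": "*", "Target": "*", "Action": "Alert"}
    for part in text.split("|"):
        key, _, value = part.partition(":")
        if key.strip():
            rule[key.strip()] = value.strip()
    return rule


def _matches(pattern: str, value: str) -> bool:
    # Case-insensitive glob match so 'LSASS.EXE' and 'lsass.exe' compare equal.
    return fnmatch(value.lower(), pattern.lower())


def evaluate(rules: list, event: InjectionEvent) -> Optional[str]:
    """Action of the first matching rule, or None. Handle events that request none
    of the listed rights are not injection events and never match a rule."""
    if event.operation != "RemoteThread" and not flagged_rights(event):
        return None
    for rule in rules:
        if (_matches(rule["Injection"], event.operation)
                and _matches(rule["Source"], event.source)
                and _matches(rule["Target"], event.target)):
            return rule["Action"]
    return None


# The two rule examples from the page.
EXAMPLE_RULES = [
    parse_rule("Injection: RemoteThread | Target: lsass.exe | Action: Block"),
    parse_rule("Injection: * | Source: powershell.exe | Action: Alert"),
]

if __name__ == "__main__":
    # Constructed sample events, not captured data.
    for ev in (
        InjectionEvent("RemoteThread", "unknown.exe", "lsass.exe"),
        InjectionEvent("ProcessHandle", "powershell.exe", "notepad.exe",
                       PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD),
        InjectionEvent("ProcessHandle", "taskmgr.exe", "notepad.exe", 0x1000),
    ):
        print(ev.operation, ev.source, "->", ev.target, flagged_rights(ev),
              severity(ev), evaluate(EXAMPLE_RULES, ev))
```

A handle opened with only PROCESS_QUERY_LIMITED_INFORMATION (0x1000) is rated low and matches no rule, which is how the false-positive note above plays out in practice: a whitelist rule for a debugger or anti-cheat process only needs to cover events that actually request the listed rights.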