
by x32x01

Why Do Attackers Use It?

Common Linux Injection Techniques

ptrace Injection
The ptrace syscall (used by debuggers like gdb) lets one process control another. Attackers abuse it to modify the memory and registers of target processes.

LD_PRELOAD Hijacking
The LD_PRELOAD environment variable forces the dynamic loader to load a custom shared library before all others. Malware uses it to inject malicious functions into legitimate programs.

/proc Memory Injection
By writing directly into /proc/<pid>/mem, attackers can overwrite a process's memory.

Process Hollowing
Replace the memory of a legitimate process with malicious code while keeping the same PID and name.

Signal & Code Injection
Using signals (SIGTRAP, SIGSEGV, etc.) combined with signal handlers to trigger malicious payloads.

Defense Against Process Injection
To reduce the risk, defenders can:
Enable SELinux/AppArmor → Restricts what processes can do.
Use Seccomp → Limits syscalls like ptrace.
Monitor /proc Access → Watch for unusual writes to /proc/<pid>/mem.
Check Loaded Libraries → Spot malicious LD_PRELOAD usage.
Behavioral Detection → Look for suspicious process interactions.
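As an added example (not part of the original post), here is a small Python scanner for the "Check Loaded Libraries" and "/proc" points above: it reads each process's /proc/<pid>/environ for LD_PRELOAD and /proc/<pid>/maps for shared objects mapped from writable directories or unlinked after loading. The sample environ and maps data are constructed, and SUSPICIOUS_DIRS is an assumed list to tune per host.

```python
from pathlib import Path

SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/")  # assumed list; tune per host

def parse_environ(raw: bytes) -> dict:
    """/proc/<pid>/environ is a NUL-separated list of KEY=VALUE entries."""
    env = {}
    for entry in raw.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def suspicious_libs(maps_text: str) -> list:
    """File-backed mappings in /proc/<pid>/maps that look injected: objects under
    writable/home dirs, or unlinked after mapping (the kernel appends '(deleted)')."""
    found = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) < 6 or not fields[5].startswith("/"):
            continue  # anonymous mapping, [heap], [stack], [vdso] ...
        if fields[5].endswith("(deleted)") or fields[5].startswith(SUSPICIOUS_DIRS):
            found.add(fields[5])
    return sorted(found)

def assess(environ_raw: bytes, maps_text: str) -> dict:
    env = parse_environ(environ_raw)
    return {"ld_preload": env.get("LD_PRELOAD"), "libs": suspicious_libs(maps_text)}

def scan_proc() -> dict:
    """Live scan of every readable process (run as root to see other users')."""
    hits = {}
    for proc in Path("/proc").iterdir():
        if not proc.name.isdigit():
            continue
        try:
            result = assess((proc / "environ").read_bytes(), (proc / "maps").read_text(errors="replace"))
        except OSError:
            continue  # process exited, or not ours to read
        if result["ld_preload"] or result["libs"]:
            hits[int(proc.name)] = result
    return hits

# Constructed sample (not from a real host): LD_PRELOAD into /tmp plus an unlinked mapped object.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/libhook.so\0HOME=/root\0"
SAMPLE_MAPS = """\
5555deadb000-5555deadc000 r--p 00000000 08:01 1234 /usr/bin/sshd
7f00c0de0000-7f00c0de1000 r-xp 00000000 08:01 5678 /tmp/libhook.so
7f00c1000000-7f00c1001000 r-xp 00000000 08:01 9999 /usr/lib/libinject.so (deleted)
"""
```

The script does not cover /etc/ld.so.preload, which has the same effect system-wide, and a "(deleted)" libc after a package upgrade is a benign hit, so treat results as leads to triage.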
Key Takeaway
Linux process injection is not theoretical - it’s actively used in modern malware campaigns. Attackers exploit trust in system processes to stay hidden. Defenders must monitor memory, syscalls, and libraries to detect these stealthy techniques.
If you’re learning offensive security → Try implementing safe demos of ptrace or LD_PRELOAD in a lab.
If you’re defending → Build detection rules around unexpected process manipulation.
