100 Days of Red Team

How process injection works in Linux vs Windows?

Learn about key differences between how process injection works in Linux and Windows.

Uday Mittal
Mar 02, 2025


Process injection is a technique used by attackers to execute arbitrary code within the address space of another process, often for purposes such as evading detection, escalating privileges, or maintaining persistence. While both Windows and Linux support process injection, their architectures and system call mechanisms result in significant differences in how injection is performed.

To help understand the differences, let's look at the following analogy first.

Imagine you want to increase the RAM in your laptop (i.e. inject more memory). How you do it will depend upon the design of your laptop's motherboard. If the motherboard has a spare RAM slot, you can simply plug another RAM stick into that slot. However, if the motherboard has only one slot, you will have to remove the existing RAM stick and replace it with a higher-capacity stick.

What has this got to do with process injection in Windows and Linux?

Well, as far as process injection is concerned, Windows is like a motherboard with a spare RAM slot: a piece of code can be injected into a process by allocating a new region in the process's memory and writing to it. Linux, by contrast, is like a motherboard with a single RAM slot: a piece of code is injected by identifying an existing region in the process's memory and replacing its contents.

The fundamental differences between process injection in Windows and Linux arise from their respective architectures, security models and API availability. Windows is designed to support extensive inter-process communication, debugging, and remote execution, making injection techniques more accessible. Linux, on the other hand, emphasizes process isolation and security, restricting direct manipulation of remote processes.

Windows provides explicit APIs (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread) that make it easy to inject into a process, whereas Linux requires the use of debugging interfaces like ptrace and /proc due to its lack of direct remote memory manipulation capabilities. Consequently, the flow of injection differs: Windows follows an allocate-write-execute model, whereas Linux follows an overwrite-execute-recover model. Additionally, while Windows allows for straightforward thread creation in remote processes, Linux necessitates the use of control flow hijacking techniques, such as modifying the instruction pointer or employing return-oriented programming (ROP) chains.

Ultimately, while both Windows and Linux are susceptible to process injection, Windows provides red team operators with well-defined tools for manipulating remote processes, making injection more direct but also easier to detect. Linux, on the other hand, requires red team operators to work within stricter constraints, leading to more subtle and complex injection methods that exploit existing process structures rather than adding new ones.
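Because the two models leave different traces, a defender can watch the explicit Windows API path and the Linux ptrace path separately. The Python script below is an added example and not part of the original post: it runs simple injection-indicator checks over a handful of constructed Sysmon records (Event ID 10, ProcessAccess, which captures the handle rights needed for VirtualAllocEx/WriteProcessMemory/CreateRemoteThread, and Event ID 8, CreateRemoteThread) and constructed Linux auditd SYSCALL records for ptrace. All log lines, image paths, PIDs and addresses are made up for illustration; the auditd records assume a rule such as `-a always,exit -F arch=b64 -S ptrace -k ptrace` and the x86_64 ptrace syscall number 101.

```python
"""Injection-indicator checks over constructed Sysmon and auditd records (added example)."""
import re

# key=value tokenizer; values may be quoted (auditd exe="...") or bare (Sysmon fields)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')

# Sysmon Event ID 10 access rights that together enable the Windows
# allocate-write-execute model (VirtualAllocEx / WriteProcessMemory / CreateRemoteThread)
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# ptrace request numbers (Linux UAPI) that overwrite memory or registers of the
# tracee: the "overwrite" and "execute" steps of the overwrite-execute-recover model
PTRACE_POKETEXT, PTRACE_POKEDATA, PTRACE_SETREGS, PTRACE_ATTACH = 4, 5, 13, 16
WRITE_REQUESTS = {PTRACE_POKETEXT, PTRACE_POKEDATA, PTRACE_SETREGS}
SYS_PTRACE_X86_64 = 101

# Constructed sample telemetry (not real logs). Windows lines are Sysmon events
# flattened to key=value form; Linux lines are auditd SYSCALL records (args in hex).
SAMPLE_LINES = [
    'EventID=10 SourceImage=C:\\Users\\alice\\Downloads\\update.exe SourceProcessId=4120 '
    'TargetImage=C:\\Windows\\explorer.exe TargetProcessId=1532 GrantedAccess=0x1FFFFF',
    'EventID=8 SourceImage=C:\\Users\\alice\\Downloads\\update.exe SourceProcessId=4120 '
    'TargetImage=C:\\Windows\\explorer.exe TargetProcessId=1532 StartAddress=0x1F3A2B40000 StartModule=',
    'EventID=8 SourceImage=C:\\Windows\\System32\\csrss.exe SourceProcessId=612 '
    'TargetImage=C:\\Windows\\System32\\svchost.exe TargetProcessId=900 '
    'StartAddress=0x7FFB1A2C1000 StartModule=C:\\Windows\\System32\\ntdll.dll',
    'type=SYSCALL msg=audit(1709300000.101:77): arch=c000003e syscall=101 success=yes exit=0 '
    'a0=10 a1=5dc a2=0 a3=0 pid=2201 exe="/tmp/inj" key="ptrace"',        # PTRACE_ATTACH
    'type=SYSCALL msg=audit(1709300000.102:78): arch=c000003e syscall=101 success=yes exit=0 '
    'a0=4 a1=5dc a2=7f1a2b3c4000 a3=cc pid=2201 exe="/tmp/inj" key="ptrace"',  # PTRACE_POKETEXT
    'type=SYSCALL msg=audit(1709300000.103:79): arch=c000003e syscall=101 success=yes exit=0 '
    'a0=d a1=5dc a2=0 a3=7ffd1000 pid=2201 exe="/tmp/inj" key="ptrace"',   # PTRACE_SETREGS
    'type=SYSCALL msg=audit(1709300000.104:80): arch=c000003e syscall=101 success=yes exit=0 '
    'a0=1 a1=6a4 a2=401000 a3=0 pid=3300 exe="/usr/bin/gdb" key="ptrace"',  # PTRACE_PEEKTEXT (read)
]


def parse_kv(line):
    """Turn one record into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def check_sysmon(rec):
    """Windows: flag handle rights that permit allocate+write+thread-create in another
    process, and remote threads whose start address is not backed by any loaded module."""
    src, dst = rec.get("SourceImage", ""), rec.get("TargetImage", "")
    if rec.get("EventID") == "10":
        access = int(rec.get("GrantedAccess", "0"), 16)
        if access & INJECT_MASK == INJECT_MASK and src != dst:
            return f"windows: {src} opened {dst} with VM_OPERATION|VM_WRITE|CREATE_THREAD"
    if rec.get("EventID") == "8" and not rec.get("StartModule"):
        return f"windows: {src} started a thread in {dst} outside any loaded module"
    return None


def check_audit(rec):
    """Linux: flag successful ptrace requests that write memory or registers of another
    process; attach and read-only requests alone are not reported."""
    if rec.get("type") != "SYSCALL" or rec.get("syscall") != str(SYS_PTRACE_X86_64):
        return None
    if rec.get("success") != "yes":
        return None
    request, target = int(rec["a0"], 16), int(rec["a1"], 16)   # ptrace(request, pid, ...)
    if request in WRITE_REQUESTS:
        return f"linux: pid {rec['pid']} ({rec['exe']}) ptrace request {request} wrote into pid {target}"
    return None


def analyze(lines):
    """Return one finding string per record that matches an injection indicator."""
    findings = []
    for line in lines:
        rec = parse_kv(line)
        hit = check_sysmon(rec) if "EventID" in rec else check_audit(rec)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LINES):
        print(finding)
```

Running the script reports the handle open and the unbacked remote thread on the Windows side, and the two ptrace writes (POKETEXT and SETREGS) on the Linux side, while the attach and the gdb read pass silently. In a real environment both checks need allowlists: csrss.exe and some security products legitimately create remote threads, and debuggers use PTRACE_POKETEXT to plant breakpoints, so the source image or exe should be compared against known-good paths before alerting.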

Red Team Notes
Key differences between how process injection works on Linux vs Windows:
- Windows provides explicit APIs that make it easy to inject into a process, whereas Linux requires the use of debugging interfaces.
- Windows allows for straightforward thread creation in remote processes, whereas Linux necessitates the use of control flow hijacking techniques.
- Windows follows an allocate-write-execute model, whereas Linux follows an overwrite-execute-recover model.

© 2025 Uday Mittal