How does process injection work in Linux vs Windows?
Learn about key differences between how process injection works in Linux and Windows.
Process injection is a technique used by attackers to execute arbitrary code within the address space of another process, often for purposes such as evading detection, escalating privileges, or maintaining persistence. While both Windows and Linux support process injection, their architectures and system call mechanisms result in significant differences in how injection is performed.
To help understand the differences, let's look at the following analogy first.
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.
Imagine you want to increase the RAM in your laptop (i.e. inject more memory). How you do it will depend upon the design of the motherboard of your laptop. If the motherboard has an extra slot for RAM, you can just plug another RAM stick into that slot. However, if the motherboard has only one slot, you will have to remove the existing RAM stick and replace it with a higher capacity stick.
What has this got to do with process injection in Windows and Linux?
Well, as far as process injection is concerned, Windows is like a motherboard with an extra RAM slot: a piece of code can be injected into a process by allocating a new memory region in the target's address space and writing the code into it. Linux is like a motherboard with a single RAM slot: a piece of code is injected by identifying an existing memory region in the target's address space and replacing its contents.
The fundamental differences between process injection in Windows and Linux arise from their respective architectures, security models and API availability. Windows is designed to support extensive inter-process communication, debugging and remote execution, so manipulating another process's memory and threads is a documented, first-class part of its API, which makes injection techniques more accessible. Linux exposes remote-process manipulation only through the debugging interface (`ptrace`) and the `/proc` pseudo-filesystem, and gates both behind the ptrace access check (same user and a dumpable target, or `CAP_SYS_PTRACE`), which many distributions tighten further with the Yama `ptrace_scope` setting.
Windows provides explicit APIs (`VirtualAllocEx`, `WriteProcessMemory`, `CreateRemoteThread`) that make it easy to inject into a process. Linux has no equivalent call that allocates memory or creates a thread in another process: remote memory can be read and written through `ptrace` (`PTRACE_PEEKTEXT`/`PTRACE_POKETEXT`), through `/proc/<pid>/mem`, or through `process_vm_writev`, and `/proc/<pid>/maps` tells the injector where the target's code lives, but all of these are gated by the same ptrace permission check and none of them can create a new region or a new thread for the payload. Consequently, the flow of injection differs: Windows follows an allocate-write-execute model, whereas Linux follows an overwrite-execute-recover model, in which the injector saves the target's registers and a piece of its existing code, overwrites that code with the payload, forces the target to execute it, and then restores the saved bytes and registers so the target carries on as before. Additionally, while Windows allows for straightforward thread creation in remote processes, Linux necessitates the use of control flow hijacking techniques, such as modifying the instruction pointer with `PTRACE_SETREGS` or employing return-oriented programming (ROP) chains. In practice the first thing the hijacked thread is often made to execute is an `mmap` syscall, so that a larger payload gets its own region; the borrowed bytes are still restored afterwards.
Ultimately, while both Windows and Linux are susceptible to process injection, Windows provides red team operators with well-defined tools for manipulating remote processes, making injection more direct but also easier to detect: a remote allocation, a remote write and a remote thread start are discrete, hookable API calls that endpoint monitoring is built to correlate. Linux, on the other hand, requires red team operators to work within stricter constraints, leading to more subtle and complex injection methods that reuse existing process structures rather than adding new ones.
Red Team Notes
Key differences between how process injection works on Linux vs Windows:
- Windows provides explicit APIs that make it easy to inject into a process, whereas Linux requires the use of the debugging interface (`ptrace`) and `/proc`.
- Windows allows for straightforward thread creation in remote processes, whereas Linux necessitates the use of control flow hijacking techniques.
- Windows follows an allocate-write-execute model, whereas Linux follows an overwrite-execute-recover model.