
This project provides a proof-of-concept implementation of the "Process Overwriting" (a form of Process Hollowing) technique in plain C. The injector launches a legitimate target process in a suspended state and then overwrites its main executable module in memory with a custom payload. The main thread's context is then updated to point to the payload's entry point, and the process is resumed.
This method allows the payload to run under the guise of a legitimate process, providing a layer of stealth.
- Tested on Windows [Version 10.0.20348.3807]

Major  Minor  Build  Revision
-----  -----  -----  --------
10     0      20348  0

The core steps of the injection are as follows:
- Create Suspended Target: A specified target process (e.g., `calc.exe`) is created in a `CREATE_SUSPENDED` state.
- Map Payload: The payload executable is read from disk and mapped into a virtual memory layout that mirrors how the OS would load it.
- Check Compatibility: The injector verifies that the payload and target share the same architecture (32-bit or 64-bit) and that the payload's virtual size does not exceed the target's.
- Overwrite Memory: The injector gains access to the target process's memory space, overwriting the original executable's image with the payload's image.
- Update Entry Point: The entry point of the target process's main thread is modified to point to the entry point of the injected payload.
- Resume Process: The suspended main thread is resumed, causing the payload's code to be executed instead of the original program.
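
A defender-side check for the overwrite step, added here as an example and not part of the project's code: it compares header fields of the executable on disk with the first page of the main module as read from process memory. It assumes that page has already been acquired by other means and that the payload's headers are written along with its image; the function names and sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields that stay as mapped; ImageBase is skipped because it can change when the image is relocated. */
typedef struct { uint16_t machine, magic; uint32_t stamp, entry, img_size; } pe_id;
enum { DIFF_ARCH = 1, DIFF_STAMP = 2, DIFF_ENTRY = 4, DIFF_SIZE = 8, UNPARSABLE = 16 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Bounds-checked parse of an image's first bytes; returns 0 on success. */
int pe_parse(const uint8_t *b, size_t len, pe_id *o) {
    if (len < 0x40 || rd16(b) != 0x5A4D) return -1;            /* "MZ" */
    uint32_t nt = rd32(b + 0x3C);                               /* e_lfanew */
    if (nt > len || len - nt < 24 + 60) return -1;              /* truncated headers */
    if (rd32(b + nt) != 0x4550) return -1;                      /* "PE\0\0" */
    const uint8_t *opt = b + nt + 24;                           /* optional header */
    o->machine = rd16(b + nt + 4);  o->stamp = rd32(b + nt + 8);
    o->magic = rd16(opt);           o->entry = rd32(opt + 16);
    o->img_size = rd32(opt + 56);                               /* same offset in PE32 and PE32+ */
    return (o->magic == 0x10b || o->magic == 0x20b) ? 0 : -1;
}

/* Compare the file on disk with the main module read from process memory. */
unsigned compare_images(const uint8_t *disk, size_t dl, const uint8_t *mem, size_t ml) {
    pe_id d, m;
    if (pe_parse(disk, dl, &d) || pe_parse(mem, ml, &m)) return UNPARSABLE;
    return (d.machine != m.machine || d.magic != m.magic ? DIFF_ARCH : 0)
         | (d.stamp != m.stamp ? DIFF_STAMP : 0) | (d.entry != m.entry ? DIFF_ENTRY : 0)
         | (d.img_size != m.img_size ? DIFF_SIZE : 0);
}

/* Constructed sample: minimal x64 header page, not taken from any real binary. */
void sample_header(uint8_t *b, uint32_t stamp, uint32_t entry, uint32_t img_size) {
    memset(b, 0, 0x200);
    b[0] = 'M'; b[1] = 'Z'; wr32(b + 0x3C, 0x80); wr32(b + 0x80, 0x4550);
    b[0x84] = 0x64; b[0x85] = 0x86;                             /* Machine = AMD64 */
    b[0x98] = 0x0b; b[0x99] = 0x02;                             /* Magic = PE32+ */
    wr32(b + 0x88, stamp); wr32(b + 0x98 + 16, entry); wr32(b + 0x98 + 56, img_size);
}

int main(void) {
    uint8_t disk[0x200], mem[0x200];
    sample_header(disk, 0x5F000000, 0x1870, 0x2D000);           /* host image as on disk */
    sample_header(mem,  0x66000000, 0x14E0, 0x09000);           /* smaller image found in memory */
    printf("mismatch flags: 0x%x\n", compare_images(disk, sizeof disk, mem, sizeof mem));
}
```

Because the injector's own compatibility check requires matching architecture, `DIFF_ARCH` is unlikely to fire in this scenario; the timestamp, entry point and image size carry the signal.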

https://deepwiki.com/grisuno/OverRide
- Written in self-contained C with no external dependencies.
- Supports both 32-bit and 64-bit payloads.
- Automatically handles architecture differences between a 64-bit injector and a 32-bit target process (using Wow64 APIs).
- Includes compatibility checks to prevent common injection failures.


The injector is a command-line tool.
injector.exe <path_to_payload> [path_to_target]

- `<path_to_payload>`: (Required) The path to the executable file you want to inject.
- `[path_to_target]`: (Optional) The path to the legitimate executable that will be used as the host process. If not provided, it defaults to `C:\Windows\System32\calc.exe`.
.\injector.exe .\my_payload_x64.exe C:\Windows\System32\svchost.exe
If your payload is 32-bit, you must provide a 32-bit target process when running on 64-bit Windows.
.\injector.exe .\my_payload_x86.exe C:\Windows\SysWOW64\calc.exe
https://www.youtube.com/shorts/utiQ3QDFtvU
The project can be compiled using the MinGW-w64 toolchain.
x86_64-w64-mingw32-gcc injector.c -o injector.exe
This tool is intended for educational and research purposes only. The techniques demonstrated here can be used for legitimate purposes, such as software testing and analysis, but can also be abused by malware. The author is not responsible for any misuse of this code. Always ensure you have permission to inject code into a process or system.