# Code Injection

Use the `-forensics 1` flag and check `M:\forensics\forensic`

Including a `pagefile.sys` can help **reduce false positives**.

### Common process irregularities:

**PROC\_NOLINK**\
A process that is not present in the `EPROCESS` doubly-linked list. This could be due to process termination or a memory image issue, or it may indicate a maliciously unlinked process.

**PROC\_PARENT**\
Checks for deviations from the commonly expected parents of some system processes

**PROC\_USER**\
Checks for processes named as system components running with the wrong account token

### Unusual properties of memory pages:

**PE\_INJECT**\
Memory location with a PE header (`EXE/DLL`) not present in [image mapped memory](https://f1rstbyt3.gitbook.io/hacking-notes/dfir/memory-analysis/..#image-mapped-memory), similar to looking for an MZ header in hex data.

**NOIMAGE\_RWX**\
Memory sections with `READWRITE_EXECUTE` outside of [mapped memory](https://f1rstbyt3.gitbook.io/hacking-notes/dfir/memory-analysis/..#image-mapped-memory)

**NOIMAGE\_RX**\
Memory sections with `READ_EXECUTE` outside of [mapped memory](https://f1rstbyt3.gitbook.io/hacking-notes/dfir/memory-analysis/..#image-mapped-memory)

**PRIVATE\_RWX**\
Memory sections with `READWRITE_EXECUTE` in [private memory](https://f1rstbyt3.gitbook.io/hacking-notes/dfir/memory-analysis/..#private-memory)

**PRIVATE\_RX**\
Memory sections with `READ_EXECUTE` in [private memory](https://f1rstbyt3.gitbook.io/hacking-notes/dfir/memory-analysis/..#private-memory)

### Manipulated Memory Structures:

**PEB\_MASQ**\
**Targets** [#process-environment-block-peb](https://f1rstbyt3.gitbook.io/hacking-notes/dfir/windows#process-environment-block-peb "mention") masquerade attacks, where the PEB is modified to change the name and/or file path of the originally loaded code. Detected by comparing information between the PEB and the VAD tree for the same image memory section.

**PE\_NOLINK**\
Indicates a DLL with a PE header (MZ) is present in a memory section tracked by the VAD tree but is not present in the PEB lists. Can identify many different types of process injection.

**PE\_PATCHED**\
Locates executable pages that have been 'patched' or modified **after** the executable code is loaded (*targets more advanced hollowing techniques*). This injection technique patches itself into legitimate processes. [#page-table-entries-pte](https://f1rstbyt3.gitbook.io/hacking-notes/dfir/windows#page-table-entries-pte "mention") track modified pages via structures called prototype PTEs; the check examines each active image memory page within the VAD tree for any PTEs indicating modification.
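As an added example (not part of this note or of any tool's own code), the following Python applies the page-level and PEB/VAD cross-check heuristics above to a constructed per-process VAD list and PEB module map. The `Vad`/`Proc` records and the `scan` function are assumptions standing in for what a memory-forensics tool exposes; the sample addresses and paths are constructed.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed model: one record per VAD (virtual address descriptor) plus the PEB module list.
@dataclass
class Vad:
    base: int
    protection: str            # "READWRITE_EXECUTE", "READ_EXECUTE", "READWRITE", ...
    kind: str                  # "image", "mapped" or "private"
    has_mz: bool               # first bytes of the region are an MZ (PE) header
    file: Optional[str] = None # backing file recorded in the VAD (image sections only)

@dataclass
class Proc:
    name: str
    vads: list
    peb_modules: dict          # base address -> path recorded in the PEB module lists

def scan(proc):
    """Apply the heuristics above; returns (indicator, base) tuples in VAD order."""
    hits = []
    for v in proc.vads:
        rwx = v.protection == "READWRITE_EXECUTE"
        rx = v.protection == "READ_EXECUTE"
        if v.kind != "image" and v.has_mz:          # PE header outside image-mapped memory
            hits.append(("PE_INJECT", v.base))
        if v.kind == "private" and (rwx or rx):     # executable private memory
            hits.append(("PRIVATE_RWX" if rwx else "PRIVATE_RX", v.base))
        elif v.kind == "mapped" and (rwx or rx):    # executable, mapped but not an image
            hits.append(("NOIMAGE_RWX" if rwx else "NOIMAGE_RX", v.base))
        if v.kind == "image" and v.has_mz:          # cross-check the VAD against the PEB
            peb_path = proc.peb_modules.get(v.base)
            if peb_path is None:
                hits.append(("PE_NOLINK", v.base))  # VAD tracks the image, PEB does not
            elif v.file and peb_path.lower() != v.file.lower():
                hits.append(("PEB_MASQ", v.base))   # PEB path disagrees with the VAD
    return hits

# Constructed sample: one legitimate image plus four suspicious regions.
SAMPLE = Proc("svchost.exe", [
    Vad(0x7FF600000000, "READ_EXECUTE", "image", True, r"C:\Windows\System32\svchost.exe"),
    Vad(0x1D000000, "READWRITE_EXECUTE", "private", True),   # PE written into private RWX
    Vad(0x2A000000, "READ_EXECUTE", "mapped", False),         # executable non-image mapping
    Vad(0x7FFA20000000, "READ_EXECUTE", "image", True, r"C:\Users\Public\evil.dll"),
    Vad(0x7FFA30000000, "READ_EXECUTE", "image", True, r"C:\Temp\inj.dll"),
], {
    0x7FF600000000: r"C:\Windows\System32\svchost.exe",
    0x7FFA20000000: r"C:\Windows\System32\version.dll",  # PEB masquerades the second image
})
```

Running `scan(SAMPLE)` yields PE_INJECT and PRIVATE_RWX for the private region, NOIMAGE_RX for the mapped one, PEB_MASQ for the renamed image and PE_NOLINK for the image absent from the PEB.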

### Common false positives

#### PE\_PATCHED:

.NET code often uses JIT (Just-In-Time) libraries, so code can be legitimately loaded and changed. Loading 32-bit code via SysWOW64 also triggers this indicator.

### Types of memory pages:

A = Active page\
T = Transient page (non-active but still in memory)\
Z = Zero page\
C = Compressed page (may or may not be backed by memory or paged out to the `pagefile`)\
Pf = `PageFile`
