A recent technical deep dive by Yehuda Smirnov, Hoshea Yarden, Hai Vaknin, and Noam Pomerantz has exposed a novel class of process injection on Windows, dubbed the “CONTEXT-only attack surface.”
Unlike classic methods that follow the pattern of memory allocation, writing, and execution—typically monitored by Endpoint Detection & Response (EDR) solutions—this approach bypasses the allocation and write phases entirely, focusing solely on execution primitives1.
Traditionally, process injection involves APIs such as VirtualAllocEx memory allocation, WriteProcessMemory modification, and CreateRemoteThread or Asynchronous Procedure Calls (APCs) for execution.
Security products often correlate these events to flag suspicious activity.
However, the researchers questioned whether malicious code could be executed in a target process by triggering only the execution step, skipping both allocation and writing.
Their findings reveal that, under certain conditions, this is indeed possible, challenging the core assumptions of EDR detection logic.
Pointer-Only LoadLibrary Injection and Context Hijacking
The team demonstrated a “pointer-only” DLL injection technique using the Windows API LoadLibraryA/W.
Instead of writing a new DLL path into the target process’s memory, the attacker locates an existing ASCII string (such as "0") within a shared system DLL like ntdll.dll.
Since this DLL is mapped at the same virtual address in all processes, the attacker can drop a malicious DLL named 0.dll somewhere in the search path and instruct the target process to load it by pointing LoadLibraryA to the in-memory string.
Here’s a simplified code snippet illustrating the core of this technique:
cHANDLE hThread = CreateRemoteThread(
hProcess,
NULL,
0,
(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("kernel32"), "LoadLibraryA"),
(LPVOID)0x7FFE0300, // pointer to shared NUL byte inside ntdll
0,
NULL);
This method effectively bypasses the need for remote memory allocation or writing, as the only requirement is to point to an existing string in the process’s address space.
The researchers found that this technique successfully evaded detection by leading EDRs, unlike standard DLL injection, which was flagged immediately.
To further extend this approach, the researchers leveraged thread context manipulation using APIs like SetThreadContext and NtCreateThread.
By controlling the thread’s CONTEXT structure—specifically the instruction pointer (RIP) and argument registers (RCX, RDX, R8, R9) under the Windows x64 calling convention—they could execute arbitrary WinAPI functions with full parameter control, enabling advanced payload delivery without typical memory operations1.
Implications for Detection and Defensive Strategies
This CONTEXT-only attack surface exposes a significant blind spot in current EDR models, which often rely on detecting at least two of three activities: remote allocation, modification, and execution.
Since the new technique triggers only execution, it can slip past correlation-based detection systems.
The research highlights that remote thread creation is common in benign software (e.g., performance profilers, debuggers), making it impractical to flag all such events as malicious.
To counter these advanced techniques, defenders may need to:
- Monitor for rapid sequences of thread creation and context manipulation events.
- Correlate thread creation with subsequent use of APIs like
SetThreadContext. - Consider deeper telemetry and data-flow analysis to trace the true origin of memory writes and execution triggers, though this is challenging at scale and in real time1.
The researchers have released a tool, RedirectThread, to demonstrate these injection methods, supporting various delivery and context manipulation strategies for testing and defense validation.
As process injection tradecraft evolves, defenders must adapt their detection logic and monitoring to address these emerging execution-only attack surfaces.
Technical Terms Used:
- Process Injection
- EDR (Endpoint Detection & Response)
- CreateRemoteThread
- SetThreadContext
- NtCreateThread
- CONTEXT structure
- Windows x64 Calling Convention (RCX, RDX, R8, R9)
- DLL Injection
- LoadLibraryA/W
- Remote Procedure Call (APC)
- ROP (Return-Oriented Programming) Gadget
- Memory Allocation (VirtualAllocEx)
- WriteProcessMemory
Example Code:
cHANDLE hThread = CreateRemoteThread(
hProcess,
NULL,
0,
(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("kernel32"), "LoadLibraryA"),
(LPVOID)0x7FFE0300, // pointer to shared NUL byte inside ntdll
0,
NULL);
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates
%20(1).webp?resize=1600,900&ssl=1&description=Traditionally, process injection involves APIs such as VirtualAllocEx memory allocation, WriteProcessMemory modification.){kind=link}