000o0 / PowerLoaderEx

PowerLoaderEx - Advanced Code Injection Technique for x32 / x64


PowerLoaderEx

Original PowerLoader

  • Known since ~2013
  • Loader used in many different dropper families (Gapz / Redyms / Carberp / Vabushky ...)
  • First injection technique based on Return Oriented Programming (ROP)
  • "explorer.exe" is injected using Shell_TrayWnd / NtQueueApcThread (32-bit / 64-bit)

PowerLoaderEx

  • Injection via the shared desktop heap
  • Removes the dependency on Explorer.exe shared sections (more generic)
  • Injection without reading memory from the target process
  • 32-bit and 64-bit versions (same technique)

Tested Environments

  • Windows 7, 32-bit and 64-bit.

Authors

  • BreakingMalware.com
