Free Trial
|
Login
Free Trial
Login
Platform
Platform
I want to
report
WHITEPAPER Picus Red Report 2025
white paper
DATASHEET Security Validation Platform
Use Cases
Use Cases
Frameworks
Group
WHITEPAPER Building a Robust Defense-in-Depth Strategy with Breach and Attack Simulation (BAS)
Paper Icons
E-BOOK An Introduction to Exposure Validation
Research
RESEARCH
LEARNING
whitepaper
Whitepaper Modernize Your SOC with Breach and Attack Simulation
report (1)
REPORT Blue Report: Effective Threat Exposure Management
Resources
RESOURCES
LEARNING
Group
WHITEPAPER Double Your Threat Blocking in 90 Days
Paper Icons
E-BOOK An Introduction to Exposure Validation
Company
COMPANY
PARTNERS
webinar
REGISTER NOW: Assessing Your Zero Trust Program with "Assume Breach" Mindset
Data sheet
DATASHEET The Pioneer of Breach & Attack Simulation
GET A DEMO

MITRE ATT&CK T1055.009 Process Injection: Proc Memory

Huseyin Can YUCEEL | February 28, 2025

The Red Report 2025

Defend Against the Top 10 MITRE ATT&CK TTPs.

DOWNLOAD

Proc Memory is a process injection technique that adversaries use to read from or write to a process' memory space, allowing them to inject and execute malicious code without creating a new process. This technique takes advantage of the /proc filesystem in Linux and Unix-based systems, which provides an interface to process-related information, including memory mappings and permissions. By manipulating the memory of a running process, attackers can hijack execution, modify application behavior, or extract sensitive data such as credentials and encryption keys.

In this blog post, we explain the T1055.009 Proc Memory technique of the MITRE ATT&CK® framework and explore how adversaries employ proc memory injection with real-world attack examples in detail.

rr25-mockup1

 

  


The Red Report 2025
The 10 Most Prevalent MITRE ATT&CK Techniques
Used by Adversaries

GET THE REPORT


What is Proc Memory?

In Unix-like operating systems, the /proc filesystem is a virtual filesystem that provides access to information about processes running on a system. Proc memory injection involves enumerating the process' memory through the /proc filesystem and constructing a return-oriented programming (ROP) payload. ROP is a technique that involves using small blocks of code, known as "gadgets," to execute arbitrary code within the context of another process.

As mentioned, the /proc filesystem is implemented as a virtual filesystem, meaning that it does not exist on a physical storage device. Instead, it is a representation of the system's processes and their status, and the information it contains is generated on demand by the kernel.

One of the things that the /proc filesystem provides access to is the memory of the processes that are running on the system. For example, the /proc/[pid]/mem file can be used to access the memory of a process with the specified pid (process ID). The /proc/[pid] directory contains several files that provide information about the process, such as its memory mappings, open file descriptors, and so on. This can be useful for tasks such as debugging or reverse engineering, as well as for detecting and mitigating vulnerabilities in a process' memory.

Adversary Use of Proc Memory

To perform proc memory injection, an attacker first enumerates the process' memory by accessing the /proc/[pid] directory for the target process. Upon accessing the /proc/[pid], the attacker can examine the process' memory mappings to locate gadgets, which are small blocks of code that can be used to execute arbitrary code within the context of the process. Gadgets are typically found in the process' code segments, such as the text segment, which contains the instructions that make up the program. 

Here is an example gadget that can be used to execute arbitrary code in the context of a process:

# pop the address of the code to execute into the rdi register
pop rdi 
# return to the address in rdi
ret  

This gadget consists of two instructions: a "pop" instruction that pops an address off the top of the stack and stores it in the rdi register, and a "ret" instruction that returns to the address stored in the rdi register.

To use this gadget, an attacker could redirect the execution flow of the process to the gadget and then push the address of their own code onto the stack. The pop instruction would then pop this address off the stack and store it in the rdi register, and the ret instruction would return to the address stored in the rdi register, causing the attacker's code to be executed.

Gadgets are useful for an attacker because they allow them to execute code without having to inject their own code into the process' memory. Instead, they can use gadgets that are already present in the process' code segments to execute their own code. To find gadgets, an attacker can use tools (such as ROPgadget, Ropper, and ROPChain) that search the process' memory mappings for specific instructions or instruction sequences. 

For instance, adversaries can leverage the ROPgadget tool with the following attack lifecycle:

  • The first step for the attacker will be finding the target process where he wants to inject the code.

  • Then the attacker uses ROPgadget to find gadgets in the binary of the target process, looking for gadgets that can be used to change the flow of execution, such as gadgets that can be used to jump to a specific memory address or gadgets that can be used to call a specific function.

  • Once the attacker has identified a sufficient number of gadgets, they can construct an ROP payload by chaining together the gadgets in a specific order. 

  • The payload can then be injected into the process' memory using techniques such as Ptrace System Calls or by exploiting a vulnerability in the process. 

  • Once the payload is executed, it allows the attacker to execute arbitrary code within the context of the process.
MITRE ATT&CK T1055.009 Process Injection: Proc Memory
MITRE ATT&CK MITRE ATT&CK T1055.009 Process Injection: Proc Memory
Learn More
MITRE ATT&CK T1055.008 Process Injection: Ptrace System Calls
MITRE ATT&CK MITRE ATT&CK T1055.008 Process Injection: Ptrace System Calls
Learn More
MITRE ATT&CK T1055.004 Process Injection: Asynchronous Procedure Call
MITRE ATT&CK MITRE ATT&CK T1055.004 Process Injection: Asynchronous Procedure Call
Learn More
MITRE ATT&CK T1055.002 Process Injection: Portable Executable Injection
MITRE ATT&CK MITRE ATT&CK T1055.002 Process Injection: Portable Executable Injection
Learn More
MITRE ATT&CK T1055.001 Process Injection: DLL Injection
MITRE ATT&CK MITRE ATT&CK T1055.001 Process Injection: DLL Injection
Learn More
MITRE ATT&CK T1055 Process Injection
MITRE ATT&CK MITRE ATT&CK T1055 Process Injection
Learn More