This repository contains source code and evaluation materials for the ASIACCS 2025 paper "Can You Run My Code? A Close Look at Process Injection in Windows Malware" [PDF].
The artifact supports the dynamic detection and classification of process injection techniques in Windows malware by tracing injection-related Windows API calls at runtime and analyzing execution traces to identify injection primitives and techniques.
The repository is organized as follows:
- src/: Source code required to run experiments and analyze samples.
  - analyzer/: Analysis module for parsing execution traces, detecting process injection behavior, and classifying the injection technique(s).
  - bluepill/: Monitoring module for dynamically tracing Windows API calls related to process injection, built atop the BluePill framework for potentially evasive malware.
- data/: Annotated dataset information, including sample hashes and detected injection techniques, organized by year.
Note: The repository does not distribute live malware binaries. This artifact is intended strictly for research purposes. Malware samples should be executed in an isolated Windows environment with appropriate containment measures.
The monitor component is an extended version of BluePill, which builds on Intel Pin (v3.5 recommended) and requires Visual Studio 2017 or later for compilation. Use the provided Locals.props file to configure paths to the Pin installation and SDK.
Due to the license terms, we cannot distribute the specific Pin release used in our experiments as part of this artifact. If you encounter difficulties reproducing the recommended setup with a compatible Pin version, please contact us by email for guidance.
After successful compilation, a bluepill32.dll library will be generated inside the Pin directory.
To run a sample with BluePill:
pin.exe -mt -follow_execv -t bluepill32.dll -evasions -leak -- <sample.exe>
Options:
- -evasions: Enables detection and handling of evasion attempts.
- -leak: Mitigates leaks of the real EIP during DBI evasions.
Details of intercepted injection-related API calls can be found in the evasions.log file that BluePill creates in the Pin installation folder. To change the log output directory, modify the LOGPATH variable in pintool/src/logging.h.
The analyzer processes execution traces produced by the monitor module to identify and classify injection behavior.
Requirements:
- Python 3.8.x
- Python packages listed in requirements.txt
To run it:
python3 log_parser.py -d path/to/sample_log_folder
Use the --help flag to obtain extended usage information.
The analyzer generates a report summarizing the observed behavior. If a process injection attempt is detected, the report includes: the relevant API operations observed, the injection primitives involved (memory allocation, writing, execution), and the identified process injection technique(s).
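The following is an added illustration of the classification idea described above (primitives first, then technique), not the repository's own analyzer: the tab-separated trace format, the API-to-primitive mapping and the technique labels are assumptions made for this example. A target process is reported as injected only when allocation, writing and execution primitives were all observed against it from another process; same-process calls and incomplete sequences are kept in the report but not classified.

```python
"""Toy primitive/technique classifier for an injection-related API trace.

Added example for this README, not the project's analyzer. Trace format,
API-to-primitive mapping and technique labels are assumptions.
"""
from collections import defaultdict

# Assumed trace format (constructed for this example): one call per line,
#   <caller pid>\t<target pid>\t<API name>\t<key=value ...>
SAMPLE_TRACE = """\
4120\t4120\tVirtualAlloc\tsize=0x1000 protect=PAGE_EXECUTE_READWRITE
4120\t1932\tOpenProcess\tdesired=PROCESS_ALL_ACCESS
4120\t1932\tVirtualAllocEx\tsize=0x2000 protect=PAGE_EXECUTE_READWRITE
4120\t1932\tWriteProcessMemory\tsize=0x1f40
4120\t1932\tCreateRemoteThread\tstart=0x00a20000
4120\t2716\tOpenProcess\tdesired=PROCESS_VM_WRITE
4120\t2716\tWriteProcessMemory\tsize=0x40
"""

# Each injection-related API realizes one primitive (assumed mapping).
PRIMITIVE_OF = {
    "VirtualAllocEx": "alloc",
    "NtAllocateVirtualMemory": "alloc",
    "WriteProcessMemory": "write",
    "NtWriteVirtualMemory": "write",
    "CreateRemoteThread": "exec",
    "NtCreateThreadEx": "exec",
    "QueueUserAPC": "exec",
    "SetThreadContext": "exec",
}

# Technique label derived from the execution API used (assumed labels).
TECHNIQUE_OF_EXEC = {
    "CreateRemoteThread": "remote thread creation",
    "NtCreateThreadEx": "remote thread creation",
    "QueueUserAPC": "APC queueing",
    "SetThreadContext": "thread context hijacking",
}

# Handle acquisition is recorded as a relevant operation but is not a primitive.
RELATED_APIS = set(PRIMITIVE_OF) | {"OpenProcess"}


def parse_trace(text):
    """Yield (caller, target, api, args) tuples, skipping malformed lines."""
    for raw in text.splitlines():
        parts = raw.split("\t")
        if len(parts) < 3:
            continue
        args = {}
        if len(parts) > 3:
            args = dict(kv.split("=", 1) for kv in parts[3].split() if "=" in kv)
        yield int(parts[0]), int(parts[1]), parts[2], args


def classify(text):
    """Return {(caller, target): report} for every cross-process target touched.

    'injection' is True only when alloc, write and exec primitives were all
    observed against the same target; techniques are derived from the exec API.
    """
    seen = defaultdict(lambda: {"apis": [], "primitives": set(), "techniques": set()})
    for caller, target, api, _args in parse_trace(text):
        if caller == target or api not in RELATED_APIS:
            continue  # local memory operations are not injection
        entry = seen[(caller, target)]
        entry["apis"].append(api)
        prim = PRIMITIVE_OF.get(api)
        if prim is not None:
            entry["primitives"].add(prim)
        if prim == "exec":
            entry["techniques"].add(TECHNIQUE_OF_EXEC[api])

    report = {}
    for key, entry in seen.items():
        complete = {"alloc", "write", "exec"} <= entry["primitives"]
        report[key] = {
            "injection": complete,
            "apis": entry["apis"],
            "primitives": sorted(entry["primitives"]),
            "techniques": sorted(entry["techniques"]) if complete else [],
        }
    return report


if __name__ == "__main__":
    for (caller, target), rep in classify(SAMPLE_TRACE).items():
        status = "INJECTION" if rep["injection"] else "incomplete"
        print(f"{caller} -> {target}: {status}; primitives={rep['primitives']}; "
              f"techniques={rep['techniques']}; apis={rep['apis']}")
```

Running the block prints one line per (caller, target) pair: the 1932 target is flagged with the remote thread creation label, while the 2716 target shows only a write primitive and is left unclassified.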
If you are referencing our work in your research, please consider using the following BibTeX entry:
@inproceedings{injectionStudy25,
author = {Di Pietro, Giorgia and D'Elia, Daniele Cono and Querzoni, Leonardo},
title = {Can You Run My Code? A Close Look at Process Injection in Windows Malware},
year = {2025},
isbn = {9798400714108},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3708821.3736206},
doi = {10.1145/3708821.3736206},
booktitle = {Proceedings of the 20th ACM Asia Conference on Computer and Communications Security},
pages = {1600–1616},
numpages = {17},
series = {ASIA CCS '25}
}
This work has been partially supported by project SERICS (PE00000014) under the MUR National Recovery and Resilience Plan funded by the European Union - NextGenerationEU.