// Threadless Process Injection Masterclass
Master threadless process injection through remote function hooking — executing shellcode inside a target process without ever creating a new thread. By CCob / EthicalChaos. Learn the complete technique from inline hook fundamentals through one-shot shellcode execution, BOF integration, and detection engineering.
Why CreateRemoteThread and NtCreateThreadEx are heavily monitored. Kernel callbacks, ETW telemetry, and the detection surface of traditional injection.
02 BeginnerInline hooking basics, trampoline patterns, and the key insight: hooking a remote function triggers execution on existing threads.
03 BeginnerChoosing frequently-called exports, sleep-based vs event-driven triggers, stability considerations for reliable injection.
04 IntermediateNtAllocateVirtualMemory cross-process, writing shellcode and hook stubs, memory protection management with NtProtectVirtualMemory.
05 IntermediateThe trampoline: save registers, call shellcode, restore state, jump to original. Position-independent hook construction at the byte level.
06 IntermediateOverwriting the target function prologue, atomic write considerations, dealing with thread safety during hook installation.
07 AdvancedOne-shot execution pattern, restoring original bytes after first trigger, avoiding repeated execution and ensuring stability.
08 AdvancedComplete flow walkthrough, Cobalt Strike BOF version, detection vectors: memory scanning, hook detection, ETW tracing.
github.com/CCob/ThreadlessInjectethicalchaos.devsafebreach.com/research/process-injection-using-windows-thread-poolsProcess injection via existing RWX sections in legitimate DLLs, avoiding memory allocation and protection changesired.team/offensive-security/code-injection-process-injectiongithub.com/microsoft/Detourshstechdocs.helpsystems.com/manuals/cobaltstrikegithub.com/elastic/detection-rules