No injector remains undetected forever. Here’s why:
Thus, an “undetected” injector is always a temporary state, usually lasting from a few hours to several weeks before it is signatured or behaviorally flagged.
If you are a security professional or system administrator, you cannot rely on simple signature scans. Implement these detections:
Register a PsSetCreateThreadNotifyRoutine to inspect every thread creation. The callback itself only receives the process ID, the thread ID and a create flag, so resolve the new thread's start address and compare it against the address ranges of the modules loaded in the target process. If a thread starts in svchost.exe and its start address is not within a known system DLL (in particular, if it lies in memory not backed by any image), it is likely injected shellcode.
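A user-mode version of the same check, added here as an example (it is not code from the original article): it walks every thread of each svchost.exe process, tests the thread's recorded start address against the address ranges of the loaded modules, and flags start addresses in unbacked memory or in modules outside System32. It assumes an elevated 64-bit PowerShell session and uses only the .NET System.Diagnostics process classes.

```powershell
# Added example: point-in-time sweep applying the same heuristic as the kernel
# thread-creation callback. Run from an elevated 64-bit PowerShell; processes
# that refuse a handle (protected processes) are reported and skipped.

function Get-ModuleForAddress {
    param([System.Diagnostics.ProcessModule[]]$Modules, [IntPtr]$Address)
    $addr = $Address.ToInt64()            # user-mode addresses are positive as Int64
    foreach ($m in $Modules) {
        $base = $m.BaseAddress.ToInt64()
        if ($addr -ge $base -and $addr -lt ($base + $m.ModuleMemorySize)) { return $m }
    }
    return $null                          # start address is not backed by any loaded image
}

function Find-SuspiciousThreads {
    param([string]$ProcessName = 'svchost')
    $system32 = Join-Path $env:SystemRoot 'System32'
    foreach ($p in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try {
            $modules = @($p.Modules)      # throws on access denied / protected process
        } catch {
            Write-Warning ("PID {0}: cannot enumerate modules ({1})" -f $p.Id, $_.Exception.Message)
            continue
        }
        foreach ($t in $p.Threads) {
            $mod = Get-ModuleForAddress -Modules $modules -Address $t.StartAddress
            if ($null -eq $mod) {
                $verdict = 'SUSPICIOUS: start address in unbacked memory'
                $where   = '<no module>'
            } elseif (-not $mod.FileName.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
                $verdict = 'REVIEW: start address outside System32'
                $where   = $mod.FileName
            } else {
                continue                  # thread starts inside a system DLL: expected
            }
            [pscustomobject]@{
                PID          = $p.Id
                TID          = $t.Id
                StartAddress = '0x{0:X}' -f $t.StartAddress.ToInt64()
                Module       = $where
                Verdict      = $verdict
            }
        }
    }
}

Find-SuspiciousThreads | Format-Table -AutoSize
```

Unlike the kernel callback, this is a snapshot rather than a check at creation time, so a short-lived injected thread can be missed between sweeps. Some legitimate runtimes (JIT-compiled code, trampolines) also start threads outside any image, so expect to build a per-host allow list before alerting on the REVIEW rows.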
Instead of using a public injector binary, an undetected injector is often custom-coded in C, C++, or Rust. The binary is obfuscated: junk instructions are added, control flow is flattened, and strings (like "kernel32.dll") are encrypted at rest. Polymorphic code changes the injector’s signature every time it is compiled, rendering signature detection useless.