Code Injection and Hooking

In the previous chapter, we looked at the different persistence mechanisms used by malware to remain on a victim system. In this chapter, you will learn how malicious programs inject code into another process (called the target process or remote process) to perform malicious actions. The technique of injecting malicious code into a target process's memory and executing that code within the context of the target process is called code injection (or process injection).

An attacker typically chooses a legitimate process (such as explorer.exe or svchost.exe) as the target process. Once the malicious code is injected into the target process, it can then perform malicious actions, such as logging keystrokes, stealing passwords, and exfiltrating data, within the context of the target process. After injecting the code into the memory of the target process, the malware component responsible for injecting code can either continue to persist on the system, thereby injecting code into the target process every time the system reboots, or it can delete itself from the filesystem, keeping the malicious code in memory only.
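From the defender's side, the two steps described above (writing code into another process's memory, then running it there) leave a recognisable trace in endpoint telemetry: a handle opened on a remote process with write and execute-capable rights, followed by a thread created in that process. The following Python example is added here and is not from the book; it runs a simple triage rule over a few constructed Sysmon-style records (Event ID 10 ProcessAccess and Event ID 8 CreateRemoteThread are real Sysmon event types; the field names, sample paths and the "trusted source directory" allowlist are assumptions made for illustration) and flags cross-process access into explorer.exe and svchost.exe from an untrusted source image.

```python
import json
from typing import Dict, Iterable, List

# Win32 process access-right bits (real values from the PROCESS_* constants).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
# Granted together to a *remote* process, these rights let the holder place
# code in that process's memory: the first half of a code injection.
INJECTION_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumption for this example: images under these directories are treated as
# expected cross-process actors. A production allowlist needs tuning per host.
TRUSTED_SOURCE_DIRS = ("c:\\windows\\system32\\",)

# Constructed Sysmon-style records (JSON lines), not real telemetry.
# event_id 10 = ProcessAccess, event_id 8 = CreateRemoteThread, 1 = ProcessCreate.
SAMPLE_EVENTS = r"""
{"event_id": 1, "image": "C:\\Users\\bob\\Downloads\\invoice.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"event_id": 10, "source_image": "C:\\Users\\bob\\Downloads\\invoice.exe", "target_image": "C:\\Windows\\System32\\svchost.exe", "granted_access": "0x1F0FFF"}
{"event_id": 8, "source_image": "C:\\Users\\bob\\Downloads\\invoice.exe", "target_image": "C:\\Windows\\explorer.exe", "start_address": "0x00A20000"}
{"event_id": 8, "source_image": "C:\\Windows\\System32\\csrss.exe", "target_image": "C:\\Windows\\explorer.exe", "start_address": "0x77A31234"}
{"event_id": 10, "source_image": "C:\\Windows\\System32\\svchost.exe", "target_image": "C:\\Windows\\System32\\svchost.exe", "granted_access": "0x1000"}
"""


def is_trusted_source(image: str) -> bool:
    """True if the source image lives in an allowlisted directory (assumption)."""
    return image.lower().startswith(TRUSTED_SOURCE_DIRS)


def parse_events(text: str) -> List[Dict]:
    """Parse newline-delimited JSON records; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_injection_candidates(events: Iterable[Dict]) -> List[Dict]:
    """Return records that look like one process acting on another's memory.

    Rule: the source and target images differ, the source is not allowlisted,
    and either (EID 10) the handle carries VM_OPERATION|VM_WRITE or (EID 8) a
    thread was started in the target. Comparing image paths rather than PIDs is
    a simplification; real telemetry should key on process GUIDs or PIDs.
    """
    findings = []
    for ev in events:
        src = ev.get("source_image", "")
        dst = ev.get("target_image", "")
        if not src or not dst or src.lower() == dst.lower():
            continue  # no cross-process signal in this record
        if is_trusted_source(src):
            continue
        if ev.get("event_id") == 10:
            granted = int(ev.get("granted_access", "0"), 16)
            if granted & INJECTION_RIGHTS == INJECTION_RIGHTS:
                findings.append({
                    "event_id": 10, "source_image": src, "target_image": dst,
                    "reason": "handle with VM_OPERATION|VM_WRITE opened on a remote process",
                })
        elif ev.get("event_id") == 8:
            findings.append({
                "event_id": 8, "source_image": src, "target_image": dst,
                "reason": "thread created in a remote process",
            })
    return findings


if __name__ == "__main__":
    for f in find_injection_candidates(parse_events(SAMPLE_EVENTS)):
        print(f"[EID {f['event_id']}] {f['source_image']} -> {f['target_image']}: {f['reason']}")
```

On the constructed input the rule reports the two records where invoice.exe reaches into svchost.exe and explorer.exe, and stays quiet for csrss.exe (allowlisted) and for the svchost.exe handle that only carries a query right. The allowlist is the weak point of this kind of rule: legitimate system components do create remote threads, so in practice the decision is usually enriched with the source's signer, its parent, and the start address of the new thread (an address outside any loaded module is a strong indicator), rather than the path alone.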

Before we delve into the malware code injection techniques, it is essential to understand the virtual memory concept.
