3. Code Injection Techniques

As mentioned earlier, the objective of a code injection technique is to inject code into the memory of a remote process and execute that code within the context of the remote process. The injected code could be a module such as an executable, a DLL, or even shellcode. Code injection techniques provide many benefits for attackers; once the code is injected into the remote process, an adversary can do the following:

  • Force the remote process to execute the injected code to perform malicious actions (such as downloading additional files or stealing keystrokes).
  • Inject a malicious module (such as a DLL) and redirect an API call made by the remote process to a malicious function in the injected module. The malicious function can then intercept the input parameters of the API call and also filter its output parameters. For example, Internet Explorer uses HttpSendRequest() to send a request containing an optional POST payload to the web server, and it uses InternetReadFile() to fetch the bytes of the server's response for display in the browser. An attacker can inject a module into Internet Explorer's process memory and redirect HttpSendRequest() to the malicious function within the injected module to extract credentials from the POST payload. In the same manner, it can intercept the data received through the InternetReadFile() API to read or modify the data received from the web server. This enables an attacker to intercept data (such as banking credentials) before it reaches the web server, and it also allows an attacker to replace or insert additional data into the server's response (such as inserting an extra field into the HTML content) before it reaches the victim's browser.
  • Injecting code into an already running process allows an adversary to achieve persistence.
  • Injecting code into trusted processes allows an attacker to bypass security products (such as whitelisting software) and hide from the user.

In this section, we will mainly focus on code injection techniques in user space. We will look at the various methods used by attackers to perform code injection into a remote process.

In the following code injection techniques, there is a malware process (launcher or loader) that injects code, and a legitimate process (such as explorer.exe) into which the code will be injected. Before performing code injection, the launcher first needs to identify the process into which to inject the code. This is typically done by enumerating the processes running on the system using three API calls: CreateToolhelp32Snapshot(), Process32First(), and Process32Next(). CreateToolhelp32Snapshot() is used to obtain a snapshot of all of the running processes; Process32First() gets the information about the first process in the snapshot; Process32Next() is used in a loop to iterate through the remaining processes. The Process32First() and Process32Next() APIs return information about each process, such as the executable name, the process ID, and the parent process ID; malware can use this information to determine whether a process is the intended target. Sometimes, instead of injecting code into an already running process, malicious programs launch a new process (such as notepad.exe) and then inject code into it.
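As an added example (not the book's code), the same three-API enumeration the launcher relies on, used here from the analyst's side: a Windows-only snapshot via ctypes, followed by a check over the PID/parent-PID data it yields that reports processes launched by a parent the analyst did not expect. The parent allowlist, the constructed sample snapshot, and the loader.exe name are assumptions made for illustration.

```python
import ctypes
import sys
TH32CS_SNAPPROCESS = 0x00000002  # snapshot of all running processes
MAX_PATH = 260
class PROCESSENTRY32(ctypes.Structure):
    # ANSI layout of the Toolhelp32 process record (tlhelp32.h)
    _fields_ = [("dwSize", ctypes.c_uint32), ("cntUsage", ctypes.c_uint32),
                ("th32ProcessID", ctypes.c_uint32), ("th32DefaultHeapID", ctypes.c_void_p),
                ("th32ModuleID", ctypes.c_uint32), ("cntThreads", ctypes.c_uint32),
                ("th32ParentProcessID", ctypes.c_uint32), ("pcPriClassBase", ctypes.c_int32),
                ("dwFlags", ctypes.c_uint32), ("szExeFile", ctypes.c_char * MAX_PATH)]

def snapshot_processes():
    """Windows only: return [(pid, ppid, exe)] using the three APIs named in the text."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateToolhelp32Snapshot.restype = ctypes.c_void_p
    k32.CreateToolhelp32Snapshot.argtypes = [ctypes.c_uint32, ctypes.c_uint32]
    for fn in (k32.Process32First, k32.Process32Next):
        fn.argtypes = [ctypes.c_void_p, ctypes.POINTER(PROCESSENTRY32)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    if snap is None or snap == ctypes.c_void_p(-1).value:  # NULL or INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    entry = PROCESSENTRY32(dwSize=ctypes.sizeof(PROCESSENTRY32))  # dwSize must be set first
    procs = []
    try:
        ok = k32.Process32First(snap, ctypes.byref(entry))
        while ok:  # Process32Next returns FALSE once the snapshot is exhausted
            procs.append((entry.th32ProcessID, entry.th32ParentProcessID,
                          entry.szExeFile.decode(errors="replace")))
            ok = k32.Process32Next(snap, ctypes.byref(entry))
    finally:
        k32.CloseHandle(snap)
    return procs
def unexpected_children(procs, expected_parents):
    """Flag (pid, exe, parent exe) whose parent is outside an analyst-supplied allowlist
    {lowercase exe: {allowed parent exes}}; the policy itself is an illustrative assumption."""
    by_pid = {pid: exe for pid, _, exe in procs}
    flagged = []
    for pid, ppid, exe in procs:
        parent = by_pid.get(ppid)  # None when the parent has already exited
        allowed = expected_parents.get(exe.lower())
        if allowed is not None and (parent or "").lower() not in allowed:
            flagged.append((pid, exe, parent))
    return flagged

# Constructed snapshot standing in for a live one; loader.exe is a hypothetical launcher.
SAMPLE = [(4, 0, "System"), (1200, 4, "explorer.exe"), (2300, 1200, "notepad.exe"),
          (3100, 1200, "loader.exe"), (3400, 3100, "notepad.exe")]
procs = snapshot_processes() if sys.platform == "win32" else SAMPLE
```

On a live Windows host, `unexpected_children(procs, {"notepad.exe": {"explorer.exe"}})` reports a notepad.exe started by anything other than explorer.exe; on the constructed sample it reports the copy spawned by loader.exe.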

Whether the malware injects code into an already running process or launches a new process to inject code into, the objective of all the code injection techniques (covered next) is to inject malicious code (a DLL, an executable, or shellcode) into the address space of the target (legitimate) process and force the legitimate process to execute the injected code. Depending on the code injection technique, the malicious component to be injected can reside on disk or in memory. The following diagram should give you a high-level overview of code injection techniques in user space:
