1. Detecting Code Injection

If you recall from Chapter 8, Code Injection and Hooking, code injection is a technique for injecting malicious code (such as an EXE, a DLL, or shellcode) into the memory of a legitimate process and executing that code within the context of the legitimate process. To inject code into a remote process, malware normally allocates memory with Read, Write, and Execute protection (PAGE_EXECUTE_READWRITE) and then writes the code into the allocated memory of the remote process. To detect code that has been injected into a remote process, you can look for suspicious memory ranges based on the memory protection and the content of the memory. The compelling question is, what makes a memory range suspicious, and how do you get information about the memory ranges of a process?

If you recall from the previous chapter (in the Detecting Hidden DLL using ldrmodules section), Windows maintains a binary tree structure named Virtual Address Descriptors (VADs) in kernel space, and each VAD node describes a virtually contiguous memory region in the process memory. If a process memory region contains a memory-mapped file (such as an executable, a DLL, and so on), then the corresponding VAD node stores its base address, file path, and memory protection.

The following depiction is not an exact representation of the VAD, but it should help you understand the concept. In the following screenshot, one of the VAD nodes in kernel space describes where the process executable (explorer.exe) is loaded, its full path, and its memory protection. Similarly, the other VAD nodes describe the remaining process memory ranges, including those that contain mapped executable images such as DLLs. What this means is that the VAD can be used to determine the memory protection of each contiguous memory range in the process, and it can also tell you whether a memory region contains a memory-mapped image file (such as an executable or a DLL).
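To make the detection logic concrete, the following is an added example (not code from the book or from any forensics tool) that applies the heuristic described above to a constructed list of VAD-like records: a region is flagged when it is not backed by a mapped file, is writable and executable, and actually holds non-zero content. The `VadRegion` model, the sample addresses, and the sample bytes are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows page-protection names as recorded per VAD node. Injected code is
# commonly allocated PAGE_EXECUTE_READWRITE; a normally loaded image section
# shows copy-on-write executable pages instead.
WRITABLE_EXECUTABLE = {"PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}

@dataclass
class VadRegion:
    """Assumed, simplified view of one VAD node (not the kernel structure)."""
    start: int
    end: int
    protection: str
    mapped_file: Optional[str]  # file path when the node maps an image, else None
    content: bytes              # first bytes of the region, read from the dump

def is_suspicious(region: VadRegion) -> Optional[str]:
    """Return why the region looks injected, or None if it looks legitimate.

    A normally loaded EXE/DLL is file-backed, so its VAD node records a path;
    injected code sits in private, writable+executable memory with no file.
    """
    if region.mapped_file is not None:
        return None                      # backed by a file on disk
    if region.protection not in WRITABLE_EXECUTABLE:
        return None                      # not writable and executable
    if not region.content.strip(b"\x00"):
        return None                      # allocated but never written
    if region.content[:2] == b"MZ":
        return "private RWX memory holding a PE header"
    return "private RWX memory with non-zero content"

def find_injected_regions(regions: List[VadRegion]) -> List[Tuple[int, str]]:
    hits = []
    for region in regions:
        reason = is_suspicious(region)
        if reason:
            hits.append((region.start, reason))
    return hits

# Constructed sample: a file-backed image, a RW heap and three private RWX
# allocations; only the two RWX regions with real content should be flagged.
SAMPLE_VADS = [
    VadRegion(0x00400000, 0x004FFFFF, "PAGE_EXECUTE_WRITECOPY", r"\Windows\explorer.exe", b"MZ\x90"),
    VadRegion(0x02500000, 0x0250FFFF, "PAGE_READWRITE", None, b"\x00" * 8),
    VadRegion(0x02600000, 0x0261FFFF, "PAGE_EXECUTE_READWRITE", None, b"MZ\x90\x00\x03"),
    VadRegion(0x02700000, 0x02700FFF, "PAGE_EXECUTE_READWRITE", None, b"\x00" * 8),
    VadRegion(0x02800000, 0x02800FFF, "PAGE_EXECUTE_READWRITE", None, b"\x55\x8b\xec"),
]
```

Running `find_injected_regions(SAMPLE_VADS)` reports the two private RWX regions at 0x02600000 and 0x02800000 and ignores the file-backed image, the RW heap, and the RWX region that was never written.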
