3.4.2 Injecting code into a legitimate process

Malware can inject its own code into an already running legitimate process and then make that legitimate process execute the malicious code. This can be implemented using traditional thread injection, DLL injection, or process hollowing.

A traditional thread injection is implemented through the following steps:

  1. Open the target process using the OpenProcess() API. The target process is usually a clean process already executing on the system, such as svchost.exe or explorer.exe.
  2. Allocate space in the target process using the VirtualAllocEx() API.
  3. Write the malicious code into the remote process using the WriteProcessMemory() API.
  4. Execute the injected code as a new thread in the target process using the CreateRemoteThread() API.

Today, most malware uses a technique called process hollowing or RunPE. Though the method has existed for more than a decade, its usage seems to have picked up in the past few years. The reason could be that it's hard for malware analysts to debug process hollowing. Process hollowing launches a process in suspended mode and then writes its own binary into the newly created process. Then it resumes the target process. This technique is used by most ransomware packers today.
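Both techniques above leave a recognisable footprint in API-call telemetry: the four-call sequence of thread injection against one target process, and for process hollowing a process created suspended, written to, and then resumed by the same caller. The following is an added detection example, not code from the book. It assumes a constructed trace format (one call per line, `<caller_pid> <API> key=value ...`) of the kind a sandbox or EDR hook layer might record; the field names (`target_pid`, `flags`, `access`) are assumptions, not any real product's schema.

```python
"""Detect classic remote-thread injection and process hollowing (RunPE)
from an API-call trace.

Added example, not code from the book. It assumes a constructed trace
format (one call per line: '<caller_pid> <API> key=value ...'); the
field names are assumptions, not any real product's schema.
"""
from collections import defaultdict

# Ordered call sequence for traditional thread injection (steps 1-4 in the text).
THREAD_INJECTION = ["OpenProcess", "VirtualAllocEx",
                    "WriteProcessMemory", "CreateRemoteThread"]

# Ordered sequence typical of process hollowing: a process is created
# suspended, its image is overwritten, then the main thread is resumed.
PROCESS_HOLLOWING = ["CreateProcess", "WriteProcessMemory", "ResumeThread"]


def parse_trace(lines):
    """Turn trace lines into (caller_pid, api, attrs) tuples; '#' lines are comments."""
    events = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        caller, api, *kv = line.split()
        attrs = dict(pair.split("=", 1) for pair in kv)
        events.append((int(caller), api, attrs))
    return events


def in_order(calls, pattern):
    """True if every API in `pattern` occurs in `calls` in that order
    (unrelated calls may be interleaved)."""
    it = iter(calls)
    return all(any(call == wanted for call in it) for wanted in pattern)


def detect_injection(lines):
    """Return one finding per (caller, target) pair whose call sequence
    matches thread injection or process hollowing."""
    events = parse_trace(lines)
    calls_by_pair = defaultdict(list)   # (caller, target) -> [api, ...]
    suspended_pairs = set()             # pairs where the target was created suspended
    for caller, api, attrs in events:
        if "target_pid" not in attrs:   # calls that touch no other process are ignored
            continue
        pair = (caller, int(attrs["target_pid"]))
        calls_by_pair[pair].append(api)
        if api == "CreateProcess" and "CREATE_SUSPENDED" in attrs.get("flags", ""):
            suspended_pairs.add(pair)

    findings = []
    for (caller, target), calls in sorted(calls_by_pair.items()):
        if in_order(calls, THREAD_INJECTION):
            findings.append({"technique": "thread_injection",
                             "caller": caller, "target": target})
        if (caller, target) in suspended_pairs and in_order(calls, PROCESS_HOLLOWING):
            findings.append({"technique": "process_hollowing",
                             "caller": caller, "target": target})
    return findings


# Constructed sample trace: one injection, one hollowing, two benign cases
# (a read-only process query, and a normal non-suspended process launch).
SAMPLE_TRACE = """
# caller_pid API key=value ...
1000 OpenProcess target_pid=2000 access=PROCESS_ALL_ACCESS
1000 VirtualAllocEx target_pid=2000 protect=PAGE_EXECUTE_READWRITE
1000 WriteProcessMemory target_pid=2000 size=4096
1000 CreateRemoteThread target_pid=2000
3000 CreateProcess target_pid=3001 image=svchost.exe flags=CREATE_SUSPENDED
3000 WriteProcessMemory target_pid=3001 size=65536
3000 SetThreadContext target_pid=3001
3000 ResumeThread target_pid=3001
4000 OpenProcess target_pid=5000 access=PROCESS_QUERY_INFORMATION
4000 ReadProcessMemory target_pid=5000 size=64
6000 CreateProcess target_pid=6001 image=notepad.exe flags=0
6000 ResumeThread target_pid=6001
""".splitlines()

if __name__ == "__main__":
    for finding in detect_injection(SAMPLE_TRACE):
        print(finding)
```

Correlating on the (caller, target) pair and requiring the suspended-creation flag is what keeps the false-positive rate down: debuggers, installers and security products legitimately call OpenProcess and ReadProcessMemory, and only the full write-then-execute sequence against a single target is worth alerting on. The same logic applies to real telemetry such as Sysmon's ProcessAccess (event 10) and CreateRemoteThread (event 8) records once the fields are mapped.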
