In this informatics guide we talk about a little known technique that allows to alter software and functionality of Windows. The Code Injection (code injection) is a computer code that is injected into the applications installed on your PC (browser, operating system, client e-mail and games), to change or alter the operation of some features. This technique is often used by authoritative programs, to carry out their tasks naturally. For example, antivirus software uses Code Injection to monitor browser navigation and PC network traffic. However, this is a feature that even some malware exploit to infect your computer. Let’s find out more about Code Injection with the best techniques to find out and eradicate it.

How Code Injection works

We will use simple words to understand how Code Injection works on Windows. The injection of code can be practiced in different ways, among which the use of some DLL files ( we will focus on this type ). At the base of its functionality, there are the Windows API and the possibility to connect different processes between them. Basically, it is possible that software can execute certain instructions within other processes and programs. The software involved in this technique is not directly modified. Code Injection waits for the application to be loaded to inject the code inside it. In the next paragraph, we mention five case studies that use code injection to work. Although it is a practice used by many official programs, it can pose a threat to our security , as it is the basis for the functioning of many viruses and malware.

Some practical examples of Code Injection

Here are five cases in which the Code Injection technique is frequently used:

  • Antivirus and Antimalware like Comodo Antivirus, Avast, Bitdefenter and Kaspersky, to monitor network traffic or block certain dangerous websites;
  • Windows theme management software;
  • Malware and Viruses , to alter the browser and monitor users’ browsing or capture information such as passwords, conversations or credit card numbers;
  • Translation programs like Babylon translation, to activate the language translator with the mouse or keyboard keys;
  • Some system drivers such as video from Intel, to perform particular tasks and optimize peripherals.

This Process Explorer Screenshot shows how in Outlook 2016 a couple of INTEL driver Injection DLLs are invoked.

How to check Code Injection on Windows

The best way to check for Code Injection on your computer is to use the Process Explorersoftware. On Technological Passion we have already explained how to find out if the PC is infected by viruses, using just this free program released by Microsoft.

To check for possible injections of DLL code on Windows, follow this procedure:

  1. Download the “Process Explorer” software from the official link;
  2. Unpack the downloaded package and run the executable file (procexp64.exe for 64-bit Windows);
  3. Click on “View” in the application menu bar;
  4. Click on “Lower Pane View” and select “DLLs”;
  5. At this point, click on the process to be checked (e.g. Google Chrome), in the central part of the window;
  6. Carefully check the DLLs loaded with the application in the lower part of “Process Explorer”.

From this image we discover that the Kaspersky antivirus injects its code within Google Chrome with two DLLs signed AO Kaspersky Lab

In addition to the DLL name, you will be able to view a description, the manufacturer and the file path. Since we are working in the Windows environment, it will be quite common to find numerous DLLs signed by Microsoft Corporation. By clicking on the menu bar, under “Company Name”, you can filter the list of results to easily discover unwanted ones, coming from unknown sources.

To understand each other well, let’s take a concrete example of how Code Injection works; let’s imagine having a computer with the Google Chrome applications installed to surf the internet and Kaspersky Antivirus Free edition for PC security. If we look for DLL injection with Process Explorer, we will notice that the Kaspersky antivirus injects its code into Google Chrome with a couple of DLLs signed AO Kaspersky Lab. The purpose of this “injection” is to monitor navigation and the blocking of the most dangerous sites.