Code Injection

Injecting and running code inside other processes — hollowing, reflective loading and hooking.

Code Injection (intermediate)
Malware places a trojan DLL in a directory searched before the legitimate library location, causing Windows to load the malicious version when the target application starts.
windows
Code Injection (advanced)
Malware stores shellcode in the Windows global Atom Table via GlobalAddAtom, then uses NtQueueApcThread to force a target process to copy and execute it, bypassing traditional injection defences.
windows
Code Injection (advanced)
Malware suspends an existing thread in a target process, overwrites its instruction pointer via SetThreadContext, and resumes it to redirect execution to injected shellcode.
windows
Code Injection (intermediate)
Malware installs a global Windows message hook via SetWindowsHookEx to force its DLL into target processes, executing code whenever a hooked event fires.
windows
Code Injection (intermediate)
Malware queues a shellcode pointer to a target thread's APC queue via QueueUserAPC, executing it when the thread enters an alertable wait state.
windows
Code Injection (advanced)
Loading a DLL straight from memory by implementing the Windows loader inside the payload itself, so no DLL is ever written to disk or registered in the process module list.
windows
Code Injection (advanced)
Spawning a legitimate process in a suspended state, unmapping its image and replacing it with malicious code before resuming — runs malware under a trusted process name.
windows