Let's say that I am quite surprised that in 2018 still there are AVs that don't detect DLL injection on Windows 64bit using well documented APIs.
We know that MS in the last years, starting from Windows Vista, has developed a system protection at kernel level, which provides, to the running processes an integrity level (WIC).
The primary goal of WIC is to ensure that only objects with an integrity level equal or greater than the target object can interact with it.
Even when a process has administrative privileges, if this has a lower WIC level of the process target, it can't interact because the permissions of the NTFS files are ignored and are considered the ones of WIC.
But many malware use the injection technique by using an injector which has a level of execution equal or greater than the target process.
Simply they use some APIs to execute code in the context of another process. This code will modify, into the same process in which it is injected, the structure of some portions of memory by installing, for example, a monitor that intercepts the call to some APIs (hooking).
Thus, it is possible to intercept a series of activities. (for example network activity, disk activity, activity with peripheral devices, data used etc....). This depends on what the malware wants to monitor.
