Dynamic-linked-library (“DLL”) injection is one of the most popular techniques used by various types of user mode computer viruses to affect computer systems. Some applications, such as Microsoft Internet Explorer and Microsoft Windows Explorer, have very open and extensible architectures to allow third parties to create extensions for the software applications. Applications are allowed to register a DLL as an application extension. However, malware may load or inject DLLs with malicious code. Loaded or injected DLLs may make changes to the application execution environment to collect user data, spy on user activities, making phishing attacks, pop up unwanted windows, or conduct other unwanted activities. Some malware, such as downloaders, inject their DLLs into a legitimate Windows process or service to hide from system administrators, end users, and anti-malware software.