I wrote a small tool to detect possible code injection even if it is done using only section APIs.
A few weeks ago, I had an opportunity to analyze ransomware referred to as Urausy. At the very initial stage of analysis, its behaviour seemed to be nothing surprising to me; it injected code into explorer.exe, and the injected code spawned svchost.exe hosting malicious code and initiated the main ransom activities.
More here: http://standa-note.blogspot.ca/2015/03/section-based-code-injection-and-its.html