Protecting against malware code injections in trusted processes
US-2019286821-A1 · Sep 19, 2019 · US
US11416612B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11416612-B2 |
| Application number | US-201916354612-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 15, 2019 |
| Priority date | Mar 16, 2018 |
| Publication date | Aug 16, 2022 |
| Grant date | Aug 16, 2022 |
Official abstract text for this publication.
Disclosed are systems and methods for detecting malicious applications. The described techniques detect a first process has been launched on a computing device, and monitor at least one thread associated with the first process using one or more control points of the first process. An execution stack associated with the one or more control points of the first process is received from the first process. In response to detecting activity on the one or more control points of the first process, an indication that the execution of the first process is malicious is generated by applying a machine learning classifier to the received execution stack associated with the one or more control points of the first process.
Claims.
What is claimed is:
1. A computer-implemented method for detecting a malicious application, comprising: detecting a first process has been launched on a computing device; monitoring at least one thread associated with the first process using one or more control points of the first process; receiving from the first process an execution stack associated with the one or more control points of the first process; and responsive to detecting activity on the one or more control points of the first process, wherein the one or more control points are associated with a system call to create a remote thread that runs in a virtual address space of a second process, which is a shared-service process configured to import third-party processes to be embedded in the shared-service process as separate threads, generating an indication that the execution of the first process is malicious by applying a machine learning classifier to the received execution stack associated with the one or more control points of the first process.
2. The method of claim 1, wherein the monitoring the at least one thread associated with the first process is performed using call stack trace monitoring.
3. The method of claim 1, wherein the detecting the first process has launched and the monitoring the at least one thread associated with the first process is performed by a file protector driver module.
4. The method of claim 1, wherein the one or more control points are further associated with events comprising at least one of: create a file, clean up a file, close a file, duplicate a handle, rename a file, delete a file, and create a thread.
5. The method of claim 1, further comprising: responsive to receiving the indication that the execution of the first process is malicious, performing a remedial action comprising restoration of a file modified by the first process and termination of the first process.
6. A system for detecting a malicious application, comprising: a memory device; and a processor coupled to the memory device and configured to: detect a first process has been launched on a computing device; monitor at least one thread associated with the first process using one or more control points of the first process; receive from the first process an execution stack associated with the one or more control points of the first process; and responsive to detecting activity on the one or more control points of the first process, wherein the one or more control points are associated with a system call to create a remote thread that runs in a virtual address space of a second process, which is a shared-service process configured to import third-party processes to be embedded in the shared-service process as separate threads, generate an indication that the execution of the first process is malicious by applying a machine learning classifier to the received execution stack associated with the one or more control points of the first process.
7. The system of claim 6, wherein the monitoring the at least one thread associated with the first process is performed using call stack trace monitoring.
8. The system of claim 6, wherein the detecting the first process has launched and the monitoring the at least one thread associated with the first process is performed by a file protector driver module.
9. The system of claim 6, wherein the one or more control points are further associated with events comprising at least one of: create a file, clean up a file, close a file, duplicate a handle, rename a file, delete a file, and create a thread.
10. The system of claim 6, further comprising: responsive to receiving the indication that the execution of the first process is malicious, performing a remedial action comprising restoration of a file modified by the first process and termination of the first process.
11. A non-transitory computer readable medium comprising computer executable instructions for detecting a malicious application, including instructions for: detecting a first process has been launched on a computing device; monitoring at least one thread associated with the first process using one or more control points of the first process; receiving from the first process an execution stack associated with the one or more control points of the first process; and responsive to detecting activity on the one or more control points of the first process, wherein the one or more control points are associated with a system call to create a remote thread that runs in a virtual address space of a second process, which is a shared-service process configured to import third-party processes to be embedded in the shared-service process as separate threads, generating an indication that the execution of the first process is malicious by applying a machine learning classifier to the received execution stack associated with the one or more control points of the first process.
12. The computer readable medium of claim 11, wherein the monitoring the at least one thread associated with the first process is performed using trace monitoring.
13. The computer readable medium of claim 11, wherein the detecting the first process has launched and the monitoring the at least one thread associated with the first process is performed by a file protector driver module.
14. The computer readable medium of claim 11, wherein the one or more control points are further associated with events comprising at least one of: create a file, clean up a file, close a file, duplicate a handle, rename a file, delete a file, and create a thread.
15. The computer readable medium of claim 11, further comprising: responsive to receiving the indication that the execution of the first process is malicious, performing a remedial action comprising restoration of a file modified by the first process and termination of the first process.
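The abstract and claim 1 describe a pipeline: a driver-side control point fires on the system call that creates a remote thread inside a shared-service process, the calling thread's execution stack is handed up, a machine learning classifier scores that stack, and claim 5 adds the remedial action (restore modified files, terminate the process). The following Python is an added illustration of that pipeline written for this page; it is not code from the patent or its assignee. It assumes `svchost.exe` as the shared-service process and `NtCreateThreadEx`/`RtlCreateUserThread` as the remote-thread system calls (the claims name neither), uses a small multinomial naive Bayes model as the unspecified "machine learning classifier", and every process name, stack frame and threshold is constructed for the example.

```python
"""Toy version of the control-point + stack-classifier detection described in the
claims (added example, not the patent's own code).  All names below are constructed."""
from collections import Counter
from dataclasses import dataclass, field
import math

# Assumptions: which syscalls count as "create a remote thread" and which images are the
# "shared-service process" of the claims.  Placeholder choices, not taken from the patent.
REMOTE_THREAD_SYSCALLS = {"NtCreateThreadEx", "RtlCreateUserThread"}
SHARED_SERVICE_IMAGES = {"svchost.exe"}
MALICIOUS_THRESHOLD = 0.5


@dataclass
class ControlPointEvent:
    """What a file-protector driver would report when a control point fires."""
    source_pid: int
    source_image: str
    syscall: str
    target_pid: int
    target_image: str
    stack: list[str]  # frames as "module!function", innermost frame first


def is_guarded_control_point(evt: ControlPointEvent) -> bool:
    """Claim 1's trigger: a remote-thread syscall aimed at a different process that is a
    shared-service host."""
    return (evt.syscall in REMOTE_THREAD_SYSCALLS
            and evt.target_pid != evt.source_pid
            and evt.target_image.lower() in SHARED_SERVICE_IMAGES)


def featurize(stack: list[str]) -> Counter:
    """Bag of module names plus adjacent-module bigrams.  Function names and raw
    addresses are dropped so the model generalises across builds."""
    mods = [frame.split("!", 1)[0].lower() for frame in stack]
    feats = Counter(f"mod:{m}" for m in mods)
    feats.update(f"pair:{a}>{b}" for a, b in zip(mods, mods[1:]))
    return feats


class StackClassifier:
    """Multinomial naive Bayes with Laplace smoothing over featurize() tokens."""

    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha
        self.token_counts = {"benign": Counter(), "malicious": Counter()}
        self.doc_counts = Counter()
        self.vocab = set()

    def fit(self, samples: list[tuple[list[str], str]]) -> "StackClassifier":
        for stack, label in samples:
            feats = featurize(stack)
            self.token_counts[label].update(feats)
            self.doc_counts[label] += 1
            self.vocab.update(feats)
        return self

    def _log_score(self, label: str, feats: Counter) -> float:
        counts = self.token_counts[label]
        denom = sum(counts.values()) + self.alpha * len(self.vocab)
        score = math.log(self.doc_counts[label] / sum(self.doc_counts.values()))
        for tok, n in feats.items():
            score += n * math.log((counts[tok] + self.alpha) / denom)
        return score

    def malicious_probability(self, stack: list[str]) -> float:
        feats = featurize(stack)
        lb, lm = self._log_score("benign", feats), self._log_score("malicious", feats)
        return 1.0 / (1.0 + math.exp(lb - lm))  # normalised over the two classes


@dataclass
class Verdict:
    malicious: bool
    score: float
    actions: list[str] = field(default_factory=list)


def evaluate(evt: ControlPointEvent, model: StackClassifier,
             files_modified_by_source: list[str]) -> Verdict:
    """Gate on the control point, score the stack, and on a hit emit claim 5's remedial
    actions: restore the files the process modified, then terminate it."""
    if not is_guarded_control_point(evt):
        return Verdict(False, 0.0)
    p = model.malicious_probability(evt.stack)
    if p < MALICIOUS_THRESHOLD:
        return Verdict(False, p)
    actions = [f"restore_file:{path}" for path in files_modified_by_source]
    actions.append(f"terminate_process:{evt.source_pid}")
    return Verdict(True, p, actions)


# Constructed labelled stacks.  Benign: a debugger/profiler helper whose every frame is
# backed by a named module.  Malicious: frames in unbacked (module-less) memory sit
# between the thread-creation API and the caller's entry point.
TRAINING = [
    (["ntdll!NtCreateThreadEx", "kernelbase!CreateRemoteThreadEx", "dbgcore.dll!StartRemoteHelper",
      "devtool.exe!AttachDebugger", "devtool.exe!main"], "benign"),
    (["ntdll!NtCreateThreadEx", "kernelbase!CreateRemoteThreadEx", "dbgcore.dll!StartRemoteHelper",
      "devtool.exe!RunProfiler", "devtool.exe!main"], "benign"),
    (["ntdll!NtCreateThreadEx", "kernel32!CreateThread", "updater.exe!SpawnWorker",
      "updater.exe!main"], "benign"),
    (["ntdll!NtCreateThreadEx", "kernelbase!CreateRemoteThreadEx", "<unbacked>!0x1a2b",
      "<unbacked>!0x1a00", "dropper.exe!main"], "malicious"),
    (["ntdll!NtCreateThreadEx", "kernelbase!CreateRemoteThreadEx", "<unbacked>!0x7f10",
      "dropper.exe!Stage2", "dropper.exe!main"], "malicious"),
    (["ntdll!NtCreateThreadEx", "<unbacked>!0x5500", "<unbacked>!0x5400",
      "loader.exe!main"], "malicious"),
]
MODEL = StackClassifier().fit(TRAINING)

# Constructed event: an unseen image creating a remote thread in svchost.exe.
SAMPLE_EVENT = ControlPointEvent(4242, "installer.exe", "NtCreateThreadEx", 808, "svchost.exe",
    ["ntdll!NtCreateThreadEx", "kernelbase!CreateRemoteThreadEx", "<unbacked>!0x9900",
     "<unbacked>!0x9800", "installer.exe!main"])

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENT, MODEL, ["C:/Users/demo/report.docx"]))
```

The gate matters as much as the model: a thread created in the caller's own address space, or in a process that is not a shared-service host, never reaches the classifier, which keeps ordinary `CreateThread` traffic out of the scored path and limits false positives to the narrow event the claims single out.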
Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title
during program execution, e.g. stack integrity {; Preventing unwanted data erasure; Buffer overflow} · CPC title
Test or assess software · CPC title
eliminating virus, restoring damaged files · CPC title
Ensemble learning · CPC title