Disclosed are methods and systems for detecting malicious codes in the address space of processes. The described method detects a launching of a process from an executable file executing on a computer, detects access to a address within a memory area in an address space of the trusted process, wherein the memory area is a memory area that lies outside the boundaries of the trusted executable image representing the executable file and is an executable memory area, analyzes memory areas within a vicinity of the address space to determine whether another executable image is located in the memory areas, analyzing the another executable image to determine whether the other executable image contains malicious code, concluding malicious code is contained in the address space of the trusted process when the another executable image contains malicious code and performing one of removing, halting or quaranting the malicious code from the address space.