Hollows Hunter Detects Code Injection in Windows Processes

Code injection is one of the techniques malicious programs use to hijack programs that are already running. When you run a program, its code is loaded into memory for execution, and a malicious program can write its own code into the memory of another, legitimate process and make it run there. This is what makes code injection hard to spot: if you enumerate the running processes, every one of them looks like a legitimate program, because the malicious code is executing inside a process that belongs to a trusted executable.

Process hollowing is a particular form of code injection in which the legitimate executable image of a running process is replaced in memory with a malicious one. Typically the process is created in a suspended state, its original code is unmapped or overwritten, the malicious payload is written in its place, and the process is then resumed. The result is called a hollowed process: its name, path and parent still look legitimate, but the code it runs is not. Fortunately there are tools that can detect processes that may have been hollowed. One of them is Hollows Hunter, which detects code injection in the processes running on your Windows PC.
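To make concrete what "detecting a hollowed process" means, here is an added Python illustration. It is not Hollows Hunter's own code, but it follows the idea its scanning engine, PE-sieve, is built on: compare each executable module mapped in a process with the executable file that backs it on disk, and flag the bytes that differ. The minimal PE image, the simulated memory mapping, the inline hook and the hollowed payload are all constructed inside the script, so it runs offline on any operating system. The thresholds and the verdict names are this example's own assumptions, and a real scanner must additionally account for relocations, import tables and PE32+ images, which this simplified comparison ignores.

```python
"""Disk-vs-memory comparison of a PE's executable sections.

Added illustration, not code from Hollows Hunter or PE-sieve. Everything is
constructed in-script: a minimal PE32 with one .text section, a simulated
loader mapping, and two tampered mappings (hooked, hollowed).
"""
import struct

PAGE = 0x1000                      # section alignment of the constructed image
FILE_ALIGN = 0x200                 # file alignment of the constructed image
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def build_fake_pe(code: bytes) -> bytes:
    """Build a minimal PE32 file with a single executable .text section (test data)."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew -> PE header at 0x40
    # COFF header: Machine i386, 1 section, SizeOfOptionalHeader 0xE0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)          # Magic: PE32
    struct.pack_into("<I", opt, 16, PAGE)          # AddressOfEntryPoint = start of .text
    struct.pack_into("<I", opt, 28, 0x400000)      # ImageBase
    struct.pack_into("<I", opt, 32, PAGE)          # SectionAlignment
    struct.pack_into("<I", opt, 36, FILE_ALIGN)    # FileAlignment
    raw_size = (len(code) + FILE_ALIGN - 1) & ~(FILE_ALIGN - 1)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), PAGE, raw_size, FILE_ALIGN,
                       0, 0, 0, 0, 0x60000020)      # CNT_CODE | MEM_EXECUTE | MEM_READ
    headers = (dos + b"PE\x00\x00" + coff + bytes(opt) + sect).ljust(FILE_ALIGN, b"\x00")
    return headers + code.ljust(raw_size, b"\x00")


def parse_sections(pe: bytes):
    """Return [(name, virtual_address, virtual_size, raw_ptr, raw_size, characteristics)]."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    first = e_lfanew + 24 + opt_size               # section table follows the optional header
    out = []
    for i in range(nsect):
        s = struct.unpack_from("<8sIIIIIIHHI", pe, first + 40 * i)
        out.append((s[0].rstrip(b"\x00").decode(), s[2], s[1], s[4], s[3], s[9]))
    return out


def map_image(pe: bytes) -> bytearray:
    """Simulate the loader: headers at RVA 0, each section copied to its VirtualAddress."""
    sections = parse_sections(pe)
    end = max(va + max(vsize, raw_size) for _, va, vsize, _, raw_size, _ in sections)
    image = bytearray((end + PAGE - 1) & ~(PAGE - 1))
    hdr_len = min(s[3] for s in sections)          # headers end where the first raw data starts
    image[:hdr_len] = pe[:hdr_len]
    for _, va, _, raw_ptr, raw_size, _ in sections:
        image[va:va + raw_size] = pe[raw_ptr:raw_ptr + raw_size]
    return image


def diff_ranges(expected: bytes, actual: bytes, base_rva: int):
    """Coalesce differing bytes into (rva, length) runs."""
    runs, start = [], None
    for i, (x, y) in enumerate(zip(expected, actual)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            runs.append((base_rva + start, i - start))
            start = None
    if start is not None:
        runs.append((base_rva + start, len(expected) - start))
    return runs


def scan_module(disk_pe: bytes, mem_image: bytes):
    """Compare every executable section of the on-disk PE with its in-memory copy.

    Returns {section_name: (verdict, diff_runs)}. Verdict is 'clean', 'hooked'
    (small localized patches, as inline hooks leave) or 'hollowed' (more than
    half the code replaced, as process hollowing leaves). The 50% threshold is
    this example's assumption, not a value taken from any tool."""
    expected = map_image(disk_pe)
    report = {}
    for name, va, vsize, _, raw_size, chars in parse_sections(disk_pe):
        if not chars & IMAGE_SCN_MEM_EXECUTE:
            continue                               # only code sections are compared here
        n = min(vsize, raw_size) or raw_size
        runs = diff_ranges(expected[va:va + n], mem_image[va:va + n], va)
        changed = sum(length for _, length in runs)
        verdict = "clean" if not changed else "hollowed" if changed > n // 2 else "hooked"
        report[name] = (verdict, runs)
    return report


def run_scenarios():
    """Constructed scenarios: a clean mapping, an inline-hooked one, a hollowed one."""
    code = bytes([0x55, 0x8B, 0xEC, 0x90, 0x90, 0xC3]) * 50   # 300 bytes of fake code
    pe = build_fake_pe(code)
    clean = map_image(pe)
    hooked = map_image(pe)
    hooked[PAGE:PAGE + 5] = b"\xE9\x00\x10\x00\x00"            # JMP rel32 over the prologue
    hollowed = map_image(pe)
    hollowed[PAGE:PAGE + len(code)] = b"\xCC" * len(code)       # whole .text replaced
    return {label: scan_module(pe, img)[".text"]
            for label, img in (("clean", clean), ("hooked", hooked), ("hollowed", hollowed))}


if __name__ == "__main__":
    for label, (verdict, runs) in run_scenarios().items():
        print(f"{label:9s} -> {verdict:9s} modified: {[(hex(r), n) for r, n in runs]}")
```

On a real system the "memory" side comes from reading the target process (ReadProcessMemory on Windows), which is exactly why Hollows Hunter needs to run elevated, and the comparison must first undo relocations and ignore the import address table, otherwise every normally loaded module would look patched.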

Hollows Hunter

Hollows Hunter is a command line program. Run hollows_hunter.exe /help to list its command-line parameters. Among other things, you can restrict the scan to a specific process, enable detection of hooks and of shellcode in addition to replaced executable images, and choose whether processes detected as suspicious are terminated or left running. The /quiet parameter runs the scan without progress output and prints only the summary at the end.


You do not have to use any of these parameters: right-click hollows_hunter.exe and select Run as administrator to scan everything. Administrator rights matter because the scan has to open and read the memory of other users' and system processes, which an unprivileged account cannot do. The program scans all running processes and ends with a brief summary listing the processes it found suspicious. Treat that list as a set of leads rather than a verdict: legitimate software (some security, anti-cheat and instrumentation tools) also hooks and patches processes, so analyze each flagged process further, for example by comparing its in-memory code with the executable on disk, before concluding that it has really been hollowed out.

You can download Hollows Hunter from https://github.com/hasherezade/hollows_hunter/releases.