Hollows Hunter
A memory analysis tool for detecting process hollowing, injected code, and other in-memory manipulation techniques on Windows systems.
Hollows Hunter is an open source memory inspection tool developed by Hasherezade, built on top of the PE-sieve scanning engine, that focuses on detecting malicious process manipulation. It is designed to identify process hollowing, reflective DLL injection, replaced or patched PE images, and other stealthy in-memory techniques commonly used by modern malware.
Hollows Hunter is widely used by malware analysts, DFIR teams, and blue team researchers to find fileless threats and evasion techniques that leave nothing for disk-based detection to match on.
What Hollows Hunter Does
Hollows Hunter scans the running processes of a live Windows system. For each module it compares the image in memory with the corresponding executable on disk: the PE headers, the section table, and the bytes of executable sections. Discrepancies such as a replaced image, an implanted section, patched or hooked code, or a memory-resident PE or shellcode with no backing file on disk are reported, and the offending modules can be dumped for further analysis.
The tool is particularly effective against malware that abuses legitimate Windows processes to hide malicious payloads in memory, because the legitimate file on disk is exactly what the in-memory image should match.
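The comparison described above, as an added example that is not Hollows Hunter or PE-sieve code: a minimal memory-versus-disk check over a constructed PE32+ module. The "disk" file and the "memory" image are both built in the script (the x64 stub bytes, section names and the four tampering scenarios are all made up for illustration), so it runs offline; the real engine additionally normalises relocations and import tables before comparing code, which this skeleton omits.

```python
"""Added example, not Hollows Hunter or PE-sieve code: a minimal version of the
memory-versus-disk comparison that Hollows Hunter applies to every module of a
running process. Both the on-disk file and the in-memory image are constructed
here (PE32+ layout, fake code bytes), so the script runs offline."""
import struct

PAGE = 0x1000
SCN_CODE, SCN_IDATA = 0x20, 0x40                  # IMAGE_SCN_CNT_CODE / _INITIALIZED_DATA
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000


def build_pe(sections, entry_rva, image_base=0x140000000, file_align=0x200):
    """Build a minimal PE32+ file image; sections = [(name, data, characteristics)]."""
    n, size_opt = len(sections), 240
    hdr_size = -(-(0x40 + 4 + 20 + size_opt + 40 * n) // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, size_opt, 0x22)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 16, entry_rva)                   # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<II", opt, 32, PAGE, file_align)           # SectionAlignment, FileAlignment
    hdrs, body, raw_ptr, va = bytearray(), bytearray(), hdr_size, PAGE
    for name, data, chars in sections:
        rsize = -(-len(data) // file_align) * file_align
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), va, rsize, raw_ptr, 0, 0, 0, 0, chars)
        body += data.ljust(rsize, b"\0")
        raw_ptr, va = raw_ptr + rsize, va + -(-len(data) // PAGE) * PAGE
    struct.pack_into("<II", opt, 56, va, hdr_size)               # SizeOfImage, SizeOfHeaders
    return (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + bytes(hdrs)).ljust(hdr_size, b"\0") + bytes(body)


def parse_pe(buf):
    """Read the header fields the comparison needs (PE32+ only); works on file and mapped layouts."""
    pe = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, size_opt = struct.unpack_from("<H", buf, pe + 6)[0], struct.unpack_from("<H", buf, pe + 20)[0]
    opt = pe + 24
    entry, hdr_size = struct.unpack_from("<I", buf, opt + 16)[0], struct.unpack_from("<I", buf, opt + 60)[0]
    sections = []
    for off in range(opt + size_opt, opt + size_opt + 40 * nsec, 40):
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", buf, off)
        sections.append(dict(off=off, name=name.rstrip(b"\0").decode(), vsize=vsize, va=va,
                             rsize=rsize, raw=raw, chars=struct.unpack_from("<I", buf, off + 36)[0]))
    return dict(opt=opt, entry=entry, hdr_size=hdr_size, sections=sections)


def map_image(file_bytes):
    """Lay the file out as the loader would: headers at RVA 0, each section at its VirtualAddress."""
    pe = parse_pe(file_bytes)
    size = -(-max(s["va"] + s["vsize"] for s in pe["sections"]) // PAGE) * PAGE
    mem = bytearray(size)
    mem[:pe["hdr_size"]] = file_bytes[:pe["hdr_size"]]
    for s in pe["sections"]:
        mem[s["va"]:s["va"] + s["rsize"]] = file_bytes[s["raw"]:s["raw"] + s["rsize"]]
    return mem


def compare(disk_bytes, mem_bytes):
    """Report discrepancies between a module's file on disk and its image in process memory."""
    d, m = parse_pe(disk_bytes), parse_pe(mem_bytes)
    findings = []
    if d["entry"] != m["entry"]:
        findings.append(f"entry point moved: {d['entry']:#x} -> {m['entry']:#x}")
    if [s["name"] for s in d["sections"]] != [s["name"] for s in m["sections"]]:
        findings.append("section table differs (replaced image or implanted section)")
        return findings                              # layouts differ: code is not comparable
    for ds, ms in zip(d["sections"], m["sections"]):
        if ds["chars"] != ms["chars"]:
            findings.append(f"{ds['name']}: characteristics changed {ds['chars']:#x} -> {ms['chars']:#x}")
        if not ds["chars"] & SCN_EXEC:
            continue                                 # only executable sections are byte-compared
        disk_code = disk_bytes[ds["raw"]:ds["raw"] + ds["rsize"]]
        mem_code = mem_bytes[ms["va"]:ms["va"] + ds["rsize"]]
        diff = next((i for i, (a, b) in enumerate(zip(disk_code, mem_code)) if a != b), None)
        if diff is not None:
            findings.append(f"{ds['name']}: code patched at RVA {ds['va'] + diff:#x}")
    return findings


def demo():
    """Four in-memory states of the same module; returns the findings for each (all constructed)."""
    text = b"\x48\x83\xec\x28\x48\x31\xc0\x48\x83\xc4\x28\xc3"   # made-up x64 stub, not from any real binary
    disk = build_pe([(b".text", text, SCN_CODE | SCN_EXEC | SCN_READ),
                     (b".data", b"hello\0", SCN_IDATA | SCN_READ | SCN_WRITE)], entry_rva=PAGE)
    clean = map_image(disk)

    patched = bytearray(clean)                       # inline hook: a JMP written over the entry point
    patched[PAGE:PAGE + 5] = b"\xe9\x00\x10\x00\x00"

    hollowed = map_image(build_pe([(b".evil", b"\xcc" * 16, SCN_CODE | SCN_EXEC | SCN_READ)],
                                  entry_rva=PAGE + 8))   # a different PE mapped where the original was

    rwx = bytearray(clean)                           # headers edited so .data becomes the executable entry
    hdr = parse_pe(rwx)
    struct.pack_into("<I", rwx, hdr["opt"] + 16, hdr["sections"][1]["va"])
    struct.pack_into("<I", rwx, hdr["sections"][1]["off"] + 36, hdr["sections"][1]["chars"] | SCN_EXEC)

    return {name: compare(disk, img) for name, img in
            [("clean", clean), ("patched", patched), ("hollowed", hollowed), ("rwx_data", rwx)]}


if __name__ == "__main__":
    for state, findings in demo().items():
        print(f"{state:9}", findings or "no discrepancies")
```

The clean mapping produces no findings, which is the point of anchoring the check on the file the process claims to be running: a hook, a swapped-in image, or a section whose protection was flipped to executable all show up as a difference from that file rather than as a signature match.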
Key Features of Hollows Hunter
Process Hollowing Detection
Identifies processes where the original executable image has been replaced in memory.
Injected Code Identification
Detects reflective DLL injection, shellcode, and manually mapped modules that have no backing file on disk.
Memory Versus Disk Comparison
Compares in-memory images with their on-disk executables to find discrepancies in headers, section tables, and code.
Live Scanning With Dumped Artifacts
Scans the processes of a running system and dumps the suspicious modules it finds (and, on request, a minidump of the flagged process) for offline analysis; it does not consume memory dump files as input.
Detailed Detection Output
Provides granular information about suspicious memory regions and the kind of modification found.
Portable and Lightweight
Runs without installation and with minimal system impact.
Malware Focused Heuristics
Optimized for real world malware techniques and evasion patterns.
Standalone or Pipeline Use
Can be used independently or integrated into DFIR workflows.
Advanced Use Cases
Fileless Malware Detection
Expose malware that executes entirely in memory without dropping files.
Incident Response
Identify compromised processes during live response operations.
Malware Research
Analyze injection techniques and stealth execution methods.
Threat Hunting
Detect anomalous processes that evade signature based detection.
EDR Validation
Validate whether security tools are detecting in memory attacks.
Latest Updates (as of 2026)
Recent developments and maintenance include:
Continued updates to detection heuristics for modern malware
Improved handling of packed and obfuscated processes
Ongoing compatibility with modern Windows versions
Regular community driven improvements
Continued relevance in fileless malware research
Hollows Hunter remains actively maintained and widely referenced in memory forensics and malware analysis communities.
Why It Matters
Modern malware increasingly avoids disk based artifacts and operates entirely in memory. Hollows Hunter provides visibility into these stealthy techniques by detecting manipulation at the process level.
For defenders and analysts, it is a critical capability for uncovering advanced threats that traditional tools often miss.
Requirements and Platform Support
Hollows Hunter runs on:
Windows
It requires:
Administrative privileges, so that system and other users' processes can be opened for scanning
The 64-bit build to scan 64-bit processes (a 32-bit build cannot inspect them fully)
An output directory for the dumped modules and reports that offline analysis is then performed on
Official repository and documentation:
https://github.com/hasherezade/hollows_hunter