To detect hollow process injection, you can look for the discrepancies created between PEB and VAD, as well as the memory protection discrepancy. You can also look for the discrepancy in the parent-child process relationship. In the following Stuxnet example, you can see that there are two lsass.exe processes running on the system. The first lsass.exe process (pid 708) has a parent process of winlogon.exe (pid 652), whereas the second lsass.exe process (pid 1732) has a parent process (pid 1736) which is terminated. Based on the process information, you can tell that lsass.exe with a pid of 1732 is the suspicious process because, on a clean system, winlogon.exe will be the parent process of lsass.exe ...