In the case of code injection techniques covered in the previous sections, the malicious code is injected into the process address space of a legitimate process. Hollow Process Injection (or Process Hollowing) is also a code injection technique, but the difference is that in this technique, the process executable of a legitimate process in the memory is replaced with a malicious executable. Before getting into the detection of hollow process injection, let's understand how it works in the next section. The detailed information on hollow process injection was covered in Chapter 8, Code Injection and Hooking (section). You can also look at the author's presentation and video demos on hollow process injection (https://cysinfo.com/7th-meetup-reversing-and-investigating-malware-evasive-tactics-hollow-process-injection/) for a better understanding of the subject.