kernelm0de / RunPE_Detecter

RunPE Detecter

RunPE-Detecter

RunPE/ProcessHollowing/ProcessReplacement is one of the most common attack methods used by malware authors. This type of memory-resident malware is actually easy to detect with the right tools and knowledge. RunPE-Detecter scans all running processes and compares the PE headers of each running process with those of its corresponding image on disk.
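The header comparison described above, as an added example that is not taken from the RunPE-Detecter source: it parses the PE headers from two byte buffers and reports which fields disagree. The function names, the choice of compared fields, and the constructed sample headers are assumptions; on a real system the two buffers would be the image file's first page and the header page read from the process's memory.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>
using Bytes = std::vector<uint8_t>;
// Compared fields. ImageBase is left out: the loader can rewrite it on relocation.
struct PeFields { uint32_t sections, timestamp, entryPoint, sizeOfImage; };

static uint32_t rd(const Bytes& b, size_t off, int n) {   // little-endian read
    uint32_t v = 0;
    for (int i = 0; i < n; ++i) v |= uint32_t(b[off + i]) << (8 * i);
    return v;
}
// Parse DOS and NT headers with bounds checks; false if this is not a PE header.
bool parsePe(const Bytes& b, PeFields& f) {
    if (b.size() < 0x40 || b[0] != 'M' || b[1] != 'Z') return false;
    size_t nt = rd(b, 0x3C, 4);                        // e_lfanew
    if (nt > b.size() || b.size() - nt < 24 + 60) return false;
    if (rd(b, nt, 4) != 0x00004550) return false;      // "PE\0\0"
    size_t opt = nt + 24;       // optional header follows signature + COFF header
    f = PeFields{rd(b, nt + 6, 2), rd(b, nt + 8, 4), rd(b, opt + 16, 4), rd(b, opt + 56, 4)};
    return true;
}

// Names of the fields that differ between the on-disk and in-memory headers.
std::vector<std::string> diffHeaders(const Bytes& disk, const Bytes& mem) {
    PeFields d, m;
    if (!parsePe(disk, d) || !parsePe(mem, m)) return {"unparseable"};
    std::vector<std::string> out;
    if (d.sections != m.sections) out.push_back("NumberOfSections");
    if (d.timestamp != m.timestamp) out.push_back("TimeDateStamp");
    if (d.entryPoint != m.entryPoint) out.push_back("AddressOfEntryPoint");
    if (d.sizeOfImage != m.sizeOfImage) out.push_back("SizeOfImage");
    return out;
}

// Constructed sample input: a minimal PE header page carrying the given values.
Bytes makeHeader(uint32_t ts, uint32_t ep, uint32_t soi) {
    Bytes b(0x200, 0);
    auto wr = [&](size_t off, uint32_t v, int n) {
        for (int i = 0; i < n; ++i) b[off + i] = uint8_t(v >> (8 * i)); };
    b[0] = 'M'; b[1] = 'Z'; wr(0x3C, 0x80, 4); wr(0x80, 0x4550, 4); wr(0x86, 3, 2);
    wr(0x88, ts, 4); wr(0x98 + 16, ep, 4); wr(0x98 + 56, soi, 4);
    return b;
}

int main() {   // constructed case: the in-memory header belongs to another image
    Bytes disk = makeHeader(0x5F000000, 0x1000, 0x8000), mem = makeHeader(0x5E111111, 0x2340, 0x15000);
    for (const auto& f : diffHeaders(disk, mem)) std::printf("MISMATCH %s\n", f.c_str());
}
```

An empty result means the compared fields match; a header that fails to parse is reported as `unparseable` rather than skipped.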

Languages

Language:C++ 100.0%