Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
hollows_hunter
Hollows Hunter is a command-line application based on PE-sieve passive memory scanner. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches). While in case of PE-sieve you can select the process only by its PID, Hollows Hunter allows to select them by various criteria, such as:
- list of PIDs
- list of names
- the time of creation (relatively to the Hollows Hunter execution time)
Hollows Hunter allows also for continuous memory scanning, via /loop argument, or by being run as an ETW listener: in /etw mode (64-bit version only).
[!IMPORTANT]
The available arguments are documented on Wiki. They can also be listed using the argument /help.
๐ฆ Uses: PE-sieve (the library version).
โ PE-sieve FAQ - Frequently Asked Questions
๐ Read Wiki
Clone
Use recursive clone to get the repo together with all the submodules:
git clone --recursive https://github.com/hasherezade/hollows_hunter.git
Builds
Download the latest release, or read more.
Available also via Chocolatey