Skip to content
/ hollows_hunter Public

Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).

github.com/hasherezade/hollows_hunter/wiki

License

BSD-2-Clause license
2.1k stars 264 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

hasherezade/hollows_hunter

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

758 Commits
.github/workflows
.github/workflows
 
 
krabsetw @ 6b3152d
krabsetw @ 6b3152d
 
 
logo
logo
 
 
paramkit @ fbead40
paramkit @ fbead40
 
 
params_info
params_info
 
 
pe-sieve @ 87240b6
pe-sieve @ 87240b6
 
 
util
util
 
 
.appveyor.yml
.appveyor.yml
 
 
.gitignore
.gitignore
 
 
.gitmodules
.gitmodules
 
 
CMakeLists.txt
CMakeLists.txt
 
 
Doxyfile
Doxyfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
etw_listener.cpp
etw_listener.cpp
 
 
etw_listener.h
etw_listener.h
 
 
etw_settings.cpp
etw_settings.cpp
 
 
etw_settings.h
etw_settings.h
 
 
hh_params.cpp
hh_params.cpp
 
 
hh_params.h
hh_params.h
 
 
hh_report.cpp
hh_report.cpp
 
 
hh_report.h
hh_report.h
 
 
hh_res.rc
hh_res.rc
 
 
hh_scanner.cpp
hh_scanner.cpp
 
 
hh_scanner.h
hh_scanner.h
 
 
hh_ver_short.h
hh_ver_short.h
 
 
main.cpp
main.cpp
 
 
mingw_build.sh
mingw_build.sh
 
 
resources.h
resources.h
 
 
resources.rc
resources.rc
 
 
term_util.cpp
term_util.cpp
 
 
term_util.h
term_util.h
 
 

Repository files navigation

hollows_hunter

Build status Codacy Badge Commit activity Last Commit

GitHub release GitHub release date Github All Releases Github Latest Release

License Platform Badge

Hollows Hunter is a command-line application based on PE-sieve passive memory scanner. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches). While in case of PE-sieve you can select the process only by its PID, Hollows Hunter allows to select them by various criteria, such as:

  • list of PIDs
  • list of names
  • the time of creation (relatively to the Hollows Hunter execution time)

If no specific target is selected, it proceeds to scan all available processes.

Hollows Hunter allows also for continuous memory scanning, via /loop argument, or by being run as an ETW listener: in /etw mode (64-bit version only).

Important

The available arguments are documented on Wiki. They can also be listed using the argument /help.

📦 Uses: PE-sieve (the library version).

PE-sieve FAQ - Frequently Asked Questions

📖 Read Wiki

Clone

Use recursive clone to get the repo together with all the submodules:

git clone --recursive https://github.com/hasherezade/hollows_hunter.git

Builds

Download the latest release, or read more.

Available also via Chocolatey

About

Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).

github.com/hasherezade/hollows_hunter/wiki

Topics

anti-malware malware-analysis memory-forensics malware-detection pe-sieve

Resources

Readme

License

BSD-2-Clause license
Activity

Stars

2.1k stars

Watchers

67 watching

Forks

264 forks
Report repository

Releases 44

v0.4.0 Latest
Dec 14, 2024
+ 43 releases

Packages

No packages published

Contributors 3

Languages