{"id":13511118,"url":"https://github.com/monnappa22/HollowFind","last_synced_at":"2025-03-30T19:30:43.139Z","repository":{"id":216714144,"uuid":"69104882","full_name":"monnappa22/HollowFind","owner":"monnappa22","description":"Hollowfind is a Volatility plugin to detect different types of process hollowing techniques used in the wild to bypass, confuse, deflect and divert the forensic analysis techniques. The plugin detects such attacks by finding discrepancy in the VAD and PEB, it also disassembles the address of entry point to detect any redirection attempts and also reports any suspicious memory regions which should help in detecting any injected code.","archived":false,"fork":false,"pushed_at":"2022-09-29T20:03:37.000Z","size":4,"stargazers_count":129,"open_issues_count":6,"forks_count":31,"subscribers_count":12,"default_branch":"master","last_synced_at":"2024-11-01T12:36:01.674Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/monnappa22.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-09-24T13:47:26.000Z","updated_at":"2024-10-15T01:42:15.000Z","dependencies_parsed_at":null,"dependency_job_id":"d60b9977-d69b-4e83-a99d-d383cc2311e5","html_url":"https://github.com/monnappa22/HollowFind","commit_stats":null,"previous_names":["monnappa22/hollowfind"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/monnappa22%2FHollowFind","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/monnappa22%2FHollowFind/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/monnappa22%2FHollowFind/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/monnappa22%2FHollowFind/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/monnappa22","download_url":"https://codeload.github.com/monnappa22/HollowFind/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246368633,"owners_count":20766054,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T03:00:34.801Z","updated_at":"2025-03-30T19:30:43.124Z","avatar_url":"https://github.com/monnappa22.png","language":"Python","funding_links":[],"categories":["Volatility 2"],"sub_categories":["Plugins"],"readme":"# HollowFind\nHollowfind is a Volatility plugin to detect different types of process hollowing techniques used in the wild to bypass, confuse, deflect and divert the forensic analysis techniques. The plugin detects such attacks by finding discrepancy in the VAD and PEB, it also disassembles the address of entry point to detect any redirection attempts and also reports any suspicious memory regions which should help in detecting any injected code.\n\nFull details can be found in the link:\nhttps://cysinfo.com/detecting-deceptive-hollowing-techniques/\n\n### Running the Plugin\n\nCopy the plugin to volatility/plugins directory\n\nRun the plugin against memory image as shown below\n\n```sh\n$ python vol.py -f infected.vmem --profile=Win7SP0x86 hollowfind\n```\n\n### Other Options\n\nTo filter on a specic process id use -p option\n\n```sh\n$ python vol.py -f infected.vmem --profile=Win7SP0x86 hollowfind -p 1820\n```\n\nTo filter on multiple process ids use -p followed by comma seperated process ids\n\n```sh\n$ python vol.py -f infected.vmem --profile=Win7SP0x86 hollowfind -p 1820,868\n```\n\nTo dump the suspicious memory regions use -D followed by directory name\n\n```sh\n$ python vol.py -f infected.vmem --profile=Win7SP0x86 hollowfind -p 1820 -D dump/\n```\n\nTo redirect the output to file use --output-file option\n\n```sh\n$ python vol.py -f infected.vmem --profile=Win7SP0x86 hollowfind --output-file=output.txt\n```\n\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmonnappa22%2FHollowFind","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmonnappa22%2FHollowFind","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmonnappa22%2FHollowFind/lists"}