Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/hasherezade/hollows_hunter
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
https://github.com/hasherezade/hollows_hunter
anti-malware malware-analysis malware-detection memory-forensics pe-sieve
Last synced: 6 days ago
JSON representation
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
- Host: GitHub
- URL: https://github.com/hasherezade/hollows_hunter
- Owner: hasherezade
- License: bsd-2-clause
- Created: 2018-01-11T17:07:17.000Z (about 7 years ago)
- Default Branch: master
- Last Pushed: 2024-12-30T15:32:29.000Z (15 days ago)
- Last Synced: 2025-01-02T09:05:50.986Z (13 days ago)
- Topics: anti-malware, malware-analysis, malware-detection, memory-forensics, pe-sieve
- Language: C
- Homepage: https://github.com/hasherezade/hollows_hunter/wiki
- Size: 13.8 MB
- Stars: 2,078
- Watchers: 67
- Forks: 264
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - hasherezade/hollows_hunter - Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches). (C)
- awesome-lists - hollows hunter
README
# hollows_hunter
[](https://ci.appveyor.com/project/hasherezade/hollows-hunter)
[](https://app.codacy.com/gh/hasherezade/hollows_hunter/dashboard?branch=master)
[](https://github.com/hasherezade/hollows_hunter/commits)
[](https://github.com/hasherezade/hollows_hunter/commits)
[](https://github.com/hasherezade/hollows_hunter/releases)
[](https://github.com/hasherezade/hollows_hunter/releases)
[](https://github.com/hasherezade/hollows_hunter/releases)
[](https://github.com/hasherezade/hollows_hunter/releases)
[](https://github.com/hasherezade/hollows_hunter/blob/master/LICENSE)
[](https://github.com/hasherezade/hollows_hunter)
Hollows Hunter is a command-line application based on [PE-sieve](https://github.com/hasherezade/pe-sieve.git) passive memory scanner. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches). While in case of PE-sieve you can select the process only by its PID, Hollows Hunter allows to select them by various criteria, such as:
+ list of PIDs
+ list of names
+ the time of creation (relatively to the Hollows Hunter execution time)
If no specific target is selected, it proceeds to scan all available processes.
Hollows Hunter allows also for continuous memory scanning, via `/loop` argument, or by being run as an ETW listener: in `/etw` mode (64-bit version only).
> [!IMPORTANT]
> The available arguments are documented on [Wiki](https://github.com/hasherezade/hollows_hunter/wiki). They can also be listed using the argument `/help`.
📦 Uses: [PE-sieve](https://github.com/hasherezade/pe-sieve.git) (the [library version](https://github.com/hasherezade/pe-sieve/wiki/2.-How-to-build)).
❓ [PE-sieve FAQ - Frequently Asked Questions](https://github.com/hasherezade/pe-sieve/wiki/1.-FAQ)
📖 [Read Wiki](https://github.com/hasherezade/hollows_hunter/wiki)
## Clone
Use recursive clone to get the repo together with all the submodules:
```console
git clone --recursive https://github.com/hasherezade/hollows_hunter.git
```
## Builds
Download the latest [release](https://github.com/hasherezade/hollows_hunter/releases), or [read more](https://github.com/hasherezade/hollows_hunter/wiki#download).
 Available also via [Chocolatey](https://community.chocolatey.org/packages/hollowshunter)