hollows_hunter
hollows_hunter

Hollows Hunter is a command-line application based on the PE-sieve passive memory scanner. It recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches). While PE-sieve lets you select a process only by its PID, Hollows Hunter allows you to select processes by various criteria, such as:
- list of PIDs
- list of names
- the time of creation (relative to the Hollows Hunter execution time)
If no specific target is selected, it proceeds to scan all available processes.
Hollows Hunter also allows continuous memory scanning, either via the /loop argument or by running as an ETW listener in /etw mode (64-bit version only).
[!IMPORTANT]
The available arguments are documented on the Wiki. They can also be listed using the /help argument.
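A defender-side wrapper around the selection criteria described above, added here as an example and not part of the hollows_hunter project: it picks the processes created within the last N seconds with PowerShell and hands their PIDs to Hollows Hunter. It assumes the 64-bit build is named hollows_hunter64.exe and sits in the current directory, and that /pid (comma-separated list), /dir and /json are the argument names; check the Wiki or /help for the exact spelling in your version.

```powershell
# Added example (not part of the hollows_hunter README): scan only processes
# created within the last N seconds.
# Assumptions: hollows_hunter64.exe is in the current directory; the argument
# names /pid, /dir and /json are as documented on the project Wiki / under /help.
param(
    [int]$Seconds = 300,
    [string]$OutDir = "hh_scan_$(Get-Date -Format yyyyMMdd_HHmmss)"
)

$cutoff = (Get-Date).AddSeconds(-$Seconds)

# StartTime cannot be read for some protected/system processes; skip those
# instead of aborting the whole selection.
$recent = foreach ($p in Get-Process) {
    try {
        if ($p.StartTime -gt $cutoff) { $p }
    } catch {
        # no access to this process's start time; it is not scanned by this script
    }
}

if (-not $recent) {
    Write-Host "No processes started in the last $Seconds seconds."
    return
}

# Hollows Hunter takes a list of PIDs in one /pid argument (assumed comma-separated).
$pidList = ($recent | ForEach-Object { $_.Id }) -join ','
Write-Host "Scanning $($recent.Count) recently created process(es): $pidList"

# Reports and any dumped implants go into a dedicated folder, with a
# machine-readable JSON summary for later triage.
& .\hollows_hunter64.exe /pid $pidList /dir $OutDir /json

# Pass the tool's exit code through so the script can run from a scheduled task.
exit $LASTEXITCODE
```

Run it from an elevated PowerShell prompt (reading other processes' memory requires the corresponding privileges); the same selection can be repeated periodically, which is the manual counterpart of the /loop mode mentioned above.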
Uses: PE-sieve (the library version).
PE-sieve FAQ - Frequently Asked Questions
Read the Wiki
Clone
Use recursive clone to get the repo together with all the submodules:
git clone --recursive https://github.com/hasherezade/hollows_hunter.git
Builds
Download the latest release, or read more.
Also available via Chocolatey.