hasherezade edited this page Dec 30, 2024 · 25 revisions

Welcome to the Hollows Hunter's wiki!

Hollows Hunter allows you to scan multiple processes at once (or even the full system), searching for potentially malicious implants, and extract them for further analysis.

It is an application based on PE-sieve (the library version), so there is a large overlap of features between the two. They have a similar command-line interface, but while PE-sieve is an engine dedicated to scanning a single process, Hollows Hunter offers many additional features and filters on top of this base. More information about the similarities and differences is described here.

Start by familiarizing yourself with PE-sieve's features by reading the PE-sieve's Wiki.

FAQ - Frequently Asked Questions

Documentation of the Hollows Hunter code:

📚 Docs

Download

📦 ⚙️ You can download the latest stable version from releases. You can also find it, e.g., at Chocolatey.

🧪 Fresh test builds (ahead of the official release) can be downloaded from the AppVeyor build server. They are created on each commit to the master branch. You can download them by clicking on the build version, then choosing the tab Artifacts. WARNING: those builds may be unstable.

🚧 If you want to build it by yourself from the sources, follow this small guide.

Features

Hollows Hunter vs PE-sieve

Hollows Hunter gives you access to all the PE-sieve features, so the list of features from the PE-sieve wiki is relevant.

In contrast to PE-sieve, HollowsHunter scans multiple processes, one by one.

In order to avoid noise, one of the default PE-sieve features (scanning for code patches and hooks) is not enabled by default in HollowsHunter. It can be enabled with the /hooks parameter.

Selecting processes to scan

By default, HollowsHunter scans all accessible processes. However, we can make the scan more focused and select only the processes of interest. There are a few criteria by which we can make the selection:

  • by name (parameter /pname)
  • by PID (parameter /pid)
  • by the time of process creation (parameter /ptimes) - relative to the start of HollowsHunter

PID can be supplied as a decimal or hexadecimal number.

In contrast to PE-sieve, where only one process can be selected, HollowsHunter allows you to supply a list. Both /pname and /pid accept multiple elements, separated by ;.

Example:

  • hollows_hunter.exe /pname svchost.exe;explorer.exe - will scan only processes named svchost.exe and explorer.exe
  • hollows_hunter.exe /pid 456;123 - will scan only processes with PIDs 456 and 123

Output directories

In both PE-sieve and HollowsHunter, you can specify the output directory where the dumps will be saved by using the /dir parameter. If it is not specified, the output will be saved in the current directory from which the application was run.

Additionally, HollowsHunter offers the /uniqd parameter, which creates a unique, timestamped directory on each scan, so that the content of the previous dump does not get overwritten.

If you use both /dir <out_dir> and /uniqd, then <out_dir> will be used as the root directory, inside which the unique directory with dumps will be created.

Continuous scan

Sometimes a single scan is not enough, and instead we want HollowsHunter to run in a loop. You can do this by using the /loop parameter. Keep in mind that scanning all the processes in a loop can be processor-consuming, so it is recommended to use it occasionally, and only for selected processes.

This feature can be useful, e.g., when we are unpacking malware and expect that at some point it will inject into a process with a particular name. Scanning in a loop can help us capture this moment.
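The process selection, output directory and loop options above can be combined in a small wrapper. The script below is an added example, not code from the Hollows Hunter project or its author: it resolves a set of process names to PIDs with Get-Process (so the operator can see exactly what will be scanned before the run), passes them as a ;-separated /pid list together with /dir and /uniqd, and afterwards lists what the newest timestamped output directory contains. It assumes hollows_hunter.exe is on PATH (or that the $HollowsHunter parameter points at it); the default process names and the output root under %TEMP% are placeholders chosen for the example.

```powershell
# Added example (not part of the Hollows Hunter project): wraps hollows_hunter.exe
# to scan a chosen set of processes and collect the dumps from the /uniqd directory.
# Assumptions: hollows_hunter.exe is on PATH (or $HollowsHunter is set to its path),
# and the script runs with rights sufficient to open the target processes.

param(
    [string[]]$ProcessNames = @('svchost', 'explorer'),   # sample names (without .exe) resolved via Get-Process
    [string]$OutRoot = (Join-Path $env:TEMP 'hh_dumps'),   # root for /dir; /uniqd adds a timestamped subfolder
    [switch]$Hooks,                                        # also scan for patches/hooks (/hooks), off by default in HH
    [switch]$Loop,                                         # run continuously (/loop); keep the process set narrow
    [string]$HollowsHunter = 'hollows_hunter.exe'
)

# Resolve names to PIDs first, so the scan scope is explicit and logged.
$targets = Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue
if (-not $targets) {
    Write-Warning "No running process matches: $($ProcessNames -join ', ')"
    exit 1
}
# /pid accepts a ';'-separated list (decimal or hexadecimal); Get-Process gives decimal IDs.
$pidList = ($targets | Select-Object -ExpandProperty Id -Unique) -join ';'

New-Item -ItemType Directory -Path $OutRoot -Force | Out-Null

# Build the argument list from the options documented on this page.
$hhArgs = @('/pid', $pidList, '/dir', $OutRoot, '/uniqd')
if ($Hooks) { $hhArgs += '/hooks' }
if ($Loop)  { $hhArgs += '/loop' }

Write-Host "Scanning PIDs $pidList -> $OutRoot"
& $HollowsHunter @hhArgs
$exitCode = $LASTEXITCODE

# /uniqd creates one subdirectory per scan under $OutRoot; report what the latest one contains.
$latest = Get-ChildItem -Path $OutRoot -Directory |
          Sort-Object LastWriteTime -Descending |
          Select-Object -First 1
if ($latest) {
    $dumps = Get-ChildItem -Path $latest.FullName -Recurse -File
    Write-Host ("Scan output in {0}: {1} file(s)" -f $latest.FullName, @($dumps).Count)
    $dumps | Select-Object FullName, Length | Format-Table -AutoSize
}
exit $exitCode
```

With -Loop the scanner keeps running and the listing at the end is only reached when it is stopped; for a one-off triage run, leave the switch off and inspect the newest directory under the output root.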

Running as ETW listener

You can deploy Hollows Hunter as an ETW listener using the /etw argument. Keep in mind that this works only for the 64-bit version of the scanner, and it needs to be run as an Administrator.

Once the scanner has been deployed in ETW mode, it creates a file in the current directory: HH_ETWProfile.ini. It is an INI file that allows you to select which events should be listened to. If you want to change the settings, edit the file, save it, and then restart Hollows Hunter. All other arguments can be used from the command line, as in the default mode, to further modify the behavior of the scanner.

Killing or suspending detected processes

After the suspicious processes are detected and reported, we may choose to do something about them. There are two options:

  • /suspend - suspend the process
  • /kill - kill the process

Keep in mind that the detected processes are not necessarily malicious (read why), so these options should be used with care.