Home
Hollows Hunter allows you to scan multiple processes at once (or even the full system), searching for potentially malicious implants, and extract them for further analysis.
It is an application based on PE-sieve (the library version), so the two share many features. They have a similar command-line interface, but while PE-sieve is an engine dedicated to scanning a single process, Hollows Hunter offers many additional features and filters on top of this base. More information about the similarities and differences is described here.
Start by familiarizing yourself with PE-sieve's features by reading the PE-sieve's Wiki.
❓ FAQ - Frequently Asked Questions
Documentation of the Hollows Hunter code:
📚 Docs
📦 ⚙️ You can download the latest stable version from releases. You can also find it, e.g., on Chocolatey.
🧪 Fresh test builds (ahead of the official release) can be downloaded from the AppVeyor build server. They are created on each commit to the master branch. You can download them by clicking on the build version, then choosing the tab Artifacts. WARNING: those builds may be unstable.
🚧 If you want to build it by yourself from the sources, follow this small guide.
Hollows Hunter gives you access to all the PE-sieve features, so the list of features from PE-sieve wiki is relevant.
In contrast to PE-sieve, HollowsHunter scans multiple processes, one by one.
In order to avoid noise, one of the default PE-sieve features (scanning for code patches and hooks) is not enabled by default in HollowsHunter. It can be enabled with the /hooks parameter.
By default HollowsHunter scans all accessible processes. However, we can make the scan more focused, and select only the processes of our interest. There are a few criteria by which we can do the selection:
- by name (parameter /pname)
- by PID (parameter /pid)
- by the time of process creation (parameter /ptimes), relative to the start of HollowsHunter
PID can be supplied as a decimal or hexadecimal number.
In contrast to PE-sieve, where only one process can be selected, HollowsHunter allows you to supply a list. Both /pname and /pid accept multiple elements, separated by ;.
Example:
- hollows_hunter.exe /pname svchost.exe;explorer.exe - will scan only processes named svchost.exe and explorer.exe
- hollows_hunter.exe /pid 456;123 - will scan only processes with PIDs 456 and 123
In both PE-sieve and HollowsHunter, you can specify the output directory where the dumps will be saved by using the /dir parameter. If it is not set, the output will be saved in the current directory where the application was run.
Additionally, HollowsHunter offers a /uniqd parameter, to create a unique, timestamped directory on each scan, so that the content of the previous dump will not get overwritten.
If you use both the /dir <out_dir> and /uniqd parameters, then <out_dir> will be used as the root directory, inside which the unique directory with dumps will be created.
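The process-selection and output-directory options above, combined in a small PowerShell wrapper. This is an added example, not code from the Hollows Hunter project; the binary path and the dump root are assumptions, and the function relies on /uniqd creating the per-scan directory under the /dir root, so it reports the directory that appeared during the scan.

```powershell
# Added example (not part of Hollows Hunter): run one focused scan and return
# the timestamped dump directory that /uniqd created under the /dir root.
function Invoke-HollowsHunterScan {
    param(
        [string[]]$ProcessNames = @(),                 # e.g. 'svchost.exe','explorer.exe'
        [int[]]$ProcessIds = @(),                      # decimal PIDs (hex is also accepted by the tool)
        [string]$OutRoot = 'C:\hh_dumps',              # assumption: root passed to /dir
        [string]$HollowsHunter = '.\hollows_hunter.exe' # assumption: location of the binary
    )

    $hhArgs = @()
    # /pname and /pid take ';'-separated lists; joining here keeps the whole
    # list as one argument, so PowerShell does not treat ';' as a separator.
    if ($ProcessNames.Count -gt 0) { $hhArgs += '/pname', ($ProcessNames -join ';') }
    if ($ProcessIds.Count -gt 0)   { $hhArgs += '/pid',   (($ProcessIds | ForEach-Object { "$_" }) -join ';') }
    # /dir is the root; /uniqd makes a fresh timestamped subdirectory per scan.
    $hhArgs += '/dir', $OutRoot, '/uniqd'

    if (-not (Test-Path -LiteralPath $OutRoot)) { New-Item -ItemType Directory -Path $OutRoot | Out-Null }
    $before = @(Get-ChildItem -LiteralPath $OutRoot -Directory | ForEach-Object { $_.FullName })

    & $HollowsHunter @hhArgs
    $exitCode = $LASTEXITCODE

    # The directory that was not there before the scan is this scan's dump set.
    $created = Get-ChildItem -LiteralPath $OutRoot -Directory |
        Where-Object { $before -notcontains $_.FullName } |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1

    [pscustomobject]@{
        ExitCode = $exitCode
        DumpDir  = if ($created) { $created.FullName } else { $null }
        Args     = $hhArgs -join ' '
    }
}

# Usage (run from an elevated prompt so all target processes are accessible):
# Invoke-HollowsHunterScan -ProcessNames 'svchost.exe','explorer.exe' -OutRoot 'D:\triage'
```

Each call leaves the previous scan's dumps intact, which is what you want when triaging several suspected hosts or processes in sequence.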
Sometimes a single scan is not enough, and instead we want HollowsHunter to run in a loop. You can do it by using the /loop parameter. Keep in mind that scanning all the processes in a loop can be processor-consuming. So, it is recommended to use it occasionally, and only for selected processes.
This feature can be useful, e.g., when we are unpacking malware, and we expect that at some point it will inject into a process with a particular name. Scanning in a loop can help us capture this moment.
You can deploy Hollows Hunter as an ETW listener, using the argument /etw. Keep in mind that it works only for the 64-bit version of the scanner, and needs to be deployed as an Administrator.
Once the scanner is deployed in ETW mode, it will create a file in the current directory: HH_ETWProfile.ini. It is an INI file that allows you to select which events should be listened to. If you want to change the settings, edit the file, save it, and then restart Hollows Hunter. All other arguments can be used from the command line, as in the default mode, to additionally modify the behavior of the scanner.
After the suspicious processes are detected and reported, we may choose to do something about them. There are two options:
- /suspend - suspend the process
- /kill - kill the process
Keep in mind that the detected processes are not necessarily malicious (read why), so these options should be used with care.