Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).

Overview

hollows_hunter

📦 Uses library: PE-sieve (the DLL version).

📖 Read Wiki

Clone

Use recursive clone to get the repo together with all the submodules:

git clone --recursive https://github.com/hasherezade/hollows_hunter.git

Builds

Download the latest release, or read more.

Issues
  • Fedora 33 : I cannot build on this Linux distro.

    I tried to use it with the Fedora 33 Linux distro. This is the result of the build ... without "Uses library: PE-sieve (the DLL version)".

    [ 96%] Building CXX object CMakeFiles/hollows_hunter.dir/util/suspend.cpp.obj
    [ 97%] Building CXX object CMakeFiles/hollows_hunter.dir/util/util.cpp.obj
    [ 98%] Building CXX object CMakeFiles/hollows_hunter.dir/util/process_privilege.cpp.obj
    [100%] Linking CXX executable hollows_hunter
    /bin/x86_64-w64-mingw32-ar: /usr/bin/../bin/../lib/bfd-plugins/LLVMgold.so: wrong ELF class: ELFCLASS32
    /bin/x86_64-w64-mingw32-ar: /usr/bin/../bin/../lib/bfd-plugins/LLVMgold.so: wrong ELF class: ELFCLASS32
    /bin/x86_64-w64-mingw32-ar: /usr/bin/../bin/../lib/bfd-plugins/LLVMgold.so: wrong ELF class: ELFCLASS32
    /bin/x86_64-w64-mingw32-ar: /usr/bin/../bin/../lib/bfd-plugins/LLVMgold.so: wrong ELF class: ELFCLASS32
    /bin/x86_64-w64-mingw32-ar: /usr/bin/../bin/../lib/bfd-plugins/LLVMgold.so: wrong ELF class: ELFCLASS32
    /bin/x86_64-w64-mingw32-ar: /usr/bin/../bin/../lib/bfd-plugins/LLVMgold.so: wrong ELF class: ELFCLASS32
    /bin/x86_64-w64-mingw32-ar: /usr/bin/../bin/../lib/bfd-plugins/LLVMgold.so: wrong ELF class: ELFCLASS32
    /bin/x86_64-w64-mingw32-ar: /usr/bin/../bin/../lib/bfd-plugins/LLVMgold.so: wrong ELF class: ELFCLASS32
    /bin/x86_64-w64-mingw32-ar: /usr/bin/../bin/../lib/bfd-plugins/LLVMgold.so: wrong ELF class: ELFCLASS32
    /bin/x86_64-w64-mingw32-ar: /usr/bin/../bin/../lib/bfd-plugins/LLVMgold.so: wrong ELF class: ELFCLASS32
    /usr/lib/gcc/x86_64-w64-mingw32/10.2.1/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lpsapi.lib
    /usr/lib/gcc/x86_64-w64-mingw32/10.2.1/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lntdll.lib
    /usr/lib/gcc/x86_64-w64-mingw32/10.2.1/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lpsapi.lib
    /usr/lib/gcc/x86_64-w64-mingw32/10.2.1/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lntdll.lib
    collect2: error: ld returned 1 exit status
    make[2]: *** [CMakeFiles/hollows_hunter.dir/build.make:252: hollows_hunter] Error 1
    make[1]: *** [CMakeFiles/Makefile2:135: CMakeFiles/hollows_hunter.dir/all] Error 2
    make: *** [Makefile:160: all] Error 2
    [[email protected] ~]$ cd _hollows_hunter/
    [[email protected] _hollows_hunter]$ ls
    CMakeCache.txt	     CTestTestfile.cmake  hh_scanner.cpp  params_info	 util
    CMakeFiles	     hh_params.cpp	  hh_scanner.h	  pe-sieve
    cmake_install.cmake  hh_params.h	  LICENSE	  README.md
    CMakeLists.txt	     hh_report.cpp	  main.cpp	  term_util.cpp
    color_scheme.h	     hh_report.h	  Makefile	  term_util.h
    
    opened by catafest 13
  • Process exception list

    There are some truly awful products out there that will fail HH runs (i.e. Panda) but may need to run anyway. I would like to request a command line option for processes not to be scanned by HH.

    opened by shivermetimber 8
  • Can we have a summary of the detected items?

    If I got it right, Hollows Hunter identifies different kinds of potentially dangerous stuff:

    • hooks
    • patches
    • implants
    • shell code

    I'd like to be able to quickly compare scan results against past scan results and see whether an application still has the same dangerous stuff as before or has new "features".

    My proposal would be to name the dangerous stuff in the summary, maybe like so:

    SUMMARY:
    Scan at: 06/18/20 07:43:09 (1592458989)
    Finished scan in: 81782 milliseconds
    [+] Total Suspicious: 15
    [+] List of suspicious:
    [ 0]: PID: 3164, Name: HsMgr.exe [detected: H, P, I, S]
    [ 1]: PID: 9176, Name: HsMgr64.exe [detected: H, P, I, S]
    [ 2]: PID: 1936, Name: steam.exe [detected: H]
    ...
    
    opened by EveryOtherUsernameWasAlreadyTaken 2
  • Can we have a signature check?

    I was shocked by the number of processes detected on my system, which I believe I take good care of.

    SUMMARY:
    Scan at: 06/18/20 07:43:09 (1592458989)
    Finished scan in: 81782 milliseconds
    [+] Total Suspicious: 15
    [+] List of suspicious:
    [ 0]: PID: 3164, Name: HsMgr.exe
    [ 1]: PID: 9176, Name: HsMgr64.exe
    [ 2]: PID: 1936, Name: steam.exe
    [ 3]: PID: 7564, Name: Skype.exe
    [ 4]: PID: 11396, Name: Skype.exe
    [ 5]: PID: 5648, Name: Skype.exe
    [ 6]: PID: 10412, Name: purevpn.exe
    [ 7]: PID: 15632, Name: Discord.exe
    [ 8]: PID: 15748, Name: flux.exe
    [ 9]: PID: 16204, Name: Discord.exe
    [10]: PID: 6688, Name: Discord.exe
    [11]: PID: 10120, Name: browser_assistant.exe
    [12]: PID: 11688, Name: browser_assistant.exe
    [13]: PID: 10640, Name: onenotem.exe
    [14]: PID: 8540, Name: Launchy.exe
    

    The Wiki says

    Keep in mind that the detected processes are not necessarily malicious, so it should be used with care.

    So I now need to decide whether these 15 processes are malicious or not. I started by taking SysInternals Process Explorer and turning on the verification of signatures (Options / Verify Image Signatures).

    I would appreciate it if Hollows Hunter had that built in, so it tells me in the summary which processes are code signed and which are not. Maybe like so:

    SUMMARY:
    Scan at: 06/18/20 07:43:09 (1592458989)
    Finished scan in: 81782 milliseconds
    [+] Total Suspicious: 15
    [+] List of suspicious:
    [ 0]: PID: 3164, Name: HsMgr.exe (no signature)
    [ 1]: PID: 9176, Name: HsMgr64.exe (no signature)
    [ 2]: PID: 1936, Name: steam.exe (verified: Valve)
    [ 3]: PID: 7564, Name: Skype.exe (verified: Skype Software Sarl)
    [ 4]: PID: 11396, Name: Skype.exe (verified: Skype Software Sarl)
    [ 5]: PID: 5648, Name: Skype.exe (verified: Skype Software Sarl)
    [ 6]: PID: 10412, Name: purevpn.exe (verified: GZ Systems Limited)
    [ 7]: PID: 15632, Name: Discord.exe (verified: Discord Inc.)
    [ 8]: PID: 15748, Name: flux.exe (verified: F.lux Software LLC)
    [ 9]: PID: 16204, Name: Discord.exe (verified: Discord Inc.)
    [10]: PID: 6688, Name: Discord.exe (verified: Discord Inc.)
    [11]: PID: 10120, Name: browser_assistant.exe (verified: Opera Software AS)
    [12]: PID: 11688, Name: browser_assistant.exe (verified: Opera Software AS)
    [13]: PID: 10640, Name: onenotem.exe (verified: Microsoft Corporation)
    [14]: PID: 8540, Name: Launchy.exe (no signature)
    
    opened by EveryOtherUsernameWasAlreadyTaken 2
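    The two issues above propose a SUMMARY format that carries per-process detection tags and a signature annotation. The script below is added here as an illustration and is not part of hollows_hunter: it parses that proposed format and diffs two scans, so a new run can be compared against a previous one as the first of the two issues asks. The sample summaries are constructed, and the field order (signature annotation before the detected tags) is an assumption.

```python
"""Parse the proposed hollows_hunter SUMMARY format and diff two scans."""
import re

# One entry of the proposed summary. Both the "(verified: X)" / "(no signature)"
# annotation and the "[detected: ...]" tags are optional; the annotation is
# assumed to come first (an assumption, the format is only a proposal).
LINE_RE = re.compile(
    r"^\[\s*\d+\]:\s*PID:\s*(?P<pid>\d+),\s*Name:\s*(?P<name>\S+)"
    r"(?:\s*\((?P<sig>[^)]*)\))?"
    r"(?:\s*\[detected:\s*(?P<flags>[^\]]*)\])?"
)

def parse_summary(text):
    """Return {(pid, name): {"flags": set of tags, "sig": annotation or None}}."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # header lines such as "SUMMARY:" or "[+] Total Suspicious"
            continue
        raw = m.group("flags")
        flags = {f.strip() for f in raw.split(",") if f.strip()} if raw else set()
        found[(int(m.group("pid")), m.group("name"))] = {"flags": flags, "sig": m.group("sig")}
    return found

def diff_scans(old_text, new_text):
    """Report what changed between two scans, keyed by (pid, name) so a
    restarted process shows up as removed + added rather than as unchanged."""
    old, new = parse_summary(old_text), parse_summary(new_text)
    both = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in both if old[k]["flags"] != new[k]["flags"]),
        "unsigned": sorted(k for k, v in new.items() if v["sig"] == "no signature"),
    }

# Constructed sample scans in the proposed format (not real tool output).
OLD_SCAN = """SUMMARY:
[+] Total Suspicious: 2
[ 0]: PID: 3164, Name: HsMgr.exe [detected: H, P]
[ 1]: PID: 1936, Name: steam.exe [detected: H]
"""
NEW_SCAN = """SUMMARY:
[+] Total Suspicious: 3
[ 0]: PID: 3164, Name: HsMgr.exe (no signature) [detected: H, P, I, S]
[ 1]: PID: 1936, Name: steam.exe (verified: Valve) [detected: H]
[ 2]: PID: 8540, Name: Launchy.exe (no signature) [detected: S]
"""

if __name__ == "__main__":
    for kind, procs in diff_scans(OLD_SCAN, NEW_SCAN).items():
        print(f"{kind}: {procs}")
```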
  • Allow filtering processes by a time of creation

    Add a parameter that will allow for scanning only newly created processes (created a certain number of milliseconds/seconds/minutes before the scan was started).

    - requested by abuse_ch

    enhancement 
    opened by hasherezade 1
  • Logfile

    Logfile "hollows_hunter.log" output doesn't take into account the /dir directive

    Hello,

    Thank you for your really useful project.

    The "hollows_hunter.log" logfile output didn't take into account the /dir directive. Now "hollows_hunter.log" is generated in the directory specified by the /dir directive.

    Regards,

    wontfix 
    opened by sydurand 1
  • False Positives

    Hi, first of all thank you a lot for your amazing work and for sharing your awesome tools. I have tested Hollows Hunter on 2 Windows machines where I have installed the AV/EDR CrowdStrike and could observe that Hollows Hunter lists 47 suspicious processes, but I am 99.99% sure that the processes are clean and not malicious. Could it be that these are false positives because of the installed EDR and the hooks from the EDR?

    opened by VirtualAlllocEx 3
  • Can't detect hollow process created by ursnif trojan

    opened by shelovemee 3
Releases (v0.3.4)