// the find
hasherezade/hollows_hunter
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Hollows Hunter scans every running Windows process for signs of in-memory tampering: process hollowing, PE injection, shellcode, hooks, and patched regions. It's built on top of hasherezade's PE-sieve library and adds process-selection logic, ETW-based continuous monitoring, and bulk dumping on top. The target audience is malware analysts and incident responders who need a fast triage tool on a compromised Windows machine.
PE-sieve underneath is genuinely well-regarded in the malware analysis community — the detection logic is mature and has caught real-world implants that commercial EDRs missed. ETW listener mode is a practical addition: instead of polling, it reacts to process creation events, which matters when you're trying to catch short-lived injectors. The /loop mode combined with filter flags (by name, PID list, or creation time) makes it usable in both one-shot forensics and light continuous monitoring without a full EDR stack. Chocolatey packaging lowers the friction for defenders who need it on a machine fast.
Windows-only and 32/64-bit builds are separate binaries — annoying in incident response when you grab the wrong one. Documentation lives entirely on the GitHub Wiki, which is reasonable but fragmented; the relationship between hollows_hunter flags and the underlying pe-sieve parameters isn't always clear without cross-referencing both Wikis. There's no structured output format beyond JSON dump files in a folder — if you want to feed results into a SIEM or script over them, you're parsing filenames and directory structures, not a clean report stream. The recursive submodule dependency chain (pe-sieve, krabsetw, paramkit) makes the build non-trivial; the CMake setup works but first-time builders on Windows regularly hit path and SDK issues.