Hollows_Hunter 0.4.1.1

Command line application based on the passive memory scanner PE-sieve.


Description


Hollows_Hunter is a command-line application based on the passive memory scanner PE-sieve. Its main function is to identify and dump various types of potentially malicious in-memory implants, such as replaced or embedded PEs, shellcode, hooks, and patches.

Main Features:

Advanced Process Selection: Unlike PE-sieve, which allows selecting processes only by PID (process identifier), Hollows Hunter can select processes by several criteria:

  • List of PIDs
  • List of process names
  • Creation time (relative to the moment of executing Hollows Hunter)

Complete Scanning: If no specific target is selected, the software scans all available processes in the system.

Continuous Scanning: Hollows Hunter can be configured to scan memory continuously with the /loop argument, or to run as an ETW (Event Tracing for Windows) listener in /etw mode (64-bit version only).

With these features, Hollows Hunter becomes a powerful tool for identifying malicious implants in memory, making it essential for security analysis in Windows systems.