Hollows Hunter: Open-Source Tool to Scan for Injected Shellcode

One of the many ways an attacker can take over a system is by injecting shellcode into a running process. Shellcode is a small, self-contained piece of machine code that the attacker gets a process to execute. The name comes from early payloads whose only job was to spawn a command shell, but modern shellcode may do anything from fetching a second stage to loading a complete DLL in memory. Once the attacker's code runs inside a process, it inherits that process's privileges and acts on the system with them.

Typical shellcode is written in assembly to keep it very small and position-independent, which makes it easy to place in a target process's memory. It can get there in two ways: through a memory-corruption vulnerability in the target, such as a buffer overflow, that lets attacker-supplied bytes be executed; or, more commonly during post-exploitation, through the operating system's own process-injection APIs (on Windows, for example, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread), which need no vulnerability at all, only sufficient privileges on the host. Either way, the result is executable code living in memory that no module on disk accounts for.

Process hollowing is a related technique: the attacker starts a legitimate program (typically in a suspended state), unmaps or overwrites its original executable image in memory, and replaces it with a malicious one, so that the malicious code runs under the name and appearance of a trusted process. The tool described below is named after these hollowed processes, and it treats such image replacements, injected code, and in-memory patches alike as implants to be reported.

Hollows Hunter

With the open-source tool Hollows Hunter, we can scan all running processes for injected shellcode. It also detects other in-memory modifications of a running process: memory patches, replaced PE images (hollowing), and hooks.

Hollows Hunter is built on another open-source tool by the same author, PE-sieve, which scans a single process at a time. Hollows Hunter wraps it so that many processes, or the entire system, can be scanned in one run. It looks for potentially malicious implants and extracts them for further analysis.

When it finds a suspected implant, it dumps it to a sub-folder of its output directory. Security researchers can then analyze the dumped code with other tools.
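To make the two checks above concrete, here is an added Python example (not code from Hollows Hunter or PE-sieve) that applies the same heuristics the tool's reports describe to a constructed memory map of a fictitious process: executable memory that no image on disk backs is reported as an implant (raw shellcode, or an injected PE when it begins with an MZ header), and an image-backed code region whose bytes differ from its on-disk copy is reported as a patch or, when the change starts with a JMP rel32, an inline hook. The memory map, the module contents, the "hollows_dump" folder and the dump file naming are all assumptions made for this example; on a real Windows host the region list would come from VirtualQueryEx and the disk copy from the mapped file.

```python
"""Implant and patch heuristics over a constructed process memory map.

Added example, not Hollows Hunter's own code. Everything below the
constants is an assumption made for illustration.
"""
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Tuple, Union

# Memory protection and type constants, values as in <winnt.h>.
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000

JMP_REL32 = 0xE9  # opcode of a 5-byte relative jump, the classic inline hook


@dataclass
class Region:
    """One committed region as VirtualQueryEx would describe it, plus the bytes a
    scanner reads from it and, for image-backed regions, from the file on disk."""
    base: int
    size: int
    protect: int
    mem_type: int
    mapped_path: Optional[str]  # backing file for MEM_IMAGE regions, else None
    in_memory: bytes = b""
    on_disk: bytes = b""


def is_executable(region: Region) -> bool:
    return bool(region.protect & EXECUTABLE)


def find_implants(regions: List[Region]) -> List[Tuple[int, str]]:
    """Executable memory that no PE image on disk accounts for.
    A region starting with an MZ header is classified as an injected PE,
    anything else as raw shellcode."""
    hits = []
    for r in regions:
        if not is_executable(r) or r.mem_type == MEM_IMAGE:
            continue
        kind = "implanted_pe" if r.in_memory[:2] == b"MZ" else "implanted_shc"
        hits.append((r.base, kind))
    return hits


def find_patches(regions: List[Region]) -> List[Tuple[str, int, str, int]]:
    """Compare each image-backed executable region byte for byte with its on-disk
    copy; report (module, offset of first difference, kind, number of changed bytes)."""
    findings = []
    for r in regions:
        if r.mem_type != MEM_IMAGE or not is_executable(r):
            continue
        diffs = [i for i, (m, d) in enumerate(zip(r.in_memory, r.on_disk)) if m != d]
        if not diffs:
            continue
        first = diffs[0]
        kind = "inline_hook" if r.in_memory[first] == JMP_REL32 else "patched"
        findings.append((r.mapped_path, first, kind, len(diffs)))
    return findings


def scan(regions: List[Region]) -> dict:
    return {"implants": find_implants(regions), "patches": find_patches(regions)}


def dump_implants(regions: List[Region], out_dir: Union[str, Path]) -> List[Path]:
    """Write every implant to out_dir, named by its base address (naming is an
    assumption of this example), so it can be analyzed offline."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    by_base = {r.base: r for r in regions}
    written = []
    for base, kind in find_implants(regions):
        ext = "dll" if kind == "implanted_pe" else "shc"
        path = out / f"{base:016x}.{ext}"
        path.write_bytes(by_base[base].in_memory)
        written.append(path)
    return written


def sample_process() -> List[Region]:
    """Constructed memory map of a fictitious victim process (not real data)."""
    ntdll_disk = bytes(range(64))  # stand-in for the first 64 bytes of .text
    # First five bytes overwritten with JMP rel32: an inline hook.
    ntdll_mem = bytes([JMP_REL32, 0x10, 0x20, 0x30, 0x40]) + ntdll_disk[5:]
    kernel32_code = bytes(range(64, 128))
    shellcode = b"\x90" * 8 + b"\xcc"  # NOP sled plus int3, a placeholder payload
    injected_pe = b"MZ" + b"\x00" * 62  # placeholder for a reflectively loaded DLL
    return [
        Region(0x7FF800010000, 0x1000, PAGE_EXECUTE_READ, MEM_IMAGE,
               r"C:\Windows\System32\ntdll.dll", ntdll_mem, ntdll_disk),
        Region(0x7FF800100000, 0x1000, PAGE_EXECUTE_READ, MEM_IMAGE,
               r"C:\Windows\System32\kernel32.dll", kernel32_code, kernel32_code),
        Region(0x1A0000, 0x10000, PAGE_READWRITE, MEM_PRIVATE, None, b"\x00" * 32),  # heap
        Region(0x2B0000, 0x1000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, None, shellcode),
        Region(0x3C0000, 0x2000, PAGE_EXECUTE_READ, MEM_PRIVATE, None, injected_pe),
    ]


if __name__ == "__main__":
    regions = sample_process()
    print(scan(regions))
    print(dump_implants(regions, "hollows_dump"))
```

The heap region is ignored because it is not executable, and kernel32 is ignored because its memory matches disk; only the RWX private region, the MZ-headed private region and the hooked ntdll code are reported. Real scanners add more checks (IAT comparison, unreachable backing files, obfuscated code), but image-versus-disk comparison and "executable but not image-backed" are the core of what the page describes.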

Hollows Hunter is a command-line tool with many parameters. They let us choose the scan targets (by process ID or process name), run the scanner in a loop, exclude some processes, select what to scan for (inline hooks, in-memory patches, shellcode, obfuscated code, and so on), and control how a suspicious process is dumped.

You can download Hollows Hunter from https://github.com/hasherezade/hollows_hunter.