Hollows Hunter : Open-Source Tool to Scan Injected ShellCode

One of the many ways a potential attacker/hacker can take over a vulnerable system is by injecting shellcode into a running process. A shellcode is a small piece of code designed to run the shell (command prompt) with elevated access. When the attacker gains control of an elevated shell, they can do anything on that system.

A typical shellcode is written using the assembly language in order to keep its size very very small. This also makes is easy to inject this shellcode into a target process’s memory space. But this cannot be done without any vulnerability in the target process such as buffer overflow. These vulnerabilities allows that attacker to inject the shellcode.

This technique when an attacker replaces some parts of a running process memory code with another (usually malicious) code is called process hollowing. Such memory replacements or code injections are called hollows.

With the help of an open-source tool “Hollows Hunter”, we can scan all the running processes for the presence of any injected shellcode. In addition, this tool can also scan for other in-memory modifications in a running process. This includes detection of memory patches, replacement of PE, and hooks.

While Hollows Hunter is based on another open-source tool called PE-Sieve, it can scan multiple processes at once unlike PE-Sieve which scans only one process at a time. Hollows Hunter can be used to scan an entire system. It looks up for any potentially malicious implants and extract them for further analysis.

When it finds such potential memory implants, it extracts them and saves them in a sub-folder. Security researches can then analyze the dumped code using other tools.

Hollows Hunter is a command line tool and comes with many parameters. Using these parameters, we can choose scan targets, make the scanner run in a loop mode, choose to exclude some processes, choose what to scan (inline hooks, in-memory patches, shellcode, obfuscated code, etc.), and choose how to dump the suspicious process.

You can download Hollows Hunter from https://github.com/hasherezade/hollows_hunter.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Leave a Reply Cancel reply