hasherezade / hollows_hunter

Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
https://github.com/hasherezade/hollows_hunter/wiki
BSD 2-Clause "Simplified" License

Can we have a summary of the detected items? #7

Closed EveryOtherUsernameWasAlreadyTaken closed 4 years ago

EveryOtherUsernameWasAlreadyTaken commented 4 years ago

If I got it right, Hollows Hunter identifies different kinds of potentially dangerous stuff:

I'd like to be able to quickly compare scan results against past scan results and see whether an application still has the same dangerous stuff as before or has new "features".

My proposal would be to name the dangerous stuff in the summary, maybe like so:

SUMMARY:
Scan at: 06/18/20 07:43:09 (1592458989)
Finished scan in: 81782 milliseconds
[+] Total Suspicious: 15
[+] List of suspicious:
[ 0]: PID: 3164, Name: HsMgr.exe [detected: H, P, I, S]
[ 1]: PID: 9176, Name: HsMgr64.exe [detected: H, P, I, S]
[ 2]: PID: 1936, Name: steam.exe [detected: H]
...
hasherezade commented 4 years ago

Hi! I see that it is your first experience with HollowsHunter. Take your time to get familiar with the tool and parameters - the HollowsHunter wiki is very brief, and contains only those that are not self-explanatory. Check also the PE-sieve wiki, which contains a lot of important stuff.

You will see that what you are proposing is already implemented - just use the /json parameter - and the JSON summary will be printed on stdout. What is shown in the basic summary is just a list of names, but an extended summary is also available in more human-readable form.

(screenshot: json_vs_summary)
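The comparison the original poster asked for can be done on top of the /json output: save one summary per scan and diff them by image name and detection category. The script below is an added example written for this thread; it is not part of HollowsHunter, and the JSON layout it parses (a "suspicious" list whose entries carry per-category counts such as "patched", "iat_hooked", "implanted") is an assumption standing in for whatever fields your HollowsHunter version actually emits, so adapt the key names in CATEGORIES after looking at one real report. The two sample reports embedded in it are constructed, not real scan output.

```python
"""Diff two HollowsHunter-style JSON summaries by process image and detection category.

Assumed (hypothetical) report layout, adapt to the real field names:
{"scan_timestamp": int,
 "suspicious": [{"pid": int, "name": str,
                 "replaced": int, "hdr_modified": int, "patched": int,
                 "iat_hooked": int, "implanted": int, "other": int}, ...]}
"""
import json
import sys

# Detection categories expected in each per-process entry (assumed names).
CATEGORIES = ("replaced", "hdr_modified", "patched", "iat_hooked",
              "implanted", "other")

# Constructed sample reports for the demo below; not real HollowsHunter output.
OLD_REPORT = json.dumps({
    "scan_timestamp": 1592458989,
    "suspicious": [
        {"pid": 3164, "name": "HsMgr.exe", "replaced": 0, "hdr_modified": 0,
         "patched": 2, "iat_hooked": 3, "implanted": 1, "other": 0},
        {"pid": 1936, "name": "steam.exe", "replaced": 0, "hdr_modified": 0,
         "patched": 0, "iat_hooked": 1, "implanted": 0, "other": 0},
        {"pid": 4412, "name": "updater.exe", "replaced": 1, "hdr_modified": 0,
         "patched": 0, "iat_hooked": 0, "implanted": 0, "other": 0},
    ],
})
NEW_REPORT = json.dumps({
    "scan_timestamp": 1592545389,
    "suspicious": [
        {"pid": 2208, "name": "HsMgr.exe", "replaced": 0, "hdr_modified": 0,
         "patched": 2, "iat_hooked": 3, "implanted": 1, "other": 0},
        {"pid": 5120, "name": "steam.exe", "replaced": 0, "hdr_modified": 1,
         "patched": 0, "iat_hooked": 1, "implanted": 2, "other": 0},
        {"pid": 7788, "name": "svchost.exe", "replaced": 0, "hdr_modified": 0,
         "patched": 0, "iat_hooked": 0, "implanted": 1, "other": 0},
    ],
})


def detections(report_json):
    """Map lower-cased image name -> set of categories with a non-zero count.

    Keyed by name rather than PID because PIDs change between reboots and are
    reused; several instances of the same image are merged into one entry.
    """
    report = json.loads(report_json)
    result = {}
    for entry in report.get("suspicious", []):
        name = entry["name"].lower()  # Windows image names are case-insensitive
        flags = {c for c in CATEGORIES if entry.get(c, 0)}
        result.setdefault(name, set()).update(flags)
    return result


def diff_reports(old_json, new_json):
    """Return images that appeared, disappeared, or changed detection set.

    "changed" maps name -> (categories added, categories removed).
    """
    old, new = detections(old_json), detections(new_json)
    appeared = {n: new[n] for n in new.keys() - old.keys()}
    gone = {n: old[n] for n in old.keys() - new.keys()}
    changed = {}
    for n in old.keys() & new.keys():
        if old[n] != new[n]:
            changed[n] = (new[n] - old[n], old[n] - new[n])
    return {"new": appeared, "gone": gone, "changed": changed}


def main(argv):
    # Usage: diff_hh.py old.json new.json; with no arguments the samples are diffed.
    if len(argv) == 3:
        with open(argv[1]) as f_old, open(argv[2]) as f_new:
            old_json, new_json = f_old.read(), f_new.read()
    else:
        old_json, new_json = OLD_REPORT, NEW_REPORT
    d = diff_reports(old_json, new_json)
    for name, flags in sorted(d["new"].items()):
        print(f"[+] NEW      {name}: {', '.join(sorted(flags))}")
    for name, flags in sorted(d["gone"].items()):
        print(f"[-] GONE     {name}: {', '.join(sorted(flags))}")
    for name, (added, removed) in sorted(d["changed"].items()):
        print(f"[~] CHANGED  {name}: +{sorted(added)} -{sorted(removed)}")
    return d


if __name__ == "__main__":
    main(sys.argv)
```

Run it once per scan against the previous run's saved JSON; an unchanged image is silent, and only new images, vanished images, or a changed detection set get a line. Keying by image name merges all instances of that binary, which is usually what you want when asking "did this application grow a new implant", but it hides a case where one of several instances is clean and another is not; key on (pid, name) instead if you diff two scans taken without a reboot in between.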

EveryOtherUsernameWasAlreadyTaken commented 4 years ago

Thanks for the explanation and patience.