Enhance process hollowing detection with deep PE comparison

Added comprehensive section-by-section PE comparison that reads the
executable from disk, parses PE sections, and compares them against
memory using SHA-256 hashing. Detects:

- Modified code sections (>5% difference from disk)
- Missing PE sections in memory
- Section hash mismatches

This catches sophisticated hollowing techniques that modify specific
code sections while preserving the PE header structure.
pandaadir05
2025-11-21 01:08:49 +02:00
parent a795e586d2
commit 449cfe9708
2 changed files with 315 additions and 0 deletions
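The comparison the commit message describes, as an added example in Python (not the project's Rust code and not the 315 lines this commit adds): the on-disk PE section table is parsed, each section is hashed with SHA-256 as it sits on disk and as it appears in a memory snapshot, and the three conditions from the message are reported: a section missing from the mapping, a hash mismatch, and a code section where more than 5% of bytes differ. The PE32+ image, the clean mapping and the hollowed mapping are constructed inline so it runs offline; a real detector would obtain the memory bytes from the target process at its image base.

```python
"""Disk-vs-memory PE section comparison (added example, not the project's code)."""
import hashlib
import struct
from dataclasses import dataclass

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
MODIFIED_CODE_THRESHOLD = 0.05  # commit text: >5% of bytes differ from disk


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    size_of_raw_data: int
    pointer_to_raw_data: int
    characteristics: int

    @property
    def is_code(self) -> bool:
        return bool(self.characteristics & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))


def parse_sections(disk: bytes) -> list[Section]:
    """DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if disk[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", disk, 0x3C)[0]
    if disk[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", disk, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", disk, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, two pointers, two counts, Characteristics
        (name, vsize, vaddr, rawsize, rawptr, _r, _l, _nr, _nl,
         chars) = struct.unpack_from("<8sIIIIIIHHI", disk, table + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vsize, vaddr, rawsize, rawptr, chars))
    return sections


def compare_sections(disk: bytes, memory: bytes) -> list[dict]:
    """Findings: MISSING, HASH_MISMATCH (any section), MODIFIED_CODE (code, >5%)."""
    findings = []
    for s in parse_sections(disk):
        # Compare only bytes present in both views: raw data is padded to
        # FileAlignment, and VirtualSize may exceed SizeOfRawData (zero-filled).
        n = min(s.size_of_raw_data, s.virtual_size)
        disk_bytes = disk[s.pointer_to_raw_data:s.pointer_to_raw_data + n]
        mem_bytes = memory[s.virtual_address:s.virtual_address + n]
        if len(mem_bytes) < n:
            findings.append({"section": s.name, "type": "MISSING",
                             "detail": f"{len(mem_bytes)} of {n} bytes mapped"})
            continue
        if hashlib.sha256(disk_bytes).digest() == hashlib.sha256(mem_bytes).digest():
            continue
        ratio = sum(a != b for a, b in zip(disk_bytes, mem_bytes)) / n
        findings.append({"section": s.name, "type": "HASH_MISMATCH", "ratio": ratio})
        if s.is_code and ratio > MODIFIED_CODE_THRESHOLD:
            findings.append({"section": s.name, "type": "MODIFIED_CODE", "ratio": ratio})
    return findings


def build_sample() -> tuple[bytes, bytes]:
    """Constructed PE32+ image (.text at RVA 0x1000, .rdata at 0x2000) and a clean mapping."""
    text = bytes((i * 7) & 0xFF for i in range(0x200))
    rdata = b"constructed .rdata contents\0".ljust(0x200, b"\0")
    disk = bytearray(0x600)
    disk[:2] = b"MZ"
    struct.pack_into("<I", disk, 0x3C, 0x40)                    # e_lfanew
    disk[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", disk, 0x44, 0x8664, 2, 0, 0, 0, 0xF0, 0x22)  # COFF header
    struct.pack_into("<H", disk, 0x58, 0x20B)                   # PE32+ magic
    struct.pack_into("<II", disk, 0x58 + 0x38, 0x3000, 0x200)   # SizeOfImage, SizeOfHeaders
    hdr = "<8sIIIIIIHHI"                                        # section table at 0x148
    struct.pack_into(hdr, disk, 0x148, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(hdr, disk, 0x170, b".rdata", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    disk[0x200:0x400] = text
    disk[0x400:0x600] = rdata
    memory = bytearray(0x3000)                                  # sections mapped at their RVAs
    memory[:0x200] = disk[:0x200]
    memory[0x1000:0x1200] = text
    memory[0x2000:0x2200] = rdata
    return bytes(disk), bytes(memory)


def hollow(memory: bytes, patch_len: int, truncate: bool = True) -> bytes:
    """Simulate hollowing: overwrite the start of .text with INT3 and, optionally,
    cut the mapping short so .rdata is no longer fully present in memory."""
    m = bytearray(memory)
    m[0x1000:0x1000 + patch_len] = b"\xCC" * patch_len
    return bytes(m[:0x2100] if truncate else m)


if __name__ == "__main__":
    disk, clean = build_sample()
    print("clean      :", compare_sections(disk, clean))
    print("hollowed   :", compare_sections(disk, hollow(clean, 0x80)))
    print("small patch:", compare_sections(disk, hollow(clean, 0x10, truncate=False)))
```

The 5% threshold matters in practice: a 16-byte inline hook in a 512-byte `.text` section produces a hash mismatch but not a `MODIFIED_CODE` finding, while a 128-byte overwrite does. Non-code sections (`.rdata`, `.data`) legitimately differ from disk once imports are resolved and relocations applied, so a hash mismatch there is informational; for code sections, a production detector should apply the image's relocation entries before comparing, or the base-address delta alone will register as modification on relocated images.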


@@ -16,6 +16,7 @@ uuid = { version = "1.0", features = ["v4"] }
toml = "0.8"
chrono = "0.4"
yara = "0.28"
sha2 = "0.10"
[target.'cfg(windows)'.dependencies]
windows = { version = "0.58", features = [
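Review bot: style point on the added `sha2 = "0.10"` line: it lands directly above `[target.'cfg(windows)'.dependencies]` with no blank line between the general dependency list and the platform-specific table, so the table boundary is easy to miss when scanning; add a blank line after `sha2 = "0.10"`. Also worth a sentence in the commit body: this places `sha2` in the unconditional dependencies, so it is built for every target even though the PE comparison it supports sits alongside the Windows-only `windows` crate below; if the new code is only compiled on Windows, moving the line into that `cfg(windows)` table keeps the non-Windows build lean.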