RunPE Detector v2.0

[JPLesueur]

Hey guys, just to introduce you the new version of RunPE Detector.

What is RunPE Detector:

RunPE Detector is a new concept we invented for near-100% detection of malware mounted in your system’s memory. Hackers use the RunPE process to evade firewalls antivirus detection by hijacking legit processes. With RunPE Detector, you can uncover the malicious code and prevent it from further infecting your system.

Changelog:

GENERAL

• Project recoded from scratch

• Better Pe File / Memory analysis

• Faster analysis

• Stability and memory usage improved

• More efficient code to unlock and remove threats

GUI

• Phrozen Material Support Added

Download link : Download - Phrozen

Some Pictures :

 

[Daniel Keller]

Thank you very much. Will give it a try.

But aren't there any other processes which can be used in this way as well?
Does it work on any windows version?

 

[JPLesueur]

Thank you very much. Will give it a try.

But aren't there any other processes which can be used in this way as well?
Does it work on any windows version?

Hello Daniel,

It work on any windows version and yes some legitimate process could have a different PE Header Memory Image than it Image Path PE Header File but it is substantially different like Skype for example for some reason.

The PE Header of the Malware is very different than the target so the accuracy of that tool is excellent and based on three level of comparison.

Level 1 : Only few differences was detected (Low %)
Level 2 : Few differences was detected
Level 3 : No doubt, it is a Malware, the percentage of difference is very high, it can't be the same Image loaded and active in memory.

There is no reason for legitimate application to use Process Hollowing.

 

[Daniel Keller]

Thank you for the explanations. Sounds promising

 

[erreale]

Very interesting!

 

[Sunshine-boy]

thank you, I will install this tool

 

[Sunshine-boy]

Can this software detect process hollowing?

 

[ZeroDay]

Thanks for this.

 

[JPLesueur]

Can this software detect process hollowing?

Process Hollowing = RunPE

 

[Sunshine-boy]

hello <3
thnx for the answer

 

[RoboMan]

Thanks for sharing. The software won't prevent process hijacking but will work as an on-demand scanner to detect them?

 

[JPLesueur]

Thanks for sharing. The software won't prevent process hijacking but will work as an on-demand scanner to detect them?

Yeah,there is no pro-active module for the moment, the goal was to create a new concept of generic detection. I will for sure in a near futur add pro-active scan. But in my free time I'm first working on Winja and one of it dependency

 

[RoboMan]

Yeah,there is no pro-active module for the moment, the goal was to create a new concept of generic detection. I will for sure in a near futur add pro-active scan. But in my free time I'm first working on Winja and one of it dependency

Thank you for the reply and for the software.

 

[Visa]

Can this software detect process hollowing?

Process hollowing has many different titles. The most professional title I have heard for it would be "dynamic forking"... Although it is also known as "process hollowing" and "RunPE".

Process hollowing is essentially replacing a program in memory with another. It is quite a powerful technique if implemented correctly because without a way of identification for this behavior having taken place (e.g. without a tool like this one) you may be tricked into believing that a program like chrome.exe is running when in actual fact it had been targeted with process hollowing and therefore malware is running while pretending to be chrome.exe. One of the worst parts about this technique is that typical security solutions will genuinely see that chrome.exe is running (and scan chrome.exe on disk), instead of scanning the malicious PE.

This looks like a really promising tool! Looking forward to seeing a pro-active scanner added to it!

 

[Sunshine-boy]

hello @Visa
thnx for the info<3

 

[JPLesueur]

Process hollowing has many different titles. The most professional title I have heard for it would be "dynamic forking"... Although it is also known as "process hollowing" and "RunPE".

Process hollowing is essentially replacing a program in memory with another. It is quite a powerful technique if implemented correctly because without a way of identification for this behavior having taken place (e.g. without a tool like this one) you may be tricked into believing that a program like chrome.exe is running when in actual fact it had been targeted with process hollowing and therefore malware is running while pretending to be chrome.exe. One of the worst parts about this technique is that typical security solutions will genuinely see that chrome.exe is running (and scan chrome.exe on disk), instead of scanning the malicious PE.

This looks like a really promising tool! Looking forward to seeing a pro-active scanner added to it!

I will surely do my best ! I only can spend 5% of my time at coding Freeware / rest of the time I'm busy in IT Consulting / Custom project development with my company. I might in a near futur increase my Freeware dedicated time

 

[Visa]

I will surely do my best ! I only can spend 5% of my time at coding Freeware / rest of the time I'm busy in IT Consulting / Custom project development with my company. I might in a near futur increase my Freeware dedicated time

Don't worry about it, you're doing fine as you are IMO. I really like your tool and I think that the idea alone is brilliant, most AV solutions don't really do anything against process hollowing I've found, with the exceptions of solutions by vendors like Emsisoft which have a BB against code injection attacks.

Keep doing as you are, your tool will rise in popularity as time goes by and will improve over time. Great work!

 

[Visa]

Hey! Back here for a few minutes quickly..

I just wanted to come back to this thread and say that I just tested out this RunPE detector tool and it worked flawlessly during the test; the scanning was incredibly fast for me and the scanner did not hesitate to detect the process hollowing attack which had affected OSRLOADER.exe. In my test, I targeted OSRLOADER.exe (which I had placed at the root of the C: drive) so it would be replaced with an empty C++ GUI application I compiled called VisaGUI.exe.

You can see a screenshot here of OSRLOADER.exe being detected as a process hollowing target:

Spoiler: Screenshot

After scanning:

As you can see from the attached picture file, the program really does work as intended and advertised.

Can't wait for the future updates!

 

[JPLesueur]

Hey! Back here for a few minutes quickly..

I just wanted to come back to this thread and say that I just tested out this RunPE detector tool and it worked flawlessly during the test; the scanning was incredibly fast for me and the scanner did not hesitate to detect the process hollowing attack which had affected OSRLOADER.exe. In my test, I targeted OSRLOADER.exe (which I had placed at the root of the C: drive) so it would be replaced with an empty C++ GUI application I compiled called VisaGUI.exe.

You can see a screenshot here of OSRLOADER.exe being detected as a process hollowing target:

As you can see from the attached picture file, the program really does work as intended and advertised.

Can't wait for the future updates!

Hehe, many Malware coders I know are quite upset, cuz their RunPE crypter can't bypass this detection ^^

Simple but efficient

 

[Sunshine-boy]

@Visa Hello and Thanks for the test<3
so this tiny tool is OTP