RunPE Detector v2.0

Status
Not open for further replies.

JPLesueur

From Phrozen Software
Thread author
Verified
Developer
May 3, 2016
63
Hey guys, just to introduce you the new version of RunPE Detector.

What is RunPE Detector:

runpe-detector.png

RunPE Detector is a new concept we invented for near-100% detection of malware mounted in your system’s memory. Hackers use the RunPE process to evade firewalls antivirus detection by hijacking legit processes. With RunPE Detector, you can uncover the malicious code and prevent it from further infecting your system.

Changelog:

GENERAL
  • Project recoded from scratch
  • Better Pe File / Memory analysis
  • Faster analysis
  • Stability and memory usage improved
  • More efficient code to unlock and remove threats
GUI
  • Phrozen Material Support Added

Download link : Download - Phrozen

Some Pictures :


RunPEDetector1.png

RunPEDetector2.png
 

JPLesueur

From Phrozen Software
Thread author
Verified
Developer
May 3, 2016
63
Thank you very much. Will give it a try.

But aren't there any other processes which can be used in this way as well?
Does it work on any windows version?

Hello Daniel,

It work on any windows version and yes some legitimate process could have a different PE Header Memory Image than it Image Path PE Header File but it is substantially different like Skype for example for some reason.

The PE Header of the Malware is very different than the target so the accuracy of that tool is excellent and based on three level of comparison.

Level 1 : Only few differences was detected (Low %)
Level 2 : Few differences was detected
Level 3 : No doubt, it is a Malware, the percentage of difference is very high, it can't be the same Image loaded and active in memory.

There is no reason for legitimate application to use Process Hollowing.
 

JPLesueur

From Phrozen Software
Thread author
Verified
Developer
May 3, 2016
63
Thanks for sharing. The software won't prevent process hijacking but will work as an on-demand scanner to detect them?

Yeah,there is no pro-active module for the moment, the goal was to create a new concept of generic detection. I will for sure in a near futur add pro-active scan. But in my free time I'm first working on Winja and one of it dependency ;)
 

Visa

Level 1
May 31, 2017
42
Can this software detect process hollowing?
Process hollowing has many different titles. The most professional title I have heard for it would be "dynamic forking"... Although it is also known as "process hollowing" and "RunPE".

Process hollowing is essentially replacing a program in memory with another. It is quite a powerful technique if implemented correctly because without a way of identification for this behavior having taken place (e.g. without a tool like this one) you may be tricked into believing that a program like chrome.exe is running when in actual fact it had been targeted with process hollowing and therefore malware is running while pretending to be chrome.exe. One of the worst parts about this technique is that typical security solutions will genuinely see that chrome.exe is running (and scan chrome.exe on disk), instead of scanning the malicious PE.

This looks like a really promising tool! Looking forward to seeing a pro-active scanner added to it! :) :cool:
 

JPLesueur

From Phrozen Software
Thread author
Verified
Developer
May 3, 2016
63
Process hollowing has many different titles. The most professional title I have heard for it would be "dynamic forking"... Although it is also known as "process hollowing" and "RunPE".

Process hollowing is essentially replacing a program in memory with another. It is quite a powerful technique if implemented correctly because without a way of identification for this behavior having taken place (e.g. without a tool like this one) you may be tricked into believing that a program like chrome.exe is running when in actual fact it had been targeted with process hollowing and therefore malware is running while pretending to be chrome.exe. One of the worst parts about this technique is that typical security solutions will genuinely see that chrome.exe is running (and scan chrome.exe on disk), instead of scanning the malicious PE.

This looks like a really promising tool! Looking forward to seeing a pro-active scanner added to it! :) :cool:

I will surely do my best ! I only can spend 5% of my time at coding Freeware / rest of the time I'm busy in IT Consulting / Custom project development with my company. I might in a near futur increase my Freeware dedicated time :)
 

Visa

Level 1
May 31, 2017
42
I will surely do my best ! I only can spend 5% of my time at coding Freeware / rest of the time I'm busy in IT Consulting / Custom project development with my company. I might in a near futur increase my Freeware dedicated time :)
Don't worry about it, you're doing fine as you are IMO. I really like your tool and I think that the idea alone is brilliant, most AV solutions don't really do anything against process hollowing I've found, with the exceptions of solutions by vendors like Emsisoft which have a BB against code injection attacks.

Keep doing as you are, your tool will rise in popularity as time goes by and will improve over time. Great work! :)
 

Visa

Level 1
May 31, 2017
42
Hey! Back here for a few minutes quickly.. :)

I just wanted to come back to this thread and say that I just tested out this RunPE detector tool and it worked flawlessly during the test; the scanning was incredibly fast for me and the scanner did not hesitate to detect the process hollowing attack which had affected OSRLOADER.exe. In my test, I targeted OSRLOADER.exe (which I had placed at the root of the C: drive) so it would be replaced with an empty C++ GUI application I compiled called VisaGUI.exe.

You can see a screenshot here of OSRLOADER.exe being detected as a process hollowing target:
RxYkz2.jpg


After scanning:

KX2eR5.jpg

As you can see from the attached picture file, the program really does work as intended and advertised. :cool:

Can't wait for the future updates! :)
 

Attachments

  • runpe1.png
    runpe1.png
    193.8 KB · Views: 374
  • runpe2.png
    runpe2.png
    34.7 KB · Views: 474

JPLesueur

From Phrozen Software
Thread author
Verified
Developer
May 3, 2016
63
Hey! Back here for a few minutes quickly.. :)

I just wanted to come back to this thread and say that I just tested out this RunPE detector tool and it worked flawlessly during the test; the scanning was incredibly fast for me and the scanner did not hesitate to detect the process hollowing attack which had affected OSRLOADER.exe. In my test, I targeted OSRLOADER.exe (which I had placed at the root of the C: drive) so it would be replaced with an empty C++ GUI application I compiled called VisaGUI.exe.

You can see a screenshot here of OSRLOADER.exe being detected as a process hollowing target:

As you can see from the attached picture file, the program really does work as intended and advertised. :cool:

Can't wait for the future updates! :)

Hehe, many Malware coders I know are quite upset, cuz their RunPE crypter can't bypass this detection ^^

Simple but efficient
 
Status
Not open for further replies.