Guide | How to uncover hidden malware with RunPE Detector


Venustus

Thread author
Dec 30, 2012
Handy little tool!!

Malware uses many tricks to hide its process, and one of the most common is known as RunPE.
Essentially, this involves starting a known and trusted process -- Explorer.exe, say -- in a suspended state, replacing its code with the malware's own, then starting it up. Even running something like Process Explorer won't reveal any problems unless you look very, very closely.

It's a free tool which scans the headers of your processes in memory, and compares them to their disk images. It sounds too simple a technique, but it really does work: if a process has been exploited by RunPE then there should be a difference, and you’ll see an alert.

The program tries to go further by giving you the option to remove whatever malware it detects. It’s good to see the developer has some ambition, but it’s a difficult task, and we wouldn’t rely on it being successful. If you do find a problem, use a full-strength antivirus engine to investigate further.

Phrozen RunPE Detector doesn’t do a great deal. It only detects RunPE-compromised processes, and even then, only if they’re 32-bit (64-bit scanning is apparently coming soon).

https://www.phrozensoft.com/freeware
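To show what the "compare the in-memory headers with the disk image" check actually looks at, here is an added Python illustration of the idea. It is not Phrozen's code and not part of the post; reading the header bytes out of a live process (ReadProcessMemory on Windows) is assumed to be done by the caller, so the two buffers below are constructed sample headers and the comparison runs on any OS.

```python
import struct

def parse_pe(buf: bytes) -> dict:
    """Pull out the header fields a RunPE-style image replacement is likely to change."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                     # IMAGE_FILE_HEADER
    machine, nsections, timestamp = struct.unpack_from("<HHI", buf, fh)
    opt_size = struct.unpack_from("<H", buf, fh + 16)[0]  # SizeOfOptionalHeader
    oh = fh + 20                                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", buf, oh)[0]          # 0x10B = PE32, 0x20B = PE32+
    entry = struct.unpack_from("<I", buf, oh + 16)[0]     # AddressOfEntryPoint (RVA)
    size_of_image = struct.unpack_from("<I", buf, oh + 56)[0]
    # ImageBase is deliberately not compared: a relocated module may legitimately differ.
    sections = []
    for i in range(nsections):
        s = oh + opt_size + i * 40                        # IMAGE_SECTION_HEADER entries
        name = buf[s:s + 8].rstrip(b"\0").decode(errors="replace")
        sections.append((name, *struct.unpack_from("<II", buf, s + 8)))  # VirtualSize, VirtualAddress
    return {"machine": machine, "magic": magic, "timestamp": timestamp,
            "entry": entry, "size_of_image": size_of_image, "sections": sections}

def compare_headers(disk: bytes, memory: bytes) -> list:
    """Names of fields that differ between on-disk and in-memory headers; [] means clean."""
    d, m = parse_pe(disk), parse_pe(memory)
    return [k for k in d if d[k] != m[k]]

def build_pe(entry, size_of_image, sections, timestamp=0x5A5A5A5A) -> bytes:
    """Constructed minimal PE32 header used as sample input (not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew -> PE signature
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry)
    struct.pack_into("<I", opt, 56, size_of_image)
    secs = b"".join(struct.pack("<8sII", n.encode(), vs, va) + bytes(24) for n, vs, va in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + secs

# Constructed sample: a trusted process's headers on disk versus after its image was swapped.
DISK = build_pe(0x1000, 0x40000, [(".text", 0x20000, 0x1000), (".data", 0x8000, 0x21000)])
CLEAN_MEMORY = DISK                                       # headers agree -> no alert
HOLLOWED_MEMORY = build_pe(0x3000, 0x10000, [(".text", 0x8000, 0x1000)], timestamp=0x1234)
```

`compare_headers(DISK, CLEAN_MEMORY)` returns `[]`, while `compare_headers(DISK, HOLLOWED_MEMORY)` returns `['timestamp', 'entry', 'size_of_image', 'sections']`, which is the kind of mismatch the tool alerts on.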