Uncover hidden malware with RunPE Detector
Malware uses many tricks to hide its process, and one of the most common is known as RunPE.
Essentially this involves starting a known and trusted process -- Explorer.exe, say -- in a suspended state, replacing its code with the malware’s own, then starting it up. Even running something like Process Explorer won’t reveal any problems unless you look very, very closely.
Phrozen RunPE Detector is a free tool which scans the headers of your processes in memory, and compares them to their disk images. It sounds too simple a technique, but it really does work: if a process has been exploited by RunPE then there should be a difference, and you’ll see an alert.
The program tries to go further by giving you the option to remove whatever malware it detects. It’s good to see the developer has some ambition, but it’s a difficult task, and we wouldn’t rely on it being successful. If you do find a problem, use a full-strength antivirus engine to investigate further.
Phrozen RunPE Detector doesn’t do a great deal. It only detects RunPE-compromised processes, and even then, only if they’re 32-bit (64-bit scanning is apparently coming soon).
Still, RunPE is a common attack type, and as Phrozen RunPE Detector is compact, portable and no-strings free, we’d recommend you grab a copy for your security toolkit.