Phrozen RunPE Detector is designed to detect and defeat some suspicious processes using a generic method.
The RunPE is a very simple and efficient method, most commercial anti-virus heuristic scans detect this trick, but not everybody thinks a good commercial anti-virus solution is money well spent. When you understand the RunPE injection method, you can easily imagine a way to get rid of most of the possible versions by using a Memory PE Headers Scan of each process and comparing the Memory PE Headers to the Process Image Path PE Header version.
Since the Malware PE Header that has hijacked a legitimate process is very different from the legitimate process Image Path PE Header, we could detect the presence of a hijacked process.
RunPE is a technique that is used in several malicious ways. The two most common are:
FWB (Firewall Bypass): As its name suggests, this technique is implemented to bypass or disable the Application Firewall or the Firewall rules. Since most malware needs to connect to a Remote Command-and-Control (C&C) Server, it needs to connect to the Internet via the Firewall. Since most users are connected to the Internet at home, normally the installed Firewall would prevent the malware from connecting to the Internet. Using the RunPE technique to hijack a legitimate process that is authorized to reach the Internet, any malware could subsequently connect to the C&C without being detected by the Firewall.
Malware Packer or Crypter: script kiddies â€“ immature hackers - use a well-known type of malware that is already detected by most anti-virus programs. They then try the obfuscate this malware to evade detection. To achieve this, they need to buy programs such as a Packer or a Crypter. The price depends on its ability to evade anti-virus programs, update intervals, the number of extra functions, etc.
A Crypter will simply obfuscate or conceal the malicious code, and an anti-virus program will fail to detect it. A Packer will add an extra compression step to make the malware smaller. It is then easier to transfer, or it can be virtually invisibly added to a legitimate process. Therefore, it will be harder to detect when it is downloaded to the victim's computer. Here, RunPE is used to unencrypt the malware in memory and to place it into a legitimate process without being written on the disc. More advanced techniques exist for Crypting and Packing malware, but since most creators of Crypters and Packers developed from typical script kiddies that visited the same forums to get a basic knowledge, they all have learned to use the RunPE method.