RunPE Detector: Detect Memory-resident malware, RATs, Backdoors Crypters, Packers
Malware uses a number of tricks to hide its process, and RunPE is one of the common examples. The technique basically involves starting a known and trusted process, such as Explorer.exe, in a suspended state. It then replaces that process's code with the malware's own code and finally resumes it. Tools like Process Explorer may not always succeed in detecting the malicious process. Phrozen RunPE Detector is a free software tool that has been specially designed to detect and defeat suspicious processes like these.
RunPE Detector for Windows
- What it is
Put simply, Phrozen RunPE Detector can be used to detect fileless malware, RATs, Trojans, backdoors, crypters, packers and memory-resident malware on Windows computers. It basically scans the headers of your processes in memory and then compares them to their disk images. The trick might sound too simple to believe, but it does work. If a process has been exploited by RunPE, there should be a difference, and you would see an alert.
- How it works
RunPE Detector detects and defeats hacking attacks that use the RunPE technique to infect your system in either of the following ways:
- Firewall bypass: the technique is used to bypass or disable your firewall or your application firewall rules.
- Malware packer or crypter: the technique is used to unpack or decrypt the malware in memory and place it into a genuine process without ever writing it to disk, where it could be discovered and blocked.
- What it Does
Phrozen RunPE Detector scans the PE header of every process and then compares the PE header in memory to the PE header of the file at the process's image path. According to the developers, this is a very simple and efficient method. Many commercial antivirus programs are capable of performing this kind of scan, but Phrozen's RunPE Detector is a standalone tool for performing such scans manually. The program has been tested against numerous commonly used types of malware, and the detection rates have been highly accurate.
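The header comparison described above, as an added example that is not Phrozen's code: it parses the PE header fields a RunPE swap changes and diffs the on-disk copy against what the process carries in memory. Both headers here are constructed samples; on a Windows host the disk copy would be read from the file at the process's image path and the memory copy from the process's image base (for example with ReadProcessMemory).

```python
import struct

def parse_pe_header(buf: bytes) -> dict:
    """Pull the header fields a RunPE swap changes out of a PE image prefix."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                              # IMAGE_FILE_HEADER (20 bytes)
    machine, nsec, stamp = struct.unpack_from("<HHI", buf, coff)
    opt_size = struct.unpack_from("<H", buf, coff + 16)[0]
    opt = coff + 20                                  # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", buf, opt)[0]
    entry = struct.unpack_from("<I", buf, opt + 16)[0]
    # PE32 keeps a 4-byte ImageBase at +28, PE32+ an 8-byte one at +24.
    base = struct.unpack_from("<I", buf, opt + 28)[0] if magic == 0x10B else struct.unpack_from("<Q", buf, opt + 24)[0]
    size_of_image, _hdrs, checksum = struct.unpack_from("<III", buf, opt + 56)
    sections = []
    for i in range(nsec):                            # 40-byte IMAGE_SECTION_HEADERs
        name, vsize, va, raw = struct.unpack_from("<8sIII", buf, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, raw))
    return {"machine": machine, "timestamp": stamp, "entry_point": entry, "image_base": base,
            "size_of_image": size_of_image, "checksum": checksum, "sections": sections}

def compare_headers(disk: bytes, memory: bytes) -> list:
    """List fields where the in-memory header disagrees with the on-disk image."""
    d, m = parse_pe_header(disk), parse_pe_header(memory)
    # image_base is skipped: an ASLR-relocated process may legitimately differ there.
    return [f"{k}: disk={d[k]!r} memory={m[k]!r}" for k in d if k != "image_base" and d[k] != m[k]]

def build_pe32_header(stamp, entry, size_of_image, checksum, sections) -> bytes:
    """Constructed minimal PE32 header for the demo (not a real binary)."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 16, entry)
    struct.pack_into("<I", opt, 28, 0x400000)
    struct.pack_into("<III", opt, 56, size_of_image, 0x400, checksum)
    secs = b"".join(struct.pack("<8sIII", n.encode(), vs, va, raw) + bytes(20) for n, vs, va, raw in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs

# Constructed sample: the trusted host image as it appears on disk ...
DISK = build_pe32_header(0x5F0A1B2C, 0x1200, 0x6000, 0x1234,
                         [(".text", 0x1800, 0x1000, 0x1800), (".data", 0x400, 0x3000, 0x200)])
# ... and a hollowed process whose memory now carries a different payload's header.
HOLLOWED = build_pe32_header(0x60112233, 0x2F10, 0x9000, 0,
                             [(".text", 0x4000, 0x1000, 0x4000), (".rdata", 0x800, 0x5000, 0x800),
                              (".rsrc", 0x200, 0x7000, 0x200)])
```

`compare_headers(DISK, DISK)` returns an empty list, while `compare_headers(DISK, HOLLOWED)` reports the differing timestamp, entry point, image size, checksum and section table, which is the alert condition the tool raises.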
- Can it be used to remove malware?
The program gives users the option to remove whatever malware it detects, although it is advisable not to rely on it completely. If you do find a problem, investigating with a full-strength antivirus engine would be a good idea. It can be very useful in detecting memory-resident malware such as fileless malware.
- What it does not do
RunPE Detector easily identifies hijacked processes by scanning all the application files in the system and comparing their PE headers to the running processes to detect the point of infection. But it does not identify the host location when the malicious code is loaded by a malware packer or crypter. This is one reason why the Phrozen developers recommend using a commercial antivirus solution to remove the malware.
Final Verdict
Because the RunPE technique is so commonly used with RATs, Trojans, backdoors, crypters and packers, using RunPE Detector is a smart way to ensure that your system is free of the most destructive types of malware.
RunPE is still a common attack type, and Phrozen RunPE Detector is a compact, portable, no-strings-attached free solution. So we would recommend you grab a copy of this security toolkit from www.phrozen.io.
Phrozen RunPE Detector detects RunPE-compromised processes only if they are 32-bit. It is compatible with 64-bit systems but currently cannot scan 64-bit processes; apparently 64-bit scanning is coming soon.