Vista / Win10 / Win7 / Win8 / WinXP
Many RATs use a technique called RunPE, which spawns a legitimate Windows process (e.g. a web browser) and then injects malicious code directly into its memory, tricking the computer into treating the malicious code as a legitimate, safe process.
You can use the tool to detect the presence of a hijacked process in Windows. It can also scan the file system for application files and compare their PE headers with those of the malicious process, potentially finding the source malware.
For now it is limited to scanning 32-bit processes, but it will run on 64-bit Windows. Most malware is still compiled for 32-bit architecture and run on 64-bit systems, so this limit shouldn't impede the program too much.
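The header comparison described above can be sketched as follows. This is an added example, not the tool's own code: it assumes the caller has already obtained the first bytes of the process's main module from memory and the bytes of the executable on disk, and all function names and sample headers are constructed for illustration.

```python
import struct

def pe_fingerprint(image: bytes) -> dict:
    """Extract header fields that should match between disk and memory."""
    try:
        if image[:2] != b"MZ":
            raise ValueError("missing MZ signature")
        (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
        if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        machine, sections, timestamp = struct.unpack_from("<HHI", image, e_lfanew + 4)
        opt = e_lfanew + 24          # optional header follows the 20-byte COFF header
        (magic,) = struct.unpack_from("<H", image, opt)
        (entry,) = struct.unpack_from("<I", image, opt + 16)   # AddressOfEntryPoint
        (size,) = struct.unpack_from("<I", image, opt + 56)    # SizeOfImage
    except struct.error as exc:
        raise ValueError("truncated PE header") from exc
    # ImageBase is deliberately left out: the loader rewrites it when relocating.
    return {"machine": machine, "sections": sections, "timestamp": timestamp,
            "magic": magic, "entry_point": entry, "image_size": size}

def header_mismatches(disk_image: bytes, memory_image: bytes) -> list:
    """Return the names of header fields that differ; an empty list means they agree."""
    on_disk = pe_fingerprint(disk_image)
    try:
        in_memory = pe_fingerprint(memory_image)
    except ValueError:
        return ["invalid_pe_header"]   # wiped or damaged in-memory header
    return [name for name in on_disk if on_disk[name] != in_memory[name]]

def build_sample(timestamp, sections, entry, image_size, image_base=0x400000):
    """Build a constructed 32-bit PE header (headers only, no section data)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, sections, timestamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, entry)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, image_size)
    return dos + b"PE\0\0" + coff + bytes(opt)

# Constructed samples: the file on disk, the same file loaded at another base,
# and a process whose in-memory header belongs to a different executable.
DISK = build_sample(0x5F000000, 4, 0x1000, 0x9000)
RELOCATED = build_sample(0x5F000000, 4, 0x1000, 0x9000, image_base=0x1230000)
HOLLOWED = build_sample(0x61000000, 3, 0x2A40, 0x15000)

if __name__ == "__main__":
    print("relocated:", header_mismatches(DISK, RELOCATED))
    print("hollowed: ", header_mismatches(DISK, HOLLOWED))
```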
phrozen runpe detector malware rat detect hijacked process
¹ License and operating system information is based on the latest version of the software.