Hide process always was a difficult task for the authors of malware and they found many ways to do it. This trick is known as “RunPE“and many times used in the industry of malware, specifically in the RAT (Remote Administration Tools).
In fact, when the malware runs, it selects a victim among the Windows processes (for example, explorer.exe) and runs a new instance in a suspended state. In this state, to modify safely, and malware completely clean it with code, if necessary, expand the memory and copies its own code inside.
Then the malware will do some magic to configure the address of the entry point and base address, and resume the process. After the renewal process shows that it is running from a file that no longer has anything to do with what he actually does.
Get down to business
We need to download Visual Studio 2019. To do this, go to their official website:
After we got the Studio, we have to click on the check mark along with C++. Then go to github and click “Clone Or Download“in order to download the source code of the program:
You then need to download the program
Now run our folder in Visual Studio and go to main.cpp. Paste everything you copied into free space in the code. Once the entire project is loaded, select Release and x64:
Then go to the folder with the project then => bin => release => RunPE => RunPE>exeand if it all started, so we did it right!
Here is an example of how to do it:
As this trick is simple, it is also easy to detect. We can safely assume (except .NET assemblies) that the PE header will be 99% the same in memory and in the disk image process. Knowing this, we can then compare each process, the PE header of the file on the disk image in memory. If the difference is too large, we can safely assume that the process is intercepted.
Soft RogueKiller in version 10.8.3 able to detect the injection of RunPE.
RogueKiller Anti-Malware you can use free for scanning and cleaning. However, the app has additional paid features that provide protection in real-time, a higher level of security and allows you to configure the behavior of the program.
When you run RogueKiller, you can perform a system scan for malware and elements. After verification is complete, the program will show a list of detected problems and offer to fix them.
But with ANTISCAN
As you can see, most antivirus programs are unable to detect this prikolyuha. Thank you all, and good luck!
As a Supplement are making YouTube videos on the subject