RunPE Detector

May 29,2015

Software Description

Phrozen RunPE Detector is a security program, especially designed to detect and defeat some suspicious processes using a generic method.

We at Phrozen Software do things differently, more creatively. So, when we set ourselves the task of creating a novel way of detecting, disabling and removing RATs, we didn't want to take the route every other anti-virus company has done before us.

Phrozen Software studied the behaviour of RATs and discovered that hackers virtually always use a technique called RunPE. This technique spawns a legitimate process – often the default browser or a Microsoft system process – and replace it with a malicious program code directly in memory. Your computer is thus tricked and treats the malicious code as a legitimate process. The user and his anti-virus program have no idea that his default browser is effectively turned into a virus.

RunPE is a technique that is used in several malicious ways. The two most common are :

How does it work?

Basically, the RunPE is a very simple method, but at the same time also very efficient. Yes, most commercial anti-virus heuristic scans detect this trick, but not everybody thinks a good commercial anti-virus solution is money well spent. When you really understand the RunPE injection method, you can easily imagine a way to get rid of most of the possible versions by using a Memory PE Headers Scan of each process and comparing the Memory PE Headers to the Process Image Path PE Header version.

Since the Malware PE Header that has hijacked a legitimate process is very different from the legitimate process Image Path PE Header, we could detect the presence of a hijacked process.

Is it efficient?

Yes. After testing our program against several of the most used types of malware, the detection rate was good. (Against RunPE technique only)

Since many RAT’s (Remote Administration Tools), Trojans, Backdoors Crypters and Packers are using RunPE to hide their suspicious activities, using our tool often is a first good step for making sure your system is clean from most destructive types of malware.

Does it remove the Malware?

Yes it can, but we cannot achieve a good success rate like for the detection process. It is easy to detect a hijacked process by the RunPE injection method, but it is much more difficult to detect what type of malware loaded the attack.

To detect the presence of the malware on the disk we scan for all application files in the file system (.EXE, .COM, .BAT, .SCR, .PIF) and then compare their PE Headers to the malicious running process. If a malicious running process PE Header is similar to the current scanned file then we can assume we have detected the original file of infection.

Since most of the time the injected malicious process file will be located inside a loader (or stub file) used to run the malicious code in memory, RunPE host detection failed often.

To work, the malware loader must load itself to memory using RunPE andnot being Packed or Compressed.

So how to remove if it doesn’t detect the host location?

What to do next?

If RunPE Detector has found malicious programs in your system even if now 100% cleaned you must change all your passwords (bank accounts, browsers, games, applications, etc.). It is entirely possible that the hacker has already stolen all you credentials. Be sure to inform your bank to prevent your bank account being emptied..

Never download programs from unknown sources, be certainly careful when downloading and using cracks or keygens and open them only in a Virtual Machine or a Sandbox (Sandboxie for example).

Buy and keep up-to-date a good anti-virus program.

We recommend Kaspersky or Bitdefender as commercial anti-virus programs and COMODO Internet Security for Firewall.

Important Notice: Never allow anti-virus programs to scan your files in the cloud for privacy reasons. This function should not even exist, so don’t accept!

Does it support 64bit process scanning?

It supports 64bit-systems, but not yet the scanning of 64bit-processes. We are planning to support that in the near future.

Note that nowadays most malware still being compiled in 32bit-architecture, because most hackers feel more comfortable to code it and it still has a higher infection rate.

Since 64bit-machines run 32bit-code there are no imminent reasons for malware developers to code both 64bit and 32bit-code.


Main Application Window
Clean Result
Threat Detected, Scanning File System
Threat Detected
Portable Executable Explorer
Threat Removal Window
Threat Removal Success


Work In Progress

We are glad to see Phrozen Company growing quickly! A new website is under development and is excepted within a month with a beautiful new modern design / awesome freeware and services. Thanks all for trusting us and downloading by million our products <3