This repository has been archived by the owner on Aug 14, 2023. It is now read-only.
Normally, a user-mode process is executed by double-clicking on a file icon. If the process is executed this way, its parent process will be the shell process ("explorer.exe", "cmd.exe", "powershell.exe").
The main idea of the two following methods is:
Compare the PID of the parent process with the PIDs of "explorer.exe", "cmd.exe", "powershell.exe"
Check the parent process's signature (this guards against a parent process that uses a fake name)
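
The two checks modeled over a constructed process snapshot, as an added example (not code from this repository): it shows why the name/PID comparison alone accepts a renamed parent while the signature check rejects it. The `Proc` record, the `TRUSTED_SIGNER` value, the `devtool.exe` name and all PIDs are assumptions made for illustration; on Windows the same fields would come from a process snapshot and a code-signature verification of the parent's image.

```python
from dataclasses import dataclass
from typing import Dict, Optional

SHELL_NAMES = {"explorer.exe", "cmd.exe", "powershell.exe"}  # names from the page
TRUSTED_SIGNER = "Microsoft Windows"  # assumption: signer expected for a real shell


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    signer: Optional[str]  # None = unsigned or signature failed verification


def snapshot_of(*procs: Proc) -> Dict[int, Proc]:
    return {p.pid: p for p in procs}


def classify_parent(snap: Dict[int, Proc], pid: int) -> str:
    """Apply both checks to the parent of `pid` and report the outcome."""
    parent = snap.get(snap[pid].ppid)
    if parent is None:
        # Parent already exited (or its PID is gone): neither check can run.
        return "orphan"
    # Method 1: is the parent PID one of the PIDs of the shell-named processes?
    shell_pids = {p.pid for p in snap.values() if p.name.lower() in SHELL_NAMES}
    if parent.pid not in shell_pids:
        return "other"
    # Method 2: a shell name alone is not proof; require the expected signer.
    if parent.signer != TRUSTED_SIGNER:
        return "spoofed-name"
    return "shell"


# Constructed sample data, not taken from a real system.
SNAP = snapshot_of(
    Proc(4000, 900, "explorer.exe", "Microsoft Windows"),  # genuine shell
    Proc(5000, 4000, "Explorer.exe", None),  # renamed, unsigned binary
    Proc(5100, 4000, "devtool.exe", "Example Vendor"),  # hypothetical debugger
    Proc(6001, 4000, "app.exe", None),
    Proc(6002, 5000, "app.exe", None),
    Proc(6003, 5100, "app.exe", None),
    Proc(6004, 7777, "app.exe", None),  # parent PID not in the snapshot
)

if __name__ == "__main__":
    for pid in (6001, 6002, 6003, 6004):
        print(pid, classify_parent(SNAP, pid))
```

The `orphan` case matters in practice: a parent that has already exited leaves a PID that no longer resolves, so a missing parent is an unknown, not a verdict.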