A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #19441  by CloneRanger
 Tue May 28, 2013 1:33 am
Just seen this posted on Wilders by TyRidian. There is one post on here that mentions it, but nobody seems to have replied? As it looks useful I thought it deserved its own thread :)

PeStudio
PeStudio is a free tool which can be used to perform static analysis of any Windows application and reveals not only Raw-data, but also Indicators of Trust. Executable files analyzed with PeStudio are never started. For this reason, you can analyze suspicious applications with PeStudio with no risk!

http://winitor.com
PeStudio shows details about applications (.exe, .dll, .cpl, ocx, .ax, .sys, etc.) without starting them including:

* All libraries that are used by an application.
* All functions that are imported by an application.
* All functions (also anonymous) that are exported by an application.
* All functions that are forwarded to other libraries.
* Obsolete Functions that are exported and imported by an application.
* Whether the Data Execution Prevention (DEP) Windows security mechanism is used.
* Whether the Address Space Layout Randomization (ASLR) Windows security mechanism is used.
* Whether the Structured Exception Handling (SEH) Windows security mechanism is used.
* Whether some sections are compressed.

http://www.portablefreeware.com/index.php?id=1950
 #19710  by Marc Ochsenmeier
 Fri Jun 21, 2013 8:26 am
@CloneRanger: thank you for creating a thread for PeStudio!

I am the author of PeStudio and would be happy if I could change my username @ KernelMode from julien to Marc Ochsenmeier.
 #19723  by Marc Ochsenmeier
 Sat Jun 22, 2013 10:25 am
PeStudio has been updated:

. Added detection of MPRESS compression
. Added detection of UPX evasion (one or more standard UPX section names changed)
. Added computation of SHA1 of the image analyzed
. Fixed issue with right mouse copy at the UI
 #19801  by Marc Ochsenmeier
 Tue Jun 25, 2013 4:06 pm
PeStudio has been updated:

. Added Handling of Blacklisted imported Functions (API) based on the PeStudioBlackListFunctions.XML (You can edit this file according to your needs and tag any function as being BLACK).
. Detect Directories outside any Section
. Detect unusual construct of Version Information block ("VarFileInfo" preceding "StringFileInfo")
 #19805  by Marc Ochsenmeier
 Tue Jun 25, 2013 5:54 pm
Just got a message about the API detected as blacklist, I thought it might be interesting for others:

The APIs detected as blacklist are the ones you put in the PeStudioBlackListFunctions.xml file which is (in the current implementation) located in the directory of PeStudio.
You can edit this XML file, remove and add items to the list.

Future implementation might support an FTP server.
 #19859  by Marc Ochsenmeier
 Fri Jun 28, 2013 7:21 pm
PeStudio has been updated:

. Added detection of Overlay (extra-data appended to the end of the image)

Feedback is always welcome! Thanks.
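As an added illustration of the kind of static checks discussed in this thread (the DEP/ASLR/SEH flags, compressed sections and library details from the first post, and the UPX-evasion, SHA1 and overlay detections announced in the updates above), here is a small PE header walker. It is example code written for this thread, not PeStudio's code, and it does not reproduce PeStudio's actual heuristics: the entropy threshold for "compressed" and the "UPX!" marker test for renamed UPX sections are assumptions, the `build_sample_pe` helper constructs minimal non-executable PE32 images purely as sample input, and nothing is ever executed.

```python
import hashlib
import math
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF specification (optional header, DllCharacteristics)
DYNAMIC_BASE = 0x0040  # image may be relocated at load time: ASLR opt-in
NX_COMPAT = 0x0100     # image is DEP (NX) compatible
NO_SEH = 0x0400        # image uses no structured exception handlers
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
FILE_ALIGN = 0x200


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def build_sample_pe(sections, dll_characteristics, overlay=b""):
    """Construct a minimal, non-executable PE32 image in memory (constructed sample, not a real binary).
    `sections` is a list of (name, raw_bytes) pairs; `overlay` is appended after the last section."""
    raw_ptr = align_up(0x40 + 4 + 20 + 224 + 40 * len(sections), FILE_ALIGN)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)         # SectionAlignment, FileAlignment
    struct.pack_into("<H", opt, 70, dll_characteristics)
    table, body, va = b"", b"", 0x1000
    for name, raw in sections:
        raw_size = align_up(len(raw), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), va, raw_size,
                             raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(raw_size, b"\0")
        va += align_up(max(len(raw), 1), 0x1000)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return headers.ljust(raw_ptr, b"\0") + body + overlay


def entropy(blob):
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniformly distributed data)."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    return -sum(c / len(blob) * math.log2(c / len(blob)) for c in counts if c)


def analyze_pe(data):
    """Static indicators computed from headers and raw bytes only; the image is never started."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]    # DllCharacteristics: same offset in PE32 and PE32+
    sec_table = opt + opt_size
    sections, end_of_data = [], sec_table + 40 * nsec
    for i in range(nsec):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, sec_table + 40 * i)
        name, vsize, raw_size, raw_ptr = fields[0].rstrip(b"\0"), fields[1], fields[3], fields[4]
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": round(entropy(raw), 2), "upx_marker": b"UPX!" in raw})
        end_of_data = max(end_of_data, raw_ptr + raw_size)
    names = {s["name"] for s in sections}
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "dep": bool(dll_chars & NX_COMPAT),
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "seh": not (dll_chars & NO_SEH),
        # heuristic (assumption): near-random bytes usually mean a compressed or packed section
        "compressed_sections": [s["name"] for s in sections if s["entropy"] > 7.0],
        "upx_sections": sorted(names & UPX_SECTION_NAMES),
        # heuristic (assumption): UPX's "UPX!" marker present while the standard section names are gone
        "upx_evasion": any(s["upx_marker"] for s in sections) and not (names & UPX_SECTION_NAMES),
        "overlay_size": max(0, len(data) - end_of_data),   # bytes past the end of the last section's raw data
        "sections": sections,
    }


# Constructed samples: bytes(range(256)) repeated stands in for packed data (entropy 8.0 before padding).
PACKED = bytes(range(256)) * 16
CLEAN = build_sample_pe([(b".text", b"\x90" * 64 + b"\xC3")], NX_COMPAT | DYNAMIC_BASE)
UPX_PLAIN = build_sample_pe([(b"UPX0", b""), (b"UPX1", b"UPX!" + PACKED)], 0)
UPX_RENAMED = build_sample_pe([(b".text", b""), (b".data", b"UPX!" + PACKED)], 0, overlay=b"X" * 16)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("upx", UPX_PLAIN), ("renamed-upx", UPX_RENAMED)):
        report = analyze_pe(image)
        print(label, {k: v for k, v in report.items() if k != "sections"})
```

The renamed-UPX sample is what the "UPX evasion" update is about: the section names no longer say UPX, but the packed data (here the "UPX!" marker and the high entropy) still gives it away, and the 16 trailing bytes show up as an overlay because they lie past the end of every section's raw data. Real files need more care than this walker takes (malformed headers, sections with raw pointers past end of file), which is exactly why a dedicated tool is useful.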
 #19935  by Marc Ochsenmeier
 Wed Jul 03, 2013 3:59 pm
PeStudio has been updated:

. Enhanced detection of fake UPX
. Extended Blacklist of Functions
. Fixed a bug when handling exported functions
. Show Section:Offset Addresses where exports, imports and strings are located
 #19958  by CloneRanger
 Fri Jul 05, 2013 1:55 am
Hi, pleasure ;)

Keep up the good work !
 #19979  by bantempmail
 Fri Jul 05, 2013 4:46 pm
What's wrong with all the PE editor writers? peid, lordpe, die, cff, this one...
Make the windows resizable. Remember them, also size and placement.
Make them non-child (I forget the proper term, like when peid beeps when you try to open the section viewer and PE details). PeStudio won't let you look at file header and optional header at the same time.
I sit in front of two 27 inch LCDs. They want to be used...