[CloneRanger]

Just seen this posted on Wilders by TyRidian. There is one post on here that mentions it, but nobody seems to have replied ? As it looks useful i thought it deserved it's own thread :)

PeStudio

PeStudio is a free tool which can be used to perform static analysis of any Windows application and reveals not only Raw-data, but also Indicators of Trust. Executable files analyzed with PeStudio are never started. For this reason, you can analyze suspicious applications with PeStudio with no risk!

http://winitor.com

PeStudio shows details about applications (.exe, .dll, .cpl, ocx, .ax, .sys, etc.) without starting them including:

* All libraries that are used by an application.
* All functions that are imported by an application.
* All functions (also anonymous) that are exported by an application.
* All functions that are forwarded to other libraries.
* Obsolete Functions that are exported and imported by an application.
* Whether the Data Execution Prevention (DEP) Windows security mechanism is used.
* Whether the Address Space Layout Randomization (ASLR) Windows security mechanism is used.
* Whether Structured Exception Handling - SEH Windows security mechanism is used.
* Whether some sections are compressed.

http://www.portablefreeware.com/index.php?id=1950

[Marc Ochsenmeier]

@CloneRanger: thank you for creating a thread for PeStudio!

I am the author of PeStudio and would be happy If I could change my username @ KernelMode from julien to Marc Ochsenmeier.

[Marc Ochsenmeier]

PeStudio has been updated:

. Added detection of MPRESS compression
. Added detection of UPX evasion (one or more standard UPX section names changed)
. Added computation of SHA1 of the image analyzed
. fixed issue with right mouse copy at the UI

[Marc Ochsenmeier]

PeStudio has been updated:

. Added Handling of Blacklisted imported Functions (API) based on the PeStudioBlackListFunctions.XML (You can edit this
file according to your needs and tag any function as being BLACK).
. Detect Directories outside any Section
. Detect unusual contruct of Version Information block ("VarFileInfo" preceeding "StringFileInfo")

[Marc Ochsenmeier]

Just got a message about the API detected as blacklist, I thought it might be interesting for others:

The APIs detected as blacklist are the ones you put in the PeStudioBlackListFunctions.xml file which is (in the current implementation) located in the directory of PeStudio.
You can edit this XML file, remove and add items to the list.

Future implementation might support an FTP server.

[Marc Ochsenmeier]

PeStudio has been updated:

. Added detection of Overlay (extra-data appended to the end of the image)

Feedback is always welcome! Thanks.

[Marc Ochsenmeier]

PeStudio has been updated:

. Enhanced detection of fake UPX
. Extented Blacklist of Functions
. Fixed a bug when handling exported functions
. Show Section:Offset Addresses where exports, imports and strings are located in

[CloneRanger]

Hi, pleasure ;)

Keep up the good work !

[Xylitol]

I crashed it after intensive use

[bantempmail]

Whats wrong with all the PE editor writers? peid, lordpe, die, cff, this one...
Make the windows resizable. Remember them, also size and placement.
Make them non-child (I forget the proper term, like when peid beeps when you try to open the section viewer and pe details) . PeStudio wont let you look at file header and optional header at the same time.
I sit in front of two 27 inch LCDs. They want to be used...