
PeStudio 8.63

PeStudio 8.63 released August 21, 2017

 

PeStudio implements a rich set of features designed to retrieve every detail of an executable file. Results are checked against the Microsoft specification. Additionally, the content of the file being analyzed is checked against several white and black lists and thresholds.

 

 

PeStudio shows details about applications and other system files (.exe, .dll, .cpl, .ocx, .ax, .sys etc.) without starting them, including:
  - Libraries that are used by an application
  - Functions that are imported by an application
  - Functions (also anonymous) that are exported by an application
  - All functions that are forwarded to other libraries
  - Obsolete functions that are exported and imported by an application
  - Whether the Windows security mechanism Data Execution Prevention (DEP) is used
  - Whether the Windows security mechanism Address Space Layout Randomization (ASLR) is used
  - Whether the Windows security mechanism Structured Exception Handling (SEH) is used
  - Whether some sections are compressed
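
The DEP, ASLR and SEH items above can be read from the DllCharacteristics field of the PE optional header without running the file. The following is an added example, not PeStudio's own code (the page does not show how PeStudio implements these checks); the function names and the constructed sample header are hypothetical, and the bit values are the documented IMAGE_DLLCHARACTERISTICS_* constants.

```python
import struct

# Documented IMAGE_DLLCHARACTERISTICS_* bits (Microsoft PE/COFF specification).
DYNAMIC_BASE = 0x0040   # image can be relocated at load time (ASLR)
NX_COMPAT = 0x0100      # image is compatible with DEP
NO_SEH = 0x0400         # image declares that it uses no structured exception handling


def mitigation_flags(data: bytes) -> dict:
    """Report ASLR/DEP/SEH settings from the PE headers; the file is never executed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)   # SizeOfOptionalHeader
    opt_off = pe_off + 24                                       # signature (4) + COFF header (20)
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    if opt_size < 72 or opt_off + 72 > len(data):
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    (chars,) = struct.unpack_from("<H", data, opt_off + 70)
    return {
        "format": "PE32" if magic == 0x10B else "PE32+",
        "aslr": bool(chars & DYNAMIC_BASE),
        "dep": bool(chars & NX_COMPAT),
        "seh": not (chars & NO_SEH),   # NO_SEH clear: image may use SEH
    }


def build_sample(dll_characteristics: int, magic: int = 0x20B) -> bytes:
    """Constructed header-only image for the demo; not a loadable program."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # PE header follows DOS header
    machine = 0x8664 if magic == 0x20B else 0x014C              # AMD64 or i386
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(mitigation_flags(build_sample(DYNAMIC_BASE | NX_COMPAT)))
    print(mitigation_flags(build_sample(NO_SEH, magic=0x10B)))
```

To inspect a real file, pass the bytes read from it to `mitigation_flags` instead of the constructed sample.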

 

PeStudio runs from the Graphical User Interface (GUI) as well as from the command prompt (CLI). Running pestudio from the prompt offers the possibility to analyze executable files and to create the associated XML output files in batch mode.

PeStudio is used by many Computer Emergency Response Teams (CERT) worldwide to perform malware initial assessments. Malicious software often attempts to hide its intent in order to evade early detection and static analysis. In doing so, it often leaves suspicious patterns, unexpected metadata, anomalies and other indicators.
The goal of PeStudio is to spot these artifacts in order to ease and accelerate Malware Initial Assessment. The tool uses a powerful parser and a flexible set of configuration files that are used to detect various types of indicators and determine thresholds. Since the file being analyzed is never started, you can inspect unknown or malicious executable files, trojans and ransomware without any risk of infection.
PeStudio can query the antivirus engines hosted by VirusTotal for the file being analyzed. This feature only sends the MD5 of the file being analyzed, and it can be switched ON or OFF using an included XML file.

 

What's new in v. 8.63:

• Added detection of whitelist (well-known) strings
• Added detection of deprecated functions
• Added detection of undocumented functions
• Consolidated indicators

 

OS: Win 10; 8-8.1; 7; Vista; XP

 

Home: http://www.winitor.com/

 

Download: https://www.winitor.com/tools/pestudio/current/pestudio.zip

 

Info about PeStudio Pro: https://www.winitor.com/tools/pestudio/current/pestudio-licensing.pdf

 

 

