PeStudio makes it possible to analyse and validate any 32-bit or 64-bit program (*.exe, *.dll, *.cpl, *.ocx, *.ax, *.sys, ...) WITHOUT having to run it!
PeStudio runs on 32- and 64-bit Windows and shows you, for example:
* all libraries that an application depends on
* all functions that an application imports
* all functions (including anonymous ones) that an application exports
* all functions that are forwarded to other libraries
* all obsolete functions that are exported and imported
* whether the Data Execution Prevention (DEP) Windows protection mechanism is used
* whether the Address Space Layout Randomization (ASLR) Windows protection mechanism is used
* whether the Structured Exception Handling (SEH) Windows mechanism is used
* whether sections are compressed
* whether an application is 64-bit capable
* whether an application contains IL code
* which execution level an application will request
* and much more...
PEStudio is a small portable application for inspecting executable files.
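Several of the checks listed above (DEP, ASLR, SEH, 64-bit capability, IL code) are answered purely from the PE headers, which is why the file never has to be started. The following stdlib-only Python script is an added example, not code from PeStudio or its PeParser library: it reads the COFF and optional headers of an image in memory, reports the relevant flags, and includes a builder for constructed header-only PE inputs so it runs without a real binary. The flag and offset values are those of the PE/COFF specification; the execution level (which lives in the manifest resource) and section compression (which needs an entropy heuristic) are deliberately out of scope.

```python
import struct
import sys

# Flag values from the PE/COFF specification (IMAGE_FILE_* and IMAGE_DLLCHARACTERISTICS_*)
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_DLL = 0x2000
DLLCHAR_HIGH_ENTROPY_VA = 0x0020
DLLCHAR_DYNAMIC_BASE = 0x0040
DLLCHAR_NX_COMPAT = 0x0100
DLLCHAR_NO_SEH = 0x0400
DLLCHAR_GUARD_CF = 0x4000
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-empty means managed (IL) code


def inspect_pe(data: bytes) -> dict:
    """Report mitigation flags of a PE image from its headers alone.

    Only bytes are read; nothing is mapped or executed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")

    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if len(data) < opt + opt_size:
        raise ValueError("truncated optional header")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32
        is_64, ndirs_off = False, opt + 92
    elif magic == 0x20B:        # PE32+
        is_64, ndirs_off = True, opt + 108
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]

    clr_present = False
    if ndirs > CLR_DIRECTORY_INDEX:
        rva, size = struct.unpack_from("<II", data, ndirs_off + 4 + 8 * CLR_DIRECTORY_INDEX)
        clr_present = rva != 0 and size != 0

    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    dynamic_base = bool(dll_chars & DLLCHAR_DYNAMIC_BASE)
    return {
        "machine": MACHINE_NAMES.get(machine, f"{machine:#06x}"),
        "is_64bit": is_64,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "sections": nsections,
        "dep": bool(dll_chars & DLLCHAR_NX_COMPAT),
        # DYNAMIC_BASE alone is not enough: with relocations stripped the loader cannot move the image
        "aslr": dynamic_base and not relocs_stripped,
        "aslr_flag_but_relocs_stripped": dynamic_base and relocs_stripped,
        "high_entropy_va": is_64 and bool(dll_chars & DLLCHAR_HIGH_ENTROPY_VA),
        "seh": not bool(dll_chars & DLLCHAR_NO_SEH),
        "cfg": bool(dll_chars & DLLCHAR_GUARD_CF),
        "managed_il": clr_present,
    }


def build_minimal_pe(*, pe32plus: bool, machine: int, dll_characteristics: int,
                     file_characteristics: int = 0, clr_header: bool = False) -> bytes:
    """Construct a header-only PE image for testing (constructed input, not a real binary)."""
    opt_size = 240 if pe32plus else 224
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature directly after the DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, file_characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    ndirs_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, ndirs_off, 16)
    if clr_header:
        # Fake RVA/size for the CLR runtime header; only its presence is checked
        struct.pack_into("<II", opt, ndirs_off + 4 + 8 * CLR_DIRECTORY_INDEX, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:  # inspect a real file given on the command line
            print(inspect_pe(fh.read()))
    else:
        # x86 EXE claiming DEP+ASLR but with relocations stripped: ASLR is not effective
        legacy = build_minimal_pe(pe32plus=False, machine=0x14C,
                                  dll_characteristics=DLLCHAR_NX_COMPAT | DLLCHAR_DYNAMIC_BASE,
                                  file_characteristics=IMAGE_FILE_RELOCS_STRIPPED)
        # x64 managed DLL with the full set of modern mitigations
        modern = build_minimal_pe(pe32plus=True, machine=0x8664,
                                  dll_characteristics=0x4560,
                                  file_characteristics=IMAGE_FILE_DLL, clr_header=True)
        for sample in (legacy, modern):
            print(inspect_pe(sample))
```

Run it with a path to any local executable to see the same fields for a real image; without arguments it inspects the two constructed samples. The "aslr_flag_but_relocs_stripped" field is the kind of contradiction a header-only tool can surface: the image asks for a random base but ships no relocation table, so the request cannot be honoured.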
* Version 3.66
. Show presence of Embedded Compressed HTML files in Resources
. Show presence of Embedded Executables files in Resources
. Show Resources instances and their characteristics
. Show MD5 footprint
The webmaster of winitor.com wrote: Version 3.67 - updated: 01. May 2012 [sic!]
The author of ChangeLog.txt in the downloadable ZIP file wrote: Fixed a bug when handling resources of encrypted/compressed files
Show presence of Embedded Type Library files in Resources
Show presence of Embedded Registry files in Resources
* Version 3.69
. Added detection of "Resources Only" images
. Added detection of Borland compiler
. Show presence of Delphi Turbo Pascal Filers (TPF) in Resources
You can download PeStudio (Version 3.69 - updated: 08. May 2012) as a ZIP file for free. http://www.winitor.com/tools/PeStudio369.zip
PeStudio is based on our own library PeParser which is also part of the package.
Version 6.00
. Added Indicator "The image file contains %i unused Bytes (Caves)"
. Added Indicator "The image Name has been Changed"
. Added Indicator "The image original name was %s"
. Added Indicator "The image contains %i bytes of Code"
. Added Indicator "The image contains %i embedded Visual Stylesheet XML Items(s)"
. Added Indicator "The image contains %i Custom Resource Item(s)"
. Added Indicator "The image contains %i Built-in Resources Item(s)"
Version 6.91
. All lists support right-click context menu
. Added ordering by number in all lists
. Added size in Strings List
Version 6.90
. Severity flags (red, yellow color for the UI Indicators) are now read from PeStudioIndicators.XML
. Added support for Sorting by Color for Indicators
. Added support for sorting by Text for lists
. Added detection of PKZIP, PKLITE, PKSFX and JAR Embedded in Resources
. Added new items to PeStudioFunctionsDeprecated.XML file and simplified its format
. Added Indicators for any Directory (e.g. Import Directory) located outside Sections
. Added detection of RTF Embedded in Resources
. Simplified format of PeStudioIndicators.XML
. Changed many Indicators (e.g. Resources, Directories, MachineTarget) to more generic Indicators
. Ignore SEH for managed code
. Added additional Hints about suspicious size of the Version Resource (some malware places custom streams in standard Windows Resources)
. Added additional Hints about Invalid Directories as Indicator and at the UI
. Extended handling to handle Ollybugs images
Version 7.84
. Better detection of hard-coded IP Addresses
. Added <HideImportedFunctionNames> Tag in PeStudioBlackListStrings.xml to hide the strings that are Imported Libraries (with the goal to concentrate on strings that really matter)
Version 7.83
. Extended PeStudioBlackListFunctions.xml
. Added <HideImportedLibraryNames> Tag in PeStudioBlackListStrings.xml to hide the strings that are Imported Libraries (with the goal to concentrate on strings that really matter)
Version 7.82
. Consolidated Indicators about blacklisted Resources Languages
. Show the Resources Tree leaf in Red when a Resource Language has been detected as Blacklisted
Version 7.81
. Added PeStudioBlackLanguages.XML to support detection of Resources Blacklisted Languages
Version 7.90
. Extended detection of fake and missing fields in the File Version Information block
. Show more fields of Version Information block
. Added new Indicators
Version 7.89
. Extended detection of anomalies of File Version Information fields
Version 7.88
. Added detection of signature for the Resources
. Added Detection of discrepancy between Image Name and Manifest <AssemblyIdentity> and <description> (Hint of reuse of other Manifest)
. Added Detection of misspelling of the "VarFileInfo" internal tag of the Version Information (Hint to Evasion)
. Map Version Translation Information to user friendly string
. Show Version Translation Information Blacklisted Languages
. Extended PeStudioOrdinals.xml to Resolve SNMP functions imported by Ordinals back to their original names
Version 8.00
. Fixed a crash when disabling VirusTotal query
. Show the Signature of the files Embedded in the Custom Resources
Version 7.99
. Added Min/Max Threshold checks on HTML Resource size and Extended PeStudioThresholds.xml
. Extended PeStudioIndicators.xml
. Extended PeStudioOrdinals.xml
. Extended Features detection
. Extended Blacklisting
. Extended detection of embedded IP Addresses
Version 8.04
. Added Feature detection of Regular Expressions (Regex)
. Added Feature detection of Service Control Manager (SCM)
Version 8.03
. Added "Anomalies" Indicators.
. Added detection of fake Microsoft executables
. Extended "Features"
Version 8.02
. Added PeStudioFeatures.xml
. Added "Features" as part of the "Indicators". Features translates the APIs, and other data into "Features" of the executable being analysed (e.g. The API "FindFirstUrlCacheEntry()" is translated as "The image accesses the IE Protected Storage" Feature).