Here’s quite a remarkable little tool for experienced PC users to add to their arsenal of security weapons. It’s a free application called PeStudio and lets you really take a look at a file before you use it. It’s a way to learn a lot about a program before you install it. With this utility, you can dissect a file in many different ways.
PeStudio is portable and its actions do not change anything on your computer. The file being analyzed is never opened. The developer’s site is at this link. The download is a zipped file of 560 KB. The program has been around for a while and the current version is 8.05. It is said to work in all current versions of Windows. I tried it out in Windows 8, 64-bit. Although the program is portable, it should be unzipped to its own folder since it uses a number of XML files that come with it. The interface is very easy to use, just drag and drop a file on it. The information it provides will probably overwhelm many average PC users so this tool is primarily for those who are technically oriented.
File types that are analyzed include .exe, .dll, .cpl, ocx, .ax, .sys. The categories of information that are given include:
- All libraries that are used by an application
- All functions that are imported by an application
- All functions that are exported by an application
- All functions that are forwarded to other libraries
- Whether Data Execution Prevention (DEP) is used
- Whether Address Space Layout Randomization (ASLR) is used
- Whether Structured Exception Handling (SEH) is used
PeStudio can also obtain a report about a file from VirusTotal. This feature can be switched on or off using an XML file included with PeStudio.
A download link is on the developer’s site. It is also available at several major download sites.
If you are concerned that this type of tool may have hidden or undesirable functions, you can read the favorable comments at Wilder’s Security Forum. The program’s developer, Marc Ochsenmeier, participates in the forum. Also, the application is listed in Gizmo's main Best Free Security List.
Get your own favorite tip published! Know a neat tech tip or trick? Then why not have it published here and receive full credit? Click here to tell us your tip.
This tips section is maintained by Vic Laurie. Vic runs several websites with Windows how-to's, guides, and tutorials, including a site for learning about Windows and the Internet and another with Windows 7 tips.
Click here for more items like this. Better still, get Tech Tips delivered via your RSS feeder or alternatively, have the RSS feed sent as email direct to your in-box.
We are looking for people with skills or interest in the following areas:
Comments
Does this program have an instructional manual or other site to understand how to best use this?
I have checked the installation setup executable of a known good program SuperAntispyware Free yet it leaves some question (probably false) that this program may be suspicious.
Among the results in the main page are:
For File Description,SUPERAntiSpyware Free Edition Setup
{MD5,827378ED339546918FB893C41A72FF01}
Under "Indicators" 16/28 are "redflagged.
The image contains 86 Blacklisted Strings
The image imports 5 Library(s) detected as Blacklisted
The image imports 108 Blacklisted Functions (API)
The image Imports 4 Anonymous Symbol(s)
The ACTUAL program application executable 'red flags' the below among others:
MD5,6C12BD722FFC94584348DD34F4059FC5
The image contains 189 Blacklisted Strings
The image imports 11 Library(s) detected as Blacklisted
The image imports 175 Blacklisted Functions (API)
Also, under "Imported Libraries 11/20" which were blacklisted:
When a red highlighted (blacklisted) [*.dll] file was automatically sent to VirusTotal nothing could be found. I did not think that VirusTotal would scan a *.dll file; this should be sent to another site for analysis; program needs to be fixed in this regard.
There needs to be better guidance on how to use and interpret this program. Any references?
Vic, thank you for this post.
I am sorry to be nitpicking but this forum is read by some people that are not geeks; they mostly have limited or no knowledge of technical intricacies but are here to search for advice and information. I believe we need to be very careful to express ourselves correctly.
You write "The file being analyzed is never opened"; that is impossible. It most certainly must be opened to be read and to analyze it's content.
You certainly meant "is never executed" or in layman's terms "never run".
Thanks for your patient indulgence of my rambling.
He sneaked in some updates while you weren't looking - V 8.05 now.
I tried this and it seemed to indicate that two out of the three exe files had a Trojan. Scanned the files with three different AV scanners all which showed no trojans present. Not too sure about this.
Hi. When the files scanned with PeStudio, the Virus Totals showed trojans, AdWare.Win32.Popupguide!O and PAK_Generic.001. There is no help file with this, so I took it to be that it reports a trojan/virus if it finds one. If I'm wrong I stand corrected.
Thanks alot,looks good