Want to Join Us ?

you'll be able to discuss, share and send private messages.

NEW PEStudio v8.46 Released

Discussion in 'Tools of the Trade.' started by storm shadow, Feb 28, 2015.

Share This Page

  1. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    PEStudio is a unique tool that performs the static investigation of 32-bit and 64-bit executable. PEStudio is free for private non-commercial use only.

    Malicious executable often attempts to hide its malicious behavior and to evade detection. In doing so, it generally presents anomalies and suspicious patterns. The goal of PEStudio is to detect these anomalies, provide Indicators and score the Trust for the executable being analyzed. Since the executable file being analyzed is never started, you can inspect any unknown or malicious executable with no risk.

    Changelog v8.46

    • Added new thresholds
    • Extended detection
    • Fixed a crash with malformed files
    • Corrected duplicates during collection of functions statistics
    Changelog 8.30 to 8.45
    • Added Virustotal aging and submission date
    • Extended Languages detection and mapping
    • Added PeID Signature detection of Executable embedded in Resources
    • Added PeID Signature detection of Executable embedded in Overlay
    • Added XML-based detection of PeID Signatures
    • Added XML-based detection of OIDs
    • Added XML-based detection of useragent
    • Extented blacklists
    • Added detection of references to Firefox API
    • Added MD5 Blacklist for a file and its Resources
    • Extended detection of Overlay
    • Extended validation of Sections
    • Resolve OpenSSL ordinals API to User friendly names
    • Added Blacklist of MD5 dedicated to the Overlay
    • Extended detection of files embedded in Resources
    • Added detection of Regular Expressions and Threshold
    • Cache Virustotal scores when Internet connection drops
    • Small cosmetic issues
    • Added Indicators and Thresholds
    • Fixed a bug when handling the imports of some images
    • Added more Indicators and Thresholds
    • Added Functions Groups classification
    • Resources with unknown Signature and containing only text are now tagged as Text
    • Fixed a bug when handling the Characteristics of the FileHeader
    • Added MD5, SHA1 and Virustotal Score for Overlay
    • Fixed a bug when handling the <PreferedVirustotalEngine>
    • Fixed a bug when handling the virustotal Engines
    • Added Thresholds for DOS Stub and Header size
    • Added Thresholds for Blacklisted Imported Libs and Blacklisted functions number
    • Added Thresholds for Blacklisted Strings count
    • Added Thresholds for Blacklisted Exported Functions count
    • Added XML Threshold of number of Antivirus detecting the image as infected
    • Extended Imported Symbols View
    • Extended Indicators
    • Added XML Thresholds for several values
    • Added XML “prefered” Antivirus Engine Name
    • Added XML Threshold on Libraries count
    • Added support for White listing of Libraries per name in PeStudioWhiteListLibraries.xml
    • Fixed a bug in the collection of libraries
    • Extended Sections View
    • Extended Blacklists
    • Extended detection
    • Extended the XML report resulting of the analysis
    • Fixed update of Virustotal Lookup
    • Fixed Ordinal to Name mapping for 64bit images
    • Images analysed are now parsed in separated Thread
    • Extended detection of Overlay
    • Added Thresholds for Image Size
    • Added Thresholds for Certificate Size
    • Added Default Threshold for Resources
    • Fixed a crash when analysing some 64bit files
    • Extended Blacklisted Libraries and Functions
    • Extended detection of embedded Registry items
    • Added Threshold (PeStudioThresholds.xml) for DateTimeStamp
    • Added Threshold (PeStudioThresholds.xml) for Debug Age
    • Detect access to Group Policy
    • Consolidated Libraries and Functions Blacklisting
    • Extended the detection of privileged APIs
    • Begin detection of Functions requiring Access Rights (privileges) to be set
    • Extended Thresholds detection
    • Fixed a bug when handling 64bit Images
    • Added detection of bound Libraries
    • Detect Clipboard Chain hooking
    • Extended Blacklist of API
    • Extended detection of Undocumented API

    • Indicators: PEStudio shows Indicators as a human-friendly result of the analysed image. Indicators are grouped into categories according to their severity. Indicators show the potential and the anomalies of the application being analysed.
    • Virus Detection: PEStudio can query Antivirus engines hosted by Virustotal for the file being analysed. This feature only sends the MD5 of the file being analysed.
    • Imports: Even a suspicious binary or malware file must interact with the operating system in order to perform its activity. For this to be possible, a certain amount of libraries must be used. PEStudio retrieves the libraries and the functions used by the image.
    • Resources: Executable files typically not only contain code but also many kinds of data types. Resources sections are commonly used to host different Windows built-in items (e.g. icons, strings, dialogs, menus) and custom data.
    • Report: The goal of PEStudio is to allow investigators to analyse unknown and suspicious executable files. For this purpose, PEStudio can also produce an XML Output Report file documenting the executable file being analysed.
    • Prompt: The package you can download not only contains PEStudio running as Graphical User Interface (GUI), but it also contains a Command Line Interface (CLI) version of PEStudio.
    • Interface: Considering the general software architecture, PEStudio is a consumer of a set of private interfaces provided by the underlying layer. The underlying layer is called PeParser, which is the engine performing the parsing of the Executable files being analysed.
    More Information: here
  2. roocoon

    Active Member

    I guess this is a good enough place to post a question about this utlity.
    I'm using v8.54 (free version) in Win7 SP1 x64 by the way.

    Everything works fine except in two cases:

    1) Open up two copies of PEStudio to look at and compare two different files.
    Extremely slow (in my also slow laptop) to populate its panels and CPU staying fully busy until I shut down the program.

    2) If I modify the Import Table of any DLL (I tried x64 ones), it shows garbage (and wrong number of entries) for the original imports, and only shows the added entry properly. Both Impors and Libraries are wrong in a similar way.
    I'd think it has to do with a mistake on my part, except that all other tools I tried, show the proper information. And the DLLs work fine too.
    Is PEBear buggy in this aspect or it expects something that others (and Windows) ignore?

    In case it's the way I add the DLL, maybe you can suggest a better one.
    I use either CFF Exporer alone or in combination with PE-Bear.

  3. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    I will try asking the dev on twitter, he usally is very helpfull.
    roocoon and Rip Cord like this.