PEStudio v8.46 Released
PEStudio is a unique tool that performs the static investigation of 32-bit and 64-bit executable. PEStudio is free for private non-commercial use only.
Malicious executable often attempts to hide its malicious behavior and to evade detection. In doing so, it generally presents anomalies and suspicious patterns. The goal of PEStudio is to detect these anomalies, provide Indicators and score the Trust for the executable being analyzed. Since the executable file being analyzed is never started, you can inspect any unknown or malicious executable with no risk.
Changelog v8.46
- Added new thresholds
- Extended detection
- Fixed a crash with malformed files
- Corrected duplicates during collection of functions statistics
Changelog 8.30 to 8.45
- Added Virustotal aging and submission date
- Extended Languages detection and mapping
- Added PeID Signature detection of Executable embedded in Resources
- Added PeID Signature detection of Executable embedded in Overlay
- Added XML-based detection of PeID Signatures
- Added XML-based detection of OIDs
- Added XML-based detection of useragent
- Extented blacklists
- Added detection of references to Firefox API
- Added MD5 Blacklist for a file and its Resources
- Extended detection of Overlay
- Extended validation of Sections
- Resolve OpenSSL ordinals API to User friendly names
- Added Blacklist of MD5 dedicated to the Overlay
- Extended detection of files embedded in Resources
- Added detection of Regular Expressions and Threshold
- Cache Virustotal scores when Internet connection drops
- Small cosmetic issues
- Added Indicators and Thresholds
- Fixed a bug when handling the imports of some images
- Added more Indicators and Thresholds
- Added Functions Groups classification
- Resources with unknown Signature and containing only text are now tagged as Text
- Fixed a bug when handling the Characteristics of the FileHeader
- Added MD5, SHA1 and Virustotal Score for Overlay
- Fixed a bug when handling the <PreferedVirustotalEngine>
- Fixed a bug when handling the virustotal Engines
- Added Thresholds for DOS Stub and Header size
- Added Thresholds for Blacklisted Imported Libs and Blacklisted functions number
- Added Thresholds for Blacklisted Strings count
- Added Thresholds for Blacklisted Exported Functions count
- Added XML Threshold of number of Antivirus detecting the image as infected
- Extended Imported Symbols View
- Extended Indicators
- Added XML Thresholds for several values
- Added XML “prefered” Antivirus Engine Name
- Added XML Threshold on Libraries count
- Added support for White listing of Libraries per name in PeStudioWhiteListLibraries.xml
- Fixed a bug in the collection of libraries
- Extended Sections View
- Extended Blacklists
- Extended detection
- Extended the XML report resulting of the analysis
- Fixed update of Virustotal Lookup
- Fixed Ordinal to Name mapping for 64bit images
- Images analysed are now parsed in separated Thread
- Extended detection of Overlay
- Added Thresholds for Image Size
- Added Thresholds for Certificate Size
- Added Default Threshold for Resources
- Fixed a crash when analysing some 64bit files
- Extended Blacklisted Libraries and Functions
- Extended detection of embedded Registry items
- Added Threshold (PeStudioThresholds.xml) for DateTimeStamp
- Added Threshold (PeStudioThresholds.xml) for Debug Age
- Detect access to Group Policy
- Consolidated Libraries and Functions Blacklisting
- Extended the detection of privileged APIs
- Begin detection of Functions requiring Access Rights (privileges) to be set
- Extended Thresholds detection
- Fixed a bug when handling 64bit Images
- Added detection of bound Libraries
- Detect Clipboard Chain hooking
- Extended Blacklist of API
- Extended detection of Undocumented API
Features
- Indicators: PEStudio shows Indicators as a human-friendly result of the analysed image. Indicators are grouped into categories according to their severity. Indicators show the potential and the anomalies of the application being analysed.
- Virus Detection: PEStudio can query Antivirus engines hosted by Virustotal for the file being analysed. This feature only sends the MD5 of the file being analysed.
- Imports: Even a suspicious binary or malware file must interact with the operating system in order to perform its activity. For this to be possible, a certain amount of libraries must be used. PEStudio retrieves the libraries and the functions used by the image.
- Resources: Executable files typically not only contain code but also many kinds of data types. Resources sections are commonly used to host different Windows built-in items (e.g. icons, strings, dialogs, menus) and custom data.
- Report: The goal of PEStudio is to allow investigators to analyse unknown and suspicious executable files. For this purpose, PEStudio can also produce an XML Output Report file documenting the executable file being analysed.
- Prompt: The package you can download not only contains PEStudio running as Graphical User Interface (GUI), but it also contains a Command Line Interface (CLI) version of PEStudio.
- Interface: Considering the general software architecture, PEStudio is a consumer of a set of private interfaces provided by the underlying layer. The underlying layer is called PeParser, which is the engine performing the parsing of the Executable files being analysed.
More Information: here
[button size=large style=round color=red align=none url=http://winitor.com/tools/PeStudio846.zip]Download PEStudio v8.46[/button]
Thanks to Marc Ochsenmeier for sharing this tool with us. 😉
