PEStudio is a unique tool that performs the static investigation of any 32-bit and 64-bit Windows executable (*.exe, *.dll, *.cpl, *.ocx, *.ax, *.acm, *.sys, *.drv, *.scr, ...). The goal of PEStudio is to detect anomalies, provide indicators and score the trustworthiness of the executable being analysed.

Since the executable being analysed is never started, you can inspect unknown and even malicious executables with no risk. PEStudio runs on any Windows platform and is fully portable; no installation is required. PEStudio has a zero footprint: it does not change the system it is running on, nor does it leave anything behind.

Download PEStudio 8.23

References

PEStudio is proudly used by many professionals for forensic investigations and for training around the world, such as:


Licence

PEStudio is free for private, non-commercial use only. Although it is free for non-commercial use, any donation to support the development of the tool is more than welcome. For commercial use of PEStudio, please contact the author to obtain more details about the license models and prices.


Indicators

PEStudio shows Indicators as a human-friendly summary of the analysed image. Indicators are grouped into categories according to their severity and show both the potential and the anomalies of the application being analysed. The classifications are based on XML files provided with PEStudio; by editing the XML file, one can customize the Indicators shown and their severity. Among the indicators, PEStudio shows when an image is compressed using UPX or MPRESS. PEStudio helps you to define the trustworthiness of the application being analysed.

Virus Detection

PEStudio can query the antivirus engines hosted by VirusTotal for the file being analysed. This feature only sends the MD5 of the file being analysed; the file itself is never uploaded. This feature can be switched on or off using an XML file included with PEStudio. PEStudio helps you to determine how suspicious the file being analysed is.

Imports

Even a suspicious binary or malware file must interact with the operating system in order to perform its activity. To do so, it must use a certain number of libraries. PEStudio retrieves the libraries and the functions used by the image. PEStudio also includes an XML file that is used to blacklist functions by category (e.g. Registry, Process, Thread, File, ...). The blacklist file can be customized and extended according to your own needs. In this way PEStudio shows the intent and purpose of the application analysed.
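The following is an added example, not PEStudio's code or its PeParser engine: it walks the import directory of a PE32/PE32+ image at the raw byte level and matches the imported function names against a category blacklist, which is the mechanism the paragraph above describes. The blacklist XML layout, the category names and the minimal sample PE (built in memory by `build_sample_pe`, valid enough to parse but not to run) are all constructed for this example; PEStudio's real XML schema is not reproduced here.

```python
# Added example, not PEStudio's code: a minimal import-table walker for PE32/PE32+
# files plus a category blacklist in the spirit of the XML file PEStudio ships.
# The blacklist layout and the sample PE are constructed for this example.
import struct
import xml.etree.ElementTree as ET

# Assumed blacklist layout (hypothetical; PEStudio's real schema may differ).
BLACKLIST_XML = """<blacklist>
  <function name="RegSetValueExA" group="Registry"/>
  <function name="CreateRemoteThread" group="Thread"/>
  <function name="WriteProcessMemory" group="Process"/>
  <function name="CreateFileA" group="File"/>
</blacklist>"""

def load_blacklist(xml_text):
    """Map function name -> category from the blacklist XML."""
    return {f.get("name"): f.get("group") for f in ET.fromstring(xml_text).iter("function")}

def build_sample_pe():
    """Construct a minimal PE32 with one section holding an import directory."""
    sec_rva, sec_raw = 0x1000, 0x200
    sec = bytearray()
    def put(blob):                          # append to the section, return its RVA
        rva = sec_rva + len(sec)
        sec.extend(blob)
        return rva
    imports = {b"KERNEL32.dll": [b"CreateFileA", b"WriteProcessMemory"],
               b"ADVAPI32.dll": [b"RegSetValueExA"]}
    desc_rva = put(b"\0" * (20 * (len(imports) + 1)))   # descriptors + null terminator
    descs = []
    for dll, funcs in imports.items():
        names = [put(struct.pack("<H", 0) + f + b"\0") for f in funcs]   # hint + name
        thunks = b"".join(struct.pack("<I", r) for r in names) + b"\0" * 4
        int_rva, iat_rva = put(thunks), put(thunks)      # OriginalFirstThunk, FirstThunk
        descs.append(struct.pack("<IIIII", int_rva, 0, 0, put(dll + b"\0"), iat_rva))
    sec[:20 * len(descs)] = b"".join(descs)
    sec += b"\0" * (-len(sec) % 0x200)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 14, 0, 0, 0, 0,
                      sec_rva, sec_rva, sec_rva, 0x400000, 0x1000, 0x200, 6, 0, 0, 0,
                      6, 0, 0, 0x2000, 0x200, 0, 3, 0, 0x100000, 0x1000, 0x100000,
                      0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1] = (desc_rva, 20 * (len(imports) + 1))        # IMAGE_DIRECTORY_ENTRY_IMPORT
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(sec), sec_rva, len(sec), sec_raw,
                       0, 0, 0, 0, 0xC0000040)
    hdr = dos + coff + opt + sect
    return bytes(hdr + b"\0" * (sec_raw - len(hdr)) + sec)

def parse_imports(data):
    """Walk the import directory and return {dll: [function names]};
    imports by ordinal are reported as 'ordinal#N'."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B            # PE32+ ?
    imp_rva = struct.unpack_from("<I", data, opt + (112 if plus else 96) + 8)[0]
    if imp_rva == 0:
        return {}
    sections = []                          # (VirtualAddress, size, PointerToRawData)
    for i in range(nsect):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))
    def rva_to_off(rva):
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rawptr + rva - vaddr
        raise ValueError("RVA 0x%x outside every section" % rva)
    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")
    fmt, width, ordflag = ("<Q", 8, 1 << 63) if plus else ("<I", 4, 1 << 31)
    result, desc = {}, rva_to_off(imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:                  # null descriptor terminates the table
            break
        thunk, funcs = rva_to_off(oft or ft), []   # prefer the INT, fall back to the IAT
        while (entry := struct.unpack_from(fmt, data, thunk)[0]) != 0:
            funcs.append("ordinal#%d" % (entry & 0xFFFF) if entry & ordflag
                         else cstr(rva_to_off(entry) + 2))     # skip the 2-byte hint
            thunk += width
        result[cstr(rva_to_off(name_rva))] = funcs
        desc += 20
    return result

def flag_imports(imports, blacklist):
    """Return (dll, function, category) for every imported function on the blacklist."""
    return [(dll, fn, blacklist[fn]) for dll, fns in imports.items() for fn in fns if fn in blacklist]

if __name__ == "__main__":
    found = flag_imports(parse_imports(build_sample_pe()), load_blacklist(BLACKLIST_XML))
    for dll, fn, group in found:
        print("%-13s %-20s %s" % (dll, fn, group))
```

Replace `build_sample_pe()` with the bytes of a real file to inspect it. The walker reads the import name table (OriginalFirstThunk) in preference to the import address table, since the IAT may already have been overwritten in a dumped image, and it resolves every RVA through the section table rather than assuming file offsets equal virtual addresses.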

Resources

Executable files typically contain not only code but also many kinds of data. Resource sections are commonly used to host Windows built-in items (e.g. icons, strings, dialogs, menus) and custom data. PEStudio analyses the resources of the file being analysed and detects embedded items (e.g. EXE, DLL, SYS, PDF, CAB, ZIP, JAR, ...). Any item can be selected separately and saved to a file for further analysis.
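As an added example (not PEStudio's code), here is the signature-scanning idea behind detecting embedded items: a resource blob is searched for well-known file headers, an "MZ" hit is only accepted when its e_lfanew points at a real PE signature (so the two letters occurring in a string table are not reported), and each hit is carved out so it can be saved for separate analysis. The sample blob, the signature list and the carving boundary (each item runs until the next hit) are constructed for this example.

```python
# Added example, not PEStudio's code: find and carve embedded items in resource data
# by their file signatures. Sample blob and signature table are constructed here.
import struct

SIGNATURES = [
    (b"MZ", "EXE/DLL/SYS (MZ header)"),
    (b"%PDF-", "PDF"),
    (b"PK\x03\x04", "ZIP/JAR"),
    (b"MSCF", "CAB"),
]

def looks_like_pe(blob, off):
    """Reject stray 'MZ' text: e_lfanew must point at a 'PE\\0\\0' signature."""
    if off + 0x40 > len(blob):
        return False
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    return blob[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0"

def find_embedded(blob):
    """Return [(offset, description)] for every embedded item, sorted by offset."""
    hits = []
    for magic, desc in SIGNATURES:
        off = blob.find(magic)
        while off != -1:
            if magic != b"MZ" or looks_like_pe(blob, off):
                hits.append((off, desc))
            off = blob.find(magic, off + 1)
    return sorted(hits)

def carve(blob, hits):
    """Slice the blob at each hit; an item runs until the next hit or the end of the
    data (a crude boundary, since embedded formats declare their size differently)."""
    bounds = [off for off, _ in hits] + [len(blob)]
    return {off: blob[off:nxt] for (off, _), nxt in zip(hits, bounds[1:])}

def build_sample_blob():
    """Constructed resource data: a string table, a fake PE stub, the decoy text
    'MZ is just text here', a tiny PDF, a ZIP local header and a CAB header."""
    pe_stub = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
    return (b"STRINGTABLE\0" * 4 + pe_stub + b"\0" * 16
            + b"MZ is just text here\0"
            + b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<<>>\nendobj\n"
            + b"PK\x03\x04" + b"\x14\x00" + b"\0" * 24 + b"payload.txt"
            + b"MSCF" + b"\0" * 32)

if __name__ == "__main__":
    blob = build_sample_blob()
    hits = find_embedded(blob)
    for off, desc in hits:
        print("offset 0x%04x  %-24s %d bytes" % (off, desc, len(carve(blob, hits)[off])))
```

On a real file, `blob` would be the raw bytes of a resource entry (or the whole .rsrc section); the carved slices are what you would write out to disk and feed back into the same analysis.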

Report

The goal of PEStudio is to allow investigators to analyse unknown and suspicious executable files. For this purpose, PEStudio can also produce an XML output report documenting the executable file being analysed, so that the results can be consumed by any third-party analysis tool. To better accomplish this goal, an XML Schema will be published soon.

Prompt

The downloadable package contains not only PEStudio with its graphical user interface (GUI) but also a command line interface (CLI) version. Starting PEStudio in prompt mode allows the analysis of executables and the creation of the XML output file in batch mode.

Interface

Considering the general software architecture, PEStudio is a consumer of a set of private interfaces provided by the underlying layer. That layer is called PeParser, the engine that parses the executable files being analysed. The parser has been completely designed and implemented by the author; no third-party library or Windows library is used to parse executables. Parsing is performed at the raw byte level, which has the advantage that the parser can easily be ported to other operating systems. The parser provides access to all data of the files being inspected, as well as consolidated information and notifications that can also be consumed by other products. For this purpose, a Software Development Kit (SDK) can be acquired on a license basis. Please contact the author for more information about the license models.

Legal

The application presented here may not be used for illegal purposes. Any decompilation and/or reverse-engineering of this application and its components is forbidden.