pestudio is a tool that performs the static analysis of 32-bit and 64-bit Windows executable files.
Malicious executable attempts to hide its malicious intents and to evade detection. In doing so, it generally presents anomalies and suspicious patterns. The goal of pestudio is to detect these anomalies, provide indicators and score the executable being analyzed. Since the executable file being analyzed is never started, you can inspect any unknown or malicious executable with no risk.
Licensepestudio is free for private non-commercial use only. For commercial use of pestudio, please contact the author, to obtain more details about the License models and prices. The application presented here may not be used for illegal purpose. Any decompilation and/or reverse-engineering of this application and its components is forbidden.
pestudio is delivered as a ZIP file (MD5: CE7694D81FEDA5A095CF130D6A510361). Once the package is decompressed, pestudio does not require any installation nor does it change the system it is running on. pestudio is portable and runs on any Windows Platform. Download pestudio 8.50
Referencespestudio is proudly referenced and used by many professionals for Digital Forensic Investigations and Trainings around the world, like:
- Live demo of pestudio at Black Hat 2015 in Las Vegas
- pestudio in the Best 2014 Security Tools list of Toolswatch
- Live demo of pestudio at Black Hat 2014 in Amsterdam
- How to Quick Analyze Malware with pestudio, Wireshark & VirusTotal
- pestudio in the Best 2013 Security Tools list of Toolswatch
- pestudio in the SANS Digital Forensics and Incident Response tools kit
Indicatorspestudio shows Indicators as a human-friendly result of the analysed image. Indicators are grouped into categories according to their severity. Indicators show the potential and the anomalies of the application being analysed. The classifications are based on XML files provided with pestudio. By editing the XML file, one can customize the Indicators shown and their severity. Among the indicators, pestudio shows when an image is compressed using UPX or MPRESS. pestudio helps you to define the trustworthiness of the application being analysed.
Virus Detectionpestudio can query Antivirus engines hosted by Virustotal for the file being analysed. This feature only sends the MD5 of the file being analysed. This feature can be switched ON or OFF using an XML file included with pestudio. pestudio helps you to determine how suspicious the file being analysed is.
ImportsEven a suspicious binary or malware file must interact with the operating system in order to perform its activity. For this to be possible, a certain amount of libraries must be used. pestudio retrieves the libraries and the functions used by the image. pestudio also includes an XML file that is used to blacklist functions (e.g. Registry, Process, Thread, File, ...). The blacklist file can be customized and extended according to your own needs. pestudio shows the intent and purpose of the application analyzed.
ResourcesExecutable files typically not only contain code but also many kinds of data types. Resources sections are commonly used to host different Windows built-in items (e.g. icons, strings, dialogs, menus) and custom data. pestudio analyzes the resources of the file being analysed and detects embedded items (e.g. EXE, DLL, SYS, PDF, CAB, ZIP, JAR, ...). Any item can be separately selected and saved to a file, allowing the possibility of further analysis.
ReportThe goal of pestudio is to allow investigators to analyse unknown and suspicious executable files. For this purpose, pestudio can also produce an XML Output Report file documenting the executable file being analysed. The goal of this XML Output Report file is the ability to be utilized by any third-party analysis tool. To better accomplish this goal, an XML Schema will be published soon.