Investigate suspect EXEs with Professional PE Explorer
Professional PE Explorer is a portable tool for investigating Windows executables, including EXE, SYS and DLL files.
The download is so tiny you’ll wonder if it’s broken -- 78.1KB, really? -- but no, this is all you get. Unzip it and run PPEE.exe to get started.
Drag and drop a suspect file onto the program and a left-hand tree lists some of its structures: DOS Header, NT Header, Section Headers, assorted directory entries and more.
If you’re happy with this low-level detail, you’ll also appreciate the program’s "anomaly detection", which highlights unusual elements of each section in orange (Warning) or red (Error).
Other expert-level features include entropy and MD5 calculations, section editing, the ability to dump elements of the file, and a built-in hex editor for browsing the file in depth.
This can get complicated, but fortunately there are also elements here which could be useful to anyone.
Click NT Header > File Header and the summary tells you whether this is a 32 or 64-bit EXE.
NT Header > Optional Header has an item indicating whether it’s a GUI or console program.
If the EXE has a digital signature, a DIRECTORY_ENTRY_SECURITY section gives you details on its name, date and more. This relies on the Windows API but should still work just fine in most situations.
Sometimes there’s a DIRECTORY_ENTRY_DEBUG section which shows you when the EXE was compiled, and its location on the developer’s hard drive.
A "Strings in file" section locates strings of characters in the file and organizes them into four categories: ASCII, Unicode, URL and Registry. If the EXE contacts a URL or accesses a Registry key, you might find it listed here. Beware, though: malware usually tries to obscure this kind of detail, so it may not be displayed.
If you see an interesting item -- the name attached to a digital signature, an unusual string -- right-clicking it offers options to search Google or MSDN for it.
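To show what the File Header, Optional Header and "Strings in file" views above are actually reading, and how the entropy figure mentioned earlier is computed, here is an added Python triage script; it is not part of PPEE or of this review. It reads the linker timestamp from the File Header rather than the debug directory, and the constructed `build_sample` stub, the `classify` rules and the six-character string threshold are my own assumptions.

```python
import hashlib, math, re, struct
from collections import Counter
from datetime import datetime, timezone

MACHINE = {0x14C: "x86 (32-bit)", 0x8664: "x64 (64-bit)", 0xAA64: "ARM64 (64-bit)"}
SUBSYSTEM = {2: "GUI", 3: "console"}

def entropy(data):
    """Shannon entropy in bits per byte; packed or encrypted data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify(s):  # rough stand-in for PPEE's string categories (assumed rules)
    if re.match(r"https?://", s): return "URL"
    if s.startswith(("HKEY_", "SOFTWARE\\", "SYSTEM\\")): return "Registry"
    return "ASCII"

def triage(pe):
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)              # DOS header -> PE offset
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    fh = e_lfanew + 4                                           # IMAGE_FILE_HEADER
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, fh)
    opt = fh + 20                                               # IMAGE_OPTIONAL_HEADER
    subsystem, = struct.unpack_from("<H", pe, opt + 68)         # same offset in PE32/PE32+
    sections = {}
    for i in range(nsect):                                      # IMAGE_SECTION_HEADERs
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections[name.rstrip(b"\0").decode()] = round(entropy(pe[raw_ptr:raw_ptr + raw_size]), 2)
    strings = [s.decode() for s in re.findall(rb"[\x20-\x7e]{6,}", pe)]
    return {
        "machine": MACHINE.get(machine, hex(machine)),
        "subsystem": SUBSYSTEM.get(subsystem, str(subsystem)),
        "compiled": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
        "md5": hashlib.md5(pe).hexdigest(),
        "section_entropy": sections,
        "strings": {s: classify(s) for s in strings},
    }

def build_sample():
    """Constructed, non-executable PE32+ stub used only to exercise triage()."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew -> 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 1700000000, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                         # PE32+ magic
    struct.pack_into("<H", opt, 68, 3)                            # IMAGE_SUBSYSTEM_WINDOWS_CUI
    body = b"Hello from a constructed sample\0http://example.invalid/\0".ljust(0x40, b"\0")
    sect = struct.pack("<8sIIII", b".text", len(body), 0x1000, len(body), 0x200).ljust(40, b"\0")
    return (dos + b"PE\0\0" + file_hdr + bytes(opt) + sect).ljust(0x200, b"\0") + body
```

Running `triage(build_sample())` reports an x64 console image with a 2023 timestamp, a low-entropy `.text` section and one URL-classified string; on a real file, pass `open(path, "rb").read()` instead.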
Professional PE Explorer lacks the VirusTotal integration of PEStudio, but it’s still a likeable static analysis tool, comfortable to use and with a strong set of features. One to watch.
Professional PE Explorer is a free application for Windows 7 and later.