Explore malicious executables with Adlice PEViewer

PEViewer-768x477

Adlice PEViewer -- aka RogueKillerPE -- is a free tool for analyzing and exploring Windows executables.

The results can help you troubleshoot programs, find out more about what they’re doing, and perhaps identify malware that your regular antivirus tool has missed. It’s the free version of a commercial tool and a nag screen appears occasionally, but not enough to be annoying and there are no other major restrictions.

Launch PeViewer and you’re able to open an EXE disk image, handy for performing a PeStudio-like static analysis of the file.

Usefully, you can also select a target from your running processes, and grab its image from RAM. If the EXE has been encrypted by a packer, using a memory image instead might give you more details.

Whatever you’re chosen, PEViewer quickly analyses the target and displays its results across multiple tabs.

The "General" tab displays the executable location, size, version, and VirusTotal score. If the file is new, you can submit it to VirusTotal with a click, or view a detailed report in your browser.

PEViewer shows you the parent of a running process (the process which launched it), if possible, along with its creation time and command line. That may be helpful if you don’t understand why a process is running.

Other areas tell you if the executable is digitally signed (tends to be good), uses a packer (might be bad), or is 32 or 64-bit (just handy to know).

The "Indicators" tab provides a quick report on the program’s features. Some of these items are straightforward (VirusTotal score), others strictly experts-only ("Imports count"), but everyone will understand the end result: a "likely to be malicious" score out of 100.

If there’s nothing conclusive so far, clicking Hex/ Strings > Scan prompts PeViewer to search through the target process images for text strings.

In theory you can click various tabs to view file names, Registry keys, URLs, IP addresses or GUIDs referenced by the image.

In practice we found some of the strings were missing their first character (ttp://www.something…), which meant they weren’t classified correctly. We were still able to find the strings listed under an "All" tab, though, and overall it’s a very helpful tool for exploring an EXE’s origin and purpose (whether it’s malware or not).

The Version Info/ Digital Signature tab lists the executable’s company name, version, copyright message, and -- if it’s signed -- details including the certificate issuer, expiration date and company.

The remaining tabs can get much more technical, although some still have helpful details for everyone. So clicking "PE Header" and checking the "Other" pane shows you whether this is a 64-bit and/ or .NET file. And experts can also view all the other regular header details (PE/ File/ Optional data, sections, details, and the rest).

If you really know what you’re doing, there’s also a hex viewer, disassembler, resource viewer and other tools to explore.

Put it all together and PEViewer has a good mix of useful features and functionality. If you’re already doing much the same thing with tools like PeStudio or Process Hacker then it’s probably not going to win you over, but we like the convenience of analyzing RAM and disk image in one package, and overall it deserves a closer look.

Adlice PEViewer is a free tool for Windows XP and later.

2 Responses to Explore malicious executables with Adlice PEViewer

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.