Anyone using PeStudio by Winitor?

Discussion in 'other anti-malware software' started by Tyrizian, May 27, 2013.

  1. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I am now, the VirusTotal integration is better than the outdated VT Uploader (20MB) or X-Ray (32MB API limitation and slow), because neither can support the full 64MB. Sure it can't upload, but fast hash checking is enough for me.
    Also like how it's easier than other similar tools due to GUI, no requirements like Python (limits portability), and Indicators of Trust.
     
  2. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    @mox, thanks for the new build.
    Unfortunately, it seems that something has gone awry in v6.96 with Libraries and Imports (0).
     
  3. Aborash

    Aborash Registered Member

    Joined:
    Jun 11, 2013
    Posts:
    13
    Location:
    Milky Way
    Sounds great, I'll give it a try.
     
  4. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    Thanks for your remark about this issue! Really sorry, yes libraries have been hit by a side-effect. This has been fixed in version 6.97. Is it working correctly now..?
     
  5. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    @J_L: I am pleased you like PeStudio! Upload is in the pipe. No dependency, no requirement, fully portable, these are the goals of PeStudio.
     
  6. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    Yes, it's working just fine. :)
    The only other issue I have to report at present is that if you keep PeStudio open and keep dragging files to it for analysis, memory isn't being released and eventually it either crashes or needs to be closed.
    (Yes, I was bored. lol)
     
  7. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    sorry about the memory issue. I'll have a look at it.
     
  8. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    I've been using both usernames for many years and figured, why not just stick with one...So I picked TyRidian.
     
  9. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    Version 6.98 released
    • Detect INVALID DATA found in the VERSION_INFO stream (some malware places a custom stream in standard Windows Resources)
    • Extended support for corkami malformed samples
    • Added more items in PestudioIndicators.xml
     
  10. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    PeStudio 7.00 is now available:

    . Added additional Hints about suspicious size of the Version Resource (some malware places a custom stream in standard Windows Resources)
    . Added additional Hints about Invalid Directories as Indicator and at the UI
    . Extended handling to handle Ollybugs images
     
  11. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    PeStudio 7.01 is now available:

    - Added a new PeStudioStringsBlackList.xml file. This file contains the list of blacklisted strings which will be used to detect suspicious strings in the Image. You must manually edit this file to add strings to your convenience. The blacklisted strings will be shown as Indicators and at the UI in the Strings Tab.

    - Added validation on Number of Sections
     
  12. StillAlive

    StillAlive Registered Member

    Joined:
    Dec 29, 2008
    Posts:
    42
    Is it possible to add

    Indicators ->
    The Image has following SHA 1
    The Image has following SHA 256 ?
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Really appreciate your making time and effort to fashion and share your useful utility analyzer with us.

    Please keep up the good work and thanks in advance for every new improvement and feature forthcoming.

    Regards Easter
     
  14. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    @StillAlive: yes of course. I'll put it on the todo list!
     
  15. StillAlive

    StillAlive Registered Member

    Joined:
    Dec 29, 2008
    Posts:
    42
    There is a bug in versions 6.98 - 7.01 with representation of strings ("Strings" tab). Example:

    picture2.jpg


    In previous versions:

    picture.jpg
     
  16. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    @StillAlive: thank you! Let me have a look at the strings enumeration asap. I will post here when done.
     
  17. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    @StillAlive: PeStudio 7.02 just released. It should correct the bug. Can you please confirm? Thanks!
     
  18. StillAlive

    StillAlive Registered Member

    Joined:
    Dec 29, 2008
    Posts:
    42
    mox

    Yes, the bug is gone.

    Waiting for new versions of PeStudio with new features.

    Thank you.
     
  19. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    @StillAlive: Thanks for the update.

    Btw, just updated PeStudio:

    . Added detection of MPRESS compression
    . Added detection of UPX evasion (one or more standard UPX section names changed)
    . Added computation of SHA1 of the image analyzed
    . fixed issue with right mouse copy at the UI
     
  20. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Why is "Lookup to VirusTotal" disabled by default in recent versions?
     
  21. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    @J_L: "Lookup to VirusTotal" is disabled by default because some people complained that it was enabled by default. You can enable it by editing the appropriate tag in the XML file (PeStudioVirusTotal.xml):

    <!-- 1: Enable Lookup to VirusTotal, 0: Disable Lookup to VirusTotal -->
    <EnableLookup>0</EnableLookup>
     
    Last edited: Jun 23, 2013
  22. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I don't see why they would complain when clicking that tab is completely optional. Heck, the tab still exists when disabled. Any performance gain would be negligible.

    Is their reasoning somewhere along the lines of privacy of their executables? Even that doesn't make sense, unless they're developers who don't even want hashes leaked if they accidentally clicked that tab.

    I'm just annoyed that whenever this software updates, I have to restore settings or risk possible incompatibility.
     
  23. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    PeStudio has been updated:

    . Added Handling of Blacklisted imported Functions (API) based on the PeStudioBlackListFunctions.XML (You can edit this file according to your needs and tag any function as being BLACK).
    . Detect Directories outside any Section
    . Detect unusual construct of Version Information block ("VarFileInfo" preceding "StringFileInfo")

    ...and VT Lookup Enabled is the default (if you don't like it, edit the XML file).
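    Several of the checks announced over the course of this thread (the SHA-1/SHA-256 indicators StillAlive asked for, the validation on Number of Sections, the detection of UPX with renamed sections, and the blacklisted strings and functions driven by the XML files) can be illustrated with a small pure-Python triage pass. The code below is an added example, not PeStudio's own code or the real PeStudioBlackListFunctions.XML schema: the `<functions>`/`<function name=...>` layout, the UPX layout heuristic and the decision to match blacklisted names against the image's printable strings (rather than walking the import table) are this example's own assumptions. Only the PE/COFF header offsets and the 96-section loader limit are facts.

```python
"""Added example, not PeStudio's code: a minimal pure-Python PE triage pass that
mirrors several checks mentioned in this thread (SHA-1/SHA-256 of the image,
section-count validation, UPX with renamed sections, blacklisted names).
The header parsing follows the PE/COFF layout; every heuristic is this
example's own assumption about how such a check can work, not PeStudio's."""
import hashlib
import re
import struct
import xml.etree.ElementTree as ET

STANDARD_UPX_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
MAX_SECTIONS = 96  # the Windows loader rejects images with more sections than this

# Constructed blacklist in the spirit of PeStudioBlackListFunctions.XML; the
# element and attribute names are assumed, not the real file's schema.
BLACKLIST_XML = b"""<functions>
  <function name="IsDebuggerPresent"/>
  <function name="WriteProcessMemory"/>
  <function name="CreateRemoteThread"/>
</functions>"""


def hashes(data):
    """Hex digests shown as indicators: SHA-1 and SHA-256 of the whole file."""
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def parse_sections(data):
    """Return (NumberOfSections, [(name, VirtualSize, SizeOfRawData), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                 # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0")
        vsize, rsize = struct.unpack_from("<I4xI", data, off + 8)
        sections.append((name, vsize, rsize))
    return num_sections, sections


def section_count_indicator(n):
    if n == 0:
        return "image declares no sections"
    if n > MAX_SECTIONS:
        return "%d sections exceeds the loader maximum of %d" % (n, MAX_SECTIONS)
    return None


def upx_indicator(data, sections):
    """Assumed heuristic: standard UPX section names, or UPX traces without them."""
    names = {name for name, _, _ in sections}
    # UPX's first section receives the unpacked image at run time: no raw bytes
    # on disk but a large virtual size. That layout survives renaming the sections.
    upx_layout = len(sections) >= 2 and sections[0][2] == 0 and sections[0][1] > 0
    if names & STANDARD_UPX_NAMES:
        return "UPX packed (standard section names)"
    if upx_layout or b"UPX!" in data:
        return "possible UPX with renamed sections"
    return None


def blacklisted_strings(data, blacklist_xml=BLACKLIST_XML):
    """Printable strings of the image that match the blacklist (the Strings-tab
    approach; walking the import table itself is out of scope for this example)."""
    listed = {f.get("name") for f in ET.fromstring(blacklist_xml).iter("function")}
    found = {s.decode() for s in re.findall(rb"[\x20-\x7e]{5,}", data)}
    return sorted(found & listed)


def analyze(data, blacklist_xml=BLACKLIST_XML):
    n, sections = parse_sections(data)
    indicators = [section_count_indicator(n), upx_indicator(data, sections)]
    indicators += ["blacklisted string: " + s for s in blacklisted_strings(data, blacklist_xml)]
    result = hashes(data)
    result["sections"] = [name.decode("ascii", "replace") for name, _, _ in sections]
    result["indicators"] = [i for i in indicators if i]
    return result


def build_minimal_pe(section_specs, extra=b""):
    """Constructed sample: valid MZ/PE headers, a PE32 optional header of zeros
    and a section table built from (name, VirtualSize, SizeOfRawData) tuples."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 222               # PE32 magic, 224 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, len(opt), 0x102)
    table = b"".join(name.ljust(8, b"\0") +
                     struct.pack("<IIIIIIHHI", vsize, 0x1000, rsize, 0, 0, 0, 0, 0, 0x60000020)
                     for name, vsize, rsize in section_specs)
    return dos + b"PE\0\0" + coff + opt + table + extra


if __name__ == "__main__":
    renamed = build_minimal_pe([(b".text", 0x10000, 0), (b".data", 0x5000, 0x5000)],
                               extra=b"UPX!\0IsDebuggerPresent\0")
    for key, value in analyze(renamed).items():
        print("%-10s %s" % (key, value))
```

Run against a real file, `analyze(open(path, "rb").read())` gives the same shape of result. The renamed-sections heuristic is deliberately loose (a zero-raw-size first section or a `UPX!` marker anywhere in the file), which is the trade-off PeStudio's changelog hints at: once the section names are gone, only layout and leftover markers are left to go on, so treat the result as a hint for a closer look rather than a verdict.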
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    When will a right click context open with PEstudio be added?

    This is an interesting project with many well laid out information features.
     
  25. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    You can quite easily add it yourself:

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\*\shell\Open in PE Studio]
    "Icon"="\"C:\\Program Files (x86)\\PE Studio\\PeStudio.exe\",0"
    
    [HKEY_CLASSES_ROOT\*\shell\Open in PE Studio\command]
    @="\"C:\\Program Files (x86)\\PE Studio\\PeStudio.exe\" \"%1\""
    
    Just save it as a .reg file. Make sure to adjust the paths as necessary. If you prefer the entry only to show up on certain file types, you need to replace the * with the actual extensions. Then import it :).
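    The two escaping rules that make the .reg file above look the way it does (backslashes doubled and embedded double quotes escaped inside string values) are easy to get wrong when adjusting the path by hand. The generator below is an added example, not part of Fabian's post or of PeStudio: given an install path and the extensions to cover, it emits the same keys as the snippet above. The `per_user` option, which places the keys under `HKEY_CURRENT_USER\Software\Classes` instead of `HKEY_CLASSES_ROOT` so no administrator rights are needed, is this example's own addition.

```python
"""Added example (not from the thread or from PeStudio): generate the
"Open in PE Studio" context-menu .reg file for any install path and any set
of extensions, applying the .reg string-value escaping rules."""


def reg_escape(value):
    """Escape a string for use inside a quoted .reg value: backslashes are
    doubled and double quotes get a backslash in front of them."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def context_menu_reg(exe_path, extensions=("*",), per_user=False,
                     label="Open in PE Studio"):
    """Return the text of a .reg file adding a shell verb for each extension.
    "*" covers all files, as in the thread; per_user (an assumption of this
    example) writes under HKCU\\Software\\Classes so no elevation is required."""
    root = "HKEY_CURRENT_USER\\Software\\Classes" if per_user else "HKEY_CLASSES_ROOT"
    icon = reg_escape('"%s",0' % exe_path)           # "<exe>",0  -> first icon of the exe
    command = reg_escape('"%s" "%%1"' % exe_path)    # "<exe>" "%1" -> pass the clicked file
    lines = ["Windows Registry Editor Version 5.00", ""]
    for ext in extensions:
        key = "%s\\%s\\shell\\%s" % (root, ext, label)
        lines += ["[%s]" % key, '"Icon"="%s"' % icon, "",
                  "[%s\\command]" % key, '@="%s"' % command, ""]
    return "\r\n".join(lines)                        # Regedit expects Windows line endings


if __name__ == "__main__":
    print(context_menu_reg(r"C:\Program Files (x86)\PE Studio\PeStudio.exe"))
```

Write the returned text to a file with a .reg extension and import it as the post describes; with `extensions=(".exe", ".dll")` the verb appears only on those types, and with `per_user=True` it is confined to the importing user's profile, which is the safer default on a shared analysis box.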
     