Anyone using PeStudio by Winitor?

Discussion in 'other anti-malware software' started by Tyrizian, May 27, 2013.

  1. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    awesome :cool:

    I was just worried that maybe Google tries to ask for a UUID, CPU ID or HDD identifiers through your program, like websites can do through the browser via JavaScript, or maybe sets a cookie or something. I tried looking at the connection with SmartSniff, but of course it's encrypted.

    BTW, 7.51 is freezing for me on Win XP even when I just try to drag and drop or open an image through the File menu. I haven't been able to test it through the IDM program.
    The only thing I can think of that I do differently is run it from a separate partition than the C: drive.

    v 7.43 still works.
     
  2. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    @Snoop3: I really don't think Google is asking for anything through PeStudio or placing cookies on the system when using PeStudio.
     
  3. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    @Snoop3: another user contacted me because of a freezing issue on XP. I'll test it on XP tomorrow... Sorry about this inconvenience!
     
  4. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    thanks, no problem.

    I have a portable radio player program that places cookies for "streamtheworld" (CBS radio network, IIRC) stations for some reason, so I wondered if other programs were also doing this.
     
  5. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    @Snoop3: Pestudio 7.53 is now available. The freezing issue on XP has been fixed (and tested under XP).
     
  6. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,821
    Thank you kind sir, much appreciated :thumb:

    That was quick, you're definitely on top of stuff.
     
  7. ELWIS1

    ELWIS1 Registered Member

    Joined:
    Sep 29, 2010
    Posts:
    60
    Yes, it now works well under XP. Thanks.

    Good job. :)
     
  8. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474

    Thanks. new version is working well.

    One more question though: can we get VT results for any file again, like we used to in version 7.43? Now we just get an incorrect format error. It's a very useful feature of the program that's missing now.
     
  9. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    @Snoop3: of course, it will be available in the next version!
     
  10. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    thanks.

    Also, maybe I didn't test v7.53 enough. I was just using it on one file at a time and then closing the program, but I see now that if I try to close an image with the red X or the scissors it still freezes.
     
  11. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    @Snoop3: PeStudio 7.54 is now available to fix this issue under XP, plus ANY file can be opened and checked against VT, plus extended validation of version information data, etc.
     
  12. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    Thanks, it works great now. Also, it seems like it releases the file image almost immediately, so I can rename, cut and paste, etc. right away. :)

    edit:

    Also, ideas for future versions: to me it would be useful to have a subsection under strings for "URLs found" (or anything that might be a URL) and also maybe potential IPs found. I see that we can sort on the "value" in strings, but not all of the URLs start with http; some may start with a # or whatever else. For the IPs I don't know if it's possible to find them in the code, but I'd read that some malware tries to hardcode an IP in the program to bypass DNS, so it would be useful to see anything like this. Thanks.
     
    Last edited: Sep 30, 2013
  13. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    @Snoop3: thank you for this idea! Yes, currently the strings output is too noisy. I am planning to implement filtering and searching and... classification. Stay tuned.
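    The string classification Snoop3 asks for above, as an added example that is not PeStudio's code and was not posted by anyone in the thread: it pulls ASCII and UTF-16LE runs out of a byte blob and sorts them into URLs (with or without a scheme, so a "www." string counts), syntactically valid IPv4 addresses, and everything else. The sample bytes are constructed here, and the regular expressions, the minimum string length of four and the bucket names are choices of this example.

```python
import re
import ipaddress

# Constructed sample data resembling the contents of a binary's data section.
# The UTF-16LE string and the "999.1.2.3" near-miss are included on purpose.
# The double null before the wide string matters: a single null would let the
# last ASCII character pair up with it and prepend "l" to the wide string.
SAMPLE = (
    b"\x00\x00This program cannot be run in DOS mode.\x00"
    b"http://example.com/update.php\x00"
    b"www.example.net/dl\x00"           # URL without a scheme
    b"192.168.1.254\x00"
    b"999.1.2.3\x00"                    # dotted-quad shape, but not a valid address
    b"1.2.3\x00"
    b"kernel32.dll\x00\x00"
    + "https://wide.example.org/c2".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02ab\x03"                 # too short to count as a string
)

# A scheme ("xyz://") or a leading "www." marks a URL; the IPv4 pattern only
# checks shape, and ipaddress then rejects octets above 255.
URL_RE = re.compile(r"(?:[a-z][a-z0-9+.\-]*://|www\.)\S+", re.I)
IPV4_RE = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def extract_strings(data, min_len=4):
    """Yield (encoding, text) for printable ASCII and UTF-16LE runs of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        yield "ascii", m.group().decode("ascii")
    for m in wide_re.finditer(data):
        yield "utf-16le", m.group().decode("utf-16-le")


def is_ipv4(text):
    """True only for a well-formed dotted quad (each octet 0-255)."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def classify(text):
    """Return 'url', 'ipv4' or 'other' for one extracted string."""
    if URL_RE.search(text):
        return "url"
    m = IPV4_RE.search(text)
    if m and is_ipv4(m.group()):
        return "ipv4"
    return "other"


def classify_strings(data, min_len=4):
    """Bucket every string found in data by category, keeping extraction order inside each bucket."""
    buckets = {"url": [], "ipv4": [], "other": []}
    for _, text in extract_strings(data, min_len):
        buckets[classify(text)].append(text)
    return buckets


if __name__ == "__main__":
    for category, items in classify_strings(SAMPLE).items():
        print(category, items)
```

    Running it on the sample puts the three URLs (including the wide one and the scheme-less "www." one) in the url bucket, only 192.168.1.254 in the ipv4 bucket, and leaves "999.1.2.3" and "1.2.3" among the other strings. An IP literal found this way is only a lead; a hardcoded address can also be stored as a packed 32-bit integer, which no string scan will show.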
     
  14. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    PeStudio 7.56 is now available with a whitelist XML-based mechanism to detect suspicious section names...
     
  15. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    @Marc

    For some reason the file "wget.exe" (from WinWGetportable) crashes the latest version, not sure why. I thought it was because it may be a command line or console file, but then the program works fine with those types of programs in the System32 folder.
     
  16. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    @Snoop3: just tried it, everything is alright. Can you send me the exe, just to be sure? thanks.
     
  17. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    PeStudio 7.57 detects blacklisted exported functions.
     
  18. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    Heh, must have been a temporary glitch or something, as both 7.43 and 7.56 have no trouble with the file now.

    edit: maybe it's the path. I have two files with the same hash and one scans fine; the other crashes, and its path is 122 spaces plus the exe.
     
    Last edited: Oct 4, 2013
  19. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,725
    Now it's version 7.60 when SUMo reported 7.58. Active as always, I see. :thumb:
     
  20. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    No reason to stop, static analysis still has a huge potential... stay tuned.
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,531
    Location:
    U.S.A. (South)
    Keep the updates rolling out. This is a very useful piece of work.

    Regards Easter
     
  22. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    Anyone interested in a kind of "blacklisted" library mechanism? An XML file containing a list of DLLs which would then be detected by PeStudio as "blacklisted" (e.g. urlmon.dll, winhttp.dll, winscard.dll...)?
     
    Last edited: Oct 14, 2013
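    An added example of the section-name whitelist from post 14 and the blacklisted-library idea from post 22 put together. It is not PeStudio's code and nothing in the thread describes PeStudio's XML layout, so the element and attribute names, the reasons given for each library, and the tiny PE32 image it inspects are all constructed for this illustration. The script reads the section table and the import directory directly with struct, so it runs offline with the standard library only.

```python
import struct
import xml.etree.ElementTree as ET

# Hypothetical whitelist / blacklist files in the spirit of the thread.
# The element and attribute names are this example's own, not PeStudio's format.
SECTION_WHITELIST_XML = """<sections>
  <section name=".text"/><section name=".rdata"/><section name=".data"/>
  <section name=".rsrc"/><section name=".reloc"/><section name=".idata"/>
</sections>"""

LIBRARY_BLACKLIST_XML = """<libraries>
  <library name="urlmon.dll" reason="URL download helpers"/>
  <library name="winhttp.dll" reason="HTTP client"/>
  <library name="winscard.dll" reason="smart card access"/>
</libraries>"""


def build_sample_pe():
    """Constructed minimal PE32 image: .text, .rdata (holding the import table) and a UPX1 section.
    Thunk arrays are left empty because only the imported DLL names are checked here."""
    sec_defs = [(b".text", 0x1000, 0x200), (b".rdata", 0x2000, 0x400), (b"UPX1", 0x3000, 0x600)]
    dlls = [b"kernel32.dll", b"urlmon.dll", b"winhttp.dll"]
    import_rva = 0x2000
    name_rva = import_rva + 20 * (len(dlls) + 1)      # DLL names follow the descriptor array
    descriptors, names = b"", b""
    for dll in dlls:                                   # IMAGE_IMPORT_DESCRIPTOR: 5 DWORDs, Name is the 4th
        descriptors += struct.pack("<IIIII", 0, 0, 0, name_rva + len(names), 0)
        names += dll + b"\0"
    import_table = descriptors + bytes(20) + names     # an all-zero descriptor terminates the list
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)  # e_lfanew at offset 0x3C
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sec_defs), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, import_rva, len(import_table))  # data directory entry 1 = imports
    sec_hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, 0x200, va, 0x200, raw, 0, 0, 0, 0, 0x60000020)
                        for n, va, raw in sec_defs)
    image = bytearray(0x800)
    headers = dos + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdrs
    image[:len(headers)] = headers
    image[0x400:0x400 + len(import_table)] = import_table
    return bytes(image)


def parse_pe(data):
    """Return (section names, imported DLL names); raises ValueError on a malformed image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", data, opt_off)
    dir_off = opt_off + (96 if magic == 0x10B else 112)   # data directories start later in PE32+
    import_rva, _ = struct.unpack_from("<II", data, dir_off + 8)

    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr})

    def rva_to_offset(rva):
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
                return rva - s["va"] + s["rawptr"]
        raise ValueError("RVA %#x not backed by any section" % rva)

    def cstring(off):
        return data[off:data.index(b"\0", off)].decode("latin-1")

    dlls = []
    if import_rva:
        off = rva_to_offset(import_rva)
        while True:
            desc = struct.unpack_from("<IIIII", data, off)
            if not any(desc):
                break
            dlls.append(cstring(rva_to_offset(desc[3])))
            off += 20
    return [s["name"] for s in sections], dlls


def audit(data, section_xml=SECTION_WHITELIST_XML, library_xml=LIBRARY_BLACKLIST_XML):
    """Return (section names not on the whitelist, [(dll, reason)] for blacklisted imports)."""
    known = {e.get("name") for e in ET.fromstring(section_xml).iter("section")}
    flagged = {e.get("name").lower(): e.get("reason", "") for e in ET.fromstring(library_xml).iter("library")}
    section_names, dlls = parse_pe(data)
    suspicious_sections = [n for n in section_names if n not in known]
    blacklisted = [(d, flagged[d.lower()]) for d in dlls if d.lower() in flagged]
    return suspicious_sections, blacklisted


if __name__ == "__main__":
    print(audit(build_sample_pe()))
```

    On the constructed image the section check reports UPX1 and the import check reports urlmon.dll and winhttp.dll with their reasons, while kernel32.dll passes. Section names are compared case-sensitively, DLL names case-insensitively, since import names are written in whatever case the linker emitted. A packed or unusually linked file can legitimately have odd section names, so a hit is a prompt to look closer rather than a verdict.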
  23. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    Maybe a reload button?

    Quite a few times I have my internet connection drop from 3G, so the VirusTotal results are blank. Rather than find the file again, it would be handy to have a reload button.

    I would like this also.
     
    Last edited: Oct 29, 2013
  24. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    @Snoop3: There is already the "Update in PeStudio" context menu to execute a new lookup... but it must be fixed. The blacklisted libraries feature is also on my todo list.
     