Anyone using PeStudio by Winitor?

Thanks Fabian! PeStudio does not write anything on the system it is running on, that is why I never released this handy Registry trick (that Fabian shared to me a while ago either).

 

@EASTER: Thanks for the compliment!

 

I confess i was lazy and thought throwing out that suggestion would save me codeing yet another one in the many i been making lately and modifying from video thumbnails, toggle menus and a host of other customizations I'm always adding to improve both functionality and appearances.

Thanks for the code though. It's mind bending sometimes when working directly with these scripts and spending hours in the registry maze. But it's an obsession with me. It's. a great place to defeat the apprehension most people have when working in this section of windows. Useful too.

Easter

 

@Fabian Wosar: Can I add this handy .reg file to the PeStudio package?

 

Thanks for agreeing with my rather selfish request, I believe most users prefer the easier choice of VirusTotal.

You can easily add it to the "Send To" menu. Editing the registry is not for me, unless you use it frequently.

I agree, great job by the developer.

 

Sure.

 

Is it possible to add some statistics calculation for a file and its sections: entropy, redundancy, density of FPU instructions, etc. And with some graphical representation, if possible. For example:

http://onthar.in/wp-content/uploads/2012/01/tau2.png
http://onthar.in/wp-content/uploads/2012/01/tau3.png
http://www.the-interweb.com/bdump/hexer/notepad-entropy.png
http://2.bp.blogspot.com/-PT7QIYrzXVs/T77HcBnrPvI/AAAAAAAAANg/jGM6gAKf2DU/s1600/25.05.2012+03-40-12++377.jpg


Entropy analyzers:

http://www.cert.at/downloads/software/bytehist_en.html

Crypto Implementations Analysis Toolkit
http://sourceforge.net/projects/ciat/

Entyzer - Advanced Entropy Analyzer
http://www.themutable.com/

http://www.fourmilab.ch/random/

http://onthar.in/files/tauscanner/


Entropy analyzers with source code:

Ent - Entropy Level and FPU Density Measurement Tool
http://gynvael.coldwind.pl/?id=158
http://gynvael.coldwind.pl/?id=162

http://mydiary-musiclife.blogspot.com/2012/05/badguy.html
http://mydiary-musiclife.blogspot.com/2012/05/blog-post_25.html

http://www.manhunter.ru/assembler/556_raschet_entropii_na_assemblere.html

 

@StillAlive: thank you very much for this input! Actually I am already working on MD5 for sections and Resources. Entropy is also in the pipe. I'll have a look at these suggested URLs very soon.

 

btw, not sure I mentioned that PeStudio is also on Twitter: https://twitter.com/ochsenmeier

 

@StillAlive: http://www.manhunter.ru is access denied

 

I don't know... I can access this site. Try a Russian proxy or startpage.com search engine -> View by Ixquick Proxy

The file Entropy.Demo.zip from the site I uploaded to a file sharing service:
http://rghost.ru/47060723

 

PeStudio has been updated:

. Added Detection of Fake UPX (sections named like UPX but the image is NOT UPXed)
. Extended detection of Executable(s) embedded in the image
. Extended "Severity" Indicator (see PeStudioIndicators.xml) to increase the granularity when scoring an image.
. Added "PeStudioIntoExplorerContextMenu.reg" file to the package to *manually* integrate PeStudio in the context Menu of Explorer

 

PeStudio has been updated:

. Added detection of Overlay (extra-data appended to the end of the image)

 

Thank you mox for the update

 

a new version of PeStudio is available:

. Added more validation check on Version info to handle hand-crafted version block (e.g. corkami\version_cust.exe)
. Added Detection of Images based on the Visual Basic Virtual Machine
. Corrected size of Overlay for signed images.

 

PeStudio updated:

. Enhanced detection of fake UPX
. Extented Blacklist of Functions
. Fixed a bug when handling exported functions
. Show Section:Offset Addresses where exports, imports and strings are located in

 

PeStudio update:

. Added Detection of Device Drivers and handle Indicators accordingly

 

This update is the best one yet for my expectations.

Thanks a bunch and keepem'.coming. Useful program indeed.

 

@EASTER: thanks! Yeah, I keep working on it.

 

PeStudio has been updated:

- it now detects when an Image is statically linked to the C Run-Time Libraries

 

PeStudio now detects the (direct) usage of the Native APIs.

 

PeStudio updated:

. Handle shrinked (hand-crafted) File Header
. Added collection of Unicode Strings

 

PeStudio has been updated:

. Added Sections MD5 computation

 

mox,

can you wait for few days and then release new update with several fixes?
There is new version every day...
Just my 2 cents....

 

@ mox

Thanks for the updates

siketa makes a good point though