Anyone using PeStudio by Winitor?

Discussion in 'other anti-malware software' started by Tyrizian, May 27, 2013.

  1. ELWIS1

    ELWIS1 Registered Member

    Joined:
    Sep 29, 2010
    Posts:
    60
    Yes.

    e.g.

    In version PeStudio 7.37 there is a language option. In later versions, no ;)
     
  2. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    @ELWIS1: Languages are back in PeStudio 7.42.
     
    Last edited: Sep 4, 2013
  3. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    PeStudio 7.43 can filter Executable Images according to the presence (or absence) of a Certificate.
     
  4. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    PeStudio 7.45 is now available with detection of the Relocations Table.
     
  5. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    Anyone interested in seeing PeStudio compute and show the real checksum of the file (besides the one stored in the image at OptionalHeader.CheckSum)?
     
  6. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    Anyone interested in seeing PeStudio "consume" YARA rules?
     
  7. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    Anyone using PeStudio?
     
  8. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    630
    Location:
    Sydney Australia
    Hi Marc

    Yes, still using occasionally. Use of YARA rules would be interesting.
    Would it be possible to have the option to save the PeStudio window size and position?
     
  9. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    @stackz: saving size and position would be possible, but would introduce problems when switching back and forth between one- and two-screen working environments (e.g. a position saved on screen 2 would not be available when booting in single-screen mode...)
     
  10. ELWIS1

    ELWIS1 Registered Member

    Joined:
    Sep 29, 2010
    Posts:
    60
    Yes, YARA in PeStudio could be very interesting.

    You can add the real checksum as well :)
     
  11. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    Real checksum will be done. Currently working on the raw dump of certificates, but it won't take long to finish.
     
  12. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    PeStudio 7.47 now supports RAW detection and handling of certificates embedded in PE files.
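
    As an added worked example (editor's code, not PeStudio's; the posts above describe the features, not how PeStudio implements them), here are the two "RAW" checks discussed in posts 5 and 12: recomputing OptionalHeader.CheckSum the way Windows' CheckSumMappedFile does, and walking the WIN_CERTIFICATE entries that the security data directory points at. Field offsets follow the PE/COFF specification. The sample PE32+ image and the certificate payload are constructed inline (the payload is just a DER prefix, not a real Authenticode signature) so the script runs offline.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data directory slot of the attribute certificate table

# Constructed payload: the DER prefix of a PKCS#7 signedData OID, NOT a real signature.
CERT_BLOB = b"\x30\x0b\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"


def parse_pe(data: bytes) -> dict:
    """Locate the optional header, its CheckSum field and the data directories."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20  # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32
        ndirs_off, dir_off = opt + 0x5C, opt + 0x60
    elif magic == 0x20B:  # PE32+
        ndirs_off, dir_off = opt + 0x6C, opt + 0x70
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = min(struct.unpack_from("<I", data, ndirs_off)[0], 16)
    return {
        "magic": magic,
        "checksum_offset": opt + 0x40,  # same offset for PE32 and PE32+
        "stored_checksum": struct.unpack_from("<I", data, opt + 0x40)[0],
        "directories": [struct.unpack_from("<II", data, dir_off + 8 * i) for i in range(ndirs)],
    }


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """CheckSumMappedFile-style checksum: carry-folded 16-bit sum over the file with the
    4-byte CheckSum field counted as zero and an odd last byte zero-padded, plus the length."""
    n, total = len(data), 0
    for off in range(0, n, 2):
        if checksum_offset <= off < checksum_offset + 4:
            continue
        word = (data[off] | (data[off + 1] << 8)) if off + 1 < n else data[off]
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return ((total & 0xFFFF) + n) & 0xFFFFFFFF


def verify_checksum(data: bytes) -> tuple:
    """Return (stored, computed, match). A mismatch is a triage hint, not a verdict."""
    pe = parse_pe(data)
    computed = pe_checksum(data, pe["checksum_offset"])
    return pe["stored_checksum"], computed, pe["stored_checksum"] == computed


def parse_certificates(data: bytes, pe: dict) -> list:
    """Walk the WIN_CERTIFICATE entries. The directory's VirtualAddress is a raw file
    offset, not an RVA: the table is never mapped, hence 'RAW access'."""
    if len(pe["directories"]) <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return []
    off, size = pe["directories"][IMAGE_DIRECTORY_ENTRY_SECURITY]
    if off == 0 or size == 0:
        return []
    end = off + size
    if end > len(data):
        raise ValueError("certificate table runs past end of file")
    entries = []
    while off + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE at offset %d" % off)
        entries.append({"revision": revision, "type": cert_type, "length": length,
                        "blob": data[off + 8:off + length]})
        off += (length + 7) & ~7  # entries are 8-byte aligned
    return entries


def build_sample_pe(cert_blob: bytes = CERT_BLOB, stored_checksum: int = 0) -> bytes:
    """Constructed minimal PE32+ (one section, certificate table appended); not a real binary."""
    dos = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 64))  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)               # PE32+ magic
    struct.pack_into("<I", opt, 0x3C, 0x200)            # SizeOfHeaders
    struct.pack_into("<I", opt, 0x40, stored_checksum)  # CheckSum
    struct.pack_into("<I", opt, 0x6C, 16)               # NumberOfRvaAndSizes
    sect = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    image = headers + (b"\xC3" + b"\x90" * 15).ljust(0x200, b"\0")  # ret + nops
    win_cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    win_cert = win_cert.ljust((len(win_cert) + 7) & ~7, b"\0")
    out = bytearray(image + win_cert)
    sec_dir = 64 + 4 + 20 + 0x70 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    struct.pack_into("<II", out, sec_dir, len(image), len(win_cert))  # offset, size
    return bytes(out)
```

    Run verify_checksum(data) and parse_certificates(data, parse_pe(data)) on the bytes of any PE file; build_sample_pe() gives a file to try it on. Two caveats when triaging with this: the loader only validates the checksum for drivers and for DLLs loaded at boot or into critical system processes, so a mismatch in an ordinary user-mode binary is routine (patched, packed, or simply built without the checksum) and is a hint, not a detection. And a WIN_CERTIFICATE entry only proves that a signature blob is present. The Authenticode digest deliberately skips the CheckSum field, the security directory entry and the certificate table itself, so bytes smuggled into the table do not invalidate a signature; checking the PKCS#7 content against the file hash is a separate step this example does not perform.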
     
  13. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    The best part of this program for me is that I can just drag and drop any file and in a few seconds the VirusTotal results are there :)
     
  14. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,725
    It's faster to create a Send To shortcut or to use the "PeStudioIntoExplorerContextMenu.reg". :D
     
  15. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    PeStudio 7.50 retrieves more details for each Certificate found, as usual only using RAW access.
     
  16. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    @Marc - I use this program instead of an AV for Internet Download Manager, which allows selecting an AV for file scanning, and it works great, except that it doesn't seem to release the file or let IDM know that it has been scanned, so the "finished" popup for IDM doesn't show up until I close PeStudio or close the image there. Is there an easy fix possible?

    Or maybe there is a command-line parameter I should add in IDM where it allows selecting the AV scanner program?
     
  17. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    @Snoop3: as far as I understand your question, I can say that PeStudio opens a file to be analysed only when the file is not yet found in memory, and it opens it with FILE_SHARE_READ access. It looks like your IDM cannot cope with that. Probably it wants exclusive access to the file.
     
  18. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    OK, that's beyond my knowledge. All I knew was that I could type in the path to the console version of Avast or Comodo, IIRC, and it would scan, and then on completion IDM has this little popup that asks if you want to open the file or the folder or just close.

    Is it possible to have an option for PeStudio to copy the file(s) to a temp folder (user selects the directory) and then maybe some options like temp folder max size and empty temp folder on closing PeStudio? I don't know if this would solve the IDM delay, but one of the few drawbacks of the program for me is that once I send a file to PeStudio I can't move the file until I close the image in PeStudio, and what I'm usually doing is checking VT results, moving the file to a new folder, renaming the file, etc. Most of these files are less than 1 MB, so adding 10 or 20 to a temp directory wouldn't take up too much space.
     
  19. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,821
    @Marc Ochsenmeier

    Can you create/add a separate .reg file that can remove the Explorer context menu entry?
     
  20. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    @Tyrizian: will be done... but don't get rid of PeStudio..! :)
     
  21. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    @Tyrizian: PeStudio 7.51 contains the new reg file to remove PeStudio from the Explorer context menu.
    @Snoop3: PeStudio 7.51 releases images much earlier; this should solve your issue with IDM.
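
    An added example of what such a removal file looks like (editor's example, not the file shipped with PeStudio 7.51; the thread does not show its contents). The key name PeStudio and the install path C:\Tools\PeStudio are assumptions: substitute whatever the install file PeStudioIntoExplorerContextMenu.reg actually created.

```reg
Windows Registry Editor Version 5.00

; Assumed layout of the install file, shown here only as comments:
;   [HKEY_CLASSES_ROOT\*\shell\PeStudio]
;   @="Open with PeStudio"
;   [HKEY_CLASSES_ROOT\*\shell\PeStudio\command]
;   @="\"C:\\Tools\\PeStudio\\PeStudio.exe\" \"%1\""
;
; A leading hyphen inside the brackets deletes the key and every subkey under it,
; which is all the removal file needs to do:
[-HKEY_CLASSES_ROOT\*\shell\PeStudio]
```

    Two details worth checking before trusting either file. HKEY_CLASSES_ROOT\*\shell is a merged view of HKEY_LOCAL_MACHINE\Software\Classes\*\shell (machine-wide, needs an elevated prompt) and HKEY_CURRENT_USER\Software\Classes\*\shell (per-user, no elevation); if the entry was installed per-user, delete it under the HKEY_CURRENT_USER path explicitly. And in the command value both the executable path and %1 are quoted, so a file name containing spaces arrives as one argument instead of being split. After merging the removal file, reg query "HKCR\*\shell\PeStudio" should report that the key cannot be found.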
     
  22. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,051
    Location:
    United Surveillance States
    If the new version doesn't help you, try using VT Hash Check to scan your downloaded files in IDM.
     
  23. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    Thanks 0strodamus, but it wants me to register and download an API, which I'm guessing will be a unique identifier, and as VT is now owned by Google I'm not too keen on adding more of my info to their database. I was hoping (and maybe I'm incorrect) that PeStudio is a way to access VT hashes without giving up any unique ID except my IP address, which is always changing for me.
     
  24. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    @Snoop3: Yes, PeStudio does not need any installation and has its own (encrypted) VT key. PeStudio does not need anything else to submit your files to VT. Your IP address, which is always changing, does not matter... does that help?
     
    Last edited: Sep 25, 2013
  25. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    PeStudio 7.52 is now available to fix an issue with the certificates.
     