PeStudio is a free tool for the static investigation of any Windows executable binary. A file being analyzed with PeStudio is never launched, so you can evaluate unknown executables and even malware without risk. PeStudio runs on any Windows platform and is fully portable: no installation is required, and PeStudio does not change the system or leave anything behind.
Among well-known security tools, PeStudio has proudly obtained Rank 4 in the Best 2013 Security Tools.
Indicators
PeStudio presents Indicators as a human-readable summary of the analyzed image. Indicators are grouped into categories according to their severity and show both the capabilities and the anomalies of the application being analyzed. The classifications are based on XML files provided with PeStudio; by editing the XML file, one can customize which Indicators are shown and their severity. Among the indicators, PeStudio shows when an image is compressed using UPX or MPRESS. PeStudio helps you to assess the trustworthiness of the application being analyzed.
Virus Detection
PeStudio can query the antivirus engines hosted by VirusTotal for the file being analyzed. This feature only sends the MD5 hash of the file being analyzed. It can be switched ON or OFF using an XML file included with PeStudio. PeStudio helps you to determine how suspicious the file being analyzed is.
Imports
Even a suspicious binary or malware file must interact with the operating system in order to perform its activity, and for this it must use a certain number of system libraries. PeStudio retrieves the libraries and the functions imported by the image. PeStudio also includes an XML file that is used to blacklist functions by category (e.g. Registry, Process, Thread, File, ...). The blacklist file can be customized and extended according to your own needs. In this way PeStudio reveals the intent and purpose of the application analyzed.
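To make concrete what the import check above does, here is an added example written for this page (it is not PeStudio's own code): a minimal import-table walker over a constructed PE32 image, with a constructed blacklist grouped by the categories the text names. The `BLACKLIST` and `SAMPLE_IMPORTS` tables and the sample image builder are assumptions made for the demonstration; PeStudio's real XML lists are not reproduced here.

```python
import struct

# Constructed blacklist in the spirit of PeStudio's XML function lists, grouped by
# the categories the page names; the API names are well-known Win32 exports.
BLACKLIST = {
    "Registry": {"RegOpenKeyExA", "RegSetValueExA", "RegCreateKeyExA"},
    "Process":  {"CreateProcessA", "OpenProcess", "WriteProcessMemory"},
    "Thread":   {"CreateThread", "CreateRemoteThread"},
    "File":     {"CreateFileA", "DeleteFileA", "MoveFileExA"},
}
# Constructed import set for the sample image built below (not a real binary).
SAMPLE_IMPORTS = {
    "kernel32.dll": ["CreateProcessA", "GetTickCount", "CreateRemoteThread"],
    "advapi32.dll": ["RegSetValueExA", "RegCloseKey"],
}
SECTION_RVA, SECTION_RAW = 0x1000, 0x200   # the sample's single section

def build_sample_pe(imports):
    """Emit a minimal PE32 file whose only content is an import table."""
    data = bytearray(20 * (len(imports) + 1))   # descriptor slots + zero terminator
    rva = lambda: SECTION_RVA + len(data)
    descriptors = []
    for dll, funcs in imports.items():
        name_rvas = []
        for fn in funcs:                         # IMAGE_IMPORT_BY_NAME: hint + name
            name_rvas.append(rva())
            data += struct.pack("<H", 0) + fn.encode() + b"\0"
            data += b"\0" * (len(data) % 2)      # keep entries WORD aligned
        thunk_rva = rva()                        # OriginalFirstThunk array, 0-terminated
        data += b"".join(struct.pack("<I", r) for r in name_rvas) + struct.pack("<I", 0)
        dll_rva = rva()
        data += dll.encode() + b"\0"
        descriptors.append(struct.pack("<IIIII", thunk_rva, 0, 0, dll_rva, thunk_rva))
    data[:20 * len(descriptors)] = b"".join(descriptors)
    opt = bytearray(224)                         # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, SECTION_RVA, 20 * (len(imports) + 1))  # import dir
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(data), SECTION_RVA,
                       len(data), SECTION_RAW, 0, 0, 0, 0, 0x40000040)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return hdr + bytes(SECTION_RAW - len(hdr)) + bytes(data)

def rva_to_offset(sections, rva):
    for va, raw, size in sections:
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is backed by no section (corrupt or packed image)")

def read_cstring(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii", "replace")

def parse_imports(buf):
    """Walk the import directory of an unloaded image; returns {dll: [function]}."""
    if buf[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsect, opt_size = struct.unpack_from("<H", buf, pe + 6)[0], struct.unpack_from("<H", buf, pe + 20)[0]
    opt = pe + 24
    is64 = struct.unpack_from("<H", buf, opt)[0] == 0x20B      # PE32+ uses 8-byte thunks
    imp_rva = struct.unpack_from("<I", buf, opt + (112 if is64 else 96) + 8)[0]
    sections = []
    for i in range(nsect):
        vsize, va, rsize, raw = struct.unpack_from("<IIII", buf, opt + opt_size + 40 * i + 8)
        sections.append((va, raw, max(vsize, rsize)))
    imports = {}
    if imp_rva == 0:
        return imports                               # no import directory at all
    thunk_fmt, thunk_len, ord_flag = ("<Q", 8, 1 << 63) if is64 else ("<I", 4, 1 << 31)
    desc = rva_to_offset(sections, imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", buf, desc)
        if name_rva == 0:                            # all-zero descriptor ends the table
            break
        dll = read_cstring(buf, rva_to_offset(sections, name_rva)).lower()
        names, t = [], rva_to_offset(sections, oft or ft)
        while (entry := struct.unpack_from(thunk_fmt, buf, t)[0]) != 0:
            if entry & ord_flag:                     # import by ordinal: no name to match
                names.append(f"ordinal#{entry & 0xFFFF}")
            else:
                names.append(read_cstring(buf, rva_to_offset(sections, entry) + 2))
            t += thunk_len
        imports[dll] = names
        desc += 20
    return imports

def classify_imports(imports, blacklist=BLACKLIST):
    """Return (dll, function, category) for every imported function on the blacklist."""
    return [(dll, fn, cat) for dll, fns in imports.items() for fn in fns
            for cat, names in blacklist.items() if fn in names]

if __name__ == "__main__":
    for hit in classify_imports(parse_imports(build_sample_pe(SAMPLE_IMPORTS))):
        print("%-9s %s!%s" % (hit[2], hit[0], hit[1]))
```

Two practical points follow from the code rather than from the blacklist itself: imports by ordinal carry no name, so a name-based list cannot classify them, and an image packed with UPX or MPRESS (which the Indicators section flags) usually imports only a handful of loader functions, so a very short import list is a signal to look further, not evidence of benign intent.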
Resources
Executable files typically contain not only code but also many kinds of data. Resource sections are commonly used to host Windows built-in item types (e.g. icons, strings, dialogs, menus) as well as custom data. PeStudio analyzes the resources of the file being analyzed and detects embedded items (e.g. EXE, DLL, SYS, PDF, CAB, ZIP, JAR, ...). Any item can be selected separately and saved to a file for further analysis.
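As an added example (written for this page, not part of PeStudio), the following scans the raw bytes of a resource entry for the signatures of the embedded item types the text lists, validates `MZ` hits against the PE header so that text which merely contains the letters MZ is not reported, and carves the items to files. The signature table, the carving rule for non-PE formats and the sample blob are assumptions constructed for the demonstration; walking the `.rsrc` directory tree to obtain each entry's bytes is outside this example.

```python
import struct
from pathlib import Path

# Signature table for item types commonly found inside resources. Constructed for
# this example; it is not PeStudio's own detection list.
SIGNATURES = [
    (b"MZ",         "PE image (EXE/DLL/SYS)"),
    (b"%PDF-",      "PDF"),
    (b"MSCF",       "CAB"),
    (b"PK\x03\x04", "ZIP/JAR"),
]

def looks_like_pe(blob, off):
    """'MZ' is two bytes and fires on ordinary text, so only report a PE image
    when the DOS header's e_lfanew really points at a 'PE\\0\\0' signature."""
    if off + 0x40 > len(blob):
        return False
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    return 0x40 <= e_lfanew < 0x1000 and blob[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0"

def pe_image_size(blob, off):
    """On-disk size of the PE at off: the end of the furthest section's raw data
    (or just the headers when there are no sections), relative to off."""
    pe = off + struct.unpack_from("<I", blob, off + 0x3C)[0]
    nsect = struct.unpack_from("<H", blob, pe + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]
    sh = pe + 24 + opt_size                      # first IMAGE_SECTION_HEADER
    end = sh - off + 40 * nsect
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sh + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def find_embedded(blob):
    """Return sorted [(offset, kind)] for every validated signature in the blob."""
    hits = []
    for magic, kind in SIGNATURES:
        pos = blob.find(magic)
        while pos >= 0:
            if magic != b"MZ" or looks_like_pe(blob, pos):
                hits.append((pos, kind))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)

def carve(blob, hits):
    """Cut each item out: PE images by their section table; other formats up to the
    next detected item or the end of the blob, since their length fields are not parsed."""
    items = []
    for n, (off, kind) in enumerate(hits):
        if kind.startswith("PE image"):
            end = min(off + pe_image_size(blob, off), len(blob))
        else:
            end = hits[n + 1][0] if n + 1 < len(hits) else len(blob)
        items.append((off, kind, blob[off:end]))
    return items

def save_items(items, out_dir):
    """Write each carved item to <out_dir>/item_<offset>.bin; returns the paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for off, _, payload in items:
        path = out / f"item_{off:#x}.bin"
        path.write_bytes(payload)
        paths.append(path)
    return paths

def build_sample_blob():
    """Constructed RCDATA-style payload: text containing a stray 'MZ', a tiny but
    structurally valid PE with one 16-byte section, then a PDF header."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)            # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x44, 0x14C, 1)       # Machine, NumberOfSections
    struct.pack_into("<H", hdr, 0x54, 0)               # SizeOfOptionalHeader = 0
    struct.pack_into("<II", hdr, 0x58 + 16, 16, 0x80)  # section SizeOfRawData, PointerToRawData
    fake_pe = bytes(hdr) + b"\xCC" * 16
    return (b"RCDATA padding " + b"MZ is just text here. " + bytes(20)
            + fake_pe + bytes(8) + b"%PDF-1.4\n%constructed sample\n")

if __name__ == "__main__":
    blob = build_sample_blob()
    for off, kind, payload in carve(blob, find_embedded(blob)):
        print(f"{off:#06x} {kind:24} {len(payload)} bytes")
```

Carving by signature alone over-reports, which is why the `MZ` hit is validated against the header and the PE's size is taken from its section table; for the other formats the example stops at the next item, so a carved PDF or archive may carry trailing bytes that belong to the surrounding resource.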
Certificates
PeStudio is also able to detect the digital certificates embedded in an image (when available) and handle them in RAW form: the interaction with the certificates does not use any Windows API. Using PeStudio you can even dump the content of a certificate to a file.
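As an added example (mine, not PeStudio's code), this locates the Authenticode certificate table through the security data directory and dumps each `WIN_CERTIFICATE` payload without calling any Windows API, which is the raw handling the paragraph describes. The sample image builder and the `FAKE_PKCS7` placeholder are constructed for the demonstration; the structure offsets and the type constant are those of the PE/Authenticode format.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data-directory slot of the Authenticode table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # bCertificate carries a PKCS#7 SignedData blob

# Constructed stand-in for a DER-encoded PKCS#7 blob; not a real certificate.
FAKE_PKCS7 = b"\x30\x0b\x06\x09" + b"CONSTRUCT"

def build_signed_sample(blob):
    """Minimal PE32 (no sections) with one WIN_CERTIFICATE entry appended at 0x140."""
    entry = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
    entry += bytes(-len(entry) % 8)                          # table entries are 8-byte aligned
    cert_off = 0x140
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(entry))
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)      # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x0102)
    hdr = dos + b"PE\0\0" + coff + bytes(opt)
    return hdr + bytes(cert_off - len(hdr)) + entry

def security_directory(buf):
    """Return (file_offset, size) of the certificate table, or None if unsigned.
    Unlike every other data directory, this one holds a raw file offset, not an RVA."""
    if buf[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = pe + 24
    is64 = struct.unpack_from("<H", buf, opt)[0] == 0x20B
    count = struct.unpack_from("<I", buf, opt + (108 if is64 else 92))[0]
    if count <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    dir_off = opt + (112 if is64 else 96) + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    off, size = struct.unpack_from("<II", buf, dir_off)
    return (off, size) if off and size else None

def iter_certificates(buf):
    """Yield (revision, cert_type, blob) for each WIN_CERTIFICATE in the table."""
    table = security_directory(buf)
    if table is None:
        return
    pos, end = table[0], table[0] + table[1]
    if end > len(buf):
        raise ValueError("certificate table runs past end of file (truncated image)")
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", buf, pos)
        if length < 8 or pos + length > end:
            raise ValueError(f"bad WIN_CERTIFICATE length {length} at {pos:#x}")
        yield revision, cert_type, bytes(buf[pos + 8:pos + length])
        pos += (length + 7) & ~7                             # next entry is 8-byte aligned

def dump_certificates(buf, prefix):
    """Write each PKCS#7 blob to <prefix>.<n>.p7b; returns the paths written."""
    paths = []
    for n, (_, cert_type, blob) in enumerate(iter_certificates(buf)):
        if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            continue
        path = f"{prefix}.{n}.p7b"
        with open(path, "wb") as fh:
            fh.write(blob)
        paths.append(path)
    return paths

if __name__ == "__main__":
    import tempfile
    img = build_signed_sample(FAKE_PKCS7)
    print(dump_certificates(img, tempfile.mkdtemp() + "/sample"))
```

Extracting the blob says nothing about whether the signature verifies or the signer is trusted; that is a separate check on the dumped PKCS#7 data, and a file can carry a certificate table that is present but invalid.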
Report
The goal of PeStudio is to allow investigators to analyze unknown and suspicious executable files. For this purpose, PeStudio can produce an XML output report documenting the executable file being analyzed. This XML report is intended to be consumed by any third-party analysis tool; to better support this, an XML Schema will be published soon.
Prompt
Depending on how it is started, PeStudio runs either as a Graphical User Interface (GUI) or as a Command Line Interface (CLI). Starting PeStudio in prompt mode allows the analysis of executables and the creation of the XML output file in batch mode.