PeStudio is a free and portable tool which uses static analysis (and other techniques) to help you discover more about suspicious applications. The program is aimed squarely at developers and Windows experts, but don't let that put you off - there are features here which everyone can use and understand.
Getting started is as easy as dragging and dropping a program onto PeStudio. A detailed report appears almost immediately, and the first Indicators tab delivers plenty of useful information. Is it digitally signed, for instance? Is it targeted at 32- or 64-bit processors? Does it need administrative permission? And there are details about ASLR, DEP, SafeSEH, resources and more.
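Several of those indicators are plain fields in the PE headers. The Python below is an added example, not PeStudio's code: it reads the target architecture, entry-point address and the ASLR/DEP/NO_SEH bits of `DllCharacteristics` from a header-only sample constructed inline. The names `pe_indicators` and `build_sample` are made up for this example, and SafeSEH and signature checks, which need the load-config and certificate tables, are left out.

```python
import struct

MACHINES = {0x014C: "x86", 0x8664: "x64"}
# IMAGE_DLLCHARACTERISTICS_* bits in the PE optional header
FLAGS = {"ASLR": 0x0040, "DEP": 0x0100, "NO_SEH": 0x0400}

def pe_indicators(data: bytes) -> dict:
    """Read bitness, entry point and mitigation flags from PE headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, ..., SizeOfOptionalHeader
    machine, _, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24                                     # optional header
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    result = {"machine": MACHINES.get(machine, hex(machine)),
              "bits": 32 if magic == 0x10B else 64,
              "entry_rva": entry_rva}
    result.update({n: bool(dll_chars & bit) for n, bit in FLAGS.items()})
    return result

def build_sample(machine, magic, entry_rva, dll_chars) -> bytes:
    """Constructed header-only sample for the demo (not a real program)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 72, 0x0102)
    opt = bytearray(72)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    # 64-bit image with ASLR and DEP, then a 32-bit image with neither
    print(pe_indicators(build_sample(0x8664, 0x20B, 0x1000, 0x0140)))
    print(pe_indicators(build_sample(0x014C, 0x10B, 0x1000, 0x0000)))
```

To run it against a file on disk, pass `open(path, "rb").read()` to `pe_indicators`; anything that fails the MZ/PE checks raises `ValueError`.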
Clicking the Strings tab will then reveal any embedded text strings in the program - function names, paths, prompts, web addresses and more - which can be a useful way to figure out what it's doing. (Malware will usually employ various tricks to hide this kind of information, but it's still worth a try.)
The Libraries and Imports tabs show you the DLLs and other support files required by your program, and the functions it's using.
The Resources tab will list structures embedded within your program (typically icons, bitmaps, dialogs and so on).
Usefully, clicking Indicators > VirusTotal Scan Report will tell you whether any of the VirusTotal antivirus engines (46, as we write) thinks the executable is malware.
And PeStudio even comes with command line support, which means you can automate its analysis and check a host of files in a single operation.
What's new in 8.93 (see changelog for more)?
- Fix a bug when handling exports by ordinals
- Fix a bug when handling entry-point outside the first section
- Indicate when entry-point is located at the beginning of the file (aka. MZ-instructions cancellation)