PeStudio : Malicious File Analysis Tool for Windows

What do you do when you find a suspicious looking file on your computer? If you are smart, then you upload it to the VirusTotal site and see if it is malicious in nature and if it turns out to be a malware then you get rid of it. The VirusTotal site not only checks an uploaded file for malware but it also analyzes its various aspects like the file type, the compiler type, resources embedded, PE sections and more. If you want to analyze the suspicious files right on your desktop then you can use the freeware tool called PeStudio which can give you detailed information about PE (portable executable) files similar to VirusTotal.

You can download the PeStudio from the winitor web site. The download is less than one megabytes in size. After downloading it, extract the contents of the ZIP archive to a folder and double-click on the file PeStudio.exe to run it. It does not offer any menubar or toolbar to select a file. But you can just drag and drop a PE file (or any other file) onto the PeStudio window. It would instantly analyze the file and show you the results. If you want to check what VirusTotal has to say about the file, then you can select the VirusTotal option. The results from VirusTotal are displayed at an amazingly fast speed.

PeStudio : Malicious File Analysis Tool for Windows

The Headers section shows you the information related to the different header sections for the PE file. The Libraries section shows the different libraries (DLL files) loaded by the PE file when it is run. The Imports section shows the functions called from external libraries by the application. The Exports section shows the functions inside the PE that can be called by other applications. The Resources section displays all the items embedded inside the application in form of resources like bitmap files, icons, dialogs, manifest files etc.

The Strings section can show you all the strings found inside the PE file. These strings can be DLL file names, command lines, registry sections, website addresses etc. These can be useful to understand what the program is trying to do and which websites it is trying to connect to. But some clever programs obfuscate the strings and you cannot find anything useful in the Strings section.

It should be mentioned that PeStudio and other tools like this are not for the ordinary PC users. These are only for the use of advanced users. In general, if you find a malicious file, you should delete it immediately without thinking twice. But if you are an advanced user then you can get more information about the malicious file by using the free PeStudio. Even then it would be better that you use a safe environment like Virtual PC or Virtual Box for analysis of suspicious PE files.

You can download free PeStudio from http://winitor.com/.