A Gem of a Free Tool to Check Out a Program Before You Open or Install it

toggle-button

Here’s quite a remarkable little tool for experienced PC users to add to their arsenal of security weapons. It’s a free application called PeStudio and lets you really take a look at a file before you use it. It’s a way to learn a lot about a program before you install it. With this utility, you can dissect a file in many different ways.

PeStudio is portable and its actions do not change anything on your computer. The file being analyzed is never opened. The developer’s site is at this link. The download is a zipped file of 560 KB. The program has been around for a while and the current version is 8.05. It is said to work in all current versions of Windows. I tried it out in Windows 8, 64-bit. Although the program is portable, it should be unzipped to its own folder since it uses a number of XML files that come with it. The interface is very easy to use, just drag and drop a file on it. The information it provides will probably overwhelm many average PC users so this tool is primarily for those who are technically oriented.

File types that are analyzed include .exe, .dll, .cpl, ocx, .ax, .sys. The categories of information that are given include:

  • All libraries that are used by an application
  • All functions that are imported by an application
  • All functions that are exported by an application
  • All functions that are forwarded to other libraries
  • Whether Data Execution Prevention (DEP) is used
  • Whether Address Space Layout Randomization (ASLR) is used
  • Whether Structured Exception Handling (SEH) is used

PeStudio can also obtain a report about a file from VirusTotal. This feature can be switched on or off using an XML file included with PeStudio.

A download link is on the developer’s site. It is also available at several major download sites.

If you are concerned that this type of tool may have hidden or undesirable functions, you can read the favorable comments at Wilder’s Security Forum. The program’s developer, Marc Ochsenmeier, participates in the forum. Also, the application is listed in Gizmo's main Best Free Security List.

Get your own favorite tip published! Know a neat tech tip or trick? Then why not have it published here and receive full credit? Click here to tell us your tip.


This tips section is maintained by Vic Laurie. Vic runs several websites with Windows how-to's, guides, and tutorials, including a site for learning about Windows and the Internet and another with Windows 7 tips.

Click here for more items like this. Better still, get Tech Tips delivered via your RSS feeder or alternatively, have the RSS feed sent as email direct to your in-box.

Please rate this article: 

Your rating: None
4.1875
Average: 4.2 (16 votes)
toggle-button

Comments

Does this program have an instructional manual or other site to understand how to best use this?
I have checked the installation setup executable of a known good program SuperAntispyware Free yet it leaves some question (probably false) that this program may be suspicious.

Among the results in the main page are:
For File Description,SUPERAntiSpyware Free Edition Setup
{MD5,827378ED339546918FB893C41A72FF01}

Under "Indicators" 16/28 are "redflagged.
The image contains 86 Blacklisted Strings
The image imports 5 Library(s) detected as Blacklisted
The image imports 108 Blacklisted Functions (API)
The image Imports 4 Anonymous Symbol(s)

The ACTUAL program application executable 'red flags' the below among others:
MD5,6C12BD722FFC94584348DD34F4059FC5
The image contains 189 Blacklisted Strings
The image imports 11 Library(s) detected as Blacklisted
The image imports 175 Blacklisted Functions (API)

Also, under "Imported Libraries 11/20" which were blacklisted:
When a red highlighted (blacklisted) [*.dll] file was automatically sent to VirusTotal nothing could be found. I did not think that VirusTotal would scan a *.dll file; this should be sent to another site for analysis; program needs to be fixed in this regard.

There needs to be better guidance on how to use and interpret this program. Any references?

You have hit on one of the problems with any malware detection method. All detection schemes have grey areas. This software provides warnings but not decisions. There will always be times when additional information, judgment, and experience is required. This program is only one security tool and has to be used in conjunction with others. I wish there were a black and white procedure but security isn't that simple. Maybe this reference will help: http://www.techsupportalert.com/content/how-tell-if-file-malicious.htm You could also go to one of the security forums like Wilder's and ask for help in interpreting the kind of warnings you got: http://www.wilderssecurity.com/index.php

Vic, thank you for this post.

I am sorry to be nitpicking but this forum is read by some people that are not geeks; they mostly have limited or no knowledge of technical intricacies but are here to search for advice and information. I believe we need to be very careful to express ourselves correctly.

You write "The file being analyzed is never opened"; that is impossible. It most certainly must be opened to be read and to analyze it's content.

You certainly meant "is never executed" or in layman's terms "never run".

Thanks for your patient indulgence of my rambling.

OK, "never run" is perhaps better if you consider reading the contents of an executable file to be opening it.

He sneaked in some updates while you weren't looking - V 8.05 now.

Thanks for the update. I have corrected the version.

I tried this and it seemed to indicate that two out of the three exe files had a Trojan. Scanned the files with three different AV scanners all which showed no trojans present. Not too sure about this.

I am afraid I am not sure exactly what you are describing. Do you mean that you scanned three different exe files from other programs with this utility and it indicated they were trojans? Or do you mean you sent the files to VirusTotal using PeStudio and got a trojan report? PeStudio itself does not report trojans per se.

Hi. When the files scanned with PeStudio, the Virus Totals showed trojans, AdWare.Win32.Popupguide!O and PAK_Generic.001. There is no help file with this, so I took it to be that it reports a trojan/virus if it finds one. If I'm wrong I stand corrected.

As indicated in the article, PeStudio has an option to send files to VirusTotal that can be turned on or off. If a file is flagged by VirusTotal, you have to look further to see if it is a false indication by a few of the many programs that VirusTotal uses or a real indication. See this article for more information: http://www.techsupportalert.com/content/how-tell-if-file-malicious.htm

Thanks alot,looks good