{"id":660561,"date":"2013-05-28T05:57:59","date_gmt":"2013-05-28T09:57:59","guid":{"rendered":"http:\/\/betanews.com\/?p=154869"},"modified":"2013-05-28T05:57:59","modified_gmt":"2013-05-28T09:57:59","slug":"pestudio-lets-you-analyse-suspicious-programs-for-malware","status":"publish","type":"post","link":"https:\/\/mereja.media\/index\/660561","title":{"rendered":"PeStudio lets you analyse suspicious programs for malware"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-medium wp-image-61825\" title=\"files folders magnifying glass security scanning antivirus\" src=\"http:\/\/betanews.com\/wp-content\/uploads\/2012\/03\/files-folders-magnfying-glass-security-scanning-antivirus-300x225.jpg\" alt=\"\" width=\"300\" height=\"225\" \/>If you find a program on your PC which you think might be malware, then checking it with an antivirus tool is a good first step &#8212; but it\u2019s not the only option. You could also try &#8220;static analysis&#8221;, which involves examining the executable file itself to learn more about it. Most static analysis tools are aimed at developers and extremely complex, but the free <a title=\"PeStudio\" href=\"http:\/\/www.downloadcrew.com\/article\/30348-pestudio\" >PeStudio<\/a> is an interesting exception: it offers plenty of low-level detail, but also has more straightforward features that just about anyone can use.<\/p>\n<p>It\u2019s easy to get started with the program. Just download and unzip it, launch PeStudio.exe, and drag and drop your suspect executable onto the PeStudio window. Wait a few seconds for the program to run its analysis, and a detailed report then appears.<\/p>\n<p>The first tab, Indicators, gives you some useful information about the target application. Some of this is strictly experts-only, with details on the file\u2019s use of DEP, ASLR, SafeSEH, Thread Local Storage, and so on. But you also get plenty of more generally useful data. Is it 32 or 64-bit, for instance? 
GUI, or console-based? Does it need administrative permission? Is it digitally signed?<\/p>\n<p>Clicking the Strings tab will then reveal any embedded text strings in the program &#8212; function names, paths, prompts, web addresses, error messages and more &#8212; which can be a useful way to figure out what it\u2019s doing. (Malware will usually employ various tricks to hide this kind of information, but it\u2019s still worth a try.)<\/p>\n<p>The Misc tab (if present) shows you any properties of your mystery executable. This might include file and product names, a description, version number, target language, and so on. Don\u2019t assume any of this is true &#8212; malware could provide any details it likes here &#8212; but, again, it might help explain what the program is and where it\u2019s come from.<\/p>\n<p>And if none of this is too conclusive, then clicking Indicators &gt; VirusTotal Scan Report will tell you whether any of the VirusTotal antivirus engines (46, as we write) thinks the executable is malware. Again, don\u2019t take the VirusTotal verdict as guaranteed; it\u2019s possible you\u2019ve encountered something which hasn\u2019t been recognized yet, but it\u2019s still useful to see what the rest of the antivirus world thinks.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-154871 alignleft\" title=\"PeStudio\" src=\"http:\/\/betanews.com\/wp-content\/uploads\/2013\/05\/PeStudio-600x523.jpg\" alt=\"\" width=\"288\" height=\"251\" \/><\/p>\n<p>If you know your way around the executable file format then you\u2019ll also appreciate the Libraries and Imports tabs, which reveal the DLLs and other support files required by your program, and the functions it\u2019s using. The Resources tab is another plus, listing structures embedded within your program. 
Command line support also means all this analysis can be automated and used to check a host of files in a single operation.<\/p>\n<p>You don\u2019t have to delve into these complexities unless you really want to, though &#8212; and that\u2019s the major plus here. There\u2019s plenty of low-level information for experts, but all these technicalities don\u2019t get in your way, and even if you\u2019re a PC novice, you\u2019ll still be able to use <a title=\"PeStudio\" href=\"http:\/\/www.downloadcrew.com\/article\/30348-pestudio\" >PeStudio<\/a> to find out more about any mystery program.<\/p>\n<p><strong>Photo credit:<\/strong> <a href=\"http:\/\/www.shutterstock.com\/gallery-697561p1.html\" >megainarmy<\/a>\/<a href=\"http:\/\/www.shutterstock.com\/\" >Shutterstock<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you find a program on your PC which you think might be malware, then checking it with an antivirus tool is a good first step &#8212; but it\u2019s not the only option. You could also try &#8220;static analysis&#8221;, which involves examining the executable file itself to learn more about it. 
Most static analysis tools [&hellip;]<\/p>\n","protected":false},"author":7429,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-660561","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts\/660561","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/users\/7429"}],"replies":[{"embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/comments?post=660561"}],"version-history":[{"count":0,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts\/660561\/revisions"}],"wp:attachment":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/media?parent=660561"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/categories?post=660561"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/tags?post=660561"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}