What's new in PeStudio 9.58
Feb 4, 2024
- Fix an issue when fetching the Virustotal report
- Fix a bug when detecting libraries
- Extend indicators
New in PeStudio 9.57 (Jan 8, 2024)
- Fix bug in XML report
- Fix bug in libraries detection
- Fix bug in Resources string-tables handling
- Fix an infinite loop happening with some resources
- Add toggling of language flag
- Extend Certificate detection
- Extend detection of message-tables
New in PeStudio 9.56 (Nov 9, 2023)
- Toggle DLL <> EXE (file-header)
- Assign new entry-point (optional-header)
- Extend certificate detection
- Extend footprints detection
- Extend dialog settings
- Dump sections
- Fix bugs
New in PeStudio 9.55 (Sep 18, 2023)
- Add groups collection
- Extend dialog settings
- Reduce CPU consumption
- Fix bugs
New in PeStudio 9.55 (Sep 17, 2023)
- Add groups collection
- Extend dialog settings
- Reduce CPU consumption
- Fix bugs
New in PeStudio 9.54 (Aug 18, 2023)
- Extend embedded file detection
- Extend footprints collection
- Extend internal | external jumps
- Fix bug when handling export table
- Fix bug when handling the checksum of the image
New in PeStudio 9.53 (Jun 25, 2023)
- Fix potential DLL side-loading of libraries used by pestudio
- Fix bug when handling .NET resources
- Fix internal jumps
- Extend dump of section items
- Add detection of callback functions
New in PeStudio 9.52 (Jun 3, 2023)
- Add footprints view
- Extend strings detection
- Extend resources detection
- Fix bugs
New in PeStudio 9.50 (Apr 23, 2023)
- Show tail of Certificate
- Extend summary of Image stamps
- Extend Mitre detection
- Fix bugs
New in PeStudio 9.49 (Apr 2, 2023)
- Extend data collection of Certificate
- Extend data collection of debug
- Add switch to toggle VT
- Fix a crash when handling the relocations table
- Fix bug when handling imports table
New in PeStudio 9.48 (Mar 2, 2023)
- Add support for customer virustotal key
- Extend detection of Certificate anomaly
- Extend detection of library groups
- Extend detection of .NET Resources
- Extend detection debug streams
- Extend exports view
- Extend sections view
- Fix bugs
New in PeStudio 9.47 (Jan 31, 2023)
- Fix issue with virustotal report
- Fix bug when showing directories
- Fix bug in detection of overlay
- Extend indicators
- Extend detection of debug stream types
- Extend context menus
- Group libraries
- Clean Mitre report
New in PeStudio 9.46 (Nov 6, 2022)
- Detect spoofed libraries
- Detect invalid Import Address Table (IAT) entries
- Extend Sections view
- Fix bug in the detection of delay-loaded libraries
New in PeStudio 9.45 (Oct 22, 2022)
- Detect spoofed & hooked imports
- Detect missing Import Name Table (INT)
- Detect duplicated libraries
- Extend .NET detection
- Extend indicators
- Fix directory validity check
New in PeStudio 9.44 (Oct 9, 2022)
- Extend imports view with First-Thunk-Original (aka. INT), First-Thunk (aka. IAT) and hint
- Show discrepancy between INT and IAT tables
- Fix detection of bound libraries
- Extend indicators
New in PeStudio 9.43 (Sep 11, 2022)
- Extend debug streams detection
- Extend links to google search
- Add detection of /CETCOMPACT
- Fix bugs
New in PeStudio 9.42 (Sep 1, 2022)
- Extend .NET detection
- Fix a crash
New in PeStudio 9.40 (Aug 15, 2022)
- Synchronize XML mitre output report with front-end
- Extend rich-header view
- Fix bug when handling Import Address Table
- Fix bug when handling Delay-loaded Import Table
New in PeStudio 9.38 (Jul 28, 2022)
- Redesign Mitre View with more details
- Fix and extend exports
New in PeStudio 9.37 (Jul 18, 2022)
- Rename "blacklist" items into "flag"
- Map os-version into a friendly name
- Fix when showing image name in caption
New in PeStudio 9.36 (Jul 3, 2022)
- Consolidate Indicators
- Fix bugs
New in PeStudio 9.35 (Jun 19, 2022)
- Extend indicators
- Extend detection of .NET Resources
- Extend detection of Tooling
New in PeStudio 9.31 (Mar 31, 2022)
- Show .NET Functions Namespaces as separate item
- Extend .NET streams detection
- Fix minimum string length bug
New in PeStudio 9.30 (Mar 14, 2022)
- Handle .NET ascii strings (#Strings) Stream
- Extend detection of embedded files (e.g. MS-Compress)
- Extend indicators
- Fix bugs
New in PeStudio 9.29 (Feb 18, 2022)
- Simplify indicators
- Handle .NET unicode user-strings (#US) Stream
- Fix bugs
New in PeStudio 9.28 (Feb 3, 2022)
- Differentiate between n/a and empty Export Table
- Remove duplicates in indicators
- Show file-ratio ofNET Streams size
- Show threshold of NET Streams size
- Blacklist NET functions that belong to a blacklist Namespace
- Fix bugs
New in PeStudio 9.27 (Jan 19, 2022)
- Split Namespaces into system and custom Namespaces
- Fix a bug with the delay-load imports
New in PeStudio 9.26 (Jan 6, 2022)
- Compile pestudio package to 64bit
- Add .NET Field table
- Fix bugs
New in PeStudio 9.25 (Dec 28, 2021)
- Better detection of file signature
- Add mapping rich-header to tooling
New in PeStudio 9.24 (Dec 19, 2021)
- Show all time-stamps always and only in UTC.
New in PeStudio 9.23 (Dec 15, 2021)
- Add blacklisting of .NET namespace
- Fix bugs
New in PeStudio 9.21 (Nov 19, 2021)
- Extend detection of.NET tables
- Handle .NET namespaces
- Fix bug in Resources > context menu
New in PeStudio 9.20 (Nov 7, 2021)
- Extend detection of.NET functions and libraries
- Fix bugs
New in PeStudio 9.19 (Oct 25, 2021)
- Handle more .NET metadata
- Extend .NET relevant indicators
- Fix an issue with the detection of duplicate exports
New in PeStudio 9.18 (Oct 9, 2021)
- Handle more .NET metadata.
- Fix an issue with the exports.
New in PeStudio 9.17 (Sep 24, 2021)
- Handling .NET tables
- Fix issue when handling very large amount of exports
New in PeStudio 9.16 (Sep 9, 2021)
- Start handling .NET streams
- Fix bugs
New in PeStudio 9.15 (Sep 8, 2021)
- Fix a bug when computing the offset of string items
- Add Resource context menu to change the severity of signature
New in PeStudio 9.14 (Aug 10, 2021)
- Add Libraries context menu to toggle blacklist flag
- Fix bugs when modifying indicator's severity level
New in PeStudio 9.13 (Jun 27, 2021)
- Add Resources context menu to toggle language blacklist flag
- Extend File-header detection
- Extend Optional-header detection
- Fix bugs
New in PeStudio 9.12 (Jun 6, 2021)
- Add File-Header characteristics
- Add Option-Header characteristics
- Add Ordinal name mapping for delay-loaded libraries
- Add details to Certificate
- Extend detection of string hints
- Extend collection of DateTime stamp indicators
- Extend context menus
- Fix bugs
New in PeStudio 9.09 (Dec 27, 2020)
- Fix a bug when handling malformed relocations table
- Add handling of Rich-header
New in PeStudio 9.08 (Nov 29, 2020)
- Extend context menus
- Extend detection of embedded files
- Fix bugs
New in PeStudio 9.07 (Sep 28, 2020)
- Add Sections > Characteristics field
- Show Relocations
- Show Exceptions
- Extend support of MUI files
- Fix bug when retrieving executable hidden in data section
- Fix bug About > Check update
- Fix bug GUID pdb
New in PeStudio 9.06 (Aug 31, 2020)
- Extend User-Interface to handle XML-based settings
- Add setting filters for online-score, indicators, mitre, etc..
- Show duplicated exports for 64bit executable
- Fix bug when computing minimum string length
- Fix bug when computing file-offset of resources
New in PeStudio 9.05 (Apr 18, 2020)
- Add settings dialog to handle settings.xml file
- Fix bugs
New in PeStudio 9.04 (Apr 7, 2020)
- Add switch upper-case|lower-case Hash values
- Fix Virustotal Imphash query
New in PeStudio 9.03 (Mar 28, 2020)
- Fix bugs
- Add short/long Mitre View switch
New in PeStudio 9.03 (Mar 28, 2020)
- Fix bugs
- Add short/long Mitre View switch
New in PeStudio 9.01 (Feb 12, 2020)
- Fix bugs
- Extend indicators
New in PeStudio 9.00 (Dec 8, 2019)
- Detect when compiler time stamp is outside of certificate time stamp range
- Add Mitre Tactics detection
- Add Mitre View
- Fix bugs
New in PeStudio 8.99 (Oct 6, 2019)
- Fix bugs
- Add Mitre Technique detection
New in PeStudio 8.98 (Oct 6, 2019)
- Extend indicators with function(s) group(s)
- Fix bugs
New in PeStudio 8.97 (Aug 12, 2019)
- Change syntax of pestudio.exe parameters
- Extend indicators
- Fix bugs
New in PeStudio 8.96 (Jun 9, 2019)
- Extend Indicators
- Fix bugs
New in PeStudio 8.95 (Jun 3, 2019)
- Fix a bug when handling sections
New in PeStudio 8.94 (May 26, 2019)
- Indicate virtualized sections
- Handle (very) long strings
- Extend indicators
- Extend detection of anomalies
- Fix bugs
New in PeStudio 8.93 (May 5, 2019)
- Fix a bug when handling exports by ordinals
- Fix a bug when handling entry-point outside the first section (aka. MZ-instructions cancellation)
- Indicate when entry-point is located at the beginning of the file
New in PeStudio 8.91 (Mar 31, 2019)
- Extend indicators
- Fix a bug when handling very long unicode strings
New in PeStudio 8.90 (Mar 4, 2019)
- . detect more anomalies
- . Show first-bytes-text of resources
- . Add some missing items in the XML report file
New in PeStudio 8.89 (Feb 10, 2019)
- Fix bugs
- Synchronize the content of the XML report with the GUI
New in PeStudio 8.88 (Jan 13, 2019)
- . Fix a bug when handling export XML file from the CLI
- . Extend overview of time-date stamps
- . Handle more malformation of sections and show indicators appropriately
- . Add sample name analysed in the caption of pestudio GUI
New in PeStudio 8.87 (Jan 1, 2019)
- . Fix bugs
- . Detect TLS Callback functions for 64bit executable
- . Extend sections view with "self-modifying" tag
- . Extend msdn search on imports
- . Extend google search on exports
- . Extend google search on strings
- . Show hashes of Certificates to ease hunting
New in PeStudio 8.86 (Dec 17, 2018)
- Fixed bugs
- ADded search Google and Virustotal for resources
New in PeStudio 8.85 (Dec 6, 2018)
- Fixed bugs
- Clean API classification
- Extend several context menus
- Show time date stamp of directories
New in PeStudio 8.84 (Nov 10, 2018)
- Fix bugs
- Add google search to sections hash
- Compute hashes of Version blob
- Add google search using hashes of Version blob
New in PeStudio 8.83 (Nov 5, 2018)
- Show file hashes with and without overlay
- Fix a bug when handling embedded files
New in PeStudio 8.82 (Oct 22, 2018)
- Fix a crash on Win10
- Fix a bug when dumping sections
- Extend google search to imphash to ease hunting
- Extend google search to hashes of image, pdb, dos-stub, overlay to ease hunting
- Add underlining items to indicate google search URL link
New in PeStudio 8.81 (Aug 13, 2018)
- Add search google for strings view
- Show details of virustotal report
New in PeStudio 8.80 (Jul 15, 2018)
- Fix bugs
- Handle characteristics specific to EFI executable files
New in PeStudio 8.79 (Jul 2, 2018)
- Extend detection of embedded executable to all sections
New in PeStudio 8.77 (May 13, 2018)
- Compute SHA1 and SHA256 for dos-stub
- Compute SHA1 and SHA256 for debugger
- Extend the detection of embedded file(s) in overlay
New in PeStudio 8.76 (Apr 2, 2018)
- Fix sorting of Virustotal scores
- Extend context Menu of Virustotal view
- Add support of "favorite-engine" for Virustotal
New in PeStudio 8.75 (Mar 23, 2018)
- Fix flickering of the views
- Extend strings detection by indicating presence of API and Libraries strings in the Import Table
New in PeStudio 8.74 (Feb 26, 2018)
- Fix a bug with the creation of the XML report file
New in PeStudio 8.73 (Feb 5, 2018)
- Add functions groups to the strings View
- Extend functions groups to the delay-loaded functions
New in PeStudio 8.72 (Jan 14, 2018)
- Show functions that are delay-loaded
- Fix a bug when handling deprecated functions
- Extend context menu for imports to cope with functions.xml file
- Extend groups of imports
New in PeStudio 8.71 (Dec 15, 2017)
New in PeStudio 8.70 (Nov 26, 2017)
- Expose the indicators id number in the output XML file
- Extend grouping of utilities
- Extend grouping of imports by types and colors
New in PeStudio 8.69 (Oct 30, 2017)
- Add grouping of imports by types and colors
- Extend strings "hint" detection and mapping
New in PeStudio 8.68 (Oct 15, 2017)
- Extend signatures detection
- Extend strings "hint" detection and mapping
New in PeStudio 8.67 (Oct 8, 2017)
- Map strings "hint" to their Human-friendly name
New in PeStudio 8.66 (Oct 1, 2017)
- Fix a bug when computing the position of the entry-point when it is located at the very beginning of a section
- Add detection of strings "hint" (e.g. GUID, RTTI, ..)
New in PeStudio 8.65 (Sep 25, 2017)
- Compute the Sha256 of the image and the overlay
- Extend and consolidate the Indicators
- Fix a bug when handling a debug type
New in PeStudio 8.64 (Sep 5, 2017)
- Fix bug when showing exports of 64bit file
- Fix bug when showing the offset of the Security Directory
- Add <strings-whitelist hide="1|0"> in settings.xml to hide the whilelist strings
- Extend Indicators
New in PeStudio 8.63 (Sep 5, 2017)
- Add detection of whitlelist (well-known) strings
- Add detection of deprecated functions
- Add detection of undocumented functions
- Consolidate indicators
New in PeStudio 8.62 (Aug 13, 2017)
- Extend the resource type detection
- Extend handling of malformed manifest
- Extend handling of the file signature
- Detect "unusual" dos-stub messages
New in PeStudio 8.61 (Jul 23, 2017)
- Increase performance when loading executable with large collection of exports
- Consolidate switches in settings.xml
- Consolidate API classification
- Fix a bug when handling the Thread-Local Storage (TLS)
- Fix a bug of the Manifest View
- Fix a bug when detecting 64-bit managed files
- Add online check of update in the "About" dialog
- Add support for ARM detection
- Indicate missing library
- Extend features of standard version
New in PeStudio 8.60 (May 22, 2017)
- Add detection of Control Flow Guard (CFG)
- Add details for Virustotal view
New in PeStudio 8.59 (May 2, 2017)
- Show first bytes (hex) of resources
- Show first bytes (hex and text) of file
- Handle empty entry-point
- Extend Indicators
New in PeStudio 8.58 (Apr 21, 2017)
- Fix a crash with some 64bit executables
- Add detection of missing libraries
- Extent status-bar
New in PeStudio 8.57 (Apr 10, 2017)
- Extend translations
- Extend Exports handling
- Extend Imports handling
- Extend signatures
- Clean and Extend indicators
- Show first bytes of entrypoint
- Show first bytes of overlay
- Show dos-stub message
New in PeStudio 8.56 (Feb 27, 2017)
- Compute file-ratio for resources, sections, overlay and dos-stub
- Extent file summary
- Extent file signature detection
- Fix bugs
New in PeStudio 8.55 (Jan 2, 2017)
- Extented Indicators
- Dump PKCS7 Certificate
- fixed bugs
New in PeStudio 8.54 (May 8, 2016)
New in PeStudio 8.53 (May 8, 2016)
- Added indicators
- Show overlay strings numbers
- Detect duplicated exported symbols
- Enhanced unicode strings detection
- Show strings location map with colors
- Differentiate URLs referenced in the certificate
- Fixed bugs
New in PeStudio 8.52 (Apr 4, 2016)
- Differentiate between standard and professional (pro) versions of pestudio
- Added deletion of overlay
- Added computation of entropy
- Added detection of TLS Callback functions
- Show more details about sections
- Fixed bugs and crash
New in PeStudio 8.51 (Aug 17, 2015)
- renamed pestudioprompt.exe into pestudiox.exe
- Added virustotal scoring of hardcoded URL
- Added detection of pipes
- Added Network Watchdog to update Virustotal score automatically
- Added XML switches to define the colors of the front-end
- Fixed ordinal functions mapping for 64bit images
- Fixed a crash when handling overlay
- Fixed a bug when retrieving the Description of the delay-loaded libraries
New in PeStudio 8.50 (May 6, 2015)
- Fixed a bug when handling exported functions of 54bit executables
New in PeStudio 8.49 (May 4, 2015)
- Added detection of Windows builtin services
- Fixed a bug when handling strings
- Leveraged Indicators for embedded files
New in PeStudio 8.48 (Apr 18, 2015)
- Extended Thresholds
- Extended Indicators
- Show virustotal score for Overlay (when available)
- Fixed an issue in the Debug detection
- Fixed an issue in imported symbols by ordinal for 64bit files
New in PeStudio 8.47 (Mar 9, 2015)
- Added computation of Imports Hash (imphash)
- Added detection of strings embedded in non-PE files
- Extended detection of processor types
- Fixed a hangup
- Updated AV list
New in PeStudio 8.46 (Jan 9, 2015)
- Added new thresholds
- Extended detection
- Fixed a crash with malformed files
- Corrected duplicates during collection of functions statistics
New in PeStudio 8.45 (Dec 11, 2014)
- Added Virustotal aging and submission date
- Extended Languages detection and mapping
New in PeStudio 8.44 (Nov 28, 2014)
- Added PeID Signature detection of Executable embedded in Resources
- Added PeID Signature detection of Executable embedded in Overlay
New in PeStudio 8.43 (Nov 24, 2014)
- Added XML-based detection of PeID Signatures
- Added XML-based detection of OIDs
- Added XML-based detection of useragent
- Extented blacklists
New in PeStudio 8.42 (Nov 4, 2014)
- Added detection of references to Firefox API
- Added MD5 Blacklist for a file and its Resources
- Extended detection of Overlay
New in PeStudio 8.41 (Oct 27, 2014)
- Extended validation of Sections
- Resolve OpenSSL ordinals API to User friendly names
New in PeStudio 8.40 (Oct 25, 2014)
- Added Blacklist of MD5 dedicated to the Overlay
- Extended detection of files embedded in Resources
- Added detection of Regular Expressions and Threshold
- Cache Virustotal scores when Internet connection drops
New in PeStudio 8.39 (Oct 15, 2014)
- Small cosmetic issues
- Added Indicators and Thresholds
- Fixed a bug when handling the imports of some images
New in PeStudio 8.38 (Oct 10, 2014)
- Added more Indicators and Thresholds
- Added Functions Groups classification
- Resources with unknown Signature and containing only text are now tagged as Text
- Fixed a bug when handling the Characteristics of the FileHeader
- Added MD5, SHA1 and Virustotal Score for Overlay
New in PeStudio 8.37 (Sep 6, 2014)
- Fixed a bug when handling the
New in PeStudio 8.36 (Sep 5, 2014)
- Fixed a bug when handling the virustotal Engines
- Added Thresholds for DOS Stub and Header size
- Added Thresholds for Blacklisted Imported Libs and Blacklisted functions number
- Added Thresholds for Blacklisted Strings count
- Added Thresholds for Blacklisted Exported Functions count
New in PeStudio 8.35 (Aug 24, 2014)
- Added XML Threshold of number of Antivirus detecting the image as infected
New in PeStudio 8.34 (Aug 22, 2014)
- Extended Imported Symbols View
- Extended Indicators
- Added XML Thresholds for several values
- Added XML "prefered" Antivirus Engine Name
New in PeStudio 8.33 (Aug 18, 2014)
- Added XML Threshold on Libraries count
New in PeStudio 8.32 (Aug 14, 2014)
- Added support for White listing of Libraries per name in PeStudioWhiteListLibraries.xml
- Fixed a bug in the collection of libraries
New in PeStudio 8.31 (Aug 12, 2014)
- Extended Sections View
- Extended Blacklists
- Extended detection
- Extended the XML report resulting of the analysis
- Fixed update of Virustotal Lookup
- Fixed Ordinal to Name mapping for 64bit images
New in PeStudio 8.30 (Jul 1, 2014)
- Images analysed are now parsed in separated Thread
- Extended detection of Overlay
- Added Thresholds for Image Size
- Added Thresholds for Certificate Size
- Added Default Threshold for Resources
- Fixed a crash when analysing some 64bit files
New in PeStudio 8.29 (Jun 2, 2014)
- Extended Blacklisted Libraries and Functions
- Extended detection of embedded Registry items
- Added Threshold (PeStudioThresholds.xml) for DateTimeStamp
- Added Threshold (PeStudioThresholds.xml) for Debug Age
New in PeStudio 8.28 (May 17, 2014)
- Detect access to Group Policy
New in PeStudio 8.27 (May 17, 2014)
- Consolidated Libraries and Functions Blacklisting
- Extended the detection of privileged APIs
New in PeStudio 8.26 (May 5, 2014)
- Begin detection of Functions requiring Access Rights (privileges) to be set
- Extended Thresholds detection
New in PeStudio 8.24 (Apr 24, 2014)
- Extended features and blacklist detection
New in PeStudio 8.23 (Apr 16, 2014)
- Extended blacklist and Features detection
- Fixed a bug when handling 64bit Images
New in PeStudio 8.22 (Apr 15, 2014)
- Added detection of bound Libraries
- Setup detection of Common folder variables
- Setup detection of KNOWNFOLDERID constants represent GUIDs
New in PeStudio 8.21 (Apr 11, 2014)
- Detect Clipboard Chain hooking
- Extended Blacklist of API
- Extended detection of Undocumented API
New in PeStudio 8.20 (Apr 9, 2014)
- Extended blacklist of API
- Extended the detection of Smartcard usage
New in PeStudio 8.19 (Apr 8, 2014)
- Extended blacklist of API
- Detect Mouse and Keyboard Events programmatic synthesis
New in PeStudio 8.18 (Apr 4, 2014)
- Extended detection of files embedded in Resources and Overlay
New in PeStudio 8.17 (Mar 31, 2014)
- Added support for detection of Undocumented API (PeStudioFunctionsUndocumented.xml)
New in PeStudio 8.16 (Mar 28, 2014)
- Fixed a bug when invoking PeStudio.exe from the prompt with a file
New in PeStudio 8.15 (Mar 27, 2014)
- Extended Hooking detection
- Extended Blacklisted functions detection
New in PeStudio 8.14 (Mar 25, 2014)
- Extended detection of Overlay for InnoSetup
- Show shrinked DOS-Header
New in PeStudio 8.13 (Mar 24, 2014)
- Extended detection of Overlay
- Added PeStudioWhiteListLibraries.xml
New in PeStudio 8.12 (Feb 27, 2014)
- Show Overlay Signature
- Blacklist Well-Known SID
New in PeStudio 8.11 (Feb 25, 2014)
- Fixed a bug when Dumping a resource
- Images in Windows directories are considered as trusted
- Extended Features detection
- Extended Blacklisting
New in PeStudio 8.10 (Feb 19, 2014)
- Blacklist DNS and IP APIs
New in PeStudio 8.09 (Feb 17, 2014)
- Added detection of Microsoft Detour
- Added detection of Hooking
New in PeStudio 8.08 (Feb 17, 2014)
- Added detection of AutoIt
New in PeStudio 8.07 (Feb 13, 2014)
- Allow RAW-dumping using the context menu of any resource
- Extended Features detection
- Added Detection of Resources reuse
New in PeStudio 8.06 (Feb 6, 2014)
- Extended Features detection
- Extended Blacklisting
- Show default Icon of the Image being analysed (which often helps as first suspicious indicator)
New in PeStudio 8.05 (Jan 31, 2014)
- Extended Features detection
- Extended Blacklisting
- Extended detection of embedded IP Adresses
New in PeStudio 8.04 (Jan 28, 2014)
- Added Feature detection of Regular Expressions (Regex)
- Added Feature detection of Service Control Manager (SCM)
New in PeStudio 8.03 (Jan 28, 2014)
- Added "Anomalies" Indicators.
- Added detection of fake Microsoft executables
- Extended "Features"
New in PeStudio 8.02 (Jan 23, 2014)
- Added PeStudioFeatures.xml
- Added "Features" as part of the "Indicators". Features translates the APIs, and other data into "Features" of the executable
- being analysed (e.g. The API "FindFirstUrlCacheEntry()" is translated as "The image accesses the IE Protected Storage" Feature)
New in PeStudio 8.01 (Jan 20, 2014)
- Extented PeStudioOrdinals.xml for LDAP by ordinals
- Added a Threshold for size of Custom Resources
- Extended PeStudioThresholds.xml
New in PeStudio 8.00 (Jan 16, 2014)
- Fixed a crash when disabling VirusTotal query
- Show the Signature of the files Embedded in the Custom Resources
New in PeStudio 7.99 (Jan 15, 2014)
- Added Min/Max Threshold checks on HTML Resource size and Extented PeStudioThresholds.xml
- Extented PeStudioIndicators.xml
- Extented PeStudioOrdinals.xml
New in PeStudio 7.98 (Jan 13, 2014)
- Extended PeStudioBlackListFunctions.xml
- Extended PeStudioBlackListLibraries.xml
- Correct an issue when showing the Resources friendly names at the GUI
New in PeStudio 7.97 (Jan 9, 2014)
- Extended PeStudioThresholds.xml to detect the Min/Max size of Manifest
New in PeStudio 7.96 (Jan 8, 2014)
- New classification of Strings
- Extended detection (and Indicator) of File Version Information suspicious fields
- Extended PeStudioOrdinals.xml
- Corrected Ordinals mapping for 64 bit images
- Better visualization of Relocations entries
- Added Detection of Blacklisted Function of Delayed-loaded Libraries
- Added Support for Strings Tables
- Added Detection of Self-Registering DLLs
New in PeStudio 7.95 (Dec 27, 2013)
- Added detection (and Indicator) of anonymous Exported Functions
- Added detection (and Indicator) of multiple Executable Sections
- Added detection (and Indicator) of multiple instance Imported Functions Names
- Added PeStudioEvasions.xml to support the detection of attempts Evasions (Antidebugging)
- Added (part of) exported MFC42 ordinals to PeStudioOrdinals.xml
New in PeStudio 7.94 (Dec 16, 2013)
- Map Version Translation Information to user friendly string
- Show Version Translation Information Blacklisted Languages
- Extented PeStudioOrdinals.xml to Resolve SNMP functions imported by Ordinals back to their original names
New in PeStudio 7.93 (Dec 13, 2013)
New in PeStudio 7.92 (Dec 12, 2013)
- Added Detection of discrepency between Image Name and Manifest and (Hint of reuse of other Manifest)
- Added Detection of misspelling of the"VarFileInfo" internal tag of the Version Information (Hint to Evasion)
New in PeStudio 7.91 (Dec 10, 2013)
- Extended PeStudioBlackListFunctions.xml
- Fixed a bug when creating the XML report file
New in PeStudio 7.90 (Dec 9, 2013)
- Extended detection of fake and missing fields in the File Version Information block
- Show more fields of Version Information block
- Added new Indicators
New in PeStudio 7.89 (Dec 5, 2013)
- Extended anomalies detection of File Version Information fields
New in PeStudio 7.88 (Dec 4, 2013)
- Added detection of signature for the Resources
New in PeStudio 7.87 (Dec 2, 2013)
- Extended detection of embedded IP Addresses
- Extended malicious usage of Resource Icons
- Added new Indicator for suspicious Resource Icons
New in PeStudio 7.86 (Dec 2, 2013)
- Added Support for Sections -> Context Menu -> Dump
- Added Support for Dumping ICO as RAW and ICO.file format
New in PeStudio 7.85 (Nov 28, 2013)
- Extended detection of suspicious debugger fields (invalid content - e.g.: flame)
- Added PeStudioFunctionsMapping.XML to map Function Names (e.g. SystemFunction036 to RtlGenRandom )
New in PeStudio 7.84 (Nov 20, 2013)
- Better detection of hard-coded IP Addresses
- Added Tag in PeStudioBlackListStrings.xml to hide the strings that are Imported Libraries (with the goal to concentrate on strings that really matter)
New in PeStudio 7.83 (Nov 16, 2013)
- Extended PeStudioBlackListFunctions.xml
- Added Tag in PeStudioBlackListStrings.xml to hide the strings that are Imported Libraries (with the goal to concentrate on strings that really matter)
New in PeStudio 7.82 (Nov 15, 2013)
- Consolidated Indicators about blacklisted Resources Languages
- Show the Resources Tree leaf in Red when a Resource Language has been detected as Blacklisted
New in PeStudio 7.81 (Nov 14, 2013)
- Added PeStudioBlackLanguages.XML to support detection of Resources Blacklisted Languages
New in PeStudio 7.80 (Nov 13, 2013)
- Extended Blacklist of Libraries
- Map dynamically loaded libraries to the content of PeStudioBlackListLibraries.xml
- Map dynamically loaded functions to the content of PeStudioBlackListFunctions.xml
New in PeStudio 7.79 (Nov 12, 2013)
- Corrected Imported Functions names for 64bit images
- Added Correlation between strings and imported Libraries
- Extended PeStudioTranslations.xml
New in PeStudio 7.78 (Nov 11, 2013)
- Added Detection and Indicator for ComSpec
- Added Correlation between strings and imported Symbols
New in PeStudio 7.77 (Nov 9, 2013)
- Added Detection and Indicator for MIME64 Encoding string
- Added Detection and Indicator for hard-coded IP Adresses
New in PeStudio 7.76 (Nov 8, 2013)
- Added PeStudioOrdinals.xml to map Imported Ordinals to their original Function Names
New in PeStudio 7.75 (Nov 5, 2013)
- Fixed a bug with the Exported Symbols of 64 bit Images
New in PeStudio 7.74 (Nov 4, 2013)
- Added detection of GINA
- Extended Directories Validation
- Added Valid, Missing, Empty fields for Directories
- Extended PeStudioBlackListLibraries.xml
- Extended PeStudioIndicators.xml
New in PeStudio 7.73 (Nov 4, 2013)
- Extended validation of Debug fields
- Extended PeStudioIndicators.xml
- Added Context Menu at the image level
- Added Certificates validity handling
- Added Indicator Id in the output XML report
New in PeStudio 7.72 (Nov 1, 2013)
- Created PeStudioBlackListLibraries.xml for the Detection of blacklisted Libraries
- Added a new Indicator in PeStudioIndicators.xml
New in PeStudio 7.71 (Oct 31, 2013)
- Fixed a bug when handling empty Relocation Table
New in PeStudio 7.70 (Oct 30, 2013)
- Created PeStudioPrompt.exe, a stand-alone version of PeStudio running exclusively at the prompt
New in PeStudio 7.69 (Oct 30, 2013)
- Fixed a problem when disabling the Lookup to VT
New in PeStudio 7.68 (Oct 28, 2013)
- Added detection of Debug File without PDB extension
- Added detection of Debug File name different than the image name
- Changed Sections UI
- Changed VirusTotal UI
New in PeStudio 7.67 (Oct 26, 2013)
- Added Query MSDN context menu for Exported Functions
- Show Gaps in Exported Functions Table
- Extended PeStudioTranslations.xml
- Extended PeStudioIndicators.xml
New in PeStudio 7.66 (Oct 25, 2013)
- Show more details of VirusTotal
New in PeStudio 7.65 (Oct 23, 2013)
- Added detection of PeCompact compressor
New in PeStudio 7.64 (Oct 23, 2013)
New in PeStudio 7.63 (Oct 23, 2013)
- Extended PeStudioThresholds.xml (which enables your to define your own thresholds)
- Extended PeStudioTranslations.xml (which enables you to change the text at the UI)
- Extended PeStudioSettings.XML (which enables you to change the behaviour of PeStudio)
- Added R/W support UI PeStudioSettings.XML
New in PeStudio 7.62 (Oct 14, 2013)
- Extended PeStudioBlackListFunctions.xml
- Fixed an Issue when closing all files
New in PeStudio 7.61 (Oct 13, 2013)
- Added detection of missing Trust Information inside Manifest
- Extended PeStudioIndicators.xml
- Extended PeStudioTranslations.xml
New in PeStudio 7.60 (Oct 9, 2013)
- Added a switch (see PeStudioBlackListStrings.xml) for case-sensitiveness when scanning the black strings
- Added a switch (see PeStudioBlackListStrings.xml) for substrings when scanning the black strings
- Added Support for Windows File Redirection
New in PeStudio 7.59 (Oct 8, 2013)
- Added DOS Stub at the UI
- Added new Indicator related to the (suspicious) size of the DOS Stub
- Added PeStudioThresholds.xml that contains the Min, Max values used as thresholds
- Fixed enabling/disabling Virustotal lookup switch
New in PeStudio 7.58 (Oct 7, 2013)
- Added filtering of Windows (standard vs. custom) Resources
- Added filtering of obfuscated Sections
- Added filtering of forwarded exported Symbols
- Added Indicator about Expired Certificate(s)
New in PeStudio 7.57 (Oct 3, 2013)
- Added test of Exported Blacklisted Functions
- Extended PeStudioIndicators.xml
New in PeStudio 7.56 (Oct 3, 2013)
- Added PeStudioSectionsNames.xml containing a Whitelist of Sections Names ( Sections names NOT in this list will be detected as Blacklisted )
- Extended PeStudioIndicators.xml
New in PeStudio 7.55 (Oct 2, 2013)
- Extended Validation Handling
- Extended Certificates Handling
New in PeStudio 7.54 (Sep 30, 2013)
- Enable to open ANY image (to show the results with VirusTotal)
- Added Creation, Last Access and Last Write times
- Extended validation and reflect it on the Tree View
- Extended Version Information handling
- Added Deprecated column to the Imported Symbols view
New in PeStudio 7.53 (Sep 28, 2013)
- Added CTRL-C and CTRL-A support for all views
- Added details for Relocations
- Extended PeStudioTranslations.xml
- Added translation of Machine Type
- Fixed a hangup when running on XP
New in PeStudio 7.52 (Sep 28, 2013)
- Extended details about Sections
- Fixed a bug with the Certificates
New in PeStudio 7.51 (Sep 26, 2013)
- Added PeStudioRemoveFromExplorerContextMenu.reg file to remove PeStudio from Explorer context menu
- Added validation of OptionalHeader.CheckSum
- Added result of OptionalHeader.CheckSum validation as Indicator
- Released Image being analysed earlier
New in PeStudio 7.50 (Sep 24, 2013)
- Added more details for each Certificate found in an additional View
- Extended Blacklisted Functions list
- Extended Obsolete Functions list
New in PeStudio 7.49 (Sep 20, 2013)
- Added Certificates Expiration Validity Check
- Added Dump of Indicators
- Added Dump of Manifest
New in PeStudio 7.48 (Sep 18, 2013)
- Added Context menu for Certificates
- Added Dump of Certificates
New in PeStudio 7.47 (Sep 17, 2013)
- Raw discovery of fundamental characteristics of the Certificate(s) embedded in the Image
- Extended Indicators for Certificates
New in PeStudio 7.46 (Sep 16, 2013)
- Corrected execution of PeStudio from the command prompt
- Images that cannot be opened (e.g. invalid format,...) are shown in Gray
- Extended Tree Context Menu for VirusTotal
New in PeStudio 7.45 (Sep 12, 2013)
- Extended Tree Context Menu
- Added Relocation Tables discovery
- Added Indicator about Relocation Items in PeStudioIndicators.xml
New in PeStudio 7.44 (Sep 9, 2013)
- Added discovery of registered Exception handlers of 64bit Images
- Added Indicators for registered Exception handlers
- Added discovery of static usage of Thread Local Space (TLS)
- Added Indicator for usage of Thread Local Space (TLS)
- Extented Filtering
New in PeStudio 7.43 (Sep 6, 2013)
- Added a Filtering mechanism in the Parser
- Added a UI to filter according to the presence of Certificate
New in PeStudio 7.42 (Sep 4, 2013)
- Corrected FileVersion shown when pointing the image
- Extended context menu for imported libraries
- Extended context menu for resources
New in PeStudio 7.41 (Sep 2, 2013)
- Implemented the "default_view" (see PeStudioSettings.xml)
- Added general Information when pointing an Image root
- Added Tree coloring (e.g. VirusTotal score)
- Added Tree context menu
New in PeStudio 7.40 (Aug 31, 2013)
- Fixed the dependencies of the new UI of PeStudio
New in PeStudio 7.39 (Aug 29, 2013)
- Added context-menu for all lists
- Added Accelerators
- Added Close All Images button
New in PeStudio 7.38 (Aug 29, 2013)
- Redesign of the User Interface
- Support loading of multiple images
- Demangled the Parser programmatic interface
- Issue: when loading too many images simultaneously, the VT results are not retrieved for some images. This is "normal" since the current key PeStudio is using is restricted as far as the amount of request pro seconds is concerned. This issue will be handled with VT
New in PeStudio 7.37 (Aug 15, 2013)
- Added detection of empty fields in the Version Information block
- Added Indicator "The Version field '%s' is Empty" (e.g The Version field 'CompanyName' is Empty)
New in PeStudio 7.36 (Aug 13, 2013)
- Added Support of images packed with FSG
New in PeStudio 7.35 (Aug 12, 2013)
New in PeStudio 7.34 (Aug 9, 2013)
- Handled misalignement of Version buffer
New in PeStudio 7.33 (Aug 8, 2013)
- Better validation of certificat
New in PeStudio 7.32 (Aug 7, 2013)
- Fixed a crash with files depending on a specific library.
New in PeStudio 7.31 (Aug 3, 2013)
- Handled an issue when loading the same image multiple times
New in PeStudio 7.30 (Aug 2, 2013)
- Correct Load Configuration Directory validation
- Added detection of in-process COM Server (e.g. BHO Plugin)
New in PeStudio 7.29 (Aug 1, 2013)
- Handle malformed or empty App Paths entries
- Show/Hide Virustotal TAB from the UI and Show/Hide the Virustotal XML Section according to the switch in PeStudioVirusTotal.xml
New in PeStudio 7.28 (Jul 31, 2013)
- fixed a bug when opening PeStudio with a right-mouse click on in Explorer
- "PeStudio Handbook.pdf" is now directly available at www.winitor.com
New in PeStudio 7.27 (Jul 30, 2013)
- Support usage of PeStudio from the Command Prompt
- Started a "PeStudio Handbook.pdf"
New in PeStudio 7.26 (Jul 26, 2013)
- Added Validity checks (and Indicators) on Section Headers (e.g. file missalignment)
- fixed SHA1 issue
New in PeStudio 7.25 (Jul 25, 2013)
- Fixed an issue with 64bit Images.
New in PeStudio 7.24 (Jul 25, 2013)
- Handle Resources distributed among several Sections (à la Themida)
- Added TAG in the PeStudioSetting.xml file to determine in which TAB the GUI must start
New in PeStudio 7.23 (Jul 24, 2013)
- Added an Indicator when the Offset of a Directory is outside any Section
- Added an Indicator for duplicate Sections Offset
- Corrected mapping of Sections
- Handle non-printable characters in XML report
New in PeStudio 7.22 (Jul 19, 2013)
- Added more Indicators specific to the location of the Entry Point
- Added more details (offset and size) for each file Cave detected
New in PeStudio 7.21 (Jul 18, 2013)
- Show the name of the section BaseOfCode is located in
- Fixed reporting of the Libraries in the XML report
New in PeStudio 7.20 (Jul 18, 2013)
- Simplified Indicators XML file
- Added Indicators specific for First and Last Sections
- Take virtual Section into account when pointing the overlay
New in PeStudio 7.19 (Jul 15, 2013)
- Fixed detection of MPRESS under 64bit
- Added detection and Indicator of suspicious Certificate size
- Added detection and Indicator of suspicious Certificate content (e.g. padding)
New in PeStudio 7.18 (Jul 15, 2013)
- Added MD5 computation for Resources
New in PeStudio 7.17 (Jul 13, 2013)
- Added MD5 computation for Sections
- Extented Severity levels with "positive" (green) indicators
New in PeStudio 7.16 (Jul 11, 2013)
- Handle shrinked (hand-crafted) File Header
- Added collection of Unicode Strings
New in PeStudio 7.15 (Jul 10, 2013)
- Detect (direct) usage of Native API
New in PeStudio 7.14 (Jul 10, 2013)
- Detection of Embedded Executable in malformed Images
- Detect Images statically linked to the C-Runtime and show this as Indicator
New in PeStudio 7.13 (Jul 8, 2013)
- Added Detection of Device Drivers and handle Indicators accordingly
New in PeStudio 7.12 (Jul 8, 2013)
- Extended detection of Custom Embedded files in standard Resources
New in PeStudio 7.11 (Jul 5, 2013)
- Removed many strings from Parser and put these in a new PeStudioTranslations.XML file
- Corrected NB10 debug detection
New in PeStudio 7.10 (Jul 5, 2013)
- Show Section:Offset for Resources
- Extended Types and location of embedded Executables
- More validity checks on Exports
- More detection of Masquerated UPX
New in PeStudio 7.09 (Jul 4, 2013)
- Enhanced detection of fake UPX
- Extented Blacklist of Functions
- Fixed a bug when handling exported functions
- Show Section:Offset Addresses where exports, imports and strings are located in
New in PeStudio 7.08 (Jul 4, 2013)
- Added more validation check on Version info to handle hand-crafted version block (e.g. corkami\version_cust.exe)
- Added Detection of Images based on the Visual Basic Virtual Machine
- Corrected size of Overlay when the image is signed
New in PeStudio 7.07 (Jul 1, 2013)
- Show Offset and Subsystem type of Embedded Executable(s)
New in PeStudio 7.06 (Jun 29, 2013)
- Added detection of Overlay (extra-data appended to the end of the image) as Indicator (e.g. spotify)
New in PeStudio 7.05 (Jun 28, 2013)
- Added Detection of Fake UPX (sections named as UPX but the image is NOT UPXed)
- Extended detection of Executable(s) embedded in the image
- Extended "Severity" Indicator (see PeStudioIndicators.xml) to increase the granularity when scoring an image.
- Added "PeStudioIntoExplorerContextMenu.reg" file to the package to *manually* integrate PeStudio in the context Menu of Explorer
New in PeStudio 7.04 (Jun 25, 2013)
- Added Handling of Blacklisted imported Functions (API) based on the PeStudioBlackListFunctions.XML (You can edit this
- file according to your needs and tag any function as being BLACK).
- Blacklisted imported functions and strings shown with a dark gray background color.
- Detect Directories outside any Section
- Detect unusual contruct of Version Information block ("VarFileInfo" preceeding "StringFileInfo")
New in PeStudio 7.03 (Jun 22, 2013)
- Added detection of MPRESS compression
- Added detection of UPX evasion (one or more standard UPX section names changed)
- Added computation of SHA1 of the image analyzed
- fixed issue with right mouse copy at the UI
New in PeStudio 7.02 (Jun 19, 2013)
- Added Items in Blacklist XML file
- PeStudioSettings.xml now centralizes the names (which are not hardcoded anymore) of the others XML files
- The Blacklist engine can now be switched ON and OFF in the XML file enumerating the the Blacklisted strings.
- The minimum length of strings detected is now determined in the Blacklist XML file
- Show more details about the content of ollybugs images
- cleaning up comments in this ChangeLog.txt file
- fixed an issue with strings enumeration
New in PeStudio 7.01 (Jun 17, 2013)
- Added a new PeStudioStringsBlackList.xml file.
- This file contains the list of "blacklisted" strings which will be used to detect suspicious strings in the Image.
- You must manually edit this file to add strings to your convenience.
- The "blacklisted" strings will be shown as Indicators and at the UI in the Strings Tab.
- Added validation on Number of Sections
New in PeStudio 7.00 (Jun 17, 2013)
- Added additional Hints about suspicious size of the Version Resource (some malware place custom stream in standard Windows Resources)
- Added additional Hints about Invalid Directories as Indicator and at the UI
- Extended handling to handle Ollybugs images
New in PeStudio 6.99 (Jun 15, 2013)
- Added support for suspicious imported file names (e.g. unprintable name, not null terminated)
- Added PeStudioSettings.xml and handling VirusTotal switch ON/OFF based on this XML file
- Enhanced validation of EAT (ollybug.exe)
New in PeStudio 6.98 (Jun 13, 2013)
- Detect INVALID DATA found in the VERSION_INFO stream (some malware place custom stream in standard Windows Resources)
- Extended support for corkami malformed samples
- Added more items in PestudioIndicators.xml
New in PeStudio 6.97 (Jun 11, 2013)
- Fixed side-effect in libraries enumberation
New in PeStudio 6.96 (Jun 10, 2013)
- Enhanced support for Delay-loaded libraries
- Enhance detection of invalid entries in the import table
- Fixed a malformation of the XML report created by PeStudio
- removed superflous controls from the UI
- Detect Executables Embedded inside Executables embedded in Resources (eg. procexp)
New in PeStudio 6.95 (Jun 7, 2013)
- Add detection of Embedded Executable Files Outside the Resources
- Differentiate between Embedded Executable Files inside and Outside the Resources and show these as Indicators (see PeStudioIndicators.xml file)
New in PeStudio 6.94 (Jun 7, 2013)
- Radio Buttons for the Indicators are back in the UI
New in PeStudio 6.93 (Jun 7, 2013)
- Corrected a bug by right-click Copy
New in PeStudio 6.92 (Jun 7, 2013)
- Check for duplicates in the Export Symbols
- Truncate original file name when needed (malformed images attempting to escape analysis)
- Added detection of fake (unprintable characters) imported library names (malformed images attempting to escape analysis)
- Added dependency type in the UI list
New in PeStudio 6.91 (Jun 3, 2013)
- All lists support right-click context menu
- Added ordering by number in all lists
- Added size in Strings List
New in PeStudio 6.90 (May 31, 2013)
- Severity flags (red, yellow color for the UI Indicators) are now read from PeStudioIndicators.XML
- Added support for Sorting by Color for Indicators
- Added support for sorting by Text for lists
- Added detection of PKZIP, PKLITE, PKSFX and JAR Embedded in Resources
- Added new items to PeStudioFunctionsDeprecated.XML file and simplified its format
- Added Indicators for any Directory (e.g. Import Directory) located outside Sections
- Added detection of RTF Embedded in Resources
- Simplified format of PeStudioIndicators.XML
- Changed many Indicators (e.g. Resources, Directories, MachineTarget) to more generic Indicators
- Ignore SEH for managed code
New in PeStudio 6.89 (May 16, 2013)
- Added Detection of ZM instead of MZ at the begin of the image
- Added Query of Imported Functions at MSDN using the Context Menu
- Fixed a bug in the XML report
- Filter Directories types on the UI
New in PeStudio 6.88 (May 16, 2013)
- Added Detection of Qt Embedded Resources
- Added Translation of OptionalHeader.Subsystem into human friendly name
- Added support for Directories located outside of Section (aka. TinyPe.exe)
- Corrected computation of MS-DOS Header
- Added Indicator "The size (%i Bytes) of the MS-DOS Stub is very uncommon"
New in PeStudio 6.87 (May 16, 2013)
- Handle unsual MS-DOS Header size and show at the UI and XML report accordingly
- Added Indicator "The size of the MS-DOS Header (%i Bytes) complies to the specification (64bytes)"
- Added Indicator "The size of the MS-DOS Header (%i Bytes) is smaller than the specification (64bytes)"
- Added Indicator "The count (%i) of Section Headers has reached the Windows Limits (1-96)"
- Added Indicator "The count (%i) of Section Headers is very unusual"
New in PeStudio 6.86 (May 11, 2013)
- Put Directories Tab into Headers Tab
- Add new Indicators and validation tests
- Add more coloring for showing fields validation for many samples of corkami
- Handle another type of malformation of image (and thus avoid crash of PeStudio)
New in PeStudio 6.85 (May 10, 2013)
- Added *ALL* details of the VirusTotal scan report in the XML report file
- Consolidated the UI of the Debug, .NET, Manifest items in the Miscelllaneous Tab
- Added DosHeader output to UI
- Consolidated DosHeader list, File Header list, Optional Header list and SectionHeader list in one view
- Added the Version details to the Miscelllaneous Tab
- Added .NET basic information
- Addes support for CTRL-A selection for ALL lists
- Added Copy & Paste with the context Menu in All lists
- Corrected a bug by showing the libraries image base Addresses
- Consolidated headers (DOS, File, Section, Directory) in XML Report file
New in PeStudio 6.80 (May 2, 2013)
- The Lookup at VirusTotal has been totally integrated into PeStudio, no browser is started anymore
- The result of VirusTotal is now shown at the UI
- The result of VirusTotal is now available in the XML report file
- ALL corkami images have been tested against PeStudio
New in PeStudio 6.75 (Apr 26, 2013)
- Added support for dumping resources using the right-click in the Tree view
- Check for Directories outside of the Image (and thus avoid crash of Pestudio with some malformed images)
- Added Indicators for Directories outside of Image
New in PeStudio 6.70 (Apr 26, 2013)
- Added a new "Lookup at VirusTotal" link
- Removed a bug that disabled all check boxes
New in PeStudio 6.65 (Apr 22, 2013)
- Added a context menu to Libraries Tab to test the MD5 of the pointed Library on www.virustotal.com using the default Browser (only the MD5 is HTTP posted, NOT the image!)
- Added a context menu to Indicators Tab to test the MD5 of the analyzed image on www.virustotal.com using the default Browser (only the MD5 is HTTP posted, NOT the image!)
- Added a context menu to Libraries Tab to analyse dependent libraries with a new instance of PeStudio
- Added a context menu to Strings Tab to dump and copy to clipboard
- Added Indicator "The image has no Translation information"
- Added detection of MOFDATA (Managed Object Format - MOF) Resources
- Added detection of WEVT_TEMPLATE (Windows XML Event Log - EVTX) Resources
New in PeStudio 6.60 (Apr 15, 2013)
- Added Support for dumping the Sections into a file from the GUI using the right-mouse click
- Added Support for dumping the Resources into a file from the GUI using the right-mouse click
New in PeStudio 6.55 (Apr 13, 2013)
- Added full RAW access to Icons items
- Corrected handling of obsolete Functions
- Created handling of Resources CodePages via PeStudioCodePages.XML file
New in PeStudio 6.50 (Apr 9, 2013)
- Added detection of 7zSFX files embedded in Resources
- Added Mapping of Language Code of StringFileInfo to Human friendly name into the XML Report
- Added Mapping of Code Page of StringFileInfo to Human friendly name into the XML Report
- Icon at the UI is now directly loaded from the Resource using our own interface
New in PeStudio 6.40 (Apr 5, 2013)
- Dump the content of StringFileInfo in the XML report
- Dump the content of VarFileInto in the XML report
New in PeStudio 6.30 (Apr 1, 2013)
- Corrected a bug in the Console version of PeStudio
- Added Version VS_VERSIONINFO raw data in the XML Report
- Added Version VS_FIXEDFILEINFO raw data in the XML Report
- Should an error take place when handling an image, shows its description at the UI and in the XML file
- Added Indicator "The image masquerades UPX compression" (sections are named as UPX, BUT the image is NOT compressed with UPX!)
New in PeStudio 6.20 (Mar 25, 2013)
- Added Indicator "The image File Version is %s"
- Added Indicator "The image is encrypted with UPX (version %s, level %i)"
- Added UPX information details in XML report file
New in PeStudio 6.10 (Mar 18, 2013)
- Release Image analyzed when handling a new one
- Enable Reporting for invalid images
- Show number of Items in Report Tab at the UI
- Added Search String feature at the UI
- Added Indicator "The image is a Executable"
- Added Indicator The image is a Dynamic-Link Library (DLL)"
- Added Indicator "The image size on the Disk (as reported) is %i Bytes"
- Added Indicator "The File is Not a Windows Portable Executable (PE) image"
- PeStudioFunctionsDepracated.XML is now loaded once
- PeStudioIndicators.XML is not loaded once
- Handle missing PeStudiIndicators.XML file
- Corrected Offset Addresses of Strings detection
New in PeStudio 6.00 (Feb 23, 2013)
- Added Indicator "The image file contains %i unused Bytes (Caves)"
- Added Indicator "The image Name has been Changed"
- Added Indicator "The image original name was %s"
- Added Indicator "The image contains %i bytes of Code"
- Added Indicator "The image contains %i embedded Visual Stylesheet XML Items(s)"
- Added Indicator "The image contains %i Custom Resource Item(s)"
- Added Indicator "The image contains %i Built-in Resources Item(s)"
New in PeStudio 5.55 (Feb 23, 2013)
- Added Indicator "The image references (%s) Debug Symbols"
- Added Indicator "The image has %i Writable and Executable Section(s)"
- Added Indicator "The image has %i Writable and Shared Section(s) which can be used as Attack Verctor"
- Added Indicator "The image does NOT use Data Execution Prevention (DEP) as Mitigation technique"
- Added Indicator "The image does NOT use Address Space Layout Randomization (ASLR) as Mitigation technique"
- Added Indicator "The image does NOT use Safe Structured Exception Handling (SafeSEH) as Mitigation technique"
- Added Indicator "The image does NOT use Cookies placed on the Stack (GS) as Mitigation technique"
- Fixed a bug by reading Symbols
New in PeStudio 5.50 (Feb 23, 2013)
- Added Indicator "The image exports %i Symbols"
- Added Indicator "The image exports %i Obsolete Symbols"
- Added Indicator "The image exports %i Anonymous Symbol(s)"
- Added Indicator "The image exports %i Forwarded Symbol(s)"
- Added Indicator "The image exports %i Decorated Symbol(s)"
- Added Indicator "The image imports %i Symbol(s)"
- Added Indicator "The image imports %i Obsolete Symbol(s)"
- Added Indicator "The image imports %i Anonymous Symbol(s)"
- Added Indicator "The image imports %i Forwarded Symbol(s)"
- Added Indicator "The image imports %i Decorated Symbol(s)"
- Added Collection of IMAGE_BOUND_IMPORT_DESCRIPTOR details in XML Report
- Added Indicator "The image is bound to %i Libraries"
New in PeStudio 5.40 (Feb 23, 2013)
- Extended Indicators for Embedded Resources
- Corrected missing Dependencies for some types of images
New in PeStudio 5.30 (Feb 23, 2013)
- Renamed *.XML files to PeStudio*.XML
- Interfaces to PeParser (PeParser.h and PeParser.lib) are now part of the Package.
- Added Indexing of String
- Added Detection of duplicated Section Names
New in PeStudio 4.90 (Jan 31, 2013)
- Added MachineType in Indicators.XML
- Added FileSignature in Indicators.XML
New in PeStudio 4.80 (Jan 31, 2013)
- Add items in Indicators.XML
- Custom Resources are shown in orange color
New in PeStudio 4.70 (Jan 26, 2013)
- Corrected handling of Certificate Directory
- Corrected coloring of Indicators
New in PeStudio 4.60 (Jan 26, 2013)
- Increased detection for obfuscated images
- Increased stability of the tool against malformed images
- Added better support for obfuscated images
- Extented Indicators of Malformations (IOM)
- Created a new file (Indicators.XML) containing the Indicators shown at the UI and in the XML report that can be created by the tool
- Added better detection of Missing Libraries
New in PeStudio 4.50 (Oct 29, 2012)
- Correct discovery of Delay-loaded libraries
New in PeStudio 4.40 (Oct 29, 2012)
- When handling a resources only image, some validity checks are differents
New in PeStudio 4.30 (Oct 29, 2012)
- Enhanced detection of device driver images
New in PeStudio 4.20 (Oct 23, 2012)
- Renamed parameters for command prompt
- Added detection of CAB files embedded as Resource in an Image
- Added detection of PDF files embedded as Resource in an Image
- Added detection of RIFF files embedded as Resource in an Image
- Added detection of GIF files embedded as Resource in an Image
- Added detection of PNG files embedded as Resource in an Image
- Added detection of Delphi Forms embedded as Resource in an Image
- Added detection of "requireAdministrator" Execution Level from the Manifest
- Corrected custom Resources detection
New in PeStudio 4.10 (Oct 4, 2012)
- Added Command Prompt support (see Prompt support description above)
- Added "The image exports XY Symbols" as new Indicator
- Added more obsolete functions in the WindowsFunctionsDeprecated.xml file (delivered with this project)
New in PeStudio 4.00 (Sep 20, 2012)
- Now fully support 64bit Images on 32bit Platform
- Validate IMAGE_OPTIONAL_HEADER.SectionAlignment
- Validate IMAGE_OPTIONAL_HEADER.FileAlignment
- Validate IMAGE_OPTIONAL_HEADER.SizeOfUninitializedData
- Validate IMAGE_OPTIONAL_HEADER.SizeOfInitializedData
- Validate IMAGE_OPTIONAL_HEADER.SizeOfCode
- Validate IMAGE_OPTIONAL_HEADER.NumberOfRvaAndSizes
- Validate IMAGE_OPTIONAL_HEADER.SizeOfImage
- Validate IMAGE_FILE_HEADER.SizeOfOptionalHeader
- Validate IMAGE_FILE_HEADER.NumberOfSections
- Validate IMAGE_FILE_HEADER.TimeStamp
- Validate IMAGE_FILE_HEADER.PointertoSymbolTable
- Validate IMAGE_FILE_HEADER.NumberOfSymbols
- Show Resources Languages
- Show Type of Debug information (NB09, NB10, NB11, RSDS )
- Show imported Functions of missing libraries
- Show total number of Bytes available in Caves
- Show Gaps in Exported Symbols collection
- Show Section Name the Base of Data belongs to
- Added validation of IMAGE_DOS_HEADER, IMAGE_NT_HEADERS
- Added validation of IMAGE_DIRECTORY_ENTRY_IMPORT, IMAGE_DIRECTORY_ENTRY_RESOURCE
- Added OptionalHeader to XML report
- Added detection of non-standard Sections is NOT based on their names anymore
- Added detection of invalid Directory (IMAGE_DATA_DIRECTORY)
- Added detection of invalid Export Table Directory (IMAGE_EXPORT_DIRECTORY)
- Added detection of duplicated Sections names
- Added detection of Codeless images
- Added detection of Section containing the Entry point
- Corrected filtering of Obsolete Imported Functions
- Corrected Imported Symbols for 64bit images
- Corrected Pageable Section Flag
- Corrected detection of msstyles "Resources Only" Images
- Corrected a crash that takes place when switching between Tree and list View in Resources Tab
- Corrected Missing DLL path in XP
- Corrected Names Undecoration for exported symbols
New in PeStudio 3.69 (May 9, 2012)
- Added detection of "Resources Only" images
- Added detection of Borland compiler
- Show presence of Delphi Turbo Pascal Filers (TPF) in Resources
New in PeStudio 3.68 (May 7, 2012)
- Added MD4 footprint
- Corrected sections handling for encrypted/compressed files
- Corrected filtering of deprecated exported Symbols
New in PeStudio 3.67 (May 4, 2012)
- Fixed a bug when handling resources of encrypted/compressed files
- Show presence of Embedded Type Library files in Resources
- Show presence of Embedded Registry files in Resources
New in PeStudio 3.66 (Apr 30, 2012)
- Show presence of Embedded Compressed HTML files in Resources
- Show presence of Embedded Executables files in Resources
- Show Resources instances and their characteristics
- Show MD5 footprint
New in PeStudio 3.65 (Apr 9, 2012)
- Added detection of SafeSEH mitigation technique
- Added detection of Cookies on the Stack (GS) mitigation technique
- Added a new Mitigation classification as Indicator
- If no Error found then show Warnings
- If no Warning found then show Evidences
New in PeStudio 3.63 (Apr 3, 2012)
- The image is linked with Debug Symbols, show this as Evidence
- The Image exports anonymous symbols, show this as Evidence
- Renamed Evidences as Indicators
- Created errors, warning and evidences nodes in indicators node in XML
- Show existence of Manifest as evidence
- Show Executable AND Writable Section as Warning
- Show image renamed as Warning
New in PeStudio 3.62 (Apr 2, 2012)
- Set Error, Warning levels for evidences
- Show Image target 64bit Processor as Evidence
- Show Missing Libraries in the imports Tab
- Show Missing Libraries as Error
- Shwo CPU mismatch as Error
- Don't translate Resources 241 to Manifest anymore
- Re-enable display of Debug information
- Re-enable display of Core .NET information
New in PeStudio 3.61 (Mar 28, 2012)
- Show new evidence when at least one Directory is invalid
- Show new evidence when at least one Section is invalid
- Show new evidence when Entry point is NULL
- Corrected Directories validity test
- Corrected filtering of Writable and executable section
New in PeStudio 3.60 (Mar 24, 2012)
- Added support of Forwarded functions discovery
- Corrected Bug when reading the Resources of some images
- Added Resources to the Report
- Detect invalid directoires
- Added filtering of Sections
- Added support for Delay-loaded Libraries
- Improved performance by reading dependencies from memory whenever possible
- Added Core .NET information to the Report
- Added Manifest to the Report
- Put more details to Libraries into the Report
- Put more details to Sections into the Report
- Added Imported Symbols to the Report
- Added Exported Symbols to the Report
- Added File Header to the Report
- Added Exported Symbols in Report
- Added Sections in Report
- Handle Imported Libraries without version information
- Corrected missing path on some Imported libraries
- Icon of the image sometimes not shown when PeStudio is started from the command prompt.
- Distinguish between .NET and native images when gathering Evidences
- Add discovery of the Directories for x64 Images
- Corrected a bug when dragging an Image onto PeStudio
- Resolved "Visual C++ Runtime Error"
New in PeStudio 3.54 (Dec 20, 2011)
- Put more details to Libraries the Report
- Added Imported Symbols to the Report
- Added Exported Symbols to the Report
- Added File Header to the Report
New in PeStudio 3.53 (Dec 13, 2011)
- Added Exported Symbols in Report
- Added Sections in Report
- Handle Imported Libraries without version information
- Corrected missing path on some Imported libraries
New in PeStudio 3.52 (Dec 6, 2011)
- Icon of the image sometimes not shown when PeStudio is started from the command prompt.
- Add discovery of the Directories for x64 Images
New in PeStudio 3.50 (Nov 29, 2011)
- Added Report of Libraries
- Added Report of Manifest
- Corrected a bug when reading 64Bit Imported Libraries
- Corrected filtering of Imported Libraries
New in PeStudio 3.47 (Nov 21, 2011)
- Resolved a crash when creating the Report
New in PeStudio 3.46 (Nov 21, 2011)
- Improved performance by reading dependencies from memory whenever possible
- The Obsolete Functions are now available as external (and extensible) "WindowsObsoleteFunctions.XML" file
- Show OptionalHeader.MajorImageVersion and OptionalHeader.MinorImageVersion
- Show OptionalHeader.MajorSubsystemVersion and OptionalHeader.MinorSubsystemVersion
- Show the original file name of the Image when available
- Show FileHeader.IMAGE_FILE_REMOVABLE_RUN_ FROM_SWAP and FileHeader.IMAGE_FILE_NET_RUN_FROM_SWAP
- Selectively report of Evidences and Debug information
- Resolved "Visual C++ Runtime Error"
New in PeStudio 3.45 (Jan 6, 2011)
- Resolved crashed on unexpected Manifest content.
- Added Dump of Section
- Added IPeSection interface
- Added IsLocatedInStandardDirectory function
- Extended GetImportedLibraries function with a parameter to filter (Windows) standard directories
- Extended IPeSectionHeaders interface to access Section Header per Name or Index
New in PeStudio 3.44 (Dec 22, 2010)
- Make Resources Types and Instances available
- Added IPeResourceTypeManifest interface
- Added IPeResourceTypeVersionInfo interface
- Consolidated IPeOptionalHeader interface
- Consolidated IPeDirectories interface
- Added Number of Sections as Evidences ( 2 < Sections < 96 )
- Added FileAlignment and SectionAlignment fields to IPeOptionalHeader interface
- Added PeParser.lib to the ZIP file
New in PeStudio 3.43 (Dec 4, 2010)
- Added Detection of launching process functions as Evidence
- Added Detection of Image Obfuscation (encryption, compression) as Evidence
New in PeStudio 3.42 (Nov 28, 2010)
- Make the Interface file PeParser.h public
- Added offset (hint) of exported functions
New in PeStudio 3.41 (Nov 18, 2010)
- Added Large Address Space awareness as Evidence
- Added Structured Storage as functions group
- Added OLE as functions group
- Added ImageHelp as functions group
- Added Setup API as functions group
- Addet Thread Local Storage (TLS - dynamic) as functions group
- Added Resource Section size bigger as Code Section size as Evidence
- Added Image Digital Signature test as Evidence
- Added Thread Local Storage (TLS - static) usage as Evidence.
- Added Image Bound detection as Evidence
- Added Custom Resource Types as Evidence
- Added Detection of programmatic loading of libraries as Evidence
New in PeStudio 3.40 (Nov 10, 2010)
- Added number of Sections as Evidence
- Added empty Checksum as Evidence
- Added other (Borland) standard sections as known sections
- Make size of DosStub (very small or very big) as Evidence
- Make Windows Network Functions as Evidence
- PeStudio.exe %1 and PeStudio.exe "%1" are now supported
- Make functions addresses available
- Make Dos Stub size available
- Make Preferred Base Address available for Libraries
- Added support for a single Command Line parameter: e.g PeStudio.exe %1 will open the file to analyse
- Show whether the Section Names are standard as Evidence
- Number of imported symbols as Evidence
- Handle sectionless files
- Handle invalid Directories
- Show usage of Debugging functions as Evidence
- Show usage of NetBios functions as Evidence
- Show Usage of Service Control Manager (SCM) functions as Evidence
- Show usage of Hooking functions as Evidence
- Corrected problem with upx compressed files
- Show unused image file space (Caves) as Evidence
- IAT size estimation for Evidences adjusted
- Show Obsolete Imported functions as Evidence
- Show Obsolete Exported functions as Evidence
- Show usage of HTTP functions as Evidence
- Show usage of RAS functions as Evidence
- Show usage of Winsock functions as Evidence
- Resolve crash on Window 64 bit
New in PeStudio 3.39 (Nov 9, 2010)
- Added other (Borland) standard sections as known sections
- Make size of DosStub (very small or very big) as Evidence
New in PeStudio 3.38 (Nov 5, 2010)
- Make Windows Network Functions as Evidence
- PeStudio.exe %1 and PeStudio.exe "%1" are now supported
New in PeStudio 3.37 (Nov 5, 2010)
- Make functions addresses available
- Make Dos Stub size available
- Make Preferred Base Address available for Libraries
- Added support for a single Command Line parameter: e.g PeStudio.exe %1 will open the file to analyse
New in PeStudio 3.36 (Nov 1, 2010)
- Show whether the Section Names are standard as Evidence
- Number of imported symbols as Evidence
- Handle sectionless files
- Handle invalid Directories
New in PeStudio 3.35 (Oct 29, 2010)
- Show usage of Debugging functions as Evidence
New in PeStudio 3.34 (Oct 27, 2010)
- Show usage of Hooking functions as Evidence
- Corrected problem with upx compressed files
New in PeStudio 3.33 (Oct 26, 2010)
- Show unused image file space (Caves) as Evidence
New in PeStudio 3.32 (Oct 26, 2010)
- IAT size estimation for Evidences adjusted
- Show Obsolete Imported functions as Evidence
- Show Obsolete Exported functions as Evidence
- Show usage of HTTP functions as Evidence
- Show usage of RAS functions as Evidence
- Show usage of Winsock functions as Evidence
New in PeStudio 3.31 (Oct 17, 2010)
- Resolve crash on Window 64 bit
New in PeStudio 3.30 (Oct 15, 2010)
- Test COM Server Support
- Show COM Server support in Evidences
- Put Evidences in XML file
- Corrected duplicated items in Exported functions list
New in PeStudio 3.29 (Oct 13, 2010)
- Corrected a bug with *.DRV files
- Native image files with empty IAT are valided as normal
New in PeStudio 3.28 (Oct 13, 2010)
- Directories in XML Report
- Detection of some validity indicators
- Retrieve SizeOfCode
- Better libraries filtering at the UI
New in PeStudio 3.27 (Oct 4, 2010)
- Show Directories at the User interface
New in PeStudio 3.26 (Oct 2, 2010)
- Show Footprint (MD5) of the analyzed file in the XL Report
- Show Section PointerToRawData information
- Show Section Name associated with the Entry Point
New in PeStudio 3.25 (Sep 30, 2010)
- Retrieve the Age of the debug file and show in XML Report
- Show Manifest in XL Report
New in PeStudio 3.24 (Sep 29, 2010)
- Put GUID of PDB in the XML Report file
New in PeStudio 3.23 (Sep 29, 2010)
- Retrieve GUID of PDB out of the Analyzed PE File
New in PeStudio 3.22 (Sep 29, 2010)
- Check presence of digitally-signed data
- Compute MD5
- Log file in XML format
- Check Debug Information and path to PDB file
- Check COM Libraries
- Detection of (some) compression Algorithms
- Undecorating function names
New in PeStudio 3.18 (Sep 3, 2010)
- Imported and exported functions that are decorated can now be undecorated.