Adlice PEViewer



#1 Tigzy

Posted 15 March 2017 - 11:58 AM

Hello, I'm Tigzy, owner and lead dev @AdliceSoftware.
Today I come here to present to you a tool that I think could be useful for all the researchers of this forum, Adlice PEViewer.

Adlice PEViewer (RogueKillerPE) is a PE parsing tool, able to show the internal structure of executable files.
 
It's able to read either the memory image (process module) or the disk image (filesystem) of a given executable.
 
[Screenshot: rkpe3-700x400.png]

Features:
  • Open PE from file, and read disk image.
  • Open PE from process, and read memory or disk image.
  • Open file from command line.
  • Drag and drop support.
  • Explorer context menu integration.
  • Process general information (pid, parent, ...)
  • File general information (attributes, size, ...)
  • Process module general information (address, size, ...)
  • A bunch of hashes (MD5, SHA1, SHA256, ...)
  • Process memory pages, with ability to dump.
  • Injected pages detection, non-readable pages detection.
  • Ability to dump injected pages to file.
  • Hex code, with ability to search (hex values, or string ANSI/UNICODE).
  • Assembly code, with ability to navigate.
  • PE Headers (MZ, PE, Optional, ...)
  • RunPE detection, shows which header fields are modified.
  • Checksum validation.
  • PE Sections, with ability to watch hex code and dump to file.
  • PE Debug, with ability to watch hex code and dump to file.
  • PE Imports, with ability to watch APIs assembly code (memory only).
  • PE Exports, with ability to watch APIs assembly code.
  • Hooks detection in imports/exports (table and inline hooks).
  • PE Resources. Able to parse all well known types and display them accordingly (strings, version information, icons, ...)
  • Ability to scan resources, sections, debug on VirusTotal.
  • Executable files detection in resources.
  • Ability to watch hex code of resources.
  • Ability to dump resources to file.
  • PDB path detection.
  • Strings scanner, with classification (Registry, files, ...)
  • Ability to dump all strings (by category or not) to file.
  • Digital Signature parsing (embedded only).
  • Bright or dark theme (Premium).
  • Samples Comparator (Premium).
  • Sample Scoring.
  • Maliciousness Indicators.
Edited by Tigzy, 15 March 2017 - 12:01 PM.
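To make concrete what several of the listed features do under the hood (reading the MZ/PE/Optional headers, listing sections with their flags, showing DLL characteristics, and validating the PE checksum), here is a small stdlib-only Python walker. It is an added example written for this page, not code from Adlice PEViewer or Adlice Software; the sample image it parses is constructed inline and is not a real binary, and the field offsets and flag values are the documented PE32/PE32+ layout from winnt.h.

```python
"""Minimal PE header walker: DOS/PE/Optional headers, section table,
DLL characteristics flags and PE checksum validation (stdlib only).
Added example for this thread; not Adlice PEViewer code."""
import struct

# IMAGE_DLLCHARACTERISTICS_* flags (subset, values from winnt.h)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH",
    0x0800: "NO_BIND", 0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
# IMAGE_SCN_* section flags (subset)
SECTION_FLAGS = {
    0x00000020: "CNT_CODE", 0x00000040: "CNT_INITIALIZED_DATA",
    0x00000080: "CNT_UNINITIALIZED_DATA", 0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE",
}

def flag_names(value, table):
    """Expand a bitmask into the names of the set flags (low bit first)."""
    return [name for bit, name in sorted(table.items()) if value & bit]

def pe_checksum(data, checksum_offset):
    """Classic PE checksum: 16-bit ones'-complement sum over the whole file with
    the 4-byte CheckSum field skipped, folded to 16 bits, plus the file length."""
    length = len(data)
    if length % 2:
        data = data + b"\x00"          # pad to an even number of bytes
    total = 0
    for off in range(0, len(data), 2):
        if off in (checksum_offset, checksum_offset + 2):
            continue                   # the field being computed is excluded
        total += data[off] | (data[off + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total + length) & 0xFFFFFFFF

def parse_pe(data):
    """Return the header fields a PE viewer would show, plus a checksum verdict."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symtab, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    is_64 = magic == 0x20B
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    # ImageBase is 8 bytes at +24 in PE32+, 4 bytes at +28 in PE32
    image_base = struct.unpack_from("<Q" if is_64 else "<I", data,
                                    opt + (24 if is_64 else 28))[0]
    checksum_off = opt + 64            # CheckSum sits at +64 in both formats
    stored_checksum, subsystem, dll_chars = struct.unpack_from("<IHH", data, checksum_off)
    sections = []
    sec = opt + opt_size               # section table follows the optional header
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _r, _l, _nr, _nl, flags = \
            struct.unpack_from("<8sIIIIIIHHI", data, sec + i * 40)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize,
                         "raw_size": rawsize, "raw_offset": rawptr,
                         "flags": flag_names(flags, SECTION_FLAGS)})
    computed = pe_checksum(data, checksum_off)
    return {
        "machine": machine, "pe32_plus": is_64, "characteristics": characteristics,
        "entry_point": entry, "image_base": image_base, "subsystem": subsystem,
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        "stored_checksum": stored_checksum, "computed_checksum": computed,
        # Zero means the linker never set the field (Windows only enforces it for
        # drivers and boot-time system DLLs), so only a non-zero mismatch is notable.
        "checksum_valid": (stored_checksum == computed) if stored_checksum else None,
        "sections": sections,
    }

def build_sample_pe(set_checksum=True):
    """Constructed minimal PE32+ image used as offline test input (not a real file)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)               # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)          # ImageBase
    struct.pack_into("<HH", opt, 68, 2, 0x8160)           # Subsystem GUI, DllCharacteristics
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    rdata = struct.pack("<8sIIIIIIHHI", b".data", 0x10, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    image = bytearray(dos + b"PE\x00\x00" + coff + opt + text + rdata)
    image += b"\x00" * (0x200 - len(image))               # pad headers to first section
    image += b"\xcc" * 0x200 + b"\x00" * 0x200            # constructed section bodies
    if set_checksum:
        off = 64 + 4 + 20 + 64                            # offset of CheckSum field
        struct.pack_into("<I", image, off, pe_checksum(bytes(image), off))
    return bytes(image)

if __name__ == "__main__":
    for key, value in parse_pe(build_sample_pe()).items():
        print(key, value)
```

The same walker can be pointed at a real file with `parse_pe(open(path, "rb").read())`; a non-zero stored checksum that does not match the computed one is the condition a viewer's checksum validation flags, and a header patched in memory (the RunPE case in the feature list) shows up when the fields parsed from the process module differ from those parsed from the file on disk.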


#2 Tigzy (Topic Starter)

Posted 03 October 2017 - 01:58 AM

Version 2.0 is online:

V2.0.0 10/02/2017
=========================
- Updated EULA
- NEW! Dump RT_ICON as true image
- NEW! DLL characteristics as checkboxes
- NEW! Sections flags as checkboxes
- NEW! Dos Stub, Rich string
- Refactored dashboard
- NEW! Binary image
- Added VBA symbols table
- Added many new indicators
- Removed NAG screen for FREE users
- Fixed multiple bugs
