This is the official Adlice PEViewer documentation. PEViewer is PE parsing software which can be downloaded here. The documentation is a basic walk-through that summarizes the features available in the software.
Files can be analysed from their disk image either with the Open button, by drag and drop, or from the command line. Once a file is loaded, its PE structure is shown in the different tabs; see below for detailed information.
Processes can be analysed directly from memory or from their disk image (the choice is made with the radio buttons). To open a process, first load the process list in the left panel, then select the process you want to open. Strictly speaking, PEViewer does not analyse a process but one of its modules; by default the main module is opened for analysis.
Process memory gives extra features compared to simple static analysis: Memory Pages, RunPE and hook detection, Imports disassembly, and so on.
You can of course select any module you want from the Loaded modules list.
The PE file format is well documented, for example here.
Adlice PEViewer parses the PE file structure and displays all of its members in a user-friendly way.
PE Headers, Sections, Resources and Imports/Exports are shown in their respective tabs with syntax highlighting. Some extra features are also available, such as a Hex View (with search), Disassembly, Version Info and Digital Signature parsing.
Indicators are decision items that give hints about the maliciousness of a file. Each indicator has a score and a weight, depending on its nature.
Taken together, the indicators form a maliciousness score expressed as a percentage.
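To illustrate the parsing and indicator ideas described above, here is an added example that is not PEViewer's own code: it walks the DOS header, COFF file header and section table of a PE image, then derives a weighted maliciousness percentage from two constructed section indicators (writable+executable sections, and sections with no data on disk). The indicator weights, the scoring scheme and the sample image are assumptions made for the example, not PEViewer's.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_pe(data: bytes) -> dict:
    """Parse the DOS header, COFF file header and section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    sect_off = coff + 20 + opt_size                             # section table follows the optional header
    sections = []
    for i in range(nsect):                                      # each IMAGE_SECTION_HEADER is 40 bytes
        f = struct.unpack_from("<8sIIIIIIHHI", data, sect_off + i * 40)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": f[1], "virtual_address": f[2],
                         "raw_size": f[3], "raw_offset": f[4], "characteristics": f[9]})
    return {"machine": machine, "timestamp": stamp, "characteristics": chars, "sections": sections}

def section_indicators(pe: dict) -> list:
    """Constructed indicators: (description, weight) for section traits analysts treat as suspicious."""
    hits = []
    for s in pe["sections"]:
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            hits.append((f"section {s['name']} is both writable and executable", 30))
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hits.append((f"section {s['name']} has no data on disk but is mapped in memory", 20))
    return hits

def maliciousness_score(hits: list) -> int:
    """Sum the indicator weights into a percentage, capped at 100 (constructed scheme)."""
    return min(100, sum(w for _, w in hits))

def build_sample_pe() -> bytes:
    """Construct a tiny PE image in memory (test input, not a real file): two sections, no optional header."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)  # i386, 2 sections, SizeOfOptionalHeader = 0
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    upx0 = struct.pack("<8sIIIIIIHHI", b"UPX0", 0x5000, 0x2000, 0, 0, 0, 0, 0, 0, 0xE0000080)  # packer-style
    return dos + b"PE\0\0" + coff + text + upx0

if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    for desc, weight in section_indicators(pe):
        print(f"[{weight:>3}] {desc}")
    print("maliciousness score:", maliciousness_score(section_indicators(pe)), "%")
```

Running it against the constructed image flags only the packer-style section, for a score of 50 %.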