This is the official documentation for Adlice PEViewer, a PE parsing tool which can be downloaded here. The documentation is a basic walk-through summarizing the features available in the software.


FILE ANALYSIS

Files can be analysed from disk either with the Open button, by drag and drop, or from the command line. Once a file is loaded you will find the PE structure in the different tabs; see below for detailed information.

[Screenshot: rkpe_3]


PROCESS ANALYSIS

Processes can be analysed directly from memory or from their disk image (the choice is made with the radio buttons). To open a process, first load the process list in the left panel, then select the process you want to open. Strictly speaking, what is analysed is not the process itself but one of its modules; by default the main module is opened for analysis.

[Screenshot: rkpe]

Process memory offers extra features compared to plain static analysis of the file on disk: memory pages, RunPE and hook detection, disassembly of imports, etc.

You can of course select any module you want from the Loaded modules list.

[Screenshot: rkpe_imports]

[Screenshot: rkpe-pages]


PE STRUCTURE

The PE file format is well documented today, for example here.

Adlice PEViewer parses the PE file structure and displays all of its members in a user-friendly way.

PE headers, sections, resources and imports/exports are shown in their respective tabs with syntax highlighting. Extra features are also available: a hex view (with search), disassembly, version info, and digital signature parsing.

[Screenshot: rkpe-header]

[Screenshot: rkp-strings]


INDICATORS

Indicators are decision items that give hints about the maliciousness of a file. Each indicator has a score and a weight, depending on its nature.

Together, the indicators are combined into a maliciousness score (a percentage). The score is a heuristic hint rather than a verdict: a high value is a prompt to look more closely at the headers, sections and imports, not proof that the file is malicious.

[Screenshot: rkpe-indicators]
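As an added worked example (not PEViewer's own code, and not its indicator set), the Python below walks the PE headers and section table the way the PE STRUCTURE section describes, then scores the parsed file with a small hypothetical indicator table of the kind the INDICATORS section describes. The indicator names, their scores and weights, and the combining rule (sum of score times weight over the triggered indicators, divided by the total weight of all indicators, as a percentage) are assumptions chosen for illustration. The two sample images are constructed in memory as header-only PE32 files so the example runs offline; they contain no real code.

```python
import struct
from dataclasses import dataclass

# Section characteristic flags from the PE specification (winnt.h names).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    characteristics: int


@dataclass
class PEInfo:
    machine: int
    entry_point: int   # AddressOfEntryPoint, an RVA
    image_base: int
    sections: list


def parse_pe(data: bytes) -> PEInfo:
    """DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:      # PE32: BaseOfData (4 bytes) sits before a 32-bit ImageBase
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:    # PE32+: no BaseOfData, 64-bit ImageBase
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(nsections):  # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        off = opt + opt_size + i * 40
        if len(data) < off + 40:
            raise ValueError("truncated section table")
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, rsize, rptr, chars))
    return PEInfo(machine, entry_point, image_base, sections)


def section_for_rva(pe: PEInfo, rva: int):
    for s in pe.sections:
        if s.virtual_address <= rva < s.virtual_address + max(s.virtual_size, s.raw_size):
            return s
    return None


# Hypothetical indicators for this example: (description, check, score 0-100, weight).
def _wx_section(pe):
    return any(s.characteristics & IMAGE_SCN_MEM_WRITE and s.characteristics & IMAGE_SCN_MEM_EXECUTE
               for s in pe.sections)

def _empty_exec_section(pe):  # executable but no bytes on disk: filled at runtime (packer pattern)
    return any(s.raw_size == 0 and s.virtual_size > 0 and s.characteristics & IMAGE_SCN_MEM_EXECUTE
               for s in pe.sections)

def _entry_outside_sections(pe):
    return section_for_rva(pe, pe.entry_point) is None

def _entry_not_in_text(pe):
    s = section_for_rva(pe, pe.entry_point)
    return s is not None and s.name != ".text"

INDICATORS = [
    ("writable and executable section", _wx_section, 80, 2.0),
    ("executable section with no raw data (filled at runtime)", _empty_exec_section, 70, 1.5),
    ("entry point outside every section", _entry_outside_sections, 90, 2.0),
    ("entry point in a section not named .text", _entry_not_in_text, 40, 1.0),
]


def maliciousness(pe: PEInfo):
    """Assumed combining rule: sum(score*weight of hits) / sum(all weights), rounded percentage."""
    hits = [(name, score, weight) for name, check, score, weight in INDICATORS if check(pe)]
    total_weight = sum(w for _, _, _, w in INDICATORS)
    pct = round(sum(s * w for _, s, w in hits) / total_weight, 1)
    return pct, [name for name, _, _ in hits]


def build_sample_pe(entry_point: int, sections) -> bytes:
    """Constructed header-only PE32 image (real layout, no code bytes) for parse_pe()."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                        # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_point)
    struct.pack_into("<I", opt, 28, 0x400000)                   # ImageBase
    table, raw_ptr = b"", 0x400
    for name, vsize, vaddr, rsize, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, rsize,
                             raw_ptr if rsize else 0, 0, 0, 0, 0, chars)
        raw_ptr += rsize
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


CLEAN = build_sample_pe(0x1100, [
    (".text", 0x1000, 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x1000, 0x2000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
PACKED = build_sample_pe(0x6100, [   # UPX-style layout: empty W+X section, entry in the stub section
    ("UPX0", 0x5000, 0x1000, 0, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ("UPX1", 0x2000, 0x6000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("packed", PACKED)):
        pe = parse_pe(image)
        pct, hits = maliciousness(pe)
        print(f"{label}: entry RVA {pe.entry_point:#x}, {len(pe.sections)} sections, score {pct}%")
        for h in hits:
            print("  -", h)
```

Replace CLEAN and PACKED with the bytes of a real file (`open(path, "rb").read()`) to run the same parser on a disk image; the parser only reads headers, so it works on a full file or on a header dump. Section lookup uses the larger of VirtualSize and SizeOfRawData because either may be zero in hand-built or packed files.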