The best PE analysis toolkit



User Rating 4.35 (23 votes)
Adlice PEViewer (RogueKillerPE) is a PE parsing toolkit that helps during malware analysis.

It can read the memory image (process module) or the disk image (filesystem) of a given file.
Choose your plan
  •    Registration
    If machine registration is available
  •    Machines
    Number of machines allowed to register
  •    Custom plans
    If custom plans are available (Ex: company)
  •    Analysis
    Parse PE files
  •    Support
    Get support for your questions or feedback
  •    Automatic Updates
    Update the software with one click
  •    Themes
    Customize the software appearance using built-in themes

Pro

$37/year
  • 5
    You can register up to 5 machines with your license.
  • Special plans available for companies.

Free

$0
  • Public Forum.
  • Manual Updates.

Author: Adlice Software
Version: 2.0.3
Downloads: 6,517
File Size: 21.79 MB
License: Freemium
Operating System: Windows XP, Vista, 7, 8, 8.1, 10. 32/64 bits
Tags: analysis, editor, malware, parser, pe, portable executable, research
 
 
DESCRIPTION and REVIEW

 
Adlice PEViewer is a tool used by many researchers at antivirus companies and CERTs worldwide to perform static malware analysis.

Malicious software sometimes tries to hide its goals in order to evade detection and static analysis. In doing so, it leaves indicators, metadata and suspicious modifications behind.

Adlice PEViewer searches for, finds and lists these artifacts to help researchers make up their minds about a suspicious file. The tool uses a robust PE parser as well as an analysis engine and heuristic detections to build these indicators. PEViewer also relies on third-party scanners like VirusTotal, whose results it displays. Together, these allow the tool to build severity scores.

 

Features:

  • Open PE from file, and read disk image.
  • Open PE from process, and read memory or disk image.
  • Open file from command line.
  • Drag and drop support.
  • Explorer context menu integration.
  • Process general information (pid, parent, ...)
  • File general information (attributes, size, ...)
  • Process module general information (address, size, ...)
  • A bunch of hashes (MD5, SHA1, SHA256, ...)
  • Process memory pages, with ability to dump.
  • Injected pages detection, non-readable pages detection.
  • Ability to dump injected pages to file.
  • Hex code, with ability to search (hex values, or string ANSI/UNICODE).
  • Assembly code, with ability to navigate.
  • PE Headers (MZ, PE, Optional, ...)
  • RunPE detection, shows which header fields are modified.
  • Checksum validation.
  • PE Sections, with ability to view hex code and dump to file.
  • PE Debug, with ability to view hex code and dump to file.
  • PE Imports, with ability to view the assembly code of APIs (memory only).
  • PE Exports, with ability to view the assembly code of APIs.
  • Hooks detection in imports/exports (table and inline hooks).
  • PE Resources. Able to parse all well known types and display them accordingly (strings, version information, icons, ...)
  • Ability to scan resources, sections and debug data on VirusTotal.
  • Executable files detection in resources.
  • Ability to view hex code of resources.
  • Ability to dump resources to file.
  • PDB path detection.
  • Strings scanner, with classification (Registry, files, ...)
  • Ability to dump all strings (by category or not) to file.
  • Bin2Img (binary to image).
  • Digital Signature parsing (embedded only).
  • Bright or dark theme (Premium).
  • Samples Comparator (Premium).
  • Sample Scoring.
  • Maliciousness Indicators.
  • VirusTotal full information.

 

User guide

Please refer to the general documentation.

 
Download
  • setup.exe (Installer 32/64 bits)
  • RogueKillerPE.exe (32 bits)
  • RogueKillerPE64.exe (64 bits)