The best PE analysis toolkit
- Our rating
Able to read memory image (process module) and disk image (filesystem) of a given file.
- Custom plans
- Automatic Updates
|Download Adlice PEViewer|
|File Size||21.79 MB|
|Operating System||Windows XP, Vista, 7, 8, 8.1, 10. 32/64 bits|
|Tags||analysis editor malware parser pe portable executable research|
Adlice PEViewer is a tool used by many researchers at Antivirus companies or CERT worldwide in order to perform malware static analysis.
Malicious software sometimes try to hide their goals in order to evade detection and static analysis. By doing so, they leave indicators, metadatas and suspicious modifications behind.
Adlice PEViewer searches, finds and lists these artifacts to help researchers making up their mind on a suspicious file. The tool uses robust PE parser as well as analysis engine and heuristics detections to build these indicators. PEViewer also relies on 3rd party scanners like VirusTotal for which it displays the results. All of this together allows the tool to build severity scores.
- Open PE from file, and read disk image.
- Open PE from process, and read memory or disk image.
- Open file from command line.
- Drag and drop support.
- Explorer context menu integration.
- Process general information (pid, parent, ...)
- File general information (attributes, size, ...)
- Process module general information (address, size, ...)
- A bunch of hashes (MD5, SHA1, SHA256, ...)
- Process memory pages, with ability to dump.
- Injected pages detection, non-readable pages detection.
- Ability to dump injected pages to file.
- Hex code, with ability to search (hex values, or string ANSI/UNICODE).
- Assembly code, with ability to navigate.
- PE Headers (MZ, PE, Optional, ...)
- RunPE detection, shows which header fields are modified.
- Checksum validation.
- PE Sections, with ability to watch hex code and dump to file.
- PE Debug, with ability to watch hex code and dump to file.
- PE Imports, with ability to watch APIs assembly code (memory only).
- PE Exports, with ability to watch APIs assembly code.
- Hooks detection in imports/exports (table and inline hooks).
- PE Resources. Able to parse all well known types and display them accordingly (strings, version information, icons, ...)
- Ability to scan resources, sections, debug on VirusTotal.
- Executable files detection in resources.
- Ability to watch hex code of resources.
- Ability to dump resources to file.
- PDB path detection.
- Strings scanner, with classification (Registry, files, ...)
- Ability to dump all strings (by category or not) to file.
- Bin2Img (binary to image).
- Digital Signature parsing (embedded only).
- Bright or dark theme (Premium).
- Samples Comparator (Premium).
- Sample Scoring.
- Maliciousness Indicators.
- VirusTotal full information.
Please refer to the general documentation.