This is the official Adlice PEViewer documentation. PEViewer is a PE parsing tool, which can be downloaded here. The documentation is a basic walk-through that summarizes the features available in the software.


FILE ANALYSIS
Files can be analysed from their on-disk image, either with the Open button, by drag-and-drop, or from the command line. Once a file is loaded, its PE structure is shown across the different tabs; see below for details on each.


PROCESS ANALYSIS
Processes can be analysed either directly from memory or from their disk image (the choice is made with the radio buttons). To open a process, first load the process list in the left panel, then select the process you want to open. Strictly speaking, what is analysed is not the process itself but one of its modules; by default the main module is opened for analysis.
Analysing process memory gives extra features compared to plain static analysis: Memory Pages, RunPE and hook detection, Imports disassembly, and more.

You can of course select any module you want from the Loaded modules list.


PE STRUCTURE
PE files are well documented now, for example here.

Adlice PEViewer parses the PE file structure and displays every member in a readable, user-friendly layout.

PE Headers, Sections, Resources and Imports/Exports are shown in their respective tabs, with enhanced syntax highlighting. Some extra features are also available, such as Hex View (with search), Disassembly, Version Info and Digital Signature parsing.


INDICATORS
Indicators are decision items that give hints about whether a file is malicious. Each indicator has a score and a weight, which depend on its nature.

Taken together, the indicators produce an overall maliciousness score, expressed as a percentage.
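To make the two previous sections concrete, here is an added example (not Adlice PEViewer code) that does by hand what the tool's PE Structure and Indicators tabs do: it walks the DOS header, the NT headers and the section table of a PE image, then evaluates a small indicator table over the parsed result and combines the hits into a percentage. The indicator names, their scores and weights, and the combination formula (weighted sum of triggered indicators divided by the weighted sum of all indicators) are my own assumptions; PEViewer's actual indicator set and formula are not documented on this page. The sample images are constructed in `build_sample_pe` and are not real binaries.

```python
"""Added example: minimal PE header/section parser feeding a constructed
weighted-indicator score. Not Adlice PEViewer code; indicator table and
scoring formula are assumptions made for illustration."""
import math
import struct
from collections import Counter
from dataclasses import dataclass

IMAGE_DOS_SIGNATURE = 0x5A4D     # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550  # "PE\0\0"
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    characteristics: int
    entropy: float


@dataclass
class PEInfo:
    machine: int
    timestamp: int
    magic: int
    image_base: int
    entry_point: int
    sections: list


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); high values hint at packing."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes) -> PEInfo:
    """Walk IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> IMAGE_SECTION_HEADER[]."""
    if len(image) < 0x40 or struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    # IMAGE_FILE_HEADER (20 bytes) directly follows the 4-byte signature
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    opt = e_lfanew + 24                      # start of IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    entry_point = struct.unpack_from("<I", image, opt + 16)[0]   # AddressOfEntryPoint (RVA)
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(nsec):                    # section table follows the optional header
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        raw = image[rptr:rptr + rsize]
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                va, vsize, rsize, chars, shannon_entropy(raw)))
    return PEInfo(machine, ts, magic, image_base, entry_point, sections)


# Constructed indicator table: (name, predicate, score, weight). Assumed values.
def _wx_section(pe):
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return any(s.characteristics & wx == wx for s in pe.sections)

def _packed_section(pe):
    return any(s.raw_size >= 256 and s.entropy > 7.0 for s in pe.sections)

def _entry_outside_sections(pe):
    return not any(s.virtual_address <= pe.entry_point
                   < s.virtual_address + max(s.virtual_size, s.raw_size) for s in pe.sections)

INDICATORS = [
    ("section is writable and executable", _wx_section, 60, 3),
    ("high-entropy section (possible packer)", _packed_section, 50, 2),
    ("entry point outside every section", _entry_outside_sections, 80, 3),
    ("no sections", lambda pe: not pe.sections, 40, 1),
]


def maliciousness(pe):
    """(percentage, triggered names): assumed formula, weighted hits / weighted total."""
    total = sum(score * weight for _, _, score, weight in INDICATORS)
    hits = [(name, score * weight) for name, pred, score, weight in INDICATORS if pred(pe)]
    return 100.0 * sum(w for _, w in hits) / total, [n for n, _ in hits]


def build_sample_pe(suspicious: bool) -> bytes:
    """Constructed 32-bit PE image (not a real binary): .text and .data, EP in .text."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    # Magic, linker ver, SizeOfCode, SizeOfInitData, SizeOfUninitData, EntryPoint, BaseOfCode, BaseOfData, ImageBase
    opt = struct.pack("<HBBIIIIIII", PE32_MAGIC, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x2000, 0x400000)
    opt = opt.ljust(224, b"\0")
    text_chars = 0x60000020 | (IMAGE_SCN_MEM_WRITE if suspicious else 0)
    text_raw = bytes(range(256)) * 2 if suspicious else b"\x90" * 511 + b"\xC3"
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, text_chars)
    sec += struct.pack("<8sIIIIIIHHI", b".data", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + opt + sec).ljust(0x200, b"\0")
    return headers + text_raw + bytes(0x200)


if __name__ == "__main__":
    for label in ("benign", "suspicious"):
        pe = parse_pe(build_sample_pe(label == "suspicious"))
        pct, hits = maliciousness(pe)
        print(f"{label}: {pct:.0f}% {hits}")
```

The "suspicious" sample trips two of the four assumed indicators (a write+execute section and an entropy-8.0 section), which under the assumed formula yields 50%; the "benign" sample trips none. Note that the parser trusts `e_lfanew`, `SizeOfOptionalHeader` and each section's raw pointer only as far as Python slicing tolerates; a production parser must bounds-check every offset before use, since malformed headers are a common way to crash or confuse analysis tools.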