Windows has been the most widely used operating system for several decades. However, it’s more prone to malware infection too. Undeniably, most malware authors target Windows platforms more than any other platforms. It’s the prime responsible for Windows machine owners to keep their Windows machines safe from nasty malware programs. Well, we have been keep discussing the safety of Windows and other platforms on thesecmaster.com several times. We keep doing this as much as we can. In this post, we will be covering another unique topic, how to analyze Windows executable files using PEStudio.
PEStudio is a popular tool used by malware analysts and reverse engineers to analyze and detect anomalies in Windows portable executable (PE) files like EXEs and DLLs. This comprehensive guide will explain what PEStudio is, how to download and install it, overview its key features, and provide a step-by-step walkthrough to investigate Windows executable files using PEStudio.
Before we jump into analyzing the EXE and DLL Files Using PEStudio, let’s see some of the background about the file structure of Windows files, what the PE header means, and what information you should look in a file to analyze it.
The Structure of Windows Executable File
In essence, Windows executable files follow the portable executable (PE) format, which is the standard binary interface for Windows operating systems. The PE format is fundamentally composed of the following:
Image Source: Wikipedia
The PE header contains metadata and pointers that are necessary for the operating system to load and execute the executable properly. It is like a table of contents describing the structure of the executable. Some key attributes stored in the header include:
- Machine Type – Specifies the required CPU architecture such as x86, x64, ARM etc. This determines whether the code is 32-bit or 64-bit.
- Number of Sections – Indicates the total number of sections in the executable code/data. This helps locate all sections.
- Timestamp – Contains the build timestamp of when the executable was compiled. Malware often modifies this to make it look legitimate.
- Pointer to Symbol Table – Stores pointers to debugging symbols used for crash dumps and debugging.
- Optional Header – An optional header containing further metadata like target OS version, subsystem, entry point address, image, and memory sizes, etc.
- Section Table – Contains details on each section like name, virtual address, raw data size, file pointer, permissions, etc.
- Data Directories – Has pointers to extended tables like import, export, relocation, debug directories, etc.
The header thus contains instructions for the OS loader on how to map the executable to memory and call the entry point to start execution. This is the most prominent as an invalid header can interrupt launching the executable.
The sections segment contains distinct blocks of code and data that make up the executable. Each section is separate and can have specific memory access permissions. Standard sections include:
- .text – Contains the executable program code. Has read and execute permissions.
- .data – Contains statically allocated program data that needs to be initialized. Has read, write permissions.
- .rdata – Read-only data like constants and string literals. Read permission only.
- .rsrc – Contains resources like icons, images, strings etc. embedded in the executable.
- .reloc – Relocation table for pointers that need to be fixed up when loaded at a different base address.
Malware often hides additional malicious code and data inside new sections appended to the executable.
Import Address Table (IAT)
The IAT contains the list of DLLs and functions that are imported from external libraries for use by the executable at runtime. Entries in IAT have pointers to the memory address of imported functions.
Export Address Table (EAT)
The EAT contains a table of functions exported by the executable that can be called by external programs and libraries. It is used to expose a public API from a DLL.
This data directory contains Windows resources embedded in the executable like icons, images, strings, dialog boxes, menus, etc. Resources are stored in binary format and can be analyzed for suspicious hidden data.
The overlay is a special section that contains any additional data appended at the end of the executable file. Malware can use overlay to piggyback extra malicious executable code or files into a benign host program.
This overall structure of Windows PE files enables portability and interoperability across different Windows versions. But malware can misuse various components for nefarious purposes.
What is the Role of PE Header in Executable Files?
The Portable Executable (PE) header of Windows executable files contains crucial metadata and pointers that are necessary for the operating system to load and execute the program correctly.
This 2-byte field specifies the CPU architecture for which the executable is targeted – x86, x64, ARM etc. This determines whether the executable is 32-bit or 64-bit. Running a 32-bit EXE on a 64-bit Windows can trigger compatibility modes.
Number of Sections
This 2-byte value indicates the total number of sections in the executable code/data. Based on this, the loader can locate and load all the sections.
The 4-byte timestamp indicates the date and time when the executable was built. However, malware often modifies the timestamp to make it look like the file was created a long time ago to avoid suspicion.
Pointer to Symbol Table
This 4-byte field contains the file offset where the symbol table is located. Symbols store debugging information used for crash dumps and reverse engineering. Stripping symbols is a common obfuscation technique.
This contains additional metadata about the executable structure like the magic number, target OS version, address of entry point, image base address, size of code/initialized data, linker version etc. The optional header may be malformed or manipulated by malware.
The section table has an entry for each section header, indicating its name, memory permissions, virtual address, size of raw data, file pointer, etc. Suspicious sections can reveal hidden payloads.
This table contains pointers to extended tables, including the import, export, resource, relocation, debug directories etc, which contain further details on various executable components.
Thus we see the PE header instructs the OS loader on how to map the executable to memory and execute it correctly based on the target platform, entry points, sections, resources, etc. PE headers are prime targets for malware to manipulate executables.
What Information Should You Look for in an Executable File?
When analyzing Windows executable files, you should keep note of these key aspects in the file. They are:
Entropy measures the randomness and complexity of data in a file. Encrypted and compressed files have high entropy. Malware often uses packers and crypters leading to high entropy. Normal native executables have entropy of 6.8 or less. Entropy greater than 7.2 indicates likely obfuscation or compression.
String extraction reveals human-readable plaintext strings contained in the executable. Strings may expose IP addresses, URLs, file paths, and unique identifiers used by malware. Many malware families can be identified by their distinctive strings.
The import table reveals external DLLs and API functions used by the executable. Malware often imports Windows DLLs like kernel32, advapi32, and networking-related APIs. Functions used for injection, anti-debugging, and persistence indicate malicious intent.
The export table contains functions exposed by the executable for external use. Suspicious exports may start a malicious activity when called by other programs. Malware experts decoy benign functions to hide their true purpose.
Resource sections store icons, images, metadata, etc., used by the executable. Malware can conceal payloads, custom fonts, and executable code inside resource sections obfuscated via encryption or unconventional formats.
Section names, virtual addresses, sizes, and flags can indicate anomalies. Malware appends new sections with read/execute permissions to store malicious payloads. Gaps in virtual vs raw sizes are suspicious.
The overlay portion can contain appended malicious scripts, PE files, shell codes, etc. Overlay malware is a common trick to bundle a malicious PE inside a benign host.
Linker version, compiler toolchain, timestamp, etc., reveal inconsistencies that make the executable look fabricated/fake. Malware often modifies the compiler info to pose as legitimate programs.
Key header values like machine type, subsystem, claimed linker version, etc. should match across sections. Incorrect values are tell-tale signs of manipulation.
VirusTotal checks against dozens of antivirus scanners. Detection by multiple engines indicates a high probability of malware. VirusTotal can also identify known malicious signatures.
What is PEStudio? What are Its Key Features? How Does it Help Analyzing Windows Executable Files?
PEStudio is a lightweight and portable malware analysis tool developed by Wintor to analyze and investigate the properties of executable files, particularly Windows PE (Portable Executable) files. It can process EXE, DLL, OCX, SYS, MUI, CPL, and other PE file formats. PEStudio parses the PE header and displays various metadata fields. It also scans the executable using static analysis techniques to identify anomalies that may indicate the presence of malware.
PeStudio serves as a valuable solution for software developers, security researchers, and malware analysts, offering them the ability to identify potential problems in executable files before releasing them to the public or deploying them in live environments. With PeStudio, users can conduct efficient and straightforward analyses, swiftly pinpointing any issues present in their files.
The tool is frequently used by:
- Malware analysts – To reverse engineer malware samples, understand their capabilities, and extract IOCs.
- Software developers – To validate EXE and DLL files before release for any malformed headers, insecure functions, etc.
- Security engineers – To vet files and strengthen the security of systems.
Some of the key capabilities of PEStudio include:
- Parsing PE file headers
- Dump embedded resources like icons, images, etc.
- Detect packers and protectors
- Scan imports, strings, and bytecode for suspicious indicators
- Integrate with VirusTotal
- YARA scanner
- Import reconstructor
PEStudio has a free and paid professional version. The free version contains all the major features required for malware analysis.
Features of PEStudio
Pestudio offers a range of powerful features for analyzing Windows executable files:
- Dependency Analysis: It shows the libraries and functions used by the file.
- VirusTotal Integration: It checks the file against VirusTotal’s database for malware scan results.
- File Verification: It verifies if the file has been modified since its last signing or verification.
- Imports and Exports Analysis: It provides information about the functions and libraries used by the file.
- Resource Analysis: It examines the file’s images, icons, and graphical elements.
- String Analysis: It searches for suspicious or malicious strings in the file.
- Bytecode Analysis: It detects potential security risks and malicious activity in the file’s bytecode.
- Digital Signature Analysis: It verifies the authenticity and integrity of the file’s digital signature.
How Does it Help Analyzing Windows Executable Files?
PEStudio is an awesome tool with tons of features. It helps analyze the Windows executables in various ways.
In-depth PE Header Analysis
PEStudio parses the entire PE header and displays the values of all fields like machine type, compilation timestamp, target OS version, subsystem, entry point address, claimed linker version, etc.
This provides visibility into any anomalies in the header values that are tell-tale signs of tampering by malware. For instance, if the linker version is suspicious or the subsystem doesn’t match the rest of the file, it indicates manipulation.
Detailed Section Reporting
PEStudio extracts all the sections from the executable and reports extensive details – name, virtual address, size, entropy, permissions etc. It can detect additional sections appended by malware to conceal payloads.
It also detects gaps between raw file size and the virtual memory size of sections. Large discrepancies indicate the allocation of memory for malicious activities.
Resources like icon images, version info strings, manifests, etc. are parsed and displayed. Malware frequently hides files, custom fonts, and other suspicious resources using encryption or unconventional formatting. PEStudio helps uncover them.
Imported Function Scanning
PEStudio extracts the import table and lists all DLLs and APIs imported by the executable. It detects imports of blacklisted/banned APIs that are often used by malware. Examples – LoadLibrary, InternetConnect, CreateRemoteThread, etc.
ASCII and Unicode strings present in the file are extracted for analysis. Strings may contain IP addresses, URLs, bot command and control names, launch commands, etc., which are key IOCs.
PEStudio has integrated a YARA engine that scans the executable against known YARA rules to identify malware families. Getting a YARA match provides insights into the sample’s purpose.
Various static scan checks are run to detect anomalies in the structure, metadata, sections, APIs, strings, etc. that deviate from normal. Multiple anomalies increase the likelihood the file is malicious.
PEStudio checks for signatures of known packers and protectors like UPX, MPRESS, Themida, etc. which are frequently used to obfuscate malware. Being able to unpack the file is the first step in the analysis.
The file hash is checked against VirusTotal database to see detection rates. The high number of detections by antivirus engines indicates likely malware. VT results provide reputation context.
If the executable imports have been reconstructed or wiped by the malware, PEStudio has tools to help recover and rebuild them for analysis.
The disassembler shows the executable assembly code of sections like .text to analyze the inner workings through reverse engineering.
Download and Install PEStudio
PEStudio can be downloaded from the official website https://www.winitor.com. Follow these steps to download and install the latest version:
- Go to the link https://www.winitor.com/download
- There is a free and professional version available.
- The file can be downloaded as per your browser settings and can be installed directly without any hassle
- The latest version, as the date of this post, is 9.53
How to Analyze Windows Executable Files Using PEStudio?
Once the PEStudio is ready to use, it’s time to analyze Windows executable files.
Now let’s go through a practical example of analyzing a malicious EXE sample using PEStudio to understand its workflow. Just for this demo, we have downloaded an executable file called from VirusTotal. You can do this with your suspected file.
- Launch the PEStudio application from the start menu.
- You will see the main viewer window with various tabs for different analysis sections.
- Click on the “Open” button on the top left or simply drag and drop the sample file into the viewer.
- PEStudio will automatically start analyzing the sample.
You can start recording each one of these sections for your analysis.
- Overview Section
- Compilation timestamp
- Initial bytes
- VirusTotal detection
- PE Header
- Linker version
- Address of Entry Point
- 5 sections: .text, .data, .reloc, .rsrc, .vmp0
- .text – Executable code, Permissions: READ, EXECUTE
- .data – Initialized data, Permissions: READ, WRITE
- .rsrc – Resources like icons, images, and Permissions: READ
- No obvious anomalies in section names, addresses and sizes
- Imports msvcrt.dll, kernel32.dll, advapi32.dll, user32.dll – system DLLs commonly used by malware
- No imports from blacklisted DLLs
- Suspicious API imports:
- InternetOpenUrlA – Makes HTTP/FTP requests
- InternetReadFile – Reads web content
- WriteProcessMemory – Writes to another process memory area
- CreateRemoteThread – Executes code in another process
- Likely capabilities – make web requests, inject code, download payloads
- Exports 3 functions: InitApp, DeInitApp, RegisterRoutines
- InitApp likely initializes malware components
- DeInitApp cleans up traces
- RegisterRoutines registers malicious code to be triggered
- Contains 1 icon resource – image used for icon displayed for EXE
- Nothing suspicious identified
- Contains IP address – potential C2 server
- Contains file paths to write data – %APPDATA%\log.txt
- Overall indicates – outbound connection, log file written
- Detections by antivirus vendors as malicious
- YARA Rules
- Matching YARA Rules
- Packer Detection
- Type or name of Packer
Let’s see this with the help of an example.
Time needed: 30 minutes
How to Analyze Windows Executable Files Using PEStudio?
- Analyze the Main Tab
1. PE studio has identified the file hashes, file size, etc.
2. It shows the entropy value of the file, entropy is nothing but a value that shows the encryption, packing, and obfuscation of a sample file. Its value varies from 0-8, typically, malware samples will have an entropy value above 7.2. In this case, entropy is 7.996, which says this can be a malware file.
3. PeStudio also displays the first bytes of the file in hexadecimal format, like ‘4D 5A’ in the example image. These initial bytes are crucial as they confirm that the file is Windows Executable. The first bytes in a file’s header follow a specific pattern depending on the file type. While we often identify files by their extensions like ‘.exe’, the operating system recognizes them by the byte pattern in the header. For Windows executables, this pattern is always ‘4D 5A’ in hexadecimal, which corresponds to ‘MZ’ in ASCII.
4. It shows which tool was used to build this file in the ‘tooling’ property. Here we can see Innosetup is used.
5. The subsystem shows if the file is GUI or command-line-based. Most of the ransomware files will be the command-line type.
6. The compiler stamp is the date that shows the sample compilation time. Attackers can purposefully change the date in the past or future as per their requirement.
7. Our file is a 32-bit executable file that uses GUI and is created using Innosetup. We can also see the file compilation date is 1992, which can be an attacker tactic.
- Analyze Virus Total Tab
1. PEStudio shows the rating of the file in virus total as well.
2. In this case, we can see that the file is marked malicious by 48 vendors in virus total.
- Analyze Indicator Tab
1. ‘Indicator’ tab shows any indicators of suspicious activity.
2. This section shows imports, strings, or sections within the sample file which is considered suspicious by the tool.
3. In the displayed image, PeStudio has identified several indicators and ranked them on a scale from 1 to 3, where 1 indicates a highly confident malicious indicator.
4. Following this indicator, the tabs below tabs show other parts of the sample file. We can do our analysis as per the requirement.
- Analyze Sections Tab
1. Another notable tab is the ‘section’ where we can see different types of names.
2. Generally, the commonly seen names start with a dot for example text, data, rdata, etc.
3. In some cases we can find unusual names which need to be investigated further. In our case, we didn’t find any.
4. In this tab we can see two values raw address and virtual address. The raw address is the space of the section within the binary, and the virtual address shows the size of the section once it is loaded into memory.
5. The difference in a few bytes between raw and virtual address is normal however, a large gap can indicate the presence of a payload. That is if the space occupied by the section in the raw address is zero or the file ratio is zero, and the file is taking a huge space in memory is suspicious, this might be where the malicious code is present.
6. The file ratio shows the space each section takes in the binary.
7. We may find images, cursor data, and other details in the resource file which can be something hidden by the attacker. Using resource hacker tools might help in revealing more information.
- Analyze Library Tab
1. The ‘library’ section shows the name of any shared libraries used in the executable file.
2. This tab shows all the DLL(Dynamic link library) which are imported by the malware and also shows if they are malicious or not.
- Analyze Imports Tab
1. The Imports tab in PeStudio contains the list of functions/API imported by the malware, also known as the Import Address Table (IAT). When you click on the Blacklist tab, PeStudio will sort the APIs and move all the blacklisted functions to the top.
2. This tab will help in understanding how the malware behaves after compromising the host.
3. The ‘group’ column provides information about the type of activity each API is related to.
4. The ‘imports’ tab shows the functions imported from the libraries mentioned above, if anything suspicious is observed, PE studio will mark it suspicious. In our case, we can’t observe any.
- Analyze Strings Tab
1. The strings section will extract all the strings within the binary.
2. Strings may contain IP addresses or file names, paths, commands, etc. Strings can show you if there was any network activity present.
3. The ‘overlay’ tab shows additional files that are required to execute its task. In this case, innosetup is required.
4. Some files might have a certification section. This is important as it will help in verifying the authenticity of the file.
To summarize, PEStudio is a feature-rich static analysis tool for investigating Windows executable files for anomalies and signs of malware. It parses the PE format and scans using techniques like YARA rules, Import-Export parsers, String analysis, Disassembler, etc., to detect suspicious capabilities and payloads. The interactive GUI and detailed reports simplify malware analysis and help extract key indicators of compromise. PEStudio provides immense value for threat researchers, malware analysts, SOC teams, and cybersecurity professionals to analyze advanced threats and strengthen enterprise defenses.