Version 8.99
. Fix bugs
. Add Mitre Technique detection

Version 8.98
. Extend indicators with function(s) group(s)
. Fix bugs

Version 8.97
. Change syntax of pestudiox.exe parameters
. Extend indicators
. Fix bugs

Version 8.96
. Extend Indicators
. Fix bugs

Version 8.95
. Fix a bug when handling sections

Version 8.94
. Indicate virtualized sections
. Handle (very) long strings
. Extend indicators
. Extend detection of anomalies
. Fix bugs

Version 8.93
. Fix a bug when handling exports by ordinals
. Fix a bug when handling entry-point outside the first section
. Indicate when entry-point is located at the beginning of the file (aka. MZ-instructions cancellation)

Version 8.92
. Fix a bug when handling the original file name of 64bit files
. Fix a bug when handling the manifest of 64bit files
. Fix a bug when showing the entropy in the XML report file
. Add detection of auto-elevation based on the manifest

Version 8.91
. Extend indicators
. Fix a bug when handling very long unicode strings

Version 8.90
. Detect more anomalies
. Show first-bytes-text of resources
. Add some missing items in the XML report file

Version 8.89
. Fix bugs
. Synchronize the content of the XML report with the GUI

Version 8.88
. Fix a bug when handling export XML file from the CLI
. Extend overview of time-date stamps
. Handle more malformations of sections and show indicators appropriately
. Add sample name analysed in the caption of pestudio GUI

Version 8.87
. Fix bugs
. Detect TLS Callback functions for 64bit executables
. Extend sections view with "self-modifying" tag
. Extend msdn search on imports
. Extend google search on exports
. Extend google search on strings
. Show hashes of Certificates to ease hunting

Version 8.86
. Fix bugs
. Add search Google and Virustotal for resources

Version 8.85
. Fix bugs
. Clean API classification
. Extend several context menus
. Show time date stamp of directories

Version 8.84
. Fix bugs
. Add google search to sections hash
. Compute hashes of Version blob
. Add google search using hashes of Version blob

Version 8.83
. Show file hashes with and without overlay
. Fix a bug when handling embedded files

Version 8.82
. Fix a crash on Win10
. Fix a bug when dumping sections
. Extend google search to imphash to ease hunting
. Extend google search to hashes of image, pdb, dos-stub, overlay to ease hunting
. Add underlining of items to indicate a google search URL link

Version 8.81
. Add search google for strings view
. Show details of virustotal report

Version 8.80
. Fix bugs
. Handle characteristics specific to EFI executable files

Version 8.79
. Extend detection of embedded executable to all sections

Version 8.78
. Fix a bug when detecting resources types

Version 8.77
. Compute SHA1 and SHA256 for dos-stub
. Compute SHA1 and SHA256 for debugger
. Extend the detection of embedded file(s) in overlay

Version 8.76
. Fix sorting of Virustotal scores
. Extend context Menu of Virustotal view
. Add support of "favorite-engine" for Virustotal

Version 8.75
. Fix flickering of the views
. Extend strings detection by indicating presence of API and Libraries strings in the Import Table

Version 8.74
. Fix a bug with the creation of the XML report file

Version 8.73
. Add functions groups to the strings View
. Extend functions groups to the delay-loaded functions

Version 8.72
. Show functions that are delay-loaded
. Fix a bug when handling deprecated functions
. Extend context menu for imports to cope with functions.xml file
. Extend groups of imports

Version 8.71
. Extend groups of imports

Version 8.70
. Expose the indicators id number in the output XML file
. Extend grouping of utilities
. Extend grouping of imports by types and colors

Version 8.69
. Add grouping of imports by types and colors
. Extend strings "hint" detection and mapping

Version 8.68
. Extend signatures detection
. Extend strings "hint" detection and mapping

Version 8.67
. Extend detection of strings "hint"

Version 8.66
. Fix a bug when computing the position of the entry-point when located at the very beginning of a section
. Add detection of strings "hint" (e.g. GUID, RTTI, ..)

Version 8.65
. Compute the Sha256 of the image and the overlay
. Extend and consolidate the Indicators
. Fix a bug when handling a debug type

Version 8.64
. Fix bug when showing exports of 64bit file
. Fix bug when showing the offset of the Security Directory
. Add a setting in settings.xml to hide the whitelist strings
. Extend Indicators

Version 8.63
. Add detection of whitelist (well-known) strings
. Add detection of deprecated functions
. Add detection of undocumented functions
. Consolidate indicators

Version 8.62
. Extend the resource type detection
. Extend handling of malformed manifest
. Extend handling of the file signature
. Detect "unusual" dos-stub messages

Version 8.61
. Increase performance when loading executables with a large collection of exports
. Consolidate switches in settings.xml
. Consolidate API classification
. Fix a bug when handling the Thread-Local Storage (TLS)
. Fix a bug of the Manifest View
. Fix a bug when detecting 64-bit managed files
. Add online check of update in the "About" dialog
. Add support for ARM detection
. Indicate missing library
. Extend features of standard version

Version 8.60
. Add detection of Control Flow Guard (CFG)
. Add details for Virustotal view

Version 8.59
. Show first bytes (hex) of resources
. Show first bytes (hex and text) of file
. Handle empty entry-point
. Extend Indicators

Version 8.58
. Fix a crash with some 64bit executables
. Add detection of missing libraries
. Extend status-bar

Version 8.57
. Extend translations
. Extend Exports handling
. Extend Imports handling
. Extend signatures
. Clean and Extend indicators
. Show first bytes of entrypoint
. Show first bytes of overlay
. Show dos-stub message

Version 8.56
. Compute file-ratio for resources, sections, overlay and dos-stub
. Extend file summary
. Extend file signature detection
. Fix bugs

Version 8.55
. Extended Indicators
. Dump PKCS7 Certificate
. Fixed bugs

Version 8.54
. Fixed bug with libraries

Version 8.53
. Added indicators
. Show overlay strings numbers
. Detect duplicated exported symbols
. Enhanced unicode strings detection
. Show strings location map with colors
. Differentiate URLs referenced in the certificate
. Fixed bugs

Version 8.52
. Differentiate between standard and professional (pro) versions of pestudio
. Added deletion of overlay
. Added computation of entropy
. Added detection of TLS Callback functions
. Show more details about sections
. Fixed bugs and crash

Version 8.51
. Renamed pestudioprompt.exe into pestudiox.exe
. Added virustotal scoring of hardcoded URL
. Added detection of pipes
. Added Network Watchdog to update Virustotal score automatically
. Added XML switches to define the colors of the front-end
. Fixed ordinal functions mapping for 64bit images
. Fixed a crash when handling overlay
. Fixed a bug when retrieving the Description of the delay-loaded libraries

Version 8.50
. Fixed a bug when handling exported functions of 64bit executables

Version 8.49
. Added detection of Windows builtin services
. Fixed a bug when handling strings
. Leveraged Indicators for embedded files

Version 8.48
. Extended Thresholds
. Extended Indicators
. Show virustotal score for Overlay (when available)
. Fixed an issue in the Debug detection
. Fixed an issue in imported symbols by ordinal for 64bit files

Version 8.47
. Added computation of Imports Hash (imphash)
. Added detection of strings embedded in non-PE files
. Extended detection of processor types
. Fixed a hangup
. Updated AV list

Version 8.46
. Added new thresholds
. Extended detection
. Fixed a crash with malformed files
. Corrected duplicates during collection of functions statistics

Version 8.45
. Added Virustotal aging and submission date
. Extended Languages detection and mapping

Version 8.44
. Added PeID Signature detection of Executable embedded in Resources
. Added PeID Signature detection of Executable embedded in Overlay

Version 8.43
. Added XML-based detection of PeID Signatures
. Added XML-based detection of OIDs
. Added XML-based detection of useragent
. Extended blacklists

Version 8.42
. Added detection of references to Firefox API
. Added MD5 Blacklist for a file and its Resources
. Extended detection of Overlay

Version 8.41
. Extended validation of Sections
. Resolve OpenSSL ordinals API to user friendly names

Version 8.40
. Added Blacklist of MD5 dedicated to the Overlay
. Extended detection of files embedded in Resources
. Added detection of Regular Expressions and Threshold
. Cache Virustotal scores when Internet connection drops

Version 8.39
. Small cosmetic issues
. Added Indicators and Thresholds
. Fixed a bug when handling the imports of some images

Version 8.38
. Added more Indicators and Thresholds
. Added Functions Groups classification
. Resources with unknown Signature and containing only text are now tagged as Text
. Fixed a bug when handling the Characteristics of the FileHeader
. Added MD5, SHA1 and Virustotal Score for Overlay

Version 8.37
. Fixed a bug when handling the

Version 8.36
. Fixed a bug when handling the virustotal Engines
. Added Thresholds for DOS Stub and Header size
. Added Thresholds for Blacklisted Imported Libs and Blacklisted functions number
. Added Thresholds for Blacklisted Strings count
. Added Thresholds for Blacklisted Exported Functions count

Version 8.35
. Added XML Threshold of number of Antivirus detecting the image as infected

Version 8.34
. Extended Imported Symbols View
. Extended Indicators
. Added XML Thresholds for several values
. Added XML "preferred" Antivirus Engine Name

Version 8.33
. Added XML Threshold on Libraries count

Version 8.32
. Added support for White listing of Libraries per name in PeStudioWhiteListLibraries.xml
. Fixed a bug in the collection of libraries

Version 8.31
. Extended Sections View
. Extended Blacklists
. Extended detection
. Extended the XML report resulting from the analysis
. Fixed update of Virustotal Lookup
. Fixed Ordinal to Name mapping for 64bit images

Version 8.30
. Images analysed are now parsed in a separate Thread
. Extended detection of Overlay
. Added Thresholds for Image Size
. Added Thresholds for Certificate Size
. Added Default Threshold for Resources
. Fixed a crash when analysing some 64bit files

Version 8.29
. Extended Blacklisted Libraries and Functions
. Extended detection of embedded Registry items
. Added Threshold (PeStudioThresholds.xml) for DateTimeStamp
. Added Threshold (PeStudioThresholds.xml) for Debug Age

Version 8.28
. Detect access to Group Policy

Version 8.27
. Consolidated Libraries and Functions Blacklisting
. Extended the detection of privileged APIs

Version 8.26
. Begin detection of Functions requiring Access Rights (privileges) to be set
. Extended Thresholds detection

Version 8.25
. Extended features and blacklist detection

Version 8.24
. Extended features and blacklist detection

Version 8.23
. Extended blacklist and Features detection
. Fixed a bug when handling 64bit Images

Version 8.22
. Added detection of bound Libraries
. Setup detection of Common folder variables
. Setup detection of KNOWNFOLDERID constants representing GUIDs

Version 8.21
. Detect Clipboard Chain hooking
. Extended Blacklist of API
. Extended detection of Undocumented API

Version 8.20
. Extended blacklist of API
. Extended the detection of Smartcard usage

Version 8.19
. Extended blacklist of API
. Detect Mouse and Keyboard Events programmatic synthesis

Version 8.18
. Extended detection of files embedded in Resources and Overlay

Version 8.17
. Added support for detection of Undocumented API (PeStudioFunctionsUndocumented.xml)

Version 8.16
. Fixed a bug when invoking PeStudio.exe from the prompt with a file

Version 8.15
. Extended Features detection
. Extended Blacklisted functions detection

Version 8.14
. Extended detection of Overlay for InnoSetup
. Show shrunk DOS-Header

Version 8.13
. Extended detection of Overlay
. Added PeStudioWhiteListLibraries.xml

Version 8.12
. Show Overlay Signature
. Blacklist Well-Known SID

Version 8.11
. Fixed a bug when Dumping a resource
. Images in Windows directories are considered as trusted
. Extended Features detection
. Extended Blacklisting

Version 8.10
. Blacklist DNS and IP APIs

Version 8.09
. Added detection of Microsoft Detour
. Added detection of Hooking

Version 8.08
. Added detection of AutoIt

Version 8.07
. Allow RAW-dumping using the context menu of any resource
. Extended Features detection
. Added Detection of Resources reuse

Version 8.06
. Extended Features detection
. Extended Blacklisting
. Show default Icon of the Image being analysed (which often helps as a first suspicious indicator)

Version 8.05
. Extended Features detection
. Extended Blacklisting
. Extended detection of embedded IP Addresses

Version 8.04
. Added Feature detection of Regular Expressions (Regex)
. Added Feature detection of Service Control Manager (SCM)

Version 8.03
. Added "Anomalies" Indicators
. Added detection of fake Microsoft executables
. Extended "Features"

Version 8.02
. Added PeStudioFeatures.xml
. Added "Features" as part of the "Indicators". Features translate the APIs and other data into "Features" of the executable being analysed (e.g. the API "FindFirstUrlCacheEntry()" is translated as the "The image accesses the IE Protected Storage" Feature)

Version 8.01
. Extended PeStudioOrdinals.xml for LDAP by ordinals
. Added a Threshold for size of Custom Resources
. Extended PeStudioThresholds.xml

Version 8.00
. Fixed a crash when disabling VirusTotal query
. Show the Signature of the files Embedded in the Custom Resources

Version 7.99
. Added Min/Max Threshold checks on HTML Resource size and Extended PeStudioThresholds.xml
. Extended PeStudioIndicators.xml
. Extended PeStudioOrdinals.xml

Version 7.98
. Extended PeStudioBlackListFunctions.xml
. Extended PeStudioBlackListLibraries.xml
. Corrected an issue when showing the Resources friendly names in the GUI

Version 7.97
. Extended PeStudioThresholds.xml to detect the Min/Max size of Manifest

Version 7.96
. New classification of Strings
. Extended detection (and Indicator) of File Version Information suspicious fields
. Extended PeStudioOrdinals.xml
. Corrected Ordinals mapping for 64 bit images
. Better visualization of Relocations entries
. Added Detection of Blacklisted Functions of Delay-loaded Libraries
. Added Support for Strings Tables
. Added Detection of Self-Registering DLLs

Version 7.95
. Added detection (and Indicator) of anonymous Exported Functions
. Added detection (and Indicator) of multiple Executable Sections
. Added detection (and Indicator) of multiple instances of Imported Functions Names
. Added PeStudioEvasions.xml to support the detection of Evasion attempts (Antidebugging)
. Added (part of) exported MFC42 ordinals to PeStudioOrdinals.xml

Version 7.94
. Map Version Translation Information to user friendly string
. Show Version Translation Information Blacklisted Languages
. Extended PeStudioOrdinals.xml to Resolve SNMP functions imported by Ordinals back to their original names

Version 7.93
. Added Dumping of Overlay

Version 7.92
. Added Detection of discrepancy between Image Name and Manifest (Hint of reuse of another Manifest)
. Added Detection of misspelling of the "VarFileInfo" internal tag of the Version Information (Hint to Evasion)

Version 7.91
. Extended PeStudioBlackListFunctions.xml
. Fixed a bug when creating the XML report file

Version 7.90
. Extended detection of fake and missing fields in the File Version Information block
. Show more fields of Version Information block
. Added new Indicators

Version 7.89
. Extended anomalies detection of File Version Information fields

Version 7.88
. Added detection of signature for the Resources

Version 7.87
. Extended detection of embedded IP Addresses
. Extended detection of malicious usage of Resource Icons
. Added new Indicator for suspicious Resource Icons

Version 7.86
. Added Support for Sections -> Context Menu -> Dump
. Added Support for Dumping ICO as RAW and ICO file format

Version 7.85
. Extended detection of suspicious debugger fields (invalid content - e.g.: flame)
. Added PeStudioFunctionsMapping.XML to map Function Names (e.g. SystemFunction036 to RtlGenRandom)

Version 7.84
. Better detection of hard-coded IP Addresses
. Added Tag in PeStudioBlackListStrings.xml to hide the strings that are Imported Libraries (with the goal to concentrate on strings that really matter)

Version 7.83
. Extended PeStudioBlackListFunctions.xml
. Added Tag in PeStudioBlackListStrings.xml to hide the strings that are Imported Libraries (with the goal to concentrate on strings that really matter)

Version 7.82
. Consolidated Indicators about blacklisted Resources Languages
. Show the Resources Tree leaf in Red when a Resource Language has been detected as Blacklisted

Version 7.81
. Added PeStudioBlackLanguages.XML to support detection of Resources Blacklisted Languages

Version 7.80
. Extended Blacklist of Libraries
. Map dynamically loaded libraries to the content of PeStudioBlackListLibraries.xml
. Map dynamically loaded functions to the content of PeStudioBlackListFunctions.xml

Version 7.79
. Corrected Imported Functions names for 64bit images
. Added Correlation between strings and imported Libraries
. Extended PeStudioTranslations.xml

Version 7.78
. Added Detection and Indicator for ComSpec
. Added Correlation between strings and imported Symbols

Version 7.77
. Added Detection and Indicator for MIME64 Encoding string
. Added Detection and Indicator for hard-coded IP Addresses

Version 7.76
. Added PeStudioOrdinals.xml to map Imported Ordinals to their original Function Names

Version 7.75
. Fixed a bug with the Exported Symbols of 64 bit Images

Version 7.74
. Added detection of GINA
. Extended Directories Validation
. Added Valid, Missing, Empty fields for Directories
. Extended PeStudioBlackListLibraries.xml
. Extended PeStudioIndicators.xml

Version 7.73
. Extended validation of Debug fields
. Extended PeStudioIndicators.xml
. Added Context Menu at the image level
. Added Certificates validity handling
. Added Indicator Id in the output XML report

Version 7.72
. Created PeStudioBlackListLibraries.xml for the Detection of blacklisted Libraries
. Added a new Indicator in PeStudioIndicators.xml

Version 7.71
. Fixed a bug when handling empty Relocation Table

Version 7.70
. Created PeStudioPrompt.exe, a stand-alone version of PeStudio running exclusively at the prompt

Version 7.69
. Fixed a problem when disabling the Lookup to VT

Version 7.68
. Added detection of Debug File without PDB extension
. Added detection of Debug File name different from the image name
. Changed Sections UI
. Changed VirusTotal UI

Version 7.67
. Added Query MSDN context menu for Exported Functions
. Show Gaps in Exported Functions Table
. Extended PeStudioTranslations.xml
. Extended PeStudioIndicators.xml

Version 7.66
. Show more details of VirusTotal

Version 7.65
. Added detection of PeCompact compressor

Version 7.64
. Fixed a bug with Ctrl+T

Version 7.63
. Extended PeStudioThresholds.xml (which enables you to define your own thresholds)
. Extended PeStudioTranslations.xml (which enables you to change the text at the UI)
. Extended PeStudioSettings.XML (which enables you to change the behaviour of PeStudio)
. Added R/W UI support for PeStudioSettings.XML

Version 7.62
. Extended PeStudioBlackListFunctions.xml
. Fixed an Issue when closing all files

Version 7.61
. Added detection of missing Trust Information inside Manifest
. Extended PeStudioIndicators.xml
. Extended PeStudioTranslations.xml

Version 7.60
. Added a switch (see PeStudioBlackListStrings.xml) for case-sensitivity when scanning the black strings
. Added a switch (see PeStudioBlackListStrings.xml) for substrings when scanning the black strings
. Added Support for Windows File Redirection

Version 7.59
. Added DOS Stub at the UI
. Added new Indicator related to the (suspicious) size of the DOS Stub
. Added PeStudioThresholds.xml that contains the Min, Max values used as thresholds
. Fixed enabling/disabling Virustotal lookup switch

Version 7.58
. Added filtering of Windows (standard vs. custom) Resources
. Added filtering of obfuscated Sections
. Added filtering of forwarded exported Symbols
. Added Indicator about Expired Certificate(s)

Version 7.57
. Added test of Exported Blacklisted Functions
. Extended PeStudioIndicators.xml

Version 7.56
. Added PeStudioSectionsNames.xml containing a Whitelist of Sections Names (Sections names NOT in this list will be detected as Blacklisted)
. Extended PeStudioIndicators.xml

Version 7.55
. Extended Validation Handling
. Extended Certificates Handling

Version 7.54
. Enable to open ANY image (to show the results with VirusTotal)
. Added Creation, Last Access and Last Write times
. Extended validation and reflect it on the Tree View
. Extended Version Information handling
. Added Deprecated column to the Imported Symbols view

Version 7.53
. Added CTRL-C and CTRL-A support for all views
. Added details for Relocations
. Extended PeStudioTranslations.xml
. Added translation of Machine Type
. Fixed a hangup when running on XP

Version 7.52
. Extended details about Sections
. Fixed a bug with the Certificates

Version 7.51
. Added PeStudioRemoveFromExplorerContextMenu.reg file to remove PeStudio from Explorer context menu
. Added validation of OptionalHeader.CheckSum
. Added result of OptionalHeader.CheckSum validation as Indicator
. Release Image being analysed earlier

Version 7.50
. Added more details for each Certificate found in an additional View
. Extended Blacklisted Functions list
. Extended Obsolete Functions list

Version 7.49
. Added Certificates Expiration Validity Check
. Added Dump of Indicators
. Added Dump of Manifest

Version 7.48
. Added Context menu for Certificates
. Added Dump of Certificates

Version 7.47
. Raw discovery of fundamental characteristics of the Certificate(s) embedded in the Image
. Extended Indicators for Certificates

Version 7.46
. Corrected execution of PeStudio from the command prompt
. Images that cannot be opened (e.g. invalid format, ...) are shown in Gray
. Extended Tree Context Menu for VirusTotal

Version 7.45
. Extended Tree Context Menu
. Added Relocation Tables discovery
. Added Indicator about Relocation Items in PeStudioIndicators.xml

Version 7.44
. Added discovery of registered Exception handlers of 64bit Images
. Added Indicators for registered Exception handlers
. Added discovery of static usage of Thread Local Storage (TLS)
. Added Indicator for usage of Thread Local Storage (TLS)
. Extended Filtering

Version 7.43
. Added a Filtering mechanism in the Parser
. Added a UI to filter according to the presence of Certificate

Version 7.42
. Corrected FileVersion shown when pointing the image
. Extended context menu for imported libraries
. Extended context menu for resources

Version 7.41
. Implemented the "default_view" (see PeStudioSettings.xml)
. Added general Information when pointing an Image root
. Added Tree coloring (e.g. VirusTotal score)
. Added Tree context menu

Version 7.40
. Fixed the dependencies of the new UI of PeStudio

Version 7.39
. Added context-menu for all lists
. Added Accelerators
. Added Close All Images button

Version 7.38
. Redesign of the User Interface
. Support loading of multiple images
. Demangled the Parser programmatic interface
. Issue: when loading too many images simultaneously, the VT results are not retrieved for some images. This is "normal" since the current key PeStudio is using is restricted as far as the number of requests per second is concerned. This issue will be handled with VT in the next version.
Version 7.37
. Added detection of empty fields in the Version Information block
. Added Indicator "The Version field '%s' is Empty" (e.g. The Version field 'CompanyName' is Empty)

Version 7.36
. Added Support of images packed with FSG

Version 7.35
. Better imports detection

Version 7.34
. Handled misalignment of Version buffer

Version 7.33
. Better validation of certificate

Version 7.32
. Fixed a crash with files depending on a specific library

Version 7.31
. Handled an issue when loading the same image multiple times

Version 7.30
. Correct Load Configuration Directory validation
. Added detection of in-process COM Server (e.g. BHO Plugin)

Version 7.29
. Handle malformed or empty App Paths entries
. Show/Hide Virustotal TAB from the UI and Show/Hide the Virustotal XML Section according to the switch in PeStudioVirusTotal.xml

Version 7.28
. Fixed a bug when opening PeStudio with a right-mouse click in Explorer
. "PeStudio Handbook.pdf" is now directly available at www.winitor.com

Version 7.27
. Support usage of PeStudio from the Command Prompt
. Started a "PeStudio Handbook.pdf"

Version 7.26
. Added Validity checks (and Indicators) on Section Headers (e.g. file misalignment)
. Fixed SHA1 issue

Version 7.25
. Fixed an issue with 64bit Images

Version 7.24
. Handle Resources distributed among several Sections (à la Themida)
. Added TAG in the PeStudioSettings.xml file to determine in which TAB the GUI must start

Version 7.23
. Added an Indicator when the Offset of a Directory is outside any Section
. Added an Indicator for duplicate Sections Offset
. Corrected mapping of Sections
. Handle non-printable characters in XML report

Version 7.22
. Added more Indicators specific to the location of the Entry Point
. Added more details (offset and size) for each file Cave detected

Version 7.21
. Show the name of the section BaseOfCode is located in
. Fixed reporting of the Libraries in the XML report

Version 7.20
. Simplified Indicators XML file
. Added Indicators specific for First and Last Sections
. Take virtual Section into account when pointing the overlay

Version 7.19
. Fixed detection of MPRESS under 64bit
. Added detection and Indicator of suspicious Certificate size
. Added detection and Indicator of suspicious Certificate content (e.g. padding)

Version 7.18
. Added MD5 computation for Resources

Version 7.17
. Added MD5 computation for Sections
. Extended Severity levels with "positive" (green) indicators

Version 7.16
. Handle shrunk (hand-crafted) File Header
. Added collection of Unicode Strings

Version 7.15
. Detect (direct) usage of Native API

Version 7.14
. Detection of Embedded Executable in malformed Images
. Detect Images statically linked to the C-Runtime and show this as Indicator

Version 7.13
. Added Detection of Device Drivers and handle Indicators accordingly

Version 7.12
. Extended detection of Custom Embedded files in standard Resources

Version 7.11
. Removed many strings from Parser and put these in a new PeStudioTranslations.XML file
. Corrected NB10 debug detection

Version 7.10
. Show Section:Offset for Resources
. Extended Types and location of embedded Executables
. More validity checks on Exports
. More detection of Masqueraded UPX

Version 7.09
. Enhanced detection of fake UPX
. Extended Blacklist of Functions
. Fixed a bug when handling exported functions
. Show Section:Offset Addresses where exports, imports and strings are located

Version 7.08
. Added more validation checks on Version info to handle hand-crafted version blocks (e.g. corkami\version_cust.exe)
. Added Detection of Images based on the Visual Basic Virtual Machine
. Corrected size of Overlay when the image is signed

Version 7.07
. Show Offset and Subsystem type of Embedded Executable(s)

Version 7.06
. Added detection of Overlay (extra-data appended to the end of the image) as Indicator (e.g. spotify)

Version 7.05
. Added Detection of Fake UPX (sections named as UPX but the image is NOT UPXed)
. Extended detection of Executable(s) embedded in the image
. Extended "Severity" Indicator (see PeStudioIndicators.xml) to increase the granularity when scoring an image
. Added "PeStudioIntoExplorerContextMenu.reg" file to the package to *manually* integrate PeStudio in the context Menu of Explorer

Version 7.04
. Added Handling of Blacklisted imported Functions (API) based on the PeStudioBlackListFunctions.XML (You can edit this file according to your needs and tag any function as being BLACK)
. Blacklisted imported functions and strings are shown with a dark gray background color
. Detect Directories outside any Section
. Detect unusual construct of Version Information block ("VarFileInfo" preceding "StringFileInfo")

Version 7.03
. Added detection of MPRESS compression
. Added detection of UPX evasion (one or more standard UPX section names changed)
. Added computation of SHA1 of the image analyzed
. Fixed issue with right mouse copy at the UI

Version 7.02
. Added Items in Blacklist XML file
. PeStudioSettings.xml now centralizes the names (which are not hardcoded anymore) of the other XML files
. The Blacklist engine can now be switched ON and OFF in the XML file enumerating the Blacklisted strings
. The minimum length of strings detected is now determined in the Blacklist XML file
. Show more details about the content of ollybugs images
. Cleaned up comments in this ChangeLog.txt file
. Fixed an issue with strings enumeration

Version 7.01
. Added a new PeStudioStringsBlackList.xml file. This file contains the list of "blacklisted" strings which will be used to detect suspicious strings in the Image. You must manually edit this file to add strings at your convenience. The "blacklisted" strings will be shown as Indicators and at the UI in the Strings Tab.
. Added validation on Number of Sections

Version 7.00
. Added additional Hints about suspicious size of the Version Resource (some malware place custom streams in standard Windows Resources)
. Added additional Hints about Invalid Directories as Indicator and at the UI
. Extended handling of Ollybugs images

Version 6.99
. Added support for suspicious imported file names (e.g. unprintable name, not null terminated)
. Added PeStudioSettings.xml and handling of the VirusTotal switch ON/OFF based on this XML file
. Enhanced validation of EAT (ollybug.exe)

Version 6.98
. Detect INVALID DATA found in the VERSION_INFO stream (some malware place custom streams in standard Windows Resources)
. Extended support for corkami malformed samples
. Added more items in PestudioIndicators.xml

Version 6.97
. Fixed side-effect in libraries enumeration

Version 6.96
. Enhanced support for Delay-loaded libraries
. Enhanced detection of invalid entries in the import table
. Fixed a malformation of the XML report created by PeStudio
. Removed superfluous controls from the UI
. Detect Executables Embedded inside Executables embedded in Resources (e.g. procexp)

Version 6.95
. Add detection of Embedded Executable Files Outside the Resources
. Differentiate between Embedded Executable Files inside and Outside the Resources and show these as Indicators (see PeStudioIndicators.xml file)

Version 6.94
. Radio Buttons for the Indicators are back in the UI

Version 6.93
. Corrected a bug with right-click Copy

Version 6.92
. Check for duplicates in the Export Symbols
. Truncate original file name when needed (malformed images attempting to escape analysis)
. Added detection of fake (unprintable characters) imported library names (malformed images attempting to escape analysis)
. Added dependency type in the UI list

Version 6.91
. All lists support right-click context menu
. Added ordering by number in all lists
. Added size in Strings List

Version 6.90
. Severity flags (red, yellow color for the UI Indicators) are now read from PeStudioIndicators.XML
. Added support for Sorting by Color for Indicators
. Added support for sorting by Text for lists
. Added detection of PKZIP, PKLITE, PKSFX and JAR Embedded in Resources
. Added new items to PeStudioFunctionsDeprecated.XML file and simplified its format
. Added Indicators for any Directory (e.g. Import Directory) located outside Sections
. Added detection of RTF Embedded in Resources
. Simplified format of PeStudioIndicators.XML
. Changed many Indicators (e.g. Resources, Directories, MachineTarget) to more generic Indicators
. Ignore SEH for managed code

Version 6.89
. Added Detection of ZM instead of MZ at the beginning of the image
. Added Query of Imported Functions at MSDN using the Context Menu
. Fixed a bug in the XML report
. Filter Directories types on the UI

Version 6.88
. Added Detection of Qt Embedded Resources
. Added Translation of OptionalHeader.Subsystem into human friendly name
. Added support for Directories located outside of Section (aka. TinyPe.exe)
. Corrected computation of MS-DOS Header
. Added Indicator "The size (%i Bytes) of the MS-DOS Stub is very uncommon"

Version 6.87
. Handle unusual MS-DOS Header size and show at the UI and XML report accordingly
. Added Indicator "The size of the MS-DOS Header (%i Bytes) completes to the PE specification"
. Added Indicator "The size of the MS-DOS Header (%i Bytes) has been Increased"
. Added Indicator "The size of the MS-DOS Header (%i Bytes) is Smaller than the standard"
. Added Indicator "The count (%i) of Section Headers has reached the Windows Limits"
. Added Indicator "The count (%i) of Section Headers is very unusual"

Version 6.86
. Put Directories Tab into Headers Tab
. Add new Indicators and validation tests
. Add more coloring for showing fields validation for many samples of corkami
. Handle another type of malformation of image (and thus avoid crash of PeStudio)

Version 6.85
. Added *ALL* details of the VirusTotal scan report in the XML report file
. Consolidated the UI of the Debug, .NET, Manifest items in the Miscellaneous Tab
. Added DosHeader output to UI
. Consolidated DosHeader list, File Header list, Optional Header list and SectionHeader list in one view
. Added the Version details to the Miscellaneous Tab
. Added .NET basic information
. Added support for CTRL-A selection for ALL lists
. Added Copy & Paste with the context Menu in All lists
. Corrected a bug when showing the libraries image base Addresses
. Consolidated headers (DOS, File, Section, Directory) in XML Report file

Version 6.80
. The Lookup at VirusTotal has been totally integrated into PeStudio, no browser is started anymore
. The result of VirusTotal is now shown at the UI
. The result of VirusTotal is now available in the XML report file
. ALL corkami images have been tested against PeStudio

Version 6.75
. Added support for dumping resources using the right-click in the Tree view
. Check for Directories outside of the Image (and thus avoid a crash of PeStudio with some malformed images)
. Added Indicators for Directories outside of Image

Version 6.70
. Added a new "Lookup at VirusTotal" link
. Removed a bug that disabled all check boxes

Version 6.65
. Added a context menu to Libraries Tab to test the MD5 of the pointed Library on www.virustotal.com using the default Browser (only the MD5 is HTTP posted, NOT the image!)
. Added a context menu to Indicators Tab to test the MD5 of the analyzed image on www.virustotal.com using the default Browser (only the MD5 is HTTP posted, NOT the image!)
. Added a context menu to Libraries Tab to analyse dependent libraries with a new instance of PeStudio
. Added a context menu to Strings Tab to dump and copy to clipboard
. Added Indicator "The image has no Translation information"
. Added detection of MOFDATA (Managed Object Format - MOF) Resources
. Added detection of WEVT_TEMPLATE (Windows XML Event Log - EVTX) Resources

Version 6.60
. Added support for dumping the Sections into a file from the GUI using the right mouse click
. Added support for dumping the Resources into a file from the GUI using the right mouse click

Version 6.55
. Added full RAW access to Icon items
. Corrected handling of obsolete Functions
. Created handling of Resources CodePages via the PeStudioCodePages.XML file

Version 6.50
. Added detection of 7zSFX files embedded in Resources
. Added mapping of the Language Code of StringFileInfo to a human-friendly name in the XML Report
. Added mapping of the Code Page of StringFileInfo to a human-friendly name in the XML Report
. Icon at the UI is now directly loaded from the Resource using our own interface

Version 6.40
. Dump the content of StringFileInfo in the XML report
. Dump the content of VarFileInfo in the XML report

Version 6.30
. Corrected a bug in the Console version of PeStudio
. Added VS_VERSIONINFO raw data in the XML Report
. Added VS_FIXEDFILEINFO raw data in the XML Report
. Should an error take place when handling an image, show its description at the UI and in the XML file
. Added Indicator "The image masquerades UPX compression" (sections are named as UPX, BUT the image is NOT compressed with UPX!)

Version 6.20
. Added Indicator "The image File Version is %s"
. Added Indicator "The image is encrypted with UPX (version %s, level %i)"
. Added UPX information details in XML report file

Version 6.10
. Release the image analyzed when handling a new one
. Enable Reporting for invalid images
. Show number of Items in Report Tab at the UI
. Added Search String feature at the UI
. Added Indicator "The image is an Executable"
. Added Indicator "The image is a Dynamic-Link Library (DLL)"
. Added Indicator "The image size on the Disk (as reported) is %i Bytes"
. Added Indicator "The File is Not a Windows Portable Executable (PE) image"
. PeStudioFunctionsDeprecated.XML is now loaded once
. PeStudioIndicators.XML is now loaded once
. Handle missing PeStudioIndicators.XML file
. Corrected Offset Addresses of Strings detection

Version 6.00
. Added Indicator "The image file contains %i unused Bytes (Caves)"
. Added Indicator "The image Name has been Changed"
. Added Indicator "The image original name was %s"
. Added Indicator "The image contains %i bytes of Code"
. Added Indicator "The image contains %i embedded Visual Stylesheet XML Item(s)"
. Added Indicator "The image contains %i Custom Resource Item(s)"
. Added Indicator "The image contains %i Built-in Resource Item(s)"

Version 5.55
. Added Indicator "The image references (%s) Debug Symbols"
. Added Indicator "The image has %i Writable and Executable Section(s)"
. Added Indicator "The image has %i Writable and Shared Section(s) which can be used as Attack Vector"
. Added Indicator "The image does NOT use Data Execution Prevention (DEP) as Mitigation technique"
. Added Indicator "The image does NOT use Address Space Layout Randomization (ASLR) as Mitigation technique"
. Added Indicator "The image does NOT use Safe Structured Exception Handling (SafeSEH) as Mitigation technique"
. Added Indicator "The image does NOT use Cookies placed on the Stack (GS) as Mitigation technique"
. Fixed a bug when reading Symbols

Version 5.50
. Added Indicator "The image exports %i Symbols"
. Added Indicator "The image exports %i Obsolete Symbols"
. Added Indicator "The image exports %i Anonymous Symbol(s)"
. Added Indicator "The image exports %i Forwarded Symbol(s)"
. Added Indicator "The image exports %i Decorated Symbol(s)"
. Added Indicator "The image imports %i Symbol(s)"
. Added Indicator "The image imports %i Obsolete Symbol(s)"
. Added Indicator "The image imports %i Anonymous Symbol(s)"
. Added Indicator "The image imports %i Forwarded Symbol(s)"
. Added Indicator "The image imports %i Decorated Symbol(s)"
. Added Collection of IMAGE_BOUND_IMPORT_DESCRIPTOR details in XML Report
. Added Indicator "The image is bound to %i Libraries"

Version 5.40
. Extended Indicators for Embedded Resources
. Corrected missing Dependencies for some types of images

Version 5.30
. Renamed *.XML files to PeStudio*.XML
. Interfaces to PeParser (PeParser.h and PeParser.lib) are now part of the Package
. Added Indexing of Strings
. Added Detection of duplicated Section Names

Version 5.20
. Allow Strings length choice for filtering at the UI
. Added more items in Indicators.XML

Version 5.10
. Show Strings at the UI
. Added Strings count in output XML
. Detect Section-less images and added them in Indicators.XML
. Corrected Address Offset of reported Strings

Version 5.00
. The Strings contained in the file analyzed can now be exported to the output XML file
. Added validation check of the AddressOfEntryPoint field
. Added new items in Indicators.XML

Version 4.90
. Added MachineType in Indicators.XML
. Added FileSignature in Indicators.XML

Version 4.80
. Add items in Indicators.XML
. Custom Resources are shown in orange color

Version 4.70
. Corrected handling of Certificate Directory
. Corrected coloring of Indicators

Version 4.60
. Increased detection of obfuscated images
. Increased stability of the tool against malformed images
. Added better support for obfuscated images
. Extended Indicators of Malformations (IOM)
. Created a new file (Indicators.XML) containing the Indicators shown at the UI and in the XML report that can be created by the tool
. Added better detection of Missing Libraries

Version 4.50
. Corrected discovery of Delay-loaded libraries

Version 4.40
. When handling a resources-only image, some validity checks are different

Version 4.30
. Enhanced detection of device driver images

Version 4.20
. Renamed parameters for command prompt (see Prompt support description above)
. Added detection of CAB files embedded as Resource in an Image
. Added detection of PDF files embedded as Resource in an Image
. Added detection of RIFF files embedded as Resource in an Image
. Added detection of GIF files embedded as Resource in an Image
. Added detection of PNG files embedded as Resource in an Image
. Added detection of Delphi Forms embedded as Resource in an Image
. Added detection of "requireAdministrator" Execution Level from the Manifest
. Corrected custom Resources detection

Version 4.10
. Added Command Prompt support (see Prompt support description above)
. Added "The image exports XY Symbols" as new Indicator
. Added more obsolete functions in the WindowsFunctionsDeprecated.xml file (delivered with this project)

Version 4.00
. Now fully supports 64bit Images on a 32bit Platform
. Validate IMAGE_OPTIONAL_HEADER.SectionAlignment
. Validate IMAGE_OPTIONAL_HEADER.FileAlignment
. Validate IMAGE_OPTIONAL_HEADER.SizeOfUninitializedData
. Validate IMAGE_OPTIONAL_HEADER.SizeOfInitializedData
. Validate IMAGE_OPTIONAL_HEADER.SizeOfCode
. Validate IMAGE_OPTIONAL_HEADER.NumberOfRvaAndSizes
. Validate IMAGE_OPTIONAL_HEADER.SizeOfImage
. Validate IMAGE_FILE_HEADER.SizeOfOptionalHeader
. Validate IMAGE_FILE_HEADER.NumberOfSections
. Validate IMAGE_FILE_HEADER.TimeStamp
. Validate IMAGE_FILE_HEADER.PointerToSymbolTable
. Validate IMAGE_FILE_HEADER.NumberOfSymbols
. Show Resources Languages
. Show Type of Debug information (NB09, NB10, NB11, RSDS)
. Show imported Functions of missing libraries
. Show total number of Bytes available in Caves
. Show Gaps in Exported Symbols collection
. Show Section Name the Base of Data belongs to
. Added validation of IMAGE_DOS_HEADER, IMAGE_NT_HEADERS
. Added validation of IMAGE_DIRECTORY_ENTRY_IMPORT, IMAGE_DIRECTORY_ENTRY_RESOURCE
. Added OptionalHeader to XML report
. Detection of non-standard Sections is NOT based on their names anymore
. Added detection of invalid Directory (IMAGE_DATA_DIRECTORY)
. Added detection of invalid Export Table Directory (IMAGE_EXPORT_DIRECTORY)
. Added detection of duplicated Section names
. Added detection of Codeless images
. Added detection of the Section containing the Entry point
. Corrected filtering of Obsolete Imported Functions
. Corrected Imported Symbols for 64bit images
. Corrected Pageable Section Flag
. Corrected detection of msstyles "Resources Only" Images
. Corrected a crash that takes place when switching between Tree and List View in Resources Tab
. Corrected Missing DLL path in XP
. Corrected Names Undecoration for exported symbols

Version 3.69
. Added detection of "Resources Only" images
. Added detection of Borland compiler
. Show presence of Delphi Turbo Pascal Filers (TPF) in Resources

Version 3.68
. Added MD4 footprint
. Corrected filtering of deprecated exported Symbols
. Corrected sections handling for encrypted/compressed files

Version 3.67
. Fixed a bug when handling resources of encrypted/compressed files
. Show presence of Embedded Type Library files in Resources
. Show presence of Embedded Registry files in Resources

Version 3.66
. Show presence of Embedded Compressed HTML files in Resources
. Show presence of Embedded Executable files in Resources
. Show Resources instances and their characteristics
. Show MD5 footprint

Version 3.65
. Added detection of SafeSEH mitigation technique
. Added detection of Cookies on the Stack (GS) mitigation technique
. Added a new Mitigation classification as Indicator
. If no Error found then show Warnings
. If no Warning found then show Evidences
. The image is linked with Debug Symbols, show this as Evidence
. The Image exports anonymous symbols, show this as Evidence
. Renamed Evidences as Indicators
. Created errors, warnings and evidences nodes in the indicators node in XML
. Show existence of Manifest as evidence
. Show Executable AND Writable Section as Warning
. Show image renamed as Warning
. Set Error, Warning levels for evidences
. Show Image targets 64bit Processor as Evidence
. Show Missing Libraries in the imports Tab
. Show Missing Libraries as Error
. Show CPU mismatch as Error
. Don't translate Resources 241 to Manifest anymore
. Re-enable display of Debug information
. Re-enable display of Core .NET information
. Show new evidence when at least one Directory is invalid
. Show new evidence when at least one Section is invalid
. Show new evidence when Entry point is NULL
. Corrected Directories validity test
. Corrected filtering of Writable and Executable sections

Version 3.60
. Added support for Forwarded functions discovery
. Corrected a bug when reading the Resources of some images
. Added Resources to the Report
. Detect invalid directories
. Added filtering of Sections
. Added support for Delay-loaded Libraries
. Improved performance by reading dependencies from memory whenever possible
. Added Core .NET information to the Report
. Added Manifest to the Report
. Put more details on Libraries into the Report
. Put more details on Sections into the Report
. Added Imported Symbols to the Report
. Added File Header to the Report
. Added Exported Symbols to the Report
. Added Sections to the Report
. Corrected missing path on some Imported libraries
. Icon of the image is sometimes not shown when PeStudio is started from the command prompt
. Added discovery of the Directories for x64 Images
. Corrected a bug when dragging an Image onto PeStudio
. Resolved "Visual C++ Runtime Error"

Version 3.50
. Added Report of Libraries
. Corrected a bug when reading 64Bit Imported Libraries
. Corrected filtering of Imported Libraries
. Resolved a crash when creating the Report
. The Obsolete Functions are now available as an external (and extensible) "WindowsObsoleteFunctions.XML" file
. Show OptionalHeader.MajorImageVersion and OptionalHeader.MinorImageVersion
. Show OptionalHeader.MajorSubsystemVersion and OptionalHeader.MinorSubsystemVersion
. Show the original file name of the Image when available
. Show FileHeader.IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP and FileHeader.IMAGE_FILE_NET_RUN_FROM_SWAP
. Selective report of Evidences and Debug information
. Resolved crash on unexpected Manifest content
. Added Dump of Section
. Extended GetImportedLibraries function with a parameter to filter (Windows) standard directories
. Make Resources Types and Instances available
. Added Number of Sections as Evidence
. Added FileAlignment and SectionAlignment fields to the IPeOptionalHeader interface
. Added Detection of Image Obfuscation (encryption, compression) as Evidence
. Made the Interface file PeParser.h public
. Added offset (hint) of exported functions
. Added Large Address Space awareness as Evidence
. Added Resource Section size bigger than Code Section size as Evidence
. Added Image Digital Signature test as Evidence

Version 3.40
. Added number of Sections as Evidence
. Added empty Checksum as Evidence
. Added other (Borland) standard sections as known sections
. Make size of DosStub (very small or very big) an Evidence
. Make Windows Network Functions an Evidence
. PeStudio.exe %1 and PeStudio.exe "%1" are now supported
. Make function addresses available
. Make Dos Stub size available
. Make Preferred Base Address available for Libraries
. Added support for a single Command Line parameter: e.g. PeStudio.exe %1 will open the file to analyse
. Number of imported symbols as Evidence
. Handle sectionless files
. Handle invalid Directories
. Show usage of Debugging functions as Evidence
. Show usage of Hooking functions as Evidence
. Corrected problem with UPX compressed files
. Show unused image file space (Caves) as Evidence
. IAT size estimation for Evidences adjusted
. Show Obsolete Exported functions as Evidence
. Show usage of HTTP functions as Evidence
. Show usage of RAS functions as Evidence
. Show usage of Winsock functions as Evidence
. Resolved crash on Windows 64 bit

Version 3.30
. Test COM Server Support
. Show COM Server support in Evidences
. Put Evidences in XML file
. Corrected duplicated items in Exported functions list
. Corrected a bug with *.DRV files
. Native image files with an empty or very small IAT are validated as normal
. Directories in XML Report
. Detection of some validity indicators
. Retrieve SizeOfCode
. Better libraries filtering at the UI
. Show Directories at the User interface
. Show Section PointerToRawData information
. Show Section Name associated with the Entry Point
. Retrieve the Age of the debug file and show it in the XML Report
. Show Manifest in XML Report
. Put GUID of PDB in the XML Report file
. Retrieve GUID of PDB out of the analyzed PE File
. Check presence of digitally-signed data
. Compute MD5
. Log file in XML format
. Check Debug Information and path to PDB file
. Check COM Libraries
. Detection of (some) compression Algorithms
. Undecorating function names

Version 3.0
. Support Manifest dependentAssembly

Version 2.0
. Support Side-by-Side libraries
. Support Forwarded Functions
. Filtering Obsolete Functions

Version 1.0
. Enumeration of Implicit dependencies and other general information
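Several of the checks this history lists (the "ZM" signature, the Windows limit on Section Headers, validation of FileAlignment, SectionAlignment, SizeOfCode and SizeOfImage, the DEP and ASLR mitigation indicators, Writable and Executable or Writable and Shared sections, and the entry point lying outside every section) can be reproduced with a short header parser. The Python below is an added example written for this page; it is not pestudio's code and it does not use PeParser. The PE image it analyses is constructed inline (it is a bare header layout, not a runnable program), the indicator wording is assumed to resemble pestudio's, and the 96-section limit is the one the Windows loader enforces.

```python
import struct

# Flag values from winnt.h
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP opt-in
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_SHARED = 0x10000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
MAX_SECTIONS = 96  # section count the Windows loader accepts


def build_sample_pe(dll_characteristics, section_flags, entry_rva=0x1000):
    """Constructed minimal 64-bit PE layout: DOS header, NT headers, one section (assumption: not a real program)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)  # x64, 1 section, 240-byte optional header
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0,            # Magic (PE32+), linker version
                      0x200, 0, 0,             # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
                      entry_rva, 0x1000,       # AddressOfEntryPoint, BaseOfCode
                      0x140000000,             # ImageBase
                      0x1000, 0x200,           # SectionAlignment, FileAlignment
                      6, 0, 0, 0, 6, 0,        # OS / Image / Subsystem versions
                      0, 0x2000, 0x400, 0,     # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      3, dll_characteristics,  # Subsystem (console), DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000,  # stack/heap reserve and commit
                      0, 16)                   # LoaderFlags, NumberOfRvaAndSizes
    opt += b"\x00" * (16 * 8)                  # 16 empty data directories
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, section_flags)
    headers = dos + b"PE\x00\x00" + file_hdr + opt + sec
    return headers + b"\x00" * (0x400 - len(headers)) + b"\x00" * 0x200


def indicators(data):
    """Return indicator strings for a PE image; wording is assumed, modelled on the changelog above."""
    out = []
    if data[:2] == b"ZM":
        out.append("The image starts with ZM instead of MZ")
    elif data[:2] != b"MZ":
        return ["The File is Not a Windows Portable Executable (PE) image"]
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return out + ["The PE signature is missing at e_lfanew"]
    fh = e_lfanew + 4
    _machine, nsec, _ts, _psym, _nsym, size_opt, _chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    # These optional-header offsets are identical for PE32 and PE32+.
    size_of_code, = struct.unpack_from("<I", data, opt + 4)
    entry, = struct.unpack_from("<I", data, opt + 16)
    sec_align, file_align = struct.unpack_from("<II", data, opt + 32)
    size_of_image, = struct.unpack_from("<I", data, opt + 56)
    dll_chars, = struct.unpack_from("<H", data, opt + 70)

    if nsec > MAX_SECTIONS:
        out.append(f"The count ({nsec}) of Section Headers exceeds the Windows limit")
    if file_align & (file_align - 1) or not 0x200 <= file_align <= 0x10000:
        out.append(f"IMAGE_OPTIONAL_HEADER.FileAlignment (0x{file_align:x}) is invalid")
    if sec_align < file_align:
        out.append(f"IMAGE_OPTIONAL_HEADER.SectionAlignment (0x{sec_align:x}) is smaller than FileAlignment")
    if not dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT:
        out.append("The image does NOT use Data Execution Prevention (DEP) as Mitigation technique")
    if not dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        out.append("The image does NOT use Address Space Layout Randomization (ASLR) as Mitigation technique")

    sections = []  # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _r, _l, _nr, _nl, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + size_opt + 40 * i)
        sections.append((name.rstrip(b"\x00").decode("latin-1"), vsize, va, rawsize, rawptr, flags))

    wx = sum(1 for s in sections if s[5] & IMAGE_SCN_MEM_WRITE and s[5] & IMAGE_SCN_MEM_EXECUTE)
    if wx:
        out.append(f"The image has {wx} Writable and Executable Section(s)")
    ws = sum(1 for s in sections if s[5] & IMAGE_SCN_MEM_WRITE and s[5] & IMAGE_SCN_MEM_SHARED)
    if ws:
        out.append(f"The image has {ws} Writable and Shared Section(s) which can be used as Attack Vector")
    code_bytes = sum(s[3] for s in sections if s[5] & IMAGE_SCN_CNT_CODE)
    if code_bytes != size_of_code:
        out.append(f"SizeOfCode (0x{size_of_code:x}) does not match the code sections (0x{code_bytes:x})")
    if sections and sec_align:
        # The loader sizes a section by VirtualSize, falling back to SizeOfRawData when it is zero.
        end = max(s[2] + (s[1] or s[3]) for s in sections)
        expected = (end + sec_align - 1) // sec_align * sec_align
        if size_of_image != expected:
            out.append(f"SizeOfImage (0x{size_of_image:x}) does not match the sections (0x{expected:x})")
    if entry == 0:
        out.append("The Entry point is NULL")
    elif not any(s[2] <= entry < s[2] + (s[1] or s[3]) for s in sections):
        out.append(f"The Entry point (0x{entry:x}) is outside of any section")
    return out


if __name__ == "__main__":
    weak = build_sample_pe(0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE | 0x40000000)
    for line in indicators(weak):
        print(line)
```

A hardened sample (NX_COMPAT and DYNAMIC_BASE set, a read-only code section) produces no indicators; the sample built in `__main__` reports the missing DEP and ASLR flags and its writable, executable section. The same parser run over a real file simply needs `indicators(open(path, "rb").read())`.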