Five PE Analysis Tools Worth Looking At

In the world of malware analysis, having the right tools can make all the difference.

Malicious binaries targeting Windows are most often in the Portable Executable (PE) format. For this reason, it’s good to have tools capable of performing in-depth analysis of this file format; fortunately, there are many to choose from, and many of them are completely free.

Number 5 – PEview

As the name suggests, PEview is a viewer for PE files. It is developed and actively maintained by Wayne J. Radburn, who also has some other neat software you can find on his website.

PEview is a lightweight program, a small standalone executable around 70 KB in size. For determining basic PE information, PEview gets the job done well.

PEview observing the export names in a Ransomware Dll

On the other hand, for those looking for a feature-rich PE analysis tool, PEview may disappoint, as it only provides basic information about the PE.

In addition, those who haven’t studied the PE file format may find the tool a bit difficult to use, as PEview doesn’t provide any tips or hints to find the information you may be looking for. Nonetheless, despite these inconveniences, PEview remains one of the best tools for simple PE analysis, and that makes it number five on our list of PE analysis tools worth looking at.

Number 4 – FileAlyzer

The next PE analysis tool on our list is FileAlyzer by Safer Networking Ltd., the same group that brought us Spybot – Search and Destroy. According to their website, the name FileAlyzer was “initially just a typo of FileAnalyzer”, but they decided to stick with it.

FileAlyzer offers more features than PEview: it provides the same basic PE information and adds new functionality, such as automated unpacking of files packed with UPX and PECompact.

FileAlyzer observing the PE header of a Ransomware Dll. Notice the tabs at the top, each bringing different features with it.

Like PEview, FileAlyzer assumes you know what you’re doing. However, there are some tools to help you quickly identify the file as possibly malicious, such as the VirusTotal and Classification Sources tabs, the latter using various web sources to help you in your search.

Some of the features you’ll find in FileAlyzer include: file and property hashes, header information, a disassembler, and more.

One downside I find about this tool is the interface. Although there might be some out there who like it more than I do, re-sizing the program’s window causes the tabs to move, which can be frustrating when you’re trying to find the right one. Perhaps the developers should have gone with more of a tree-like interface, allowing the user to “drill down” and find the information they’re looking for, something we will see in our number three pick.

Regardless of how you might feel about the interface, FileAlyzer is a great tool that offers a lot of information to analysts, which is why it makes number four on our list of PE analysis tools worth looking at.

Number 3 – CFF Explorer

CFF Explorer is a PE Editor by Daniel Pistelli and is also part of the NTCore Explorer Suite. CFF Explorer has a lot of the same functionality that you’ll find in the other tools we’ve mentioned here, however, there are some noticeable advantages to the tool.

For starters, the interface is easier to navigate than tools like FileAlyzer, and CFF Explorer also brings some new features we haven’t seen in the tools we’ve already mentioned. Some of those features include file identification, address conversion, dependency scanning, and the ability to add imported functions to a PE.

CFF Explorer identifying any necessary files required for the Ransomware Dll to run.

Some of these features, particularly address conversion, are very helpful when analyzing malware, allowing analysts to convert between relative virtual addresses (RVAs) and file offsets rapidly instead of by hand. Other tools like the Import Adder are likely only useful for advanced analysts needing to rebuild unpacked binaries.
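To make the address conversion concrete, here is an added Python example (not part of the original post and not code from CFF Explorer or any tool reviewed here) that walks a PE section table and maps an RVA to a file offset the same way a PE editor’s converter does. The two-section PE skeleton it builds is constructed test data, not a real binary; the second section has a VirtualSize larger than its SizeOfRawData to show the case where an RVA is valid in memory but has no bytes on disk.

```python
import struct

# Section tuple layout: (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
SAMPLE_SECTIONS = [  # constructed sample, not from a real binary
    (b".text", 0x1000, 0x1000, 0x1000, 0x400),
    (b".data", 0x1000, 0x2000, 0x0200, 0x1400),  # zero-filled tail beyond 0x200 bytes
]

def build_sample_pe(sections=SAMPLE_SECTIONS):
    """Construct a minimal PE header skeleton (constructed test data)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0xF0, 0x22)
    opt = b"\x00" * 0xF0  # optional header contents are irrelevant to address conversion
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, rs, rp in sections)
    return dos + b"PE\x00\x00" + coff + opt + table

def parse_sections(data):
    """Walk the section table (IMAGE_SECTION_HEADER entries, 40 bytes each)."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file")
    (nsec,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # signature + COFF header + optional header
    out = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        out.append((name.rstrip(b"\x00").decode("ascii", "replace"), vsize, va, rsize, rptr))
    return out

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset; None when no file bytes back that address."""
    if sections and rva < min(s[2] for s in sections):
        return rva  # the headers are mapped 1:1 at the start of the file
    for _, vsize, va, rsize, rptr in sections:
        if va <= rva < va + max(vsize, rsize):
            delta = rva - va
            return rptr + delta if delta < rsize else None  # in-memory-only tail
    return None

if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for rva in (0x100, 0x1234, 0x2010, 0x2300, 0x3000):
        print(f"RVA {rva:#x} -> file offset {rva_to_offset(secs, rva)}")
```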

While CFF Explorer is a great PE analysis tool, it doesn’t provide analysts with many clues as to what the observed PE might be doing, or simply what the PE is. The Identifier attempts to do this, however, I have found it to be fairly inaccurate, sometimes displaying a lengthy list of possible compilers and/or protectors applying to the PE; this is especially true when dealing with malware.

Even so, CFF Explorer has many strong points, making it a very popular tool among malware analysts. Its ease of use coupled with its feature list make it number three on our list of PE analysis tools worth looking at, so make sure you try this one out if you haven’t already.

Number 2 – PEstudio

PEstudio is a rather interesting tool. In addition to bringing the basic functionality you’d expect from a PE analysis tool, PEstudio also attempts to determine if a file is malicious based on certain “indicators” it may have.

Developed by Marc Ochsenmeier, PEstudio is free for non-commercial use. For commercial users, licenses are available along with an SDK featuring the PeParser engine that powers PEstudio.

To give you an idea of how these indicators work, assume, for example, that the file we’re observing carries version information claiming it is a Microsoft file. If that same file is clearly not from Microsoft, PEstudio will flag the discrepancy.

PEstudio provides “indicators” that may lead the analyst to decide if a file is malicious.

The information provided by the indicators is most useful when you already have a suspicion about the file yourself. In some cases it is enough to solve your problem, and in any case it gives you a good starting point.

While PEstudio is a great program, the interface is a bit dull, and sometimes the indicators are of limited value when dealing with specially crafted binaries. However, if your end-goal is a program that works hard to identify a file as potentially malicious, PEstudio does an excellent job, and that’s why it makes number two on our list of PE analysis tools worth looking at.

Number 1 – Exeinfo PE

While performing malware analysis, I’ve found Exeinfo PE to be an invaluable tool. Exeinfo PE is a lightweight program that usually answers one of my main questions: what am I looking at? Even when the program fails to give you the exact information you may be looking for, it provides nice hints that in turn help you to streamline the process of identifying a file.

Exeinfo PE has an interface somewhat reminiscent of the now unsupported PEiD that many analysts still use; unlike PEiD, however, Exeinfo PE is actively developed and maintained. Exeinfo PE is good about telling you most of the information you care about up front, and has most of the features analysts are looking for.

Exeinfo PE does not detect what this file is; however, it provides a hint to run Advanced Scan.

Advanced Scan points us in the right direction, giving us a nice starting point for analyzing this Ransomware Dll

Just like our other analysis tools, though, Exeinfo PE has downsides. It’s not going to be your one-stop shop for analyzing files; I don’t think any tool ever will be, at least for malware.

One area where Exeinfo PE falls short is detecting older packers and protectors, something the author acknowledges on their website; PEiD can still be used for that purpose. With a sharp interface and a lot of great features, Exeinfo PE comes in as our number one PE analysis tool worth looking at.

After looking at all of these tools, it’s important to note that all of them are great in their own way, each excelling in different areas.

Also, there are lots of other tools out there that aren’t on this list, so make sure to try out several different ones and see which you like best.

Lastly, if there are any tools that you know of that you could add to this list, feel free to mention them in the comments. Thanks for reading!

_________________________________________________________________

Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and malware analysis. Twitter: @joshcannell
