The Finest Hand-Selected Downloads
Individually reviewed & tested
Store News

Investigate suspect EXEs with Professional PE Explorer

20 July 2016, Mike Williams

PPEEProfessional PE Explorer is a portable tool which allows investigating Windows executables including EXE files, SYS, DLL and more.

The download is so tiny you’ll wonder if it’s broken – 78.1KB, really? – but no, this is all you get. Unzip it and run PPEE.exe to get started.

Drag and drop a suspect file onto the program and a left-hand tree lists some of its structures: DOS Header, NT Header, Section Headers, assorted directory entries and more.

If you’re happy with this low-level detail, you’ll also appreciate the program’s “anomaly detection”, where unusual elements of the section are highlighted in orange for Warning and red for Error.

Other expert-level features include entropy and MD5 calculations, section editing, the ability to dump elements of the file, even browse it in depth with a built-in hex editor.

PPEE

Find key strings in the file – URLs, Registry keys – with a click

This can get complicated, but fortunately there are also elements here which could be useful to anyone.

Click NT Header > File Header and the summary tells you whether this is a 32 or 64-bit EXE.

NT Header > Optional Header has an item indicating whether it’s a GUI or console program.

If the EXE has a digital signature, a DIRECTORY_ENTRY_SECURITY section gives you details on its name, date and more. This relies on the Windows API but should still work just fine in most situations.

Sometimes there’s a DIRECTORY_ENTRY_DEBUG section which shows you when the EXE was compiled, and its location on the developer’s hard drive.

A “Strings in file” section locates strings of characters in the file and organises them into four categories: ASCII, Unicode, URL and Registry. If the EXE contacts a URL or accesses a Registry key, you might find it listed here. Beware, though, malware usually tries to obscure this kind of detail, preventing it being displayed.

If you see an interesting item – the name attached to a digital signature, an unusual string – then right-clicking it displays options to search at Google or MSDN.

Professional PE Explorer lacks the VirusTotal integration of PEStudio, but it’s still a likeable static analysis tool, comfortable to use and with a strong set of features. One to watch.

Professional PE Explorer is a free application for Windows 7 and later.

Your Comments & Opinion

44,810,215
Downloads
Secure & Tested Software
6,478
Reviews
Instant Download 24/7
314,859
Members
10+ Years of Service