
PEscope Tool

This is an official walkthrough of the PEscope tool, which I wrote to make basic static analysis easier by putting it all in one place instead of juggling many tools, and surely with cool colors! The tool is still beta though, as I wrote it in less than 2 days!

If you haven’t downloaded the tool yet, you can find it here: PEscope


How it works

The tool analyzes PE files (EXE/DLL) by inspecting the file’s PE structure to retrieve its information. It also hashes the file and searches its strings for interesting items such as URLs, emails, IP addresses, etc.,
or you can even provide your own regex to search the file’s strings!


Full analysis

When you give the tool a PE file with no arguments it performs a full analysis, meaning it runs every feature the tool has, as follows:

> pescope foo.exe

[Screenshot: PEscope full analysis]

No colors

If you prefer not to see colors, or your OS doesn’t support them, you can use the -c flag to disable colors:

> pescope -c foo.exe

NOTE: When using this option with other arguments it will also make them colorless!

[Screenshot: PEscope full analysis with no colors]

File information

The -i flag will get basic information about the file such as:

  • File type (EXE/DLL)
  • File size (in KB if small)
  • 32 or 64-bit
  • Number of sections

and so on:

> pescope -i foo.exe

[Screenshot: general information about the file]

API libraries

The tool gets the file’s imports, either explicitly by printing the libraries’ names and the functions used from each:

> pescope -I foo.exe

[Screenshot: all the file's imports]

or implicitly by printing only the libraries’ names:

> pescope -l foo.exe

[Screenshot: the libraries used]

Hashes

It basically hashes the file with the md5, sha1 and sha256 algorithms, so if the file is confirmed as suspicious the hashes can then be used as IoCs (Indicators of Compromise).

[Screenshot: hashing the file]

Sections

As expected, it prints information about the file’s sections in a cool table:

> pescope -s foo.exe

[Screenshot: the file's sections]
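The file information, hashes and sections features above all come from reading the PE headers directly. The following is an added example (my own code, not PEscope’s) of how that works: it walks the DOS header to e_lfanew, checks the PE signature, reads the COFF file header for the EXE/DLL flag and section count, reads the optional-header magic for 32/64-bit, and then parses the section table, computing md5/sha1/sha256 along the way. The sample image it parses is constructed in the script (it is not a real or loadable binary) so the example runs offline; every offset is bounds-checked so a truncated or non-PE input is rejected rather than guessed at.

```python
import hashlib
import struct

# Constants from the PE/COFF specification
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002   # Characteristics: image is valid to run
IMAGE_FILE_DLL = 0x2000                # Characteristics: image is a DLL
PE32_MAGIC = 0x10B                     # optional header magic for 32-bit images
PE32PLUS_MAGIC = 0x20B                 # optional header magic for 64-bit images


def parse_pe(data: bytes) -> dict:
    """Read the DOS header, COFF file header, optional-header magic and the
    section table of a PE image held in memory. Every offset is bounds-checked
    so a truncated or non-PE file raises ValueError instead of being guessed at."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]    # offset of the PE signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    (machine, nsections, _timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 2 or opt + opt_size > len(data):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    bits = {PE32_MAGIC: 32, PE32PLUS_MAGIC: 64}.get(magic)
    if bits is None:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        off = table + 40 * i                       # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rawsize, "raw_ptr": rawptr, "characteristics": flags,
        })
    return {
        "type": "DLL" if characteristics & IMAGE_FILE_DLL else "EXE",
        "bits": bits,
        "machine": machine,
        "size_bytes": len(data),
        "num_sections": nsections,
        "sections": sections,
        # the same three digests PEscope reports, usable as IoCs later
        "hashes": {alg: hashlib.new(alg, data).hexdigest()
                   for alg in ("md5", "sha1", "sha256")},
    }


def build_sample_pe(dll: bool = False, bits: int = 64) -> bytes:
    """Constructed minimal PE image for demonstration only: valid headers and
    two section entries, but no code. It is not loadable and not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE header follows the DOS header
    machine = IMAGE_FILE_MACHINE_AMD64 if bits == 64 else IMAGE_FILE_MACHINE_I386
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if dll else 0)
    magic = PE32PLUS_MAGIC if bits == 64 else PE32_MAGIC
    opt = struct.pack("<H", magic) + b"\0" * 22      # only the magic matters here
    coff = struct.pack("<HHIIIHH", machine, 2, 0, 0, 0, len(opt), chars)

    def section(name, vsize, vaddr, rawsize, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr,
                           0, 0, 0, 0, flags)

    secs = section(b".text", 0x1000, 0x1000, 0x200, 0x200, 0x60000020)  # CODE|EXECUTE|READ
    secs += section(b".data", 0x100, 0x2000, 0x200, 0x400, 0xC0000040)  # IDATA|READ|WRITE
    return bytes(dos) + b"PE\0\0" + coff + opt + secs


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"{info['type']} {info['bits']}-bit, {info['num_sections']} sections, "
          f"{info['size_bytes']} bytes")
    for alg, digest in info["hashes"].items():
        print(f"{alg:7} {digest}")
    print(f"{'Name':8} {'VirtSize':>8} {'VirtAddr':>8} {'RawSize':>8} {'RawPtr':>8}")
    for s in info["sections"]:
        print(f"{s['name']:8} {s['virtual_size']:>8x} {s['virtual_address']:>8x} "
              f"{s['raw_size']:>8x} {s['raw_ptr']:>8x}")
```

To run it on a real file, replace build_sample_pe() with the bytes read from disk; the section characteristics are printed raw so that an unusual combination (for instance a writable section that is also executable) stands out during triage.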

Interesting strings

Because analyzing a sample’s strings can be like searching for a needle in a haystack, this option can save lots of precious analysis time by looking only for URLs, emails, IP addresses, errors, warnings and suspicious words:

> pescope -S bar.exe

[Screenshot: interesting strings from the file]

Match RegEx

Obviously, the Interesting strings option may not always find what the analyst is looking for, so the match option gives the analyst more control over the analysis process!

> pescope -m [a-zA-Z]{10,}[\d]$ foo.exe

[Screenshot: matching a regex]

Make your scope!

Now you definitely don’t need to run a separate command for each feature, because the main purpose of this tool is to save time! You can make your own mix all in one command.
Example:

> pescope -H -i -s -l foo.exe

[Screenshot: make your scope!]

Conclusion

This was the PEscope tool explanation!
I hope that helped you out, and if you want to contribute a feature that would be awesome!
Happy analysis time!

This post is licensed under CC BY 4.0 by the author.