Portable Executable Scanner (pescan)
pescan is a command-line tool for scanning Portable Executable (PE) files. Its current functionality is limited, but it was designed as a framework to which additional options can be added as they are needed. The codebase pescan is built on provides platform-agnostic, portable routines for extracting and analyzing any part of the PE internals, so extending pescan with further heuristics can be done quickly.
The output of pescan shows two types of data:
1. Basic statistics of the PE file analyzed: type of PE file, compile time, entry point address, image base address, company name (if present), linker version, minimum version of Windows required to run it, and so on. Far more data is available than is printed, so only a few items were chosen for output; if other metrics are desired, please let us know.
2. Inferences about the PE internals. If pescan is given a PEiD-formatted (text) signature file, it will use it to try to identify the compiler or packer that produced the file. Independently of any signatures, pescan also tries to determine whether the construction of the file looks like something that warrants offline analysis: for example, it will say so if it determines that the file is packed, that an executable is embedded in one of its sections, or that a section has unusually high entropy (a common sign of compressed or encrypted content).
For those who process large amounts of data, pescan allows files to be piped into its front end and can write its results as a comma-separated values (CSV) file for viewing in the spreadsheet utility of your choice.
Compiled versions are available for Windows, Linux and Mac OS X, for those who want to analyze Windows PE files on another platform.
| Platform | 32-bit Version | 64-bit Version | Checksums |
| --- | --- | --- | --- |
| Mac OS X | pescan.v.0.18.osx.tar.gz | pescan.v.0.18.osx.tar.gz | md5/sha1 |

*32-bit builds run on a 64-bit Linux distribution if "ia32-libs" (and its dependencies) are installed.