
PEriscope

Download v3.2 (for Windows 95 / 98 / ME / NT 4.0 / 2000 / XP / 2003 / Vista)


Introduction


PEriscope is a PE file inspection tool. For example, you can use it as an aid when looking for malicious code in files.

Usage instructions


Download the exe file and run it from the Command Prompt. It will give you the instructions you need.

Q&A


Q: How do I redirect or stop the output?

A: You can redirect the output to a file by appending, for example, "> file.txt" to the command you type at the Command Prompt. You can stop the output after each screenful by appending "| more".

Q: I get a warning that the entry point does not point into the code segment. What does that mean?

A: It means that when you run the file, the first instruction that is executed isn't located at any of the places where instructions are normally located. This can be a sign of virus infection. Please note that even if you don't get this warning the file can still be infected by a virus!

Q: Can I trust that all DLLs the file uses, and the functions in them, are listed in the import table?

A: No. The only way to be completely sure of what a file does is to disassemble it and go through every single instruction.

Q: What are the numbers before the function names in the import table?

A: The function ordinals.

Q: What are the numbers before the function names in the export table?

A: The function ordinals and the RVAs, in that order.

Q: Which algorithm is used for hashing the exported function names?

A: One where the hash value is rotated 13 positions to the right for each character and then has the character value added to it.
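
The hash described in this answer can be reproduced to map a constant found in disassembly back to an export name. The following is an added example, not PEriscope's own code; it assumes a 32-bit hash starting at 0, computed over the case-sensitive ASCII name without its terminating null, and all function names and sample data in it are constructed for illustration.

```python
"""Added example: rotate-right-13 additive name hash and a reverse lookup."""

MASK32 = 0xFFFFFFFF  # assumption: the hash is 32 bits wide


def ror32(value, count):
    """Rotate a 32-bit value right by count bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(name):
    """Hash a name: rotate the hash right 13, then add the character value."""
    h = 0  # assumption: initial hash value is 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


def build_lookup(export_names):
    """Map hash -> list of names (a list, because collisions are possible)."""
    table = {}
    for name in export_names:
        table.setdefault(ror13_hash(name), []).append(name)
    return table


def resolve_constants(constants, table):
    """Return {constant: matching names} for constants seen in a disassembly."""
    return {c: table.get(c, []) for c in constants}


# Constructed sample data: export names as a PE export table would list them,
# and two 32-bit constants as they might appear in code under analysis.
SAMPLE_EXPORTS = ["CreateFileA", "ExitProcess", "GetProcAddress",
                  "LoadLibraryA", "WinExec"]
SAMPLE_CONSTANTS = [0x0E8AFE98, 0x12345678]

if __name__ == "__main__":
    table = build_lookup(SAMPLE_EXPORTS)
    for const, names in resolve_constants(SAMPLE_CONSTANTS, table).items():
        print(f"0x{const:08X} -> {', '.join(names) or 'no match'}")
```

Code that compares such constants against hashed export names calls functions that never appear in its import table, which is one reason the import table cannot be trusted on its own.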

Q: When I double-click on the file a window comes up and disappears immediately. What's wrong?

A: You must run the file from a Command Prompt.

Q: I have a question that is not covered here. Where can I get help?

A: Send me your question. I can't promise that I will have time to answer, but I'll do my best.



© Arne Vidstrom. All rights reserved.