(for Windows 95 / 98 / ME / NT 4.0 / 2000 / XP / 2003 / Vista)
PEriscope is a PE file inspection tool. For example you can use it as an aid when you are looking for malicious code in files.
Download the exe file and run it from the Command Prompt. It will give you the instructions you need.
Q: How do I redirect or stop the output?
A: You can redirect the output to a file by appending, for example, "> file.txt" to the end of what you type at the Command Prompt. You can stop the output from scrolling past by appending "| more", which shows it one screen at a time.
Q: I get a warning that the entry point does not point into the code segment. What does that mean?
A: It means that when you run the file, the first instruction that is executed is not located inside any of the sections where code is normally found. This can be a sign of virus infection. Please note that even if you don't get this warning, the file can still be infected by a virus!
Q: Can I trust that all the DLLs, and the functions in them, that the file uses are listed in the imports table?
A: No. The only way to be completely sure of what a file does is to disassemble it and go through every single instruction.
Q: What are the numbers before the function names in the import table?
A: The function ordinals.
Q: What are the numbers before the function names in the export table?
A: The function ordinals and the RVAs, in that order.
Q: Which algorithm is used for hashing the exported function names?
A: A rotate-and-add hash: for each character of the name, the running hash value is rotated 13 bit positions to the right and the character's value is then added to it.
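As an added example (not PEriscope's own code), here is the rotate-and-add hash described above in Python, together with a small lookup that maps a hash value back to an export name, which is how an analyst matches a constant found in a sample to the function it refers to. The answer does not say whether the terminating NUL byte of the name is counted, so that is left as an option; the sample names are constructed for the test.

```python
# Added example, not part of PEriscope: ROR13 "rotate right 13, then add" hash
# of an exported function name, as described in the FAQ answer above.

MASK32 = 0xFFFFFFFF  # the hash is a 32-bit value


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bit positions."""
    value &= MASK32
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(name: str, include_nul: bool = False) -> int:
    """Hash an export name: for each character, rotate the running hash
    right by 13 and add the character's byte value.

    Assumption: the FAQ does not state whether the terminating NUL byte of
    the name is processed as well, so `include_nul=True` applies one extra
    rotation (adding 0) for tools that count it.
    """
    data = name.encode("ascii")
    if include_nul:
        data += b"\x00"
    h = 0
    for byte in data:
        h = ror32(h, 13)
        h = (h + byte) & MASK32
    return h


def match_hash(export_names, target: int, include_nul: bool = False):
    """Return the export name whose hash equals `target`, or None.

    This is the defender's direction: given a hash constant seen in code,
    recover which exported function it names.
    """
    for name in export_names:
        if ror13_hash(name, include_nul) == target:
            return name
    return None


if __name__ == "__main__":
    # Constructed sample names, not taken from any real export table.
    sample_exports = ["A", "AB", "ABC"]
    for n in sample_exports:
        print(f"{n:<4} {ror13_hash(n):08X}  (with NUL: {ror13_hash(n, True):08X})")
    print("0x02080042 ->", match_hash(sample_exports, 0x02080042))
```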
Q: When I double-click on the file a window comes up and disappears immediately. What's wrong?
A: You must run the file from a Command Prompt.
Q: I have a question that is not covered here. Where can I get help?
A: Send me your question. I can't promise that I will have time to answer, but I'll do my best.