Analyzing suspicious files

Suspicious files are interesting. There are many suspicious characteristics a PE file can have, and every one we know of is checked by pescan:

$ pescan -v Nota.cpl 

file entropy:                    7.986840 (probably packed)
cpl analysis:                    malware
fpu anti-disassembly:            no
imagebase:                       normal - 0x400000
entrypoint:                      normal - va: 0x15c330 - raw: 0x65530
DOS stub:                        suspicious - raw: 0x40
TLS directory:                   not found
section count:                   3
.text:                           self-modifying
.rsrc:                           self-modifying
.reloc:                          small length
timestamp:                       normal - Wed, 26 Jun 2013 12:22:16 UTC

pescan is the PE scanner program, intended to find any suspicious characteristic in a file. It is good for an initial analysis; afterwards you can dig deeper with readpe, pedis, peres and so on.

Strings are also good indicators in general PE file analysis. To avoid the usual problem of handling Unicode and ASCII strings separately, we've developed our own strings dumper for PE files. With pestr you know exactly where the string is inside the file and you don't need to specify whether you are looking for ASCII or Unicode strings: pestr catches both.

$ pestr --so dotnet.exe
0x2a69c .text Button4
0x2a6a9 .text TextBox1
0x2a6b6 .text 3System.Resources.Tools.StronglyTypedResourceBuilder
0x2a6eb .text
0x2a6f7 .text KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
0x2a744 .text
0x2a752 .text My.Settings
0x2a972 .text _CorExeMain
0x2a97e .text mscoree.dll
0x2be7c .rsrc IHDR
0x2be95 .rsrc pHYs
0x2beaa .rsrc IDATx
0x2c1bb .rsrc IEND
0x2d742 .rsrc VS_VERSION_INFO
0x2d79e .rsrc VarFileInfo
0x2d7be .rsrc Translation
0x2d7e2 .rsrc StringFileInfo
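As an added example (not part of pev and not the page's own code), a Python sketch of the two checks shown above: the file entropy that pescan reports, and a pestr-style dump that lists ASCII and UTF-16LE strings with their raw offset and containing section. The sample image is constructed inline and assumes a section table directly after the COFF header with no optional header, so it is not a loadable PE.

```python
from collections import Counter
import math
import re
import struct

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; pescan reports values near 8 as 'probably packed'."""
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def sections(pe: bytes):
    """Yield (name, PointerToRawData, SizeOfRawData) from the PE section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size = struct.unpack_from("<HHIIIH", pe, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    for i in range(nsec):
        off = table + i * 40
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        yield name, raw_ptr, raw_size

def section_of(secs, offset: int) -> str:  # '-' means headers or overlay
    return next((n for n, p, s in secs if p <= offset < p + s), "-")

def strings(pe: bytes, minlen: int = 4):
    """Sorted (offset, section, text) for ASCII and UTF-16LE runs, like pestr --so."""
    secs = list(sections(pe))
    pats = ((rb"[\x20-\x7e]{%d,}" % minlen, "ascii"), (rb"(?:[\x20-\x7e]\x00){%d,}" % minlen, "utf-16-le"))
    return sorted((m.start(), section_of(secs, m.start()), m.group().decode(enc))
                  for pat, enc in pats for m in re.finditer(pat, pe))

def build_sample() -> bytes:
    """Constructed, minimal PE-shaped image for the demo (no optional header; not loadable)."""
    img = bytearray(0x180)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x40 + 6, 2)  # NumberOfSections; SizeOfOptionalHeader stays 0
    for i, (name, ptr) in enumerate(((b".text", 0x100), (b".rsrc", 0x140))):
        off = 0x58 + i * 40
        img[off:off + len(name)] = name
        struct.pack_into("<II", img, off + 16, 0x40, ptr)  # SizeOfRawData, PointerToRawData
    img[0x100:0x10B] = b"mscoree.dll"                 # ASCII string in .text
    img[0x140:0x14E] = "Button4".encode("utf-16-le")  # Unicode string in .rsrc
    return bytes(img)
```

Running `strings(build_sample())` lists the two section names from the headers (section "-") and then `mscoree.dll` in .text and `Button4` in .rsrc, each with its raw offset, in the same order pestr prints them.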

All tools are provided with manpages. Check it out and discover what you can do with pev. ;)