SecurityXploded.com
ExeScan : PE File Anomaly Detector Tool
 
 
 
ExeScan - PE File Anomaly Detector Tool
Author: Amit Malik 
 
 
 
 
See Also
 
 
 
 
Contents
 
 
About ExeScan
ExeScan is the FREE console based tool to detect anomalies in PE (Portable Executable) files. It quickly scans given executable file and detect all kind of anomalies in its PE header fields including checksum verifications, size of various header fields, improper size of raw data, non-ascii/empty section names etc.

Various packers/protectors modify PE header to make reversing harder. Sometimes anomalies in PE header may crash Debugging tools thereby blocking your attempt to reversing. Such anomalies can also make some of the GUI based PE analysis tools to fail to parse PE headers.

In such cases ExeScan can come handy by helping you to quickly detect such anomalies. Then you can fix them and proceed to further analysis of malware.

In addition to finding various anomalies, it can also detect packer/compiler used to pack/build the target executable file. Being console based tool, you can easily integrate it with your malware automation suite.  
 
 
 
Features
Here are the main feature highlights
  • Quickly detect all kind of Anomalies in EXE/PE file.
  • Console tool makes it easy for automation.
  • Compiler and Packer signatures detection
  • Scan for commonly used malware APIs
  • PE header and Import table structure dispaly
  • Native support for report generation
 
 
Requirements
ExeScan requires following components
  • Python - Install latest version of Python.
  • PEFile - PE File Python Module by Ero Carrera 
 
 
Using ExeScan
ExeScan is very simple and easy to use. 

Here are the brief usage details
  • Before you launch - make sure you have installed all the above mentioned requirements.
  • Next launch command prompt (start=>Run=>cmd.exe) and move to directory where you have extracted ExeScan file
  • Then type 'exescan.py -a <path to exe file>' and instantly it will show all the anomalies along with other PE information as shown in the screenshot below.
 
 
Screenshots
Here is the screenshot of ExeScan detecting various anomalies in packed PE file
 
ExeScan analyzing PE file
 
 
 
Release History
Version 2.6 :  16th Sep 2012
Display the type of file (EXE/DLL). Listing of export table. Store the reports in more organized way with MD5 hash name for that folder.
 
Version 2.5 :  12th Apr 2012
Supports extraction of all ASCII strings from the executable. Also improves the accuracy of "Malware API" results.
 
Version 2.0 :  31st Jan 2012
Native support for report generation, better display of PE file header, more professional look,  bug fixes in regular expression etc
 
Version 1.5 :  5th Oct 2011
New version v1.5 adds support for automatically processing all EXE files in the directory.
 
Version 1.0 :  5th June 2011
First public release of ExeScan
 
 
 
Disclaimer
ExeScan tool is released "as is" without any warranty of any kind, neither SecurityXploded nor the author is responsible for any damage due to use or misuse of this tool.

Read complete License & Disclaimer terms here.
 
 
 
Download ExeScan
FREE Download ExeScan v2.6

License  : Freeware
Platform : Windows XP, 2003, Vista, Win7

Download
 
 
 
See Also
 
 
 
 
 
 
 
 
 
 
 
 
XenArmor