A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #20994  by bantempmail
 Fri Sep 27, 2013 5:49 pm
Sweet! Very efficient.

Everything imo.
But I think it's a bad idea to move the section header characteristics/flags into a subwindow. Now you have to click on every section separately to know if it's r/w/e. I think it's important information that should be available at one glance.
To be honest, I don't see the reason for the subwindow. I guess it's there for additional space for additional info, but there is really not that much info on section headers. I guess one could put entropy in there or maybe even draw a graph of it. I don't know. But the flags belong where they used to be, so one can see them all at once.

It's also kinda odd that they get sorted by size if you click on Name and won't sort by anything else. Well, when you first open the window, they are sorted 'normally'.

Now the Imported Libraries could profit from a subwindow with Imported Symbols in it...

With the debug and resource stuff, that was my mistake. PeStudio just leaves out some stuff.
I mean, it does not just plainly parse stuff byte for byte and display it. It picks some things and interprets or resolves them. I won't find IMAGE_DEBUG_DIRECTORY byte for byte anywhere, but I will find PdbFileName[] in Debug Information.
I guess it depends on the target audience. This one looks like it's more for security semi-/professionals, with the Indicators and VirusTotal integration, for a high-level overview. So one might have no need for, or simply not want, all the details.
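As an added example (not PeStudio's code and not from the post above): a small Python parser that walks the IMAGE_SECTION_HEADER table and lists the r/w/x characteristics of every section in one view, flagging any section that is both writable and executable. The PE it parses is a constructed headers-only blob built inline; the struct layouts are the documented PE/COFF ones, and the constant values in the sample are made up for the demo.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics memory flags from the PE/COFF specification
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
COFF_HDR = "<HHIIIHH"         # 20-byte IMAGE_FILE_HEADER
SECTION_HDR = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER

def perm_string(characteristics):
    """Render the memory flags as a compact r/w/x triple, e.g. 'r-x'."""
    return ("r" if characteristics & IMAGE_SCN_MEM_READ else "-") + \
           ("w" if characteristics & IMAGE_SCN_MEM_WRITE else "-") + \
           ("x" if characteristics & IMAGE_SCN_MEM_EXECUTE else "-")

def section_permissions(pe):
    """Walk the section table; return [(name, perms, writable_and_executable)]."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, pe, coff)
    table = coff + struct.calcsize(COFF_HDR) + opt_size  # table follows the optional header
    rows = []
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_HDR, pe, table + i * struct.calcsize(SECTION_HDR))
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        perms = perm_string(fields[-1])
        rows.append((name, perms, "w" in perms and "x" in perms))
    return rows

def build_sample_pe(sections):
    """Constructed headers-only PE (no optional header, no section data) for the demo."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = struct.pack(COFF_HDR, 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    table = b"".join(struct.pack(SECTION_HDR, n, 0x1000, 0x1000 * (i + 1), 0x200, 0x400, 0, 0, 0, 0, c)
                     for i, (n, c) in enumerate(sections))
    return dos + b"PE\0\0" + coff + table

SAMPLE = build_sample_pe([  # constructed sample sections; .sample is deliberately RWX
    (b".text", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
    (b".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".rsrc", IMAGE_SCN_MEM_READ),
    (b".sample", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
])
if __name__ == "__main__":
    for name, perms, rwx in section_permissions(SAMPLE):
        print(f"{name:<8} {perms}{'  <- writable and executable' if rwx else ''}")
```

On a real file, `section_permissions(open(path, "rb").read())` gives the same one-screen overview the post asks for; a writable-and-executable section is worth a closer look during triage.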
 #20995  by bantempmail
 Fri Sep 27, 2013 5:54 pm
Oh gee, I just realized that PeStudio uses no GUI library like QT, it's all native... Must be a pain in the ass... ;p
 #20999  by bantempmail
 Sat Sep 28, 2013 12:33 am
Uh, just looked deeper. MFC for GUI? I hear it's a pain. Have fun! )
 #21021  by bantempmail
 Mon Sep 30, 2013 5:17 pm
Nice.

Opening a 100 MB file takes time... Hashing?

Opening a setup file that is 100 MB and clicking on the Strings view with 500000 entries hangs the UI for good :P
Well, actually it recovered after 5 minutes (nice! although using 1 gig of RAM), but I wouldn't have waited that long and would have just closed it.
Maybe just loading it partially? But again, this is extra boring code for a small-time, no-one-cares feature...

Also, it seems to reread the values from the PE file every time I click on a different view?
Example: clicking on Imported Symbols, PeStudio loads, reads, displays the values; now clicking on Dos Header or whatever, same procedure, and then clicking on Imported Symbols again leads to a full reread. No storing/caching of the results?
I arrive at this conclusion because the 500k strings that were read and displayed in 5 minutes froze the UI again for 5 minutes after I clicked on another view and then back to Strings. Dunno, maybe worth working on.
 #21023  by Marc Ochsenmeier
 Tue Oct 01, 2013 8:04 am
@bantempmail: yes, currently the analysis is taking place in one single thread. I'll change that later. Quite unusual to have a malware of that size... (VT also has a limit: maximum file size 64 MB). Regarding the switching view issue, yes, I know. I'll change that later. My current focus is validation of PE files and valid output.
 #21095  by ArkKup
 Mon Oct 07, 2013 12:17 pm
It's crashing on Windows 8 x64 on exit.
BTW, using a scissors icon in the toolbar is a bit confusing, since this icon is kind of reserved for the "cut selection to clipboard" operation.