Download PEriscope

PEriscope is a PE file inspection tool. It works on ordinary 32-bit files as well as 64-bit and .NET ones.

Usage instructions

Download the exe file and run it from the Command Prompt. It will give you the instructions you need.

Questions and answers

Q: When I double-click on the file a window comes up and disappears immediately. What's wrong?

A: You must run the file from a Command Prompt.

Q: How do I redirect or stop the output?

A: You can redirect the output to a file by appending for example "> file.txt" at the end of what you write at the Command Prompt. You can stop the output by appending "| more".

Q: I get a warning that the entry point does not point into the code segment. What does that mean?

A: It means that when you run the file, the first instruction that is executed isn't located at any of the places where instructions are typically located. This can be a sign of virus infection. Please note that even if you don't get this warning, the file can still be infected by a virus!

Q: Can I trust that all DLL's and functions in them that the file uses are listed in the imports table?

A: No. The only way to be entirely sure of what a file does is to disassemble it and go through every single instruction.

Q: What are the numbers before the function names in the import table?

A: The function ordinals.

Q: What are the numbers before the function names in the export table?

A: The function ordinals and the RVA's in that order.

Q: Which algorithm is used for hashing the exported function names?

A: One where the hash value is rotated 13 positions to the right for each character and then has the character value added to it.