PEriscope is a PE file inspection tool. It works on ordinary 32-bit files as well as 64-bit and .NET ones.
Download the exe file and run it from the Command Prompt. It will give you the instructions you need.
Q: When I double-click on the file a window comes up and disappears immediately. What's wrong?
A: You must run the file from a Command Prompt.
Q: How do I redirect or stop the output?
A: You can redirect the output to a file by appending for example "> file.txt" at the end of what you write at the Command Prompt. You can stop the output by appending "| more".
Q: I get a warning that the entry point does not point into the code segment. What does that mean?
A: It means that when you run the file, the first instruction that is executed isn't located at any of the places where instructions are typically located. This can be a sign of virus infection. Please note that even if you don't get this warning, the file can still be infected by a virus!
Q: Can I trust that all DLL's and functions in them that the file uses are listed in the imports table?
A: No. The only way to be entirely sure of what a file does is to disassemble it and go through every single instruction.
Q: What are the numbers before the function names in the import table?
A: The function ordinals.
Q: What are the numbers before the function names in the export table?
A: The function ordinals and the RVA's in that order.
Q: Which algorithm is used for hashing the exported function names?
A: One where the hash value is rotated 13 positions to the right for each character and then has the character value added to it.
Copyright © 2019 Arne Vidstrom. All Rights Reserved.