RogueKillerPE 1.1.0.0 Final (x86/x64) Portable

RogueKillerPE 1.1.0.0 Final (x86/x64) Portable | 20.2/25.8 Mb
RogueKillerPE is an analysis tool for portable executable (PE) files. It displays the internal structure of the associated process or of the file itself, as stored on the hard disk. In other words, it gives users a powerful parser for executable files to help them detect potentially dangerous activity on the system.
Inspect running processes to detect suspicious files
Used together with RogueKiller, RogueKillerPE can become a formidable weapon against malicious processes and files that could harm the host system. Unlike RogueKiller, the PE edition is not designed to automatically target and terminate suspicious processes, but it does provide a complete overview of any running application.
RogueKillerPE can automatically load the list of running processes, but it can also be used to inspect the structure of a file located anywhere on the hard drive. Be it a process or an EXE file, the input is parsed in seconds.
Analyze the structure of any process or portable executable in detail
As for the actual information that RogueKillerPE retrieves, the list comprises general details regarding the process (PID, creation time, architecture), hash codes, the file location and its digital signature, file properties and the compiler that was used to create it, alongside the latest known VirusTotal scanning results and statistics.
Additionally, it shows addresses in the memory of the selected process and analyzes its hex code, PE headers, sections, imports, and exports, while also offering insight into the disassembly. Furthermore, it extracts the PE resources, parsing images, icons, bitmaps, dialogs, strings, versions, and manifest data, and displays them all in a user-friendly manner.
Analyze any portable executable and detect malicious content
RogueKillerPE offers a simple means of finding out what is running on the local computer and detecting malicious processes. It can analyze processes in detail, showing the internal structure of a PE file and letting the user decide whether it is safe or should be terminated immediately.
Features
• Open PE from file, and read disk image.
• Open PE from process, and read memory or disk image.
• Open file from command line.
• Drag and drop support.
• Process general information (pid, parent, …)
• File general information (attributes, size, …)
• Process module general information (address, size, …)
• A bunch of hashes (MD5, SHA1, SHA256, …)
• Process memory pages, with ability to dump.
• Injected pages detection, non-readable pages detection.
• Ability to dump injected pages to file.
• Hex code, with ability to search (hex values, or string ANSI/UNICODE).
• Assembly code, with ability to navigate.
• PE Headers (MZ, PE, Optional, …)
• RunPE detection, shows which header fields are modified.
• Checksum validation.
• PE Sections, with ability to watch hex code and dump to file.
• PE Imports, with ability to watch APIs assembly code (memory only).
• PE Exports, with ability to watch APIs assembly code.
• Hooks detection in imports/exports (table and inline hooks).
• PE Resources. Able to parse all well known types and display them accordingly (strings, version information, icons, …)
• Executable files detection in resources.
• Ability to watch hex code of resources.
• Ability to dump resources to file.
• PDB path detection.
• Strings scanner, with classification (Registry, files, …)
• Ability to dump all strings (by category or not) to file.
New in version 1.1.0 Final (December 4, 2015)
• Fixed crashes.
• Added ability to submit unknown files to VirusTotal.
• Added about window.
• UI is now locked during work to avoid analysis collisions.
• Now handles LNK / Reparse files, opening target and displaying information.
• Removed not-ready-yet Yara Editor menu.
OS: Windows All