PE Viewer 3.0
Re: PE Viewer 3.0
2iteg
pls add if exe file is Inno Setup = show tab "Setup Script"
and like UPXPath= you can use something like innounpPath=
OS: Win10 | TC: latest x64
Re: PE Viewer 3.0
2KozakMak
1)
> Pls add wdx functional
Added to ToDo list.
2)
> It is not clear what and why all these percentages are!
Entropy reflects the uniformity of the byte frequency distribution. The entropy value ranges from 0 (0%) to 8 (100%).
3)
> In C:\Windows\System32\shell32.dll plugin does not show icons on the Resources tab. Bug?
The plugin shows all resources from IMAGE_DIRECTORY_ENTRY_RESOURCE, but resources can be stored in other sections. I planned to implement the resource search algorithm.
4)
> pls add if exe file is Inno Setup = show tab "Setup Script"
Added to ToDo list.
Re: PE Viewer 3.0
v3.0.17
---------------------------
Totalcmd64
---------------------------
System Error. Code: 1400.
Недопустимый дескриптор окна.
---------------------------
ОК
---------------------------
OS: Win10 | TC: latest x64
Re: PE Viewer 3.0
iteg wrote: 2024-12-29, 21:51 UTC
> Entropy reflects the uniformity of the byte frequency distribution. The entropy value ranges from 0 (0%) to 8 (100%).
Okay, TOTALCMD64.EXE is 75% - and what does it mean?
iteg wrote: 2024-12-29, 21:51 UTC
> The plugin shows all resources from IMAGE_DIRECTORY_ENTRY_RESOURCE, but resources can be stored in other sections. I planned to implement the
...and one fine day we will be able to replace ICLView completely!

OS: Win10 | TC: latest x64
Re: PE Viewer 3.0
Entropy shows the degree of "randomness" of the data inside the file. But there are nuances:
A regular executable file:
A standard .exe file's entropy is usually average (in the range of 50-70%). This is because it contains structured data:
- Headers, metadata.
- The program code that the compiler organizes in a certain order.
- Link tables, rows, and sometimes "empty" areas.
Such a file usually has noticeable repeating patterns, which reduces entropy.
Compressed or packaged executable file:
If the .exe has been compressed (for example, by utilities like UPX), its entropy increases (closer to 75-85%), because the content becomes more "dense" and chaotic.
Encrypted executable file:
A fully encrypted .exe's entropy will be very high (90-100%). This is because the encrypted data looks like random "noise". Deliberate noise.
#146217 personal license
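An added example, not code from the plugin or from any poster in this thread: the byte-frequency entropy described above, on the 0-8 bit scale and as a percentage, plus a per-block view that shows where in a file the dense data sits. All sample inputs are constructed stand-ins (assumptions), not real executables.

```python
import math
import os
import random
import zlib
from collections import Counter

def entropy_bits(data: bytes) -> float:
    """Shannon entropy of the byte-frequency distribution: 0.0 to 8.0 bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_percent(data: bytes) -> float:
    """The same value on the 0-100% scale from the thread (8 bits == 100%)."""
    return entropy_bits(data) / 8 * 100

def window_percent(data: bytes, size: int = 4096) -> list:
    """Entropy of each fixed-size block, to locate the dense regions of a file."""
    return [entropy_percent(data[i:i + size]) for i in range(0, len(data), size)]

# Constructed sample inputs (assumptions; none of these is a real executable).
WORDS = "mov push call ret eax ebx ecx edx jmp add sub xor lea cmp test nop".split()
STRUCTURED = " ".join(random.Random(0).choices(WORDS, k=40000)).encode()
COMPRESSED = zlib.compress(STRUCTURED, 9)   # stand-in for packed content
RANDOM = os.urandom(65536)                  # stand-in for encrypted content
MIXED = STRUCTURED[:65536] + COMPRESSED     # plain region followed by a packed region

if __name__ == "__main__":
    for name, blob in [("structured", STRUCTURED), ("compressed", COMPRESSED),
                       ("random", RANDOM), ("mixed", MIXED)]:
        print(f"{name:10s} {len(blob):7d} bytes  {entropy_percent(blob):5.1f}%")
    # One number per 4 KiB block: the jump marks where the packed region starts.
    print("mixed, per block:", " ".join(f"{p:.0f}" for p in window_percent(MIXED)))
```

The whole-file figure for `MIXED` lands between the plain and the compressed samples, while the per-block list shows the boundary between the two regions.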
Re: PE Viewer 3.0
sounds very complicated
this line must be hidden by default

OS: Win10 | TC: latest x64
Re: PE Viewer 3.0
2KozakMak
> I planned to implement the resource search algorithm.
Already done. In the next version.
> ...and one fine day we will be able to replace ICLView completely!
Re: PE Viewer 3.0
2iteg
Can you add .msi info? Like in viewtopic.php?t=76566
OS: Win10 | TC: latest x64
Re: PE Viewer 3.0
2KozakMak
> System Error. Code: 1400.
A known mistake.
> Can you add .msi info?
Unfortunately, MSI files are not a PE format.
Re: PE Viewer 3.0
Hangs on a 400MB file; does it have a disable option?
Last edited by Hurdet on 2025-04-14, 03:28 UTC, edited 1 time in total.
Re: PE Viewer 3.0
I should note that finding an exe which is more than 400MB and only compressed with UPX is not a simple case.
As far as I know, very often an EXE of such a big size is a simple SETUP exe. So it's like a compressed archive.
BUT you are talking about a single, solid 'exe'? With size >400MB? Am I right?
Which one do you have on your hands?
The SETUP exes which I have, even with size ~1GB, are very easily "opened" with this plugin. No hanging.
Last edited by AntonyD on 2025-04-14, 09:17 UTC, edited 1 time in total.
#146217 personal license
Re: PE Viewer 3.0
I tried again today and it did not hang.
But I have 10s "Please wait" for MD5, SHA256 and VirusTotal.
Re: PE Viewer 3.0
I had ~6/7 seconds. And that's not a big problem imho...
Especially for VT
#146217 personal license
Re: PE Viewer 3.0
Test version 3.0.17.3:
- Fixed a bug in checking the validity of certificates.
- For the "Valid To" certificate field added color indication of relative current time validity.
- A revocation check has been added for a chain of signature certificates and an individual certificate. The check is performed on the OS cache without any requests to the network.
- Internal code optimization.
https://www.upload.ee/files/17984417/wlx_peviewer_3.0.17.3.rar.html
Re: PE Viewer 3.0
Test version 3.0.17.4:
- Support for "Reparse Point" Tags "Appexeclink" for UWP applications (%Localappdata%\Microsoft\WindowsApps). On the "Info" tab, the "Reparse Point" label and the parameters of "Appexeclink" are displayed.
- Implementation of the absolute path to the file when opening a symbolic link is implemented (for example, created using mklink.exe).
https://www.upload.ee/files/18042024/wlx_peviewer_3.0.17.4.rar.html