INTRODUCTION
PEiD v0.8 is a PE File Identifier. It currently identifies more than 300
signatures in PE files. It detects most common packers, encryptors, protectors
and compilers.
PEID MAIN DIALOG
FEATURES
1. It has a clean GUI; the interface is intuitive and simple.
2. Detection rates are among the best of any identifier.
3. Special scanning modes for *advanced* detection of modified and unknown
files.
4. Shell integration, command-line support, Always on Top and Drag'n'Drop capabilities.
5. Multiple file and directory scanning.
6. Task viewer and controller.
7. Generic OEP Finder module.
THE GRAPHICAL USER INTERFACE
PEiD can be told to scan a file by browsing for it through the Open File Button, or simply by dragging the file to scan onto the main dialog. Since v0.8, PEiD supports scanning of multiple files. You can select multiple files in the Open File Dialog or simply drag and drop multiple files onto the main dialog to bring up the Multiple File Scan dialog.
PEiD SHOWING FILE INFORMATION
PEiD MULTIPLE FILE SCAN DIALOG
You can also scan every file in a given directory. Clicking Scan Directory
in the Multiple File Scan dialog, or choosing Menu > Directory Scan, brings
up a Directory Selection dialog in which you choose the directory to scan.
You can then enable the Skip Non-PE Files option and choose the extensions
you wish to scan. Drag and Drop capabilities have also been added to the
Multiple File Scan dialog.
PEiD MAIN MENU
PEiD DIRECTORY SCAN DIALOG
SCANNING MODES
PEiD has 3 scanning modes to detect signatures in the files it scans.
The Normal Scan mode scans the PE file at its EntryPoint for the known
signatures. This is the most general and common approach, and the one used
by all other identifiers as well.
The Hardcore Method 1 or Deep Scan mode scans the PE file throughout the
EntryPoint section (the section that contains the EntryPoint). This
generally takes care of most simple modifications or simple redirecting
tricks, such as a jump at the EntryPoint that leads to the real stub
elsewhere in the same section.
The Hardcore Method 2 or HardCore Scan mode scans the whole PE file. This
way all simple modifications are taken care of. However, some signatures in
the database are quite small and common and may be present in a PE file
without it actually having been produced by the packer or encryptor they
identify. Hence this mode may very rarely give erroneous detections. PEiD
has built-in correcting techniques which try to fix these detection errors.
When a HardCore Scan reports something that the Normal or Deep Scan does
not, check where in the file the hit lies before trusting it.
We recommend that you use at least Hardcore Method 1 (if not Hardcore
Method 2) as your default setting.
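The following is an added example written for this page, not PEiD's own code. It implements the three scan modes described above over a minimal PE32 parser: Normal matches signatures anchored at the EntryPoint, Deep searches the whole EntryPoint section, Hardcore searches the whole file. Signatures use the userdb.txt layout ([Name] / signature = / ep_only =), but the two signatures, the packer stub and the sample PE are all constructed for the example and do not correspond to any real packer; the handling of ep_only is a simplification (it is parsed but does not change the search). The sample deliberately puts a jmp at the EntryPoint that redirects to the stub 0x40 bytes later (so the Normal Scan misses it and the Deep Scan finds it) and places the bytes of a very short signature in .data (so the HardCore Scan reports a hit there, the kind of erroneous detection the text warns about).

```python
"""Toy PEiD-style scanner: userdb.txt signatures, a minimal PE32 parser and the three scan
modes (Normal = EntryPoint only, Deep = EntryPoint section, Hardcore = whole file)."""
import re
import struct

# Constructed signatures in userdb.txt style; neither is a real packer's stub.
USERDB = """[Sample Packer 1.0 (constructed)]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF
ep_only = true
[Tiny prologue (constructed, deliberately short)]
signature = 55 8B EC
ep_only = false
"""

def compile_signature(sig):
    """'60 BE ?? 8D' -> bytes regex; '??' is a one-byte wildcard."""
    return re.compile(b"".join(b"." if t == "??" else re.escape(bytes([int(t, 16)]))
                               for t in sig.split()), re.DOTALL)

def parse_userdb(text):
    """Parse [Name] / signature = ... / ep_only = ... blocks into (name, regex, ep_only)."""
    entries, name, sig, ep_only = [], None, None, True
    for line in text.splitlines() + ["[end]"]:          # sentinel flushes the last entry
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            if name and sig:
                entries.append((name, compile_signature(sig), ep_only))
            name, sig, ep_only = line[1:-1], None, True
        elif line.lower().startswith("signature"):
            sig = line.split("=", 1)[1].strip()
        elif line.lower().startswith("ep_only"):
            ep_only = line.split("=", 1)[1].strip().lower() == "true"
    return entries

def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, va, vsize, raw_off, raw_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, roff = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, roff, rsize))
    return entry_rva, sections

def scan(data, entries, mode="normal"):
    """Return [(signature name, file offset of the hit)] for one PEiD-style mode."""
    entry_rva, sections = parse_pe(data)
    ep_sec = next((s for s in sections if s[1] <= entry_rva < s[1] + max(s[2], s[4])), None)
    if ep_sec is None:
        raise ValueError("entry point lies outside every section")
    _, va, _, roff, rsize = ep_sec
    ep_off = roff + (entry_rva - va)                    # RVA -> file offset inside the EP section
    regions = {"normal": (ep_off, data[ep_off:roff + rsize]),   # anchored at the EntryPoint
               "deep": (roff, data[roff:roff + rsize]),         # the whole EntryPoint section
               "hardcore": (0, data)}                           # the whole file
    base, region = regions[mode]                                # KeyError on an unknown mode
    hits = []
    for name, rx, _ep_only in entries:      # ep_only is parsed but ignored here (simplification)
        m = rx.match(region) if mode == "normal" else rx.search(region)
        if m:
            hits.append((name, base + m.start()))
    return hits

def build_pe(text, data, ep_in_text):
    """Constructed two-section PE32 (headers, .text at 0x200, then .data); not a real binary."""
    pad = lambda b: b + b"\0" * (-len(b) % 0x200)
    text, data = pad(text), pad(data)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, len(text), len(data), 0,
                      0x1000 + ep_in_text, 0x1000, 0x2000)         # AddressOfEntryPoint
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                       0, 0x3000, 0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                                # 16 empty data directories
    sec = lambda n, va, off, raw, ch: struct.pack("<8sIIIIIIHHI", n, len(raw), va, len(raw), off, 0, 0, 0, 0, ch)
    hdr = dos + b"PE\0\0" + coff + opt
    hdr += sec(b".text", 0x1000, 0x200, text, 0x60000020)
    hdr += sec(b".data", 0x2000, 0x200 + len(text), data, 0xC0000040)
    return pad(hdr) + text + data

# Constructed sample: the EntryPoint is a jmp that redirects to the packer stub 0x40 bytes
# later in .text, and .data happens to start with the three bytes of the short signature.
STUB = bytes.fromhex("60BE00204000" "8DBE00F0FFFF" "5783CDFF" "C3")
TEXT = b"\xE9\x3B\x00\x00\x00" + b"\x90" * (0x40 - 5) + STUB        # jmp +0x3B lands on STUB
DATA = b"\x55\x8B\xEC" + b"just data\0"
SAMPLE = build_pe(TEXT, DATA, ep_in_text=0)

def demo():
    """Run all three modes over the constructed sample."""
    entries = parse_userdb(USERDB)
    return {mode: scan(SAMPLE, entries, mode) for mode in ("normal", "deep", "hardcore")}
```

demo() returns no hit for the Normal Scan, the Sample Packer at file offset 0x240 for the Deep Scan, and both the Sample Packer and the short "Tiny prologue" signature (at 0x400, inside .data) for the HardCore Scan. To try it on a real file and a real userdb.txt, call scan(open(path, "rb").read(), parse_userdb(open("userdb.txt").read()), "deep"); the hit offsets tell you whether a whole-file match actually lies in the EntryPoint section or only in data.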
TASK SCANNING MODULE
Since v0.8 PEiD has a Task/Process module, which lets you view and control the processes currently running on your system. PEiD can scan, or optionally terminate, these processes.
PEiD TASK SCANNER DIALOG
The Scan Process (File) option loads the file that the process was started
from disk and scans it.
The Scan Process (Dump) option dumps an image of the process from memory to
a temporary file and scans that, so it sees what is in memory after the
packer's stub has run rather than the on-disk file. You can select the
SizeOfImage of the temporary file to be created during dumping. This option
takes care of the generic anti-dump tricks found in some protectors.
PEiD TASK DUMPING OPTIONS
OEP MODULE
Since v0.8 PEiD has a Generic OEP Scanning module. It uses the Generic OEP
Finder (GENOEP.DLL) to scan for the OEP of packed and protected files. This
option should be used with caution, as it involves running the executable
whose OEP you wish to find; only do this on a machine you can afford to
have compromised. If all goes well, a message box with the Probable OEP
will be displayed. Please keep in mind that the technique is completely
generic and thus is bound to have some bugs and flaws. It will not work
with Console Mode executables, nor with packers and protectors which use
the CreateProcess API. Apart from these, GENOEP should work with most other
protections currently out there.
GENERIC OEP FINDER
SNAKER & QWERTON
COPYRIGHTS © 2001 - 2002