PE iDentifier v0.95 (2008.11.03) by snaker, Qwerton, Jibz & xineohP ------------------------------------------------------ PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 600 different signatures in PE files. There are 3 different and unique scanning modes in PEiD. The *Normal Mode* scans the PE files at their Entry Point for all documented signatures. This is what all other identifiers also do. The *Deep Mode* scans the PE file's Entry Point containing section for all the documented signatures. This ensures detection of around 80% of modified and scrambled files. The *Hardcore Mode* does a complete scan of the entire PE file for the documented signatures. You should use this mode as a last option as the small signatures often tend to occur a lot in many files and so erroneous outputs may result. The scanner's inbuilt scanning techniques have error control methods which generally ensure correct outputs even if the last mode is chosen. The first two methods produce almost instantaneous outputs but the last method is a bit slow due to obvious reasons! Command line Options -------------------- PEiD now fully supports commandline parameters. peid -time // Show statistics before quitting peid -r // Recurse through subdirectories peid -nr // Don't scan subdirectories even if its set peid -hard // Scan files in Hardcore Mode peid -deep // Scan files in Deep Mode peid -norm // Scan files in Normal Mode peid You can combine one or more of the parameters. For example. peid -hard -time -r c:\windows\system32 peid -time -deep c:\windows\system32\*.dll Task Viewing / Control Module ----------------------------- You can scan currently running tasks with PEiD. The files are scanned from memory. Processes can also be terminated. You can also optionally dump a module and scan the dumped image. You can also view all dependant modules of the processes. Multiple File Scan Module ------------------------- You can scan multiple files at one go with PEiD. Just drag and drop the files on the PEiD main dialog and the Multiple File Scan Dialog will popup displaying the results. You can keep dragging and dropping files onto this dialog as well. It also offers you to choose from the different scanning modes and optionally load a single file in PEiD. It allows you to skip the non PE files so that the list looks clean. You can also scan the contents of a directory choosing files of custom extension if required. MFS v0.02 now supports recursive directory scanning. Disassembler Module ------------------- You can have a quick disassembly of the file loaded in PEiD. Double click to follow JMPs and CALLs and use the Back button to trace back to the original positions. You can copy disassembled output to the clipboard. A new CADT core with custom String Reference Finder has been cooked up. CADT is coded by Ms-Rem. Hex Viewer Module ------------------- You can have a quick hex view of the file loaded in PEiD. A modified version of 16Edit by y0da is used for this purpose. You can check out the PEiD homepage at http://www.peid.info and the PEiD Forums at http://www.peid.info/forum