Easily examine suspicious files with a tool from the past: Peek 1.1

This review is of a tool that is now 12 years old. Originally written for Windows 95/NT, and last updated in 1996, Peek is a tool that has withstood the test of time. To the best of my knowledge, there is nothing quite like it.

Peek is an Explorer shell extension. It comes with no formal installer, just a DLL and an inf file. Once installed, it adds a new entry to the context menu for files.

image

These are the items shown with the default installation. For most people this is enough; for those who want more options, Peek can add entries via the registry. Everyone has had a file they didn't know what it was, or something downloaded from a questionable source. Even if something is not a [known] virus, it could still be malicious. For executable files you would likely select the Binary Files option.


image

Selecting Binary Files for peek.dll produces this output. The binary option does two things. First it scans the file for ANSI strings[1]; this is denoted by the ANSI SECTION header. Before each string is its offset[2]. By default, a string is defined as any sequence of at least 4 letters or numbers. Again, this is configurable, but we'll get to that later on. What you see in this image is typical of an executable file or DLL. The first line is present in almost all Windows executables. Under that you see the names of functions used in the file. One thing this is useful for is quickly scanning a file to see if it makes use of networking functions when there is no reason for it to (i.e. a program that should not access the net for any of its functions).

image

Scrolling down a ways, you will come to the Unicode[3] section. Typically this will contain product information. Files of non-US origin are more likely to have a larger, if not exclusive, Unicode section.

The next option, Standard, will display only the ANSI section, without printing the offset information. Selecting Unicode does the opposite and shows only the Unicode section, again without offset information.

As I said, this is usually enough options for most people. I have yet to have a need to add any more. Nevertheless, it can be done. To do so, you need to fire up your favorite Registry editor and make your way to HKEY_LOCAL_MACHINE\SOFTWARE\Aries\Peek. There you will see the entries for the 3 default options.

image

Each preset gets its name directly from the key name. For example, to create a new item ‘Test’, you would create a key ‘Test’ under Peek. All of the options are String values, defined as follows.

  • Character Count
    The minimum number of characters from the set that must appear sequentially for a string match to occur.
  • Character Set
    The characters that are considered to be text. Special characters can be used by entering \t (tab), \r (CR), \n (LF), etc. A character set of 0123456789AB..YZ (assume the whole alphabet is shown) would include all numbers and capital letters.
  • Delimiter Count
    The number of occurrences a character from the Delimiter Set can appear sequentially.
  • Delimiter Set
    Characters that can appear between words. This would typically include mostly punctuation as such: .!?,;:-\\{}[]()/+*~°^’%#<>|
  • Display Offset
    0 = Do not display the offset
    1 = Display the offset
  • Help String
    The text that is displayed in the Explorer status bar when the mouse is over the menu item.
  • Unicode
    0 = Only scan for ANSI text
    1 = Only scan for Unicode text
    2 = Scan for ANSI and Unicode
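As an added illustration (not Peek's own code, which is closed), here is a small Python scanner that applies the preset values above to a constructed byte buffer: Character Set and Character Count decide what counts as a run of text, Delimiter Set and Delimiter Count let punctuation join words, Unicode selects 1-byte or 2-byte (UTF-16LE) scanning, and Display Offset controls the hex prefix. The default values, the space in the delimiter set, lowercase letters in the character set, the trimming of trailing delimiters and the reading of Character Count as one unbroken run are my assumptions, not documented Peek behaviour.

```python
import string
from dataclasses import dataclass

@dataclass
class Preset:  # the String values of one key under HKLM\SOFTWARE\Aries\Peek (defaults assumed)
    character_count: int = 4        # minimum unbroken run of text characters for a match
    character_set: str = string.digits + string.ascii_letters   # page's example is 0-9 and A-Z
    delimiter_count: int = 1        # how many delimiters may appear in a row between words
    delimiter_set: str = " .!?,;:-\\{}[]()/+*~^'%#<>|"            # space added to the page's list
    display_offset: bool = True     # registry 1/0
    unicode: int = 2                # 0 = ANSI only, 1 = Unicode only, 2 = both

def scan(data: bytes, preset: Preset, width: int):  # [(offset, text)]; width 1 = ANSI, 2 = UTF-16LE
    text, delim = (set(s.encode("latin-1")) for s in (preset.character_set, preset.delimiter_set))
    n = len(data)
    def unit(pos):  # character at pos, or None when the 2-byte unit is not ASCII-range UTF-16LE
        ok = width == 1 or (pos + 1 < n and data[pos + 1] == 0)
        return data[pos] if ok else None
    found, i = [], 0
    while i < n:
        if unit(i) not in text:
            i += 1; continue
        start, j, chars, run, best, pending = i, i, [], 0, 0, 0
        while j < n:
            c = unit(j)
            if c in text:
                chars.append(chr(c)); run += 1; best = max(best, run); pending = 0
            elif c in delim and pending < preset.delimiter_count:
                chars.append(chr(c)); run = 0; pending += 1
            else:
                break
            j += width
        del chars[len(chars) - pending:]          # drop the delimiters that ended the string
        if best >= preset.character_count:
            found.append((start, "".join(chars)))
        i = j
    return found

def report(data: bytes, preset: Preset):  # Peek's output: section header, then "HEXOFFSET text"
    lines = []
    for header, width, modes in (("ANSI SECTION", 1, (0, 2)), ("UNICODE SECTION", 2, (1, 2))):
        if preset.unicode in modes:
            lines.append(header)
            lines += [f"{o:X} {s}" if preset.display_offset else s for o, s in scan(data, preset, width)]
    return lines

# Constructed sample: MZ bytes, DOS stub text, a Winsock import name, a too-short "ab", a UTF-16LE string
SAMPLE = (b"MZ\x90" + b"\x00" * 5 + b"This program cannot be run in DOS mode.\r\n"
          + b"\x01\x02WSAStartup\x00ab\x00\x00" + "Peek 1.1".encode("utf-16-le") + b"\xff")
```

Running `report(SAMPLE, Preset())` lists the DOS stub text at offset 8 and `WSAStartup` at 33 under ANSI SECTION, and `Peek 1.1` at 42 under UNICODE SECTION; the two-letter `ab` and the single bytes of the UTF-16 string never reach the 4-character minimum in the ANSI pass.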

Pros

  • Very simple to use
  • Highly effective as a quick solution to examine a binary file
  • Very small at only 16k for the DLL (3x the size of the inf!)
  • Configurable

Cons

  • No longer maintained
  • The user must be comfortable editing the Registry to change or add options.

I was thinking of making a GUI to manage the options for Peek. My attempt to contact the author was not successful. As a result I cannot obtain permission to distribute my GUI with Peek. I am not sure I would technically require permission due to the age of the software. In any case, I am now considering writing a tool similar to this having further abilities to analyze files. I would welcome any comments on the kinds of things people think might be useful. For example, an option to scan only for known API function names. Please take a moment to post a comment if you have any thoughts on it.

  1. ANSI strings are stored as 1 byte per character.
  2. The offset is the position in the file at which the string occurs. It is displayed in hex. An offset of AF25 would mean the first letter of the string appears 44,837 bytes into the file.
  3. Unicode uses 16 bits rather than 8 to store each character. This is to accommodate international languages that have more letters than ANSI has room for.
