I created this tool to quickly identify modifications in the PE, use of a TLS callback and Alternate Data Streams.
-> Some modifications to the PE structure of an executable can prevent debuggers or other tools from opening it.
-> A TLS callback can be used to execute code the moment the executable is loaded, i.e. as soon as you open it in a debugger and before execution reaches the entry point (very dangerous).
-> Listing all the streams is essential when you analyse a file.
The PE and TLS functions are very basic and might not work on heavily modified executables.
For example, it will crash on Delphi executables that have an unused TLS table, or on optimised PE files.
Those will be fixed in future versions.
When you scan for Alternate Data Streams, you will always see one record:
This is the default stream, the file itself.
The name of an alternate data stream will appear between the two colons (::).
For example, in the screenshot below, one alternate stream is called 1337stream3.exe
You can then open that file (stream) in Notepad, for example, using:
Note that Alternate Data Streams will be lost if you transfer them through anything that does not support NTFS.
(99% of mail servers)
But between you and me, it is possible to keep those streams if you compress the file with WinRAR :)
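As an added example (not part of the tool above), here is how the same stream listing can be done from PowerShell on an NTFS volume: it walks a directory, skips the default ::$DATA record for each file, and reports every named stream with its size. The $Path parameter and the output layout are my own choices.

```powershell
# Added example: report alternate data streams under a directory.
# Assumes PowerShell 3.0 or later (Get-Item -Stream) and an NTFS volume.
param([string]$Path = ".")

Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
    $file = $_
    # ':$DATA' is the default, unnamed stream: the file contents themselves.
    # Any other record is a named stream, the part that appears between the colons.
    Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [PSCustomObject]@{
                File   = $file.FullName
                Stream = $_.Stream      # e.g. 1337stream3.exe
                Bytes  = $_.Length      # size of the hidden stream
            }
        }
}
```

To look at a reported stream's contents without opening it in an editor, use Get-Content -LiteralPath <file> -Stream <name>.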
Click here to see a screenshot of the program.
Click here to download the program.
I'm in the process of cleaning and commenting the sources. They will be available later.