Product Description
Microsco-PE -- Modern Portable Executable Analyzer for Windows

See inside any Windows executable.

Microsco-PE is a beautifully crafted, modern Windows application that lets you drag, drop, and explore the inner workings of any Portable Executable file. Whether you're a security researcher, malware analyst, software developer, or just curious about what makes your favorite apps tick -- Microsco-PE gives you deep, instant insight with a stunning interface built on WinUI 3.

DETAILED TOOLTIPS EVERYWHERE
Every data field, column header, badge, and metric includes a detailed tooltip explaining what the value means, why it matters, and how to interpret it. Perfect for learning the PE format or quickly referencing field definitions.

KEY FEATURES (30+ ANALYSIS VIEWS)
----------------------------------

OVERVIEW
A comprehensive dashboard showing file identification, hashes (MD5, SHA-1, SHA-256, ImpHash), security features (ASLR, DEP, CFG, Code Integrity), version information, debug data, entry point details, packer detection, API categorization, trust and signature status, and ClamAV signature export. Everything you need at a glance.

HEADERS & DATA DIRECTORIES
Explore the DOS Header, File Header, Optional Header, and all Data Directories in an organized layout. Every field includes a brief description column and a detailed tooltip explaining its purpose, valid values, and significance.

SECTIONS ANALYSIS
View all PE sections with their names, virtual addresses, raw sizes, characteristics, and entropy values. Color-coded entropy indicators help you quickly spot packed, encrypted, or suspicious sections at a glance.

IMPORTS
Browse the complete import table organized by DLL, with function names, ordinals, and hints. Expandable DLL groups, function counts, and search-friendly layout make dependency analysis effortless.

DEPENDENCY TREE
Recursive dependency resolver that walks the entire import chain. See exactly which DLLs your binary depends on, what those DLLs depend on, and so on -- revealing the full dependency graph with missing-DLL detection.

EXPORTS
View all exported functions with their addresses, ordinals, and names. Quickly identify the public API surface of any DLL or library.

CALL GRAPH
ASCII call graph visualizer showing the PE file's import dependencies, export surface, and internal call targets. Scans executable sections for CALL instructions to discover internal function references, sorted by caller count. Rendered with box-drawing characters in a monospace font for clarity.

STRINGS EXTRACTION
Extract all readable ASCII and Unicode strings embedded in the file. Filter by encoding type, set minimum length thresholds, and search through results. Color-coded type indicators, monospace formatting, and cross-reference analysis showing which sections contain each string.

EMBEDDED RESOURCES & IMAGE GALLERY
Discover every image hidden inside the executable. Microsco-PE extracts icons, bitmaps, and cursors from the PE resource table, and scans the raw binary data for embedded JPEG, PNG, GIF, TIFF, and WebP images. View them all in a beautiful gallery grid with type badges, dimensions, and metadata.

CERTIFICATE & DIGITAL SIGNATURE
Verify Authenticode signatures and view complete signing details: signer name, issuer, serial number, timestamp authority, and the full certificate chain. Instantly see whether a binary is validly signed, unsigned, or has a broken signature.

RICH HEADER ANALYSIS
Decode the undocumented Microsoft Rich header to reveal exactly which compiler, linker, assembler, and resource compiler versions were used to build the binary. Includes a detailed explanation of what the Rich header is and why it matters for forensic analysis.

RELOCATIONS
Inspect base relocation blocks and entries. View relocation types, offsets, and virtual addresses used by the Windows loader to fix up addresses when a binary is loaded at a non-preferred base address.

ENTROPY VISUALIZATION
A color-coded heatmap showing the entropy distribution across the entire file, with both linear and Hilbert curve rendering modes. Per-section entropy bars and an overall entropy score help identify packed, encrypted, or compressed regions at a glance. The Hilbert curve view preserves spatial locality for a more intuitive visualization.

PE STRUCTURE MAP
Visual map of the PE file layout showing every header, section, and data directory as colored blocks with their file offsets and sizes. See at a glance how the binary is organized on disk.

HEX VIEWER
Examine raw file bytes in a classic hex dump format with offset, hexadecimal, and ASCII columns. Section offset table provides quick navigation to key areas of the file.

.NET / CLR METADATA
For managed (.NET) assemblies, view the CLR header including runtime version, metadata directory, entry point token, and CLR flags. Quickly determine if a binary targets the .NET runtime.

TLS CALLBACKS
Inspect the Thread Local Storage directory for TLS callback addresses. TLS callbacks execute before the main entry point and are commonly used by packers and malware for anti-debugging techniques.

LOAD CONFIGURATION
View the IMAGE_LOAD_CONFIG_DIRECTORY including Structured Exception Handling (SEH) tables, Control Flow Guard (CFG) function tables, guard flags, and the security cookie address. Essential for understanding a binary's security posture.

DELAY-LOAD IMPORTS
Browse delay-loaded DLLs and their functions. Delay imports are loaded on-demand at first use rather than at process startup, reducing memory footprint and startup time.

EXCEPTION HANDLERS
View x64 RUNTIME_FUNCTION entries from the .pdata section. Each entry describes exception handling and unwind information for a function, used by the Windows exception dispatcher for stack unwinding.

MANIFEST VIEWER
Display the embedded application manifest XML with intelligent analysis badges showing requested execution level (admin/user), DPI awareness settings, long path support, and Windows compatibility declarations.

PE ANOMALIES & WARNINGS
Automated detection of suspicious characteristics: disabled security features (ASLR, DEP, CFG), high-entropy sections suggesting packing or encryption, writable+executable sections, TLS callbacks, suspicious section names (UPX, Themida, etc.), missing Rich headers, and invalid signatures. Color-coded severity levels (Info, Warning, Suspicious, Danger) help prioritize findings.

DISASSEMBLY
Disassemble executable sections with raw assembly. Navigate to the entry point or any function address, view instruction bytes alongside mnemonics, and export disassembly output.

SYSCALL TABLE
View Windows NT syscall numbers used by the binary. Identifies direct and indirect syscall usage patterns commonly employed by malware to bypass API hooking.

BOOKMARKS
Save and annotate interesting offsets, functions, or findings within any PE file. Bookmarks are persisted per-file (keyed by SHA-256) so your notes survive across sessions.

BINARY DIFF
Compare two PE files byte-by-byte. View similarity percentage, split hex comparison, and section-by-section differences. Ideal for patch analysis or identifying changes between binary versions.

COMPARE
Side-by-side comparison of two PE files showing differences in headers, sections, imports, exports, and security features.

PROCESSES
Live process explorer showing all running processes on the system with their PID, path, architecture, and loaded PE metadata. Includes search filtering, animated refresh, and a Memory Diff sub-view for comparing a process's on-disk image against its in-memory representation to detect runtime modifications.

PRODUCTIVITY FEATURES
---------------------

COMMAND PALETTE (Ctrl+K)
Quick-access command palette for instant navigation to any page, function, or action. Type to filter and press Enter to jump.

KEYBOARD SHORTCUTS
Ctrl+O to open files, Ctrl+K for command palette, Ctrl+S to save sessions, F5 to reload, Escape to return to welcome. Full keyboard-driven workflow.

RECENT FILES
Quickly reopen previously analyzed files from the welcome page. History is persisted across app sessions.

SESSION SAVE & RESTORE (Ctrl+S)
Save your current analysis session including the loaded file, active page, and window state. Resume exactly where you left off from the welcome page.

JSON & HTML EXPORT
Export complete analysis data as structured JSON or a styled HTML report. One-click export from the Overview page or via the command palette.

CLAMAV SIGNATURE EXPORT
Generate ClamAV-compatible malware signatures from the loaded PE file for use with open-source antivirus scanning.

CLIPBOARD INTEGRATION
Copy any analysis data to the clipboard with a single click. Formatted for easy pasting into reports, tickets, or documentation.

NOTIFICATION TOASTS
Non-intrusive toast notifications for file load status, export completion, clipboard operations, and other events.

STATUS BAR
Persistent status bar showing the loaded file name, size, architecture, and key metadata at all times.

SETTINGS & CUSTOMIZATION
Light, Dark, and System theme modes. Configurable analysis options (string extraction, hash computation, image scanning). Customizable navigation -- show or hide any analysis page. Export format preferences.

DRAG & DROP ANYWHERE
Simply drag any executable file onto the window at any time -- even while viewing another file. Or use the Browse button. Microsco-PE accepts .exe, .dll, .ocx, .sys, .drv, .cpl, .scr, .efi, .mui, .tsp, and .ax files.

SUPPORTED FILE TYPES
--------------------

- .exe -- Windows Executables
- .dll -- Dynamic Link Libraries
- .ocx -- ActiveX / OLE Control Extensions
- .sys -- System & Kernel Drivers
- .drv -- Device Drivers
- .cpl --