PE Capture

Product Overview

NoVirusThanks PE Capture is a handy Windows software application useful mainly to capture PE files, such as executables, DLLs and drivers, loaded in the system. It saves a copy of the loaded PE file (renamed as its file hash) on the “Intercepted” folder for further analysis, moreover it logs the execution events to easily find a specific PE file previously captured. This is a swiss army knife to speed-up the malware analysis by capturing the PE files executed in the test environment.


PE Capture is able to capture every PE file loaded (not just executed) in the system, it can capture any image that is being prepared to execute. This makes it possible to capture even PE files copied or moved to a folder, or even PE files remapped in the system. This assures a more complete method of monitoring PE files. Please note, to save performance, the program logs\captures PE files uniquely (using a caching method). This means if you run C:\ABC.exe the second time, it is not logged or re-captured again, since the hash is already recorded for the run-time session.

Useful to capture new executables, DLLs and kernel-mode drivers of rootkits and stealth malware. The program is fully portable, we offer the installer mainly for beginner users. The kernel driver is automatically copied to C:\WINDOWS\System32\drivers\ folder when the application is executed, and it is automatically deleted when the application is closed. Recommended for malware analysts and security professionals.

Key features and characteristics

  • Simplify Malware Analysis Process
  • Effectively Capture Non-system Processes, DLLs, Drivers
  • Exclude Files from Being Logged\Captured (Support Wildcards)
  • Log All Execution Events to a Log File
  • Save Captured PE Files Renamed as Their MD5 File Hash
  • Support all Microsoft Windows operating systems
  • Very lightweight in memory and CPU usage

Additional Details

File Version
Last Updated 28 January 2016
Category Malware Analysis
License Type Freeware
Operating System Windows All (32-bit / 64-bit)

Recent Changes and Fixes