PE-bear – version 0.3.8 available

It has been a long time since I abandoned the PE-bear project (version 0.3.7 was released in 2014!). But due to the fact that it still has new downloads, and I keep getting messages from its users, I understood it would be a shame to leave it without any support. A tool is alive as long as someone wants to use it, so here is an update for PE-bear.

https://hshrzd.wordpress.com/pe-bear/

As I wrote in the release notes, the latest release fixes several bugs. In this post I will elaborate on the most important changes and illustrate them with examples.

  1. Fixed bugs in parsing Delay Load Imports (64bit)

So, this is the old, incorrect version (example: winnet.dll, 64bit)

delayed_imp_old

And in the new, corrected one:

delayed_imp_new

  2. Fixed bugs in parsing Load Config Directory (64bit)

This is the old, incorrect version:

load_config_old

The fields ProcessHeapFlags and ProcessAffinityMask should be flipped, otherwise their sizes are incorrectly identified. It is fixed in the new release:

ld_cfg_new
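To make the field flip concrete, here is an added example (not PE-bear's code) that parses the start of a Load Config Directory with both field orders. Field names follow `IMAGE_LOAD_CONFIG_DIRECTORY32/64` from `winnt.h`; the helper names, the `legacy_order` switch and the sample bytes are constructed for illustration, and treating the old behaviour as "32-bit order kept for 64-bit files" is an assumption based on the description above.

```python
import struct

# Fields shared by both layouts, in order (name, struct code). "P" marks a
# pointer-sized field: DWORD in the 32-bit structure, ULONGLONG in the 64-bit one.
HEAD = [("Size", "I"), ("TimeDateStamp", "I"), ("MajorVersion", "H"),
        ("MinorVersion", "H"), ("GlobalFlagsClear", "I"), ("GlobalFlagsSet", "I"),
        ("CriticalSectionDefaultTimeout", "I"), ("DeCommitFreeBlockThreshold", "P"),
        ("DeCommitTotalFreeThreshold", "P"), ("LockPrefixTable", "P"),
        ("MaximumAllocationSize", "P"), ("VirtualMemoryThreshold", "P")]
HEAP_THEN_MASK = [("ProcessHeapFlags", "I"), ("ProcessAffinityMask", "P")]  # 32-bit order
MASK_THEN_HEAP = [("ProcessAffinityMask", "P"), ("ProcessHeapFlags", "I")]  # 64-bit order
TAIL = [("CSDVersion", "H"), ("Reserved1", "H"), ("EditList", "P"), ("SecurityCookie", "P")]

def layout(is64, legacy_order=False):
    """Field list for the start of the Load Config Directory.
    legacy_order=True (assumed old behaviour) keeps the 32-bit order for PE32+."""
    middle = MASK_THEN_HEAP if (is64 and not legacy_order) else HEAP_THEN_MASK
    ptr = "Q" if is64 else "I"
    return [(n, ptr if c == "P" else c) for n, c in HEAD + middle + TAIL]

def parse_load_config(data, is64, legacy_order=False):
    """Return {field: (offset, size, value)}; raises ValueError on short input."""
    fields, out, off = layout(is64, legacy_order), {}, 0
    need = struct.calcsize("<" + "".join(c for _, c in fields))
    if len(data) < need:
        raise ValueError(f"need {need} bytes, got {len(data)}")
    for name, code in fields:
        size = struct.calcsize("<" + code)
        out[name] = (off, size, struct.unpack_from("<" + code, data, off)[0])
        off += size
    return out

def sample64():
    """Constructed 64-bit directory bytes: affinity mask 0x0F, heap flags 0x2."""
    values = [0x70, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x0F, 0x2, 0, 0, 0, 0x140003000]
    fmt = "<" + "".join(c for _, c in layout(True))
    return struct.pack(fmt, *values)

if __name__ == "__main__":
    for legacy in (True, False):
        parsed = parse_load_config(sample64(), True, legacy)
        for name in ("ProcessAffinityMask", "ProcessHeapFlags"):
            off, size, val = parsed[name]
            print(f"legacy={legacy!s:5} {name:20} off={off:#x} size={size} val={val:#x}")
```

Both orders occupy the same 12 bytes, so the fields after them (CSDVersion, SecurityCookie) still line up; only these two values and their displayed sizes come out wrong.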

  3. While adding a new section, the selected access rights were applied only if the section was loaded from the file. Also, with some alignments, a cave appeared between the previous section and the added one, which needed to be fixed manually in the headers, otherwise the application wouldn’t run. All of this is fixed in the current version.

add_section

Section test added by new version:

added_by_new

I also fixed some other, smaller bugs here and there. So if you like PE-bear, it’s time to update. And if you don’t know it yet, feel free to give it a try, because from now onward I am not gonna leave this app without support, and if you find any bug it will be fixed as soon as possible. However, I will do only minimalistic maintenance, so don’t ask me for some super cool new extra features. (Or maybe I get tempted for more… No, I won’t 😉)

 

About hasherezade

Programmer and researcher, interested in InfoSec.

2 Responses to PE-bear – version 0.3.8 available

  1. Realtebo says:

    Thanks. Thanks thanks thanks

  2. 2co says:

    Thank you very much!
