PE-bear – version 0.3.9 available

[UPDATE] This release introduced some stability issues, fixed in 0.3.9.5

Hello! Several months have passed since I released PE-bear 0.3.8. Since it was my old, abandoned project, I did not plan to start developing it again. Initially, I got convinced to be adding only bugfixes, treating it rather as a legacy app. However, it started doing pretty good for a “dead” project. It got 15K+ new downloads, has been mentioned in some cool presentations, featured on OALabs, and added to FlareVM. It all made me reconsider my decision. Also, I started getting messages from users requesting new features. Finally, I decided to break what I said before, and prepare another release.

The current one (0.3.9) comes with some new features. You can download it from the main site of the project:

https://hshrzd.wordpress.com/pe-bear/

1. Added Rich Header (viewing and editing), with calculated checksum. Preview:

New PE-bear displays all the fields of RichHeader, and allows for their editing. It automatically calculates and verifies the Checksum, so it can help spotting the cases when the Rich Header was forged.

2. Added support for the new fields in Load Config Directory. Preview:

Since PE-bear is a pretty old project, it was not able to parse the full Load Config Directory, but only its basic form, ending on SEHHandlerCount. Now it supports the extensions introduced in Windows 8.1 and Windows 10.

3. In Debug Directory: parse and display RSDSI Table (including PDB path etc):

In the old version, Debug Directory was displayed, but without parsing the structure nested inside. Now, one of the most popular types, including PDB path, is also parsed: you can view the project path, and also edit it.

In addition, project underwent some internal refactoring, and I added some other tiny improvements.

I must say I started enjoying working on PE-bear again, and already got several new ideas that I am planning to implement. So, this release is not gonna be the last.

Big thanks to all of you who motivated me to “resurrect” this project. I hope you will enjoy the new version, and the PE-bear’s comeback. As always, I am open for any comments and suggestions.

About hasherezade

Programmer and researcher, interested in InfoSec.

View all posts by hasherezade →

This entry was posted in PE-bear, Tools. Bookmark the permalink.

6 Responses to PE-bear – version 0.3.9 available

moshe says:

January 14, 2019 at 12:56 pm

thanks, as someone that want to be in your place a few years from now, im happy to see that you didn’t lose your passion.

- moshe says:
  
  January 14, 2019 at 12:56 pm
  
  as good as you!!
  
Hamad Ali says:

February 12, 2020 at 2:45 am

could you please show how to add functions to imports (the file is packed). I tried several times but fruitless.

- hasherezade says:
  
  February 19, 2020 at 6:39 pm
  
  Please check if this small tutorial helps you: https://github.com/hasherezade/pe-bear-releases/wiki/Import-adding
  If not, can you share the file with which you tried? If it is on VirusTotal, you can just share a hash, if not, you can send a sample to my email (me-at-hasherezade.net), packed with a password. I will check your particular case.
  
  - Hamad Ali says:
    
    June 23, 2020 at 11:14 pm
    
    Thanks hasherezade for your reply and for the provided link. Its really useful but my question why we need to go for this long route in order to add some new imports. Namely, why not you simplify this feature to be similar/like for example CCF suite. The CCF suite is really very handy and simple to do.
  - hasherezade says:
    
    July 8, 2020 at 4:39 pm
    
    I will keep it in mind for the next release!