What is it?
PE-bear is a freeware, multi-platform reversing tool for PE files, based on bearparser (license) & capstone (license). Its objective is to deliver a fast and flexible “first view” for malware analysts, stable and capable of handling malformed PE files.
Since 18 September 2022, PE-bear has been Open Source, available here.
I officially discontinued the project in April 2014 after releasing 0.3.7 (23.03.2014). However, as per user requests, in April 2018 I released version 0.3.8 with bugfixes. That release has been downloaded 15,918 times – that exceeded my expectations. Due to the fact that this project still has a group of active users and gets positive reviews, I decided to reopen development.
- PE-bear has been featured in the Korean drama “Start-Up”
- …CIA uses it 😉
source: “Vault 7: CIA Hacking Tools Revealed”
Features and details
- handles PE32 and PE64
- views multiple files in parallel
- recognizes known packers (by signatures)
- fast disassembler – starting from any chosen RVA/File offset
- visualization of sections layout
- selective comparing of two chosen PE files
- adding new elements (sections, imports)
- and more…
Special thanks to Ange Albertini – for valuable advice and an excellent set of corner-case samples
Issues? Feature requests?
Any suggestions/bug reports are welcome. I am waiting for your e-mails and comments.
The preferred way of reporting an issue is via GitHub Issues (here).
See the sections and visualization of their layout:
PE-bear also comes with a simple, interactive disassembler: