Latest release (8 March 2023) – Qt5

What it is?

PE-bear is a freeware, multi-platform reversing tool for PE files, based on bearparser (license) & capstone (license). Its objective is to deliver fast and flexible “first view” for malware analysts, stable and capable to handle malformed PE files.

Since 18 September 2022 PE-bear is Open Source, available here.

Check the 🎬 intro to PE-bear by SEKTOR7


I officially discontinued the project in April 2014 after releasing 0.3.7 (23.03.2014). However, as per user requests, in April 2018 I released a version 0.3.8 with bugfixes. That release has been downloaded 15,918 times – that exceeded my expectations. Due to the fact that this project still has a group of active users and gets positive reviews, I decided to reopen development.

Fun Facts

  • …CIA uses it 😉

source: “Vault 7: CIA Hacking Tools Revealed”

Features and details

  • handles PE32 and PE64
  • views multiple files in parallel
  • recognizes known packers (by signatures)
  • fast disassembler – starting from any chosen RVA/File offset
  • visualization of sections layout
  • selective comparing of two chosen PE files
  • adding new elements (sections, imports)
  • and more…

Special thanks to Ange Albertini – for valuable advises and excellent set of corner-case samples

Issues? Feature requests?

Any suggestions/bug reports are welcome. I am waiting for your e-mails and comments.

The preferred ways of reporting an issue is via Github Issues (here).


See the sections and visualization of their layout:


PE-bear comes also with a simple, interactive disassembler:

102 Responses to PE-bear

  1. Pingback: Introducing new PE files reversing tool | hasherezade's 1001 nights

  2. logan says:

    Hi, it seems like a very promising tools, I like binary comparison, which is quite rare feature among different RE tools. I will be watching your project, good luck!

  3. Carlos says:

    This looks pretty neat, I’ll give it a try. Thanks!

  4. Nice promising PE tool – good luck with the development!
    many tricky PE cases are not supported yet – feel free to check my page to make it more robust.

  5. sendersu says:

    Please add drag-n-drop support (1 file and many files at a time)

  6. BadEnglish says:
    bad-english translation

    Flint: “Can’t open files with menu, not removed from context menu. Very crude tool”
    TryAga1n: “11MB of shitcode. Qt is really cool”
    ELF_7719116: “One core loaded on 100%. Cant open files with cyrilic chars in filename”
    deniskore: “Buggy disasm with files >2MB”
    Vovan666: “This shit typed without ask”
    ajax: “Pe-do-bear. Obscure project. For what?”

  7. Pingback: PE-bear – version 0.1.8 avaliable! | hasherezade's 1001 nights

  8. Pingback: Artigo: PE-bear | VCT Tecnologia - BLOG

  9. Pingback: Security News » PE-bear

  10. Pingback: PE-bear – version 0.2.0 avaliable! | hasherezade's 1001 nights

  11. iNfLuEnCe says:

    Very nice project. Too bad there’s no Linux port, since you’re using Qt :))

    By the way, don’t be discouraged by russian trolling!

    • hasherezade says:

      The source code will be available after some time, so it will work at any platform on which Qt works 🙂

      BTW – I am not discouraged (just right now I have to dedicate my time to some other project – so new PE-bear will come after some weeks). But anyways, thanks for words of support 🙂

  12. Pingback: PE-bear- Portable Executable reversing tool | SecTechno

  13. Pingback: PE-bear – version 0.2.5 avaliable! | hasherezade's 1001 nights

  14. looks great!! Kudos! 🙂

  15. Goblin80 says:

    Can it edit version information ?

  16. Pingback: .:[ d4 n3wS ]:. » PE-BEAR

  17. Pingback: PE-bear – version 0.2.8 avaliable! | hasherezade's 1001 nights

  18. Eli Kuly says:

    i really like the tool, and am gonna use it,
    tnx, zirek

  19. Pingback: Outils, services, sites à (re)découvrir 2013 S42 | La Mare du Gof

  20. dhoorjati says:

    Its cooooool

  21. Pingback: PE-bear – version 0.3.0 avaliable! | hasherezade's 1001 nights

  22. Vincent says:

    Great tool.

    >recognizes known packers (by signatures)
    Can you use PEiD userdb.txt ??

    Thank you.

  23. Vincent says:


    Can you add search for “All referenced text strings” ??
    I need to follow the text strings.

    ASCII text 1 Byte for English.
    ASCII text 2 Bytes for Chinese/Korea/Japan.
    UniCode text.


  24. James says:

    Thanks for a great tool!

  25. Vincent says:


    Compare Window:

    Two button:
    Hex View and Next Diff

    Please add Disasm button.
    When PE-Bear find any diff,i want to Disasm.


  26. Vincent says:


    Copy selected text to clipboard(Ctrl+C or Right-button popmenu)

    Disasm Window:
    Copy One Line or Multi-Lines text to clipboard(Ctrl+C or Right-button popmenu)

    Compare Window(Hex View):
    Copy selected Hex to clipboard(Ctrl+C or Right-button popmenu)


  27. Javier says:

    Great tool! … and Linux version! Thanks!

    Some suggestions: Automatic hash calculation, automatic signature detection (you could add it as a row in “General” tab), and additional hashes (sha1, sha256, ssdeep).

    • hasherezade says:

      ok, I will add other hashes 🙂
      for now signature detection is automatic in the Entry Point. only in other cases must be applied manually. i didn’t wanted to make too much “on load’ operations, because i didn’t wanted to decrease speed of loading. that’s why those features, which are not always required, are on demand.

  28. Pingback: PE-bear – version 0.3.6 avaliable! | hasherezade's 1001 nights

  29. Vincent says:


    Load MAP file into Disam: Code Hint.

    Configure –> User Data Directory.
    If “User Data Directory”==”” Load/Save tags to the same as PE directory(Not PE-Bear directory).

    Ctrl+G add option(checkbox) to VA(Not RAW).


    Tags file with ERROR codepage.
    For example:
    A.I can input some comments into Hint and see is OK.
    B.Exit PE-Bear and Restart.
    C.Load PE file again,show ERROR comments in ????????

    Please save tags file in system codepage or UTF-16 codepage.

    Thank you.

  30. Vincent says:


    Optional Hdr –> Checksum
    Add fix Checksum option.

    Thank you.

  31. Pingback: PE-bear – version 0.3.7 available! | hasherezade's 1001 nights

  32. Alex says:

    The disassembler is using wrong bitness when inspecting DOS stub. It should be switched into 16-bit mode but instead it treats all instruction as 32 bit code which is not the case.

    • hasherezade says:

      It’s not a bug, it’s a feature 😉
      Bit mode is set for full file, but can be changed manually in settings. It is because some malicious samples are jumping to code located anywhere, i.e. in resources or in a DOS stub.

  33. pepek says:

    Complains about missing Qtgui4.dll… is it possible to compile them statically? I am on Win7 Ultimate.

    • hasherezade says:

      It is feasible, however the free license of Qt does not allow me to do so. If you downloaded only PE-bear.exe, try to download it in a full zip package. Required dlls are inside.

  34. Pingback: Masamune Soshu :The Making of the tachi and tantō of reverse engineering . | Reverse Engineer's Diary

  35. Hey, PE-bear is a great tool, thank you.

    I’m wondering if it is open source, as bearparser is?

    My main problem is that it doesn’t handle hidpi quite well, so if you point me to sources somewhere I could possibly add that or if not, can I ask you to take a look at it?

    A screenshot:

  36. kanenas says:

    Not sure if anybody is still looking at this page but here it is.
    I’m using v3.7 beta in Windows 7 SP1 x64.
    PE Bear has been working great for all I use it for but I get some strange behavior in one thing.
    Following the “Import Adding” tutorial that used to be on the earlier site, I try to add an import entry to a DLL.
    All is fine up to step 6 (type a library name).
    Soon as I type it, it shows up fine but also corrupts another library higher up in the list.

    I’m ‘almost’ sure I had done it once successfully but I just can’t get past this point now.
    Any idea what I am doing wrong? Is some step missing from the tutorial?
    Thanks in advance.

    • hasherezade says:

      First of all, thanks for using PE-bear! Soon I am gonna make a new app that will have those things simplified. But for now my advice is: you must choose a different address as the “name RVA”. Choose something in the new section, where you will have enough space to fit the name without colliding with some existing content. I made for you also this example, maybe it will help: (password: demo)

      • kanenas says:

        Thanks for the response.
        Your link is not accessible for some reason.
        “You can’t access this item because it is in violation of our Terms of Service.”
        Could you post it somewhere else or email it to me please?

      • hasherezade says:

        I updated the link – now the zip is password protected. I don’t know why Google marked it as suspicious – of course it is not malicious, but you can check it on VM if you don’t trust me. It’s just a set of two DLLs – one deploys calc.exe, and another display a messagebox.

  37. kanenas says:

    I got it and tried it. It works as it’s supposed to.
    I’ll try again my sample in case I missed something.
    Looking forward to the forthcoming application 🙂
    Thank you much for looking into it.

  38. Pingback: Reverse engineering tools review – Sound's Blog

  39. Pingback: missing links | Phage InfoSec Blog

  40. I really love this tool, it’s the best PE editor i ever used.
    Would you mind sharing the source-code via Github maybe?
    Maybe we can integrate the new BearParser into the GUI.

    • hasherezade says:

      I am happy that you like, thank you! Regarding integrating the old GUI with the new bearparser, I don’t think it will pay off. I have ideas for the new GUI, just lack of time. But if I would start the project again, I don’t want to start from the old mistakes 😉 I am planning to rewrite it in much better way.

      • Florian Dollinger says:

        Cannot think of any better way, at least not in the sense of the “ease of use”!
        If I can help you in any way, let me know.

  41. Buenisimo ! Para lo que lo uso me alcanza y me sobra ! Felicitaciones por el PE-Bear, saludos desde Buenos Aires ! .

  42. Pingback: Setting Up a Safe Malware Analysis Environment – 0ffset

  43. Vincent says:

    It is good news on 2019.
    PE-bear is a very great tool and i like.

    Thank you hasherezade.

  44. Daniel says:

    Thanks! I like PE-Bear a lot.

  45. Pingback: Лучший редактор PE файлов для Windows 2019

  46. John says:

    was the disassembler written by u?

  47. Ale says:

    please add dark theme (altrough there is already a dark part on bottom-right), Thank you any way!

  48. Pingback: Reverse Engineering Packed Malware

  49. TK says:

    I’ve used PE-bear for long time and I’m also watching your channel 🙂

  50. Hamad Ali says:

    Can you please show an example about how to add functions to the import table in an exe-file. Tried several times but fruitless

  51. dnhof says:

    Hello. I actually used CFF Explorer(thanks goes to daniel pistelli) because I think it was the best solution for view or edit pe(32,64) file in win os. But Pe-Bear also good choice and i am downloading it know. But if you can add some feature it will make me(ok i think also any other 😀 ) happy. Like Address converter I saw this feature but it s not user friendly may you add new tab for this feature like CFF explorer Address Converter or plugin for yara pattern match.I dont want from you make all of this feature tomorrow) but just save these as notes and when you have a free time please do that. I hope Pe-Bear will take CFF explorer place. Thank you very much .

  52. Pingback: The Art of Malware – Danus Minimus – Reverse Engineer and Malware Analyst

  53. Ringles says:

    World’s best pe editor
    Keep up great work!!

  54. Pingback: GitHub - rshipp/awesome-malware-analysis: Defund the Police.

  55. Hamad Ali says:

    Thanks for this great PE tool. I was wondering if you can tell me whether the new update has a similar function as the one in CFF by which you can change the DLL characteristics. Also another one like changing the section flags etc.


  56. I try with PE file build with fasm and not works:
    pe_001.exe: PE32 executable (console) Intel 80386, for MS Windows
    see the result :
    [mythcat@desk PE-bear_0.5.2.3_x64_linux]$ ./PE-bear
    Segmentation fault (core dumped)

  57. Ivan says:

    Amazing tool! Could the CLI-header/CLRRuntimeHeader be added to the DataDirectories node of the Section Header tab?

  58. Pingback: Flare-On 7 - Challenge 2 | Chuong Dong

  59. Jeffrey says:

    Thank you so much for continuing the development of this powerful tool! I love it!

  60. Pingback: Awesome Malware Analysis – Massive Collection of Resources – Learn Practice & Share

  61. bizdon says:

    Good program! She should have had a better disassembler.. incorrectly parses simple sections of code. And command-line options for opening the file by offset.

  62. Pingback: Top 15 Essential Malware Analysis Tools - SentinelLabs

  63. Pingback: Malwarebyte Crackme Writeup [Part 1/2] – Kataware Tech Blog

  64. Stardust says:

    1 .The size of the overlay data is not accurate. this is bug

    2. I wish I had a global shortcut to move between Disasm – General – Doshdr – Filehdr – Option Hdr – Section hdr – imports – Security – Debug
    (Ctrl + left arrow or Ctrl + right arrow)

    3. Hex editor’s block is column mode, It is very difficult to copy large blocks.

  65. Pingback: Analyze DLL Export with PE Bear – Cyber Security | Penetration Test | Malware Analysis

  66. PE-bear Tester says:

    Dear hasherezade! Thank you for this marvelous program. It helps me a lot in my researches.

    Let me leave here some small bug report: PE-bear can’t handle tiny, but valid (working) PE files: 61 bytes, 97 bytes, 252 bytes and so on, while CFF Explorer handles this files correctly.

    Here is a collection of valid (working) tiny PE files for testing:

  67. Jake says:

    lol I found this precious tool when I extract the icons that trying to disguise as document files from the bunch of malware executables. It’s a so impressive tool that has neat functions and also the icon :-0. Nice work!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s