PE-bear

What is it?

PE-bear is a freeware reversing tool for PE files. It is coded and designed basically by me (hasherezade); however, I welcome every suggestion or feature proposal.

Objective: to deliver a fast and flexible “first view” tool for malware analysts, stable and capable of handling malformed PE files.

NOTE: I am sorry, but PE-bear is no longer supported. Since I started this project I have learned a lot and I want to redesign many things. Please wait for my new tool, which will replace this one.

For now you can take a look at the parser: https://github.com/hasherezade/bearparser (works on Windows and Linux). It comes with a command-line tool (bearcommander). I am looking forward to hearing any remarks!

Download

Of course the old PE-bear is still available. The latest version is 0.3.7 (beta), released: 23.03.2014

LICENSE
Changelog & more info
Windows: available here: [PE-bear 0.3.7 32bit] [PE-bear 0.3.7 64bit]. Requires the Microsoft Visual C++ 2010 Redistributable Package, available here: [Redist 32bit] [Redist 64bit]

Linux: PE-bear for Linux (binary only for now): PE-bear32, PE-bear64 (requires: libqt4-core, libqt4-gui, libqt4-network); screenshot

Signatures (updated 22.01.2014):
SIG.txt (includes PEiD’s UserDB, converted by the script provided by crashish)
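PE-bear's packer recognition works from this same signature format. As an added example (not PE-bear's or PEiD's code), the following parses PEiD's UserDB text format, maps the entry-point RVA to a file offset through the section table, and tests ep_only signatures there and the others at every offset; the two signatures and the minimal PE32 image are constructed for the demo, not real packer signatures.

```python
import struct

def parse_userdb(text):
    """PEiD UserDB: '[name]', then 'signature = ..' ('??' = wildcard byte) and 'ep_only = true|false'."""
    sigs = []
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            sigs.append({"name": line[1:-1], "pattern": [], "ep_only": True})
        elif sigs and line.lower().startswith("signature"):
            toks = line.split("=", 1)[1].split()
            sigs[-1]["pattern"] = [None if t == "??" else int(t, 16) for t in toks]
        elif sigs and line.lower().startswith("ep_only"):
            sigs[-1]["ep_only"] = line.split("=", 1)[1].strip().lower() == "true"
    return [s for s in sigs if s["pattern"]]

def entry_point_offset(data):
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)  # NumberOfSections, SizeOfOptionalHeader
    ep_rva = struct.unpack_from("<I", data, pe + 40)[0]          # AddressOfEntryPoint (an RVA)
    for i in range(nsec):                                        # RVA -> raw offset via the section table
        va, raw_size, raw_ptr = struct.unpack_from("<III", data, pe + 24 + opt_size + i * 40 + 12)
        if va <= ep_rva < va + raw_size:
            return raw_ptr + (ep_rva - va)
    return ep_rva  # backed by no section: headers map 1:1, so the RVA is also the raw offset

def matches_at(data, pattern, off):
    chunk = data[off:off + len(pattern)]
    return len(chunk) == len(pattern) and all(p is None or p == b for p, b in zip(pattern, chunk))

def scan(data, sigs):
    """ep_only signatures are tested at the entry point only, the others at every file offset."""
    ep = entry_point_offset(data)
    return [s["name"] for s in sigs
            if any(matches_at(data, s["pattern"], o)
                   for o in ([ep] if s["ep_only"] else range(len(data) - len(s["pattern"]) + 1)))]
# Constructed UserDB entries (not real PEiD signatures) and a constructed minimal PE32 image.
USERDB = """[Demo packer stub]
signature = 60 BE ?? ?? ?? ?? 8D BE
ep_only = true
[Demo marker]
signature = 44 45 4D 4F
ep_only = false
"""
SAMPLE = bytearray(0x400)                                   # 0x200 bytes of headers + one 0x200-byte section
struct.pack_into("<2s58xI", SAMPLE, 0, b"MZ", 0x40)         # MZ, e_lfanew
struct.pack_into("<4sHH12xH", SAMPLE, 0x40, b"PE\0\0", 0x14C, 1, 0xE0)  # PE sig, i386, 1 section, opt hdr size
struct.pack_into("<I", SAMPLE, 0x68, 0x1000)                # AddressOfEntryPoint RVA, inside the section
struct.pack_into("<8sIIII", SAMPLE, 0x138, b".text", 0x200, 0x1000, 0x200, 0x200)  # name, vsize, VA, rawsize, rawptr
SAMPLE[0x200:0x208], SAMPLE[0x300:0x304] = bytes.fromhex("60be001040008dbe"), b"DEMO"  # EP bytes, marker
SAMPLE = bytes(SAMPLE)
```

Real UserDB files are large, so `scan` over every offset for non-ep_only entries is slow; PE-bear's on-demand signature check at the entry point is the cheap path.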

Features and details

  • handles PE32 and PE64
  • views multiple files in parallel
  • recognizes known packers (by signatures)
  • fast disassembler – starting from any chosen RVA/File offset
  • visualization of sections layout
  • selective comparing of two chosen PE files
  • adding new elements (sections, imports)
  • and more…

Currently the project is under rapid development. You can expect frequent updates. Any suggestions/bug reports are welcome. I am waiting for your e-mails and comments.
Special thanks to Ange Albertini for valuable advice and an excellent set of corner-case samples.

Screenshots

See the sections and visualization of their layout:

[screenshot: pe-bear_linux-sections]

PE-bear comes also with a simple, interactive disassembler:

[screenshot: pe-bear_linux2.png]

58 Responses to PE-bear

  1. Pingback: Introducing new PE files reversing tool | hasherezade's 1001 nights

  2. logan says:

    Hi, it seems like a very promising tool. I like the binary comparison, which is quite a rare feature among different RE tools. I will be watching your project, good luck!

  3. Carlos says:

    This looks pretty neat, I’ll give it a try. Thanks!

  4. Nice promising PE tool – good luck with the development!
    many tricky PE cases are not supported yet – feel free to check my page http://pe.corkami.com to make it more robust.

  5. sendersu says:

    Please add drag-n-drop support (1 file and many files at a time)
    thanks

  6. BadEnglish says:

    exelab.ru/f/index.php?action=vthread&forum=3&topic=21971
    bad-english translation

    Flint: “Can’t open files with menu, not removed from context menu. Very crude tool”
    TryAga1n: “11MB of shitcode. Qt is really cool”
    ELF_7719116: “One core loaded on 100%. Can’t open files with Cyrillic chars in filename”
    deniskore: “Buggy disasm with files >2MB”
    Vovan666: “This shit typed without ask”
    ajax: “Pe-do-bear. Obscure project. For what?”

  7. Pingback: PE-bear – version 0.1.8 avaliable! | hasherezade's 1001 nights

  8. Pingback: Artigo: PE-bear | VCT Tecnologia - BLOG

  9. Pingback: Security News » PE-bear

  10. Pingback: PE-bear – version 0.2.0 avaliable! | hasherezade's 1001 nights

  11. iNfLuEnCe says:

    Very nice project. Too bad there’s no Linux port, since you’re using Qt :))

    By the way, don’t be discouraged by russian trolling!

    • hasherezade says:

      The source code will be available after some time, so it will work on any platform on which Qt works 🙂

      BTW – I am not discouraged (just right now I have to dedicate my time to some other project, so the new PE-bear will come after some weeks). But anyway, thanks for the words of support 🙂

  12. Pingback: PE-bear- Portable Executable reversing tool | SecTechno

  13. Pingback: PE-bear – version 0.2.5 avaliable! | hasherezade's 1001 nights

  14. Goblin80 says:

    Can it edit version information ?

  15. Pingback: .:[ d4 n3wS ]:. » PE-BEAR

  16. Pingback: PE-bear – version 0.2.8 avaliable! | hasherezade's 1001 nights

  17. Eli Kuly says:

    I really like the tool, and am gonna use it,
    thx, zirek

  18. Pingback: Outils, services, sites à (re)découvrir 2013 S42 | La Mare du Gof

  19. dhoorjati says:

    It’s cooooool

  20. Pingback: PE-bear – version 0.3.0 avaliable! | hasherezade's 1001 nights

  21. Vincent says:

    Great tool.

    >recognizes known packers (by signatures)
    Can you use PEiD userdb.txt ??

    Thank you.
    Vincent

  22. Vincent says:

    Suggestion:

    Can you add search for “All referenced text strings” ??
    I need to follow the text strings.

    PS:
    ASCII text 1 Byte for English.
    ASCII text 2 Bytes for Chinese/Korea/Japan.
    UniCode text.

    Thanks.
    Vincent

  23. James says:

    Thanks for a great tool!

  24. Vincent says:

    Suggestion:

    Compare Window:

    Two buttons:
    Hex View and Next Diff

    Please add a Disasm button.
    When PE-Bear finds any diff, I want to disasm it.

    Thanks.
    Vincent

  25. Vincent says:

    Suggestion:

    Copy selected text to clipboard(Ctrl+C or Right-button popmenu)

    Disasm Window:
    Copy One Line or Multi-Lines text to clipboard(Ctrl+C or Right-button popmenu)

    Compare Window(Hex View):
    Copy selected Hex to clipboard(Ctrl+C or Right-button popmenu)

    Thanks.
    Vincent

  26. Javier says:

    Great tool! … and Linux version! Thanks!

    Some suggestions: Automatic hash calculation, automatic signature detection (you could add it as a row in “General” tab), and additional hashes (sha1, sha256, ssdeep).

    • hasherezade says:

      OK, I will add other hashes 🙂
      For now signature detection is automatic at the Entry Point; only in other cases must it be applied manually. I didn’t want to make too many “on load” operations, because I didn’t want to decrease loading speed. That’s why those features, which are not always required, are on demand.

  27. Pingback: PE-bear – version 0.3.6 avaliable! | hasherezade's 1001 nights

  28. Vincent says:

    Suggestion:

    1.
    Load MAP file into Disasm: Code Hint.

    2.
    Configure –> User Data Directory.
    If “User Data Directory”==”” Load/Save tags to the same as PE directory(Not PE-Bear directory).

    3.
    Ctrl+G add option(checkbox) to VA(Not RAW).

    Bug:

    Tags file with ERROR codepage.
    For example:
    A. I can input some comments into Hint and see that it is OK.
    B. Exit PE-Bear and restart.
    C. Load the PE file again; it shows ERROR comments as ????????

    Please save tags file in system codepage or UTF-16 codepage.

    Thank you.
    Vincent

  29. Vincent says:

    Suggestion:

    Optional Hdr –> Checksum
    Add fix Checksum option.

    Thank you.
    Vincent
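
The checksum Vincent asks about is the one in the optional header; as an added example (not PE-bear's own code), here is the loader's algorithm (dword sum with carry folding, the CheckSum field itself skipped, folded to 16 bits, plus the file length), with a mismatch check and a "fix" on a constructed minimal PE buffer. A mismatch is a cheap indicator that a file was hand-edited or patched after linking; a zero field means the linker never set one.

```python
import struct

def checksum_field_offset(data):
    """File offset of OptionalHeader.CheckSum (offset 0x40 in both PE32 and PE32+ optional headers)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    return e_lfanew + 4 + 20 + 0x40               # signature + FileHeader + field offset

def pe_checksum(data):
    """Checksum the loader expects: dword sum with carry folding, CheckSum field skipped, plus file size."""
    skip = checksum_field_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)      # a trailing partial dword is zero-padded
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue                              # the field itself never contributes
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total > 0xFFFFFFFF:                    # fold the carry back in
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)           # original (unpadded) length

def stored_checksum(data):
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]

def checksum_matches(data):
    """False for patched or hand-built files, and for files whose linker left the field zero."""
    return stored_checksum(data) == pe_checksum(data)

def fix_checksum(data):
    """Copy of the file with the CheckSum field rewritten; what a 'fix Checksum' option would do."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), pe_checksum(data))
    return bytes(buf)

# Constructed 160-byte buffer with just enough PE structure: MZ, e_lfanew, PE signature,
# Machine = i386, Magic = PE32, and a zero CheckSum field at 0x98.
SAMPLE = bytearray(0xA0)
struct.pack_into("<2s58xI", SAMPLE, 0, b"MZ", 0x40)
struct.pack_into("<4sH", SAMPLE, 0x40, b"PE\0\0", 0x14C)
struct.pack_into("<H", SAMPLE, 0x58, 0x10B)
SAMPLE = bytes(SAMPLE)

if __name__ == "__main__":
    print(hex(pe_checksum(SAMPLE)), checksum_matches(SAMPLE), checksum_matches(fix_checksum(SAMPLE)))
```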

  30. Pingback: PE-bear – version 0.3.7 available! | hasherezade's 1001 nights

  31. Alex says:

    The disassembler is using the wrong bitness when inspecting the DOS stub. It should be switched into 16-bit mode, but instead it treats all instructions as 32-bit code, which is not the case.

    • hasherezade says:

      It’s not a bug, it’s a feature😉
      Bit mode is set for the full file, but can be changed manually in settings. It is because some malicious samples jump to code located anywhere, i.e. in resources or in a DOS stub.

  32. pepek says:

    Complains about missing Qtgui4.dll… is it possible to compile them statically? I am on Win7 Ultimate.

    • hasherezade says:

      It is feasible, however the free license of Qt does not allow me to do so. If you downloaded only PE-bear.exe, try to download it in a full zip package. Required dlls are inside.

  33. Pingback: Masamune Soshu :The Making of the tachi and tantō of reverse engineering . | Reverse Engineer's Diary

  34. Hey, PE-bear is a great tool, thank you.

    I’m wondering if it is open source, as bearparser is?

    My main problem is that it doesn’t handle hidpi quite well, so if you point me to sources somewhere I could possibly add that or if not, can I ask you to take a look at it?

    A screenshot: https://imgur.com/a/BYEVy

  35. kanenas says:

    Not sure if anybody is still looking at this page but here it is.
    I’m using v3.7 beta in Windows 7 SP1 x64.
    PE Bear has been working great for all I use it for but I get some strange behavior in one thing.
    Following the “Import Adding” tutorial that used to be on the earlier site, I try to add an import entry to a DLL.
    All is fine up to step 6 (type a library name).
    As soon as I type it, it shows up fine but also corrupts another library higher up in the list.

    I’m ‘almost’ sure I had done it once successfully but I just can’t get past this point now.
    Any idea what I am doing wrong? Is some step missing from the tutorial?
    Thanks in advance.

    • hasherezade says:

      First of all, thanks for using PE-bear! Soon I am gonna make a new app that will have those things simplified. But for now my advice is: you must choose a different address as the “name RVA”. Choose something in the new section, where you will have enough space to fit the name without colliding with some existing content. I made for you also this example, maybe it will help: https://drive.google.com/open?id=0Bx0ohDGks8J0V2U3S3hjazh0dEU (password: demo)

      • kanenas says:

        Thanks for the response.
        Your link is not accessible for some reason.
        “You can’t access this item because it is in violation of our Terms of Service.”
        Could you post it somewhere else or email it to me please?

      • hasherezade says:

        I updated the link – now the zip is password protected. I don’t know why Google marked it as suspicious – of course it is not malicious, but you can check it in a VM if you don’t trust me. It’s just a set of two DLLs – one deploys calc.exe, and the other displays a message box.

  36. kanenas says:

    I got it and tried it. It works as it’s supposed to.
    I’ll try again my sample in case I missed something.
    Looking forward to the forthcoming application🙂
    Thank you much for looking into it.

  37. Pingback: Reverse engineering tools review – Sound's Blog
