What is it?
PE-bear is a freeware reversing tool for PE files. It is coded and designed basically by me (hasherezade); however, I welcome every suggestion or feature proposal.
Objective: to deliver a fast and flexible “first view” tool for malware analysts, stable and capable of handling malformed PE files.
NOTE: I am sorry, but PE-bear is no longer supported. Since I started that project I have learned a lot and I want to redesign many things. Please wait for my new tool to substitute this one.
For now you can take a look at the parser: https://github.com/hasherezade/bearparser (works for Windows and Linux). It comes with a command-line tool (bearcommander). I am looking forward to hearing any remarks!
…CIA uses it 😉
source: “Vault 7: CIA Hacking Tools Revealed”
Of course the old PE-bear is still available. The latest version is 0.3.7 (beta), released: 23.03.2014
Features and details
- handles PE32 and PE64
- views multiple files in parallel
- recognizes known packers (by signatures)
- fast disassembler – starting from any chosen RVA/File offset
- visualization of sections layout
- selective comparing of two chosen PE files
- adding new elements (sections, imports)
- and more…
Any suggestions/bug reports are welcome. I am waiting for your e-mails and comments.
Special thanks to Ange Albertini – for valuable advice and an excellent set of corner-case samples
See the sections and visualization of their layout:
PE-bear also comes with a simple, interactive disassembler: