What is it?
PE-bear is a freeware reversing tool for PE files. Its objective was to deliver a fast and flexible “first view” tool for malware analysts, stable and capable of handling malformed PE files.
PE-bear’s parser is open source: https://github.com/hasherezade/bearparser (it works on Windows and Linux). It comes with a command-line tool (bearcommander). I am looking forward to hearing any remarks!
I officially discontinued the project in April 2014, after releasing 0.3.7 (23.03.2014). However, as per user requests, in April 2018 I released version 0.3.8 with bugfixes. That release has been downloaded 15,918 times, which exceeded my expectations. Because this project still has a group of active users and gets positive reviews, I decided to reopen development. In the near future you can expect a Qt5 version and new features.
…CIA uses it 😉
source: “Vault 7: CIA Hacking Tools Revealed”
Read more about this release here.
for Linux*: [64bit] (requires: libqt4-core, libqt4-gui)
*-the Linux build is experimental
Features and details
- handles PE32 and PE64
- views multiple files in parallel
- recognizes known packers (by signatures)
- fast disassembler, starting from any chosen RVA or file offset
- visualization of sections layout
- selective comparison of two chosen PE files
- adding new elements (sections, imports)
- and more…
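Several of the features above (PE32 and PE64 support, the section layout view, the disassembler that starts at an arbitrary RVA or file offset, tolerance of malformed files) come down to one thing a “first view” tool must get right: walking the PE headers and mapping RVAs to bytes on disk without crashing on damaged input. The following is an added example written for this page, not code from PE-bear or bearparser: a minimal Python parser that handles both optional-header formats (the `0x10B` and `0x20B` magics), maps RVAs to file offsets through the section table, and records anomalies (truncated section table, raw data past end of file, too many sections) instead of aborting. The image it parses is constructed inline by `build_sample_pe`; every function name here is this example’s own.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D     # "MZ"
IMAGE_NT_SIGNATURE = 0x4550      # "PE\0\0"
PE32_MAGIC, PE64_MAGIC = 0x10B, 0x20B
MAX_SECTIONS = 96                # the Windows loader rejects images with more sections


class PEFormatError(ValueError):
    """Raised only for damage that makes further parsing meaningless."""


def parse_pe(data: bytes) -> dict:
    """Parse the DOS header, NT headers and section table of a PE32 or PE32+ image."""
    warnings = []
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise PEFormatError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):          # PE signature + IMAGE_FILE_HEADER must fit
        raise PEFormatError("e_lfanew points outside the file")
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise PEFormatError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_size < 64 or opt_off + opt_size > len(data):   # we read up to SizeOfHeaders (+60)
        raise PEFormatError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == PE32_MAGIC:      # PE32: ImageBase is a DWORD at +28, after BaseOfData
        bits, image_base = 32, struct.unpack_from("<I", data, opt_off + 28)[0]
    elif magic == PE64_MAGIC:    # PE32+: no BaseOfData, ImageBase is a QWORD at +24
        bits, image_base = 64, struct.unpack_from("<Q", data, opt_off + 24)[0]
    else:
        raise PEFormatError(f"unknown optional header magic 0x{magic:x}")
    entry_point = struct.unpack_from("<I", data, opt_off + 16)[0]
    size_of_headers = struct.unpack_from("<I", data, opt_off + 60)[0]
    if nsec > MAX_SECTIONS:
        warnings.append(f"NumberOfSections={nsec} exceeds the loader limit of {MAX_SECTIONS}")
    sections, sec_off = [], opt_off + opt_size
    for i in range(nsec):
        off = sec_off + i * 40                # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):              # truncated section table: keep what we have
            warnings.append(f"section table truncated after {i} entries")
            break
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        if raw_ptr + raw_size > len(data):    # raw data past EOF: clamp instead of trusting it
            warnings.append(f"section {i} raw data extends past end of file")
            raw_size = max(0, min(raw_size, len(data) - raw_ptr))
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"bits": bits, "machine": machine, "image_base": image_base, "entry_point": entry_point,
            "size_of_headers": size_of_headers, "sections": sections, "warnings": warnings, "data": data}


def safe_parse(data: bytes):
    """First-view style wrapper: returns (pe, None) or (None, reason) instead of raising."""
    try:
        return parse_pe(data), None
    except PEFormatError as err:
        return None, str(err)


def rva_to_offset(pe: dict, rva: int):
    """Map an RVA to a file offset via the section table; None if no bytes exist on disk."""
    for s in pe["sections"]:
        span = max(s["virtual_size"], s["raw_size"])    # extent of the section in memory
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            delta = rva - s["virtual_address"]
            # VirtualSize may exceed SizeOfRawData (.bss, zero padding): memory-only bytes
            return s["raw_ptr"] + delta if delta < s["raw_size"] else None
    # headers are mapped 1:1 at the image base, so there RVA == file offset
    return rva if rva < pe["size_of_headers"] else None


def bytes_at_rva(pe: dict, rva: int, length: int):
    """Raw bytes behind an RVA (what a disassembler started at that RVA would read)."""
    off = rva_to_offset(pe, rva)
    if off is None or off + length > len(pe["data"]):
        return None
    return pe["data"][off:off + length]


def build_sample_pe(bits: int) -> bytes:
    """Constructed demo image (not a real binary): headers, .text with raw data, .bss without."""
    opt_size = 0xF0 if bits == 64 else 0xE0
    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))   # e_lfanew = 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664 if bits == 64 else 0x14C, 2, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE64_MAGIC if bits == 64 else PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1010)                             # AddressOfEntryPoint
    if bits == 64:
        struct.pack_into("<Q", opt, 24, 0x140000000)                    # ImageBase (PE32+)
    else:
        struct.pack_into("<I", opt, 28, 0x400000)                       # ImageBase (PE32)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                     # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)                     # SizeOfImage/SizeOfHeaders
    img += opt
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
    img += struct.pack("<8sIIIIIIHHI", b".text", 0x300, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    img += struct.pack("<8sIIIIIIHHI", b".bss", 0x1000, 0x2000, 0, 0, 0, 0, 0, 0, 0xC0000080)
    img += b"\0" * (0x200 - len(img))                                   # pad headers to 0x200
    text = bytearray(0x200)
    text[0x10:0x14] = b"\x55\x8b\xec\xc3"     # a few x86 opcode bytes placed at the entry point
    return bytes(img + text)
```

Two details are worth noting. An RVA inside a section’s VirtualSize but beyond its SizeOfRawData has no bytes on disk, so the mapping returns None rather than pointing into the next section’s data, and RVAs below SizeOfHeaders map to themselves because the headers are loaded unchanged at the image base. Everything non-fatal goes into the `warnings` list so that a damaged sample still gets a first view.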
Any suggestions/bug reports are welcome. I am waiting for your e-mails and comments.
Special thanks to Ange Albertini for valuable advice and an excellent set of corner-case samples.
See the sections and visualization of their layout:
PE-bear comes also with a simple, interactive disassembler: