Latest release 0.6.7.3 (20 January 2024) – Qt5
What it is?
PE-bear is a freeware, multi-platform reversing tool for PE files, based on bearparser (license) & capstone (license). Its objective is to deliver fast and flexible “first view” for malware analysts, stable and capable to handle malformed PE files.
Since 18 September 2022 PE-bear is Open Source, available here.
Check the π¬ intro to PE-bear by SEKTOR7
NOTE:
I officially discontinued the project in April 2014 after releasing 0.3.7 (23.03.2014). However, as per user requests, in April 2018 I released a version 0.3.8 with bugfixes. That release has been downloaded 15,918 times – that exceeded my expectations. Due to the fact that this project still has a group of active users and gets positive reviews, I decided to reopen development.
Fun Facts
- PE-bear has been featured in a Korean drama “Start-Up” :
- …CIA uses it π
source: “Vault 7: CIA Hacking Tools Revealed”
(https://wikileaks.org/ciav7p1/cms/page_20250761.html)
Features and details
- handles PE32 and PE64
- views multiple files in parallel
- recognizes known packers (by signatures)
- fast disassembler – starting from any chosen RVA/File offset
- visualization of sections layout
- selective comparing of two chosen PE files
- adding new elements (sections, imports)
- and more…
Special thanks to Ange Albertini – for valuable advises and excellent set of corner-case samples
Issues? Feature requests?
Any suggestions/bug reports are welcome. I am waiting for your e-mails and comments.
The preferred ways of reporting an issue is via Github Issues (here).
Screenshots
See the sections and visualization of their layout:
PE-bear comes also with a simple, interactive disassembler:
hasherezade's 1001 nights 
Pingback: Introducing new PE files reversing tool | hasherezade's 1001 nights
Hi, it seems like a very promising tools, I like binary comparison, which is quite rare feature among different RE tools. I will be watching your project, good luck!
This looks pretty neat, I’ll give it a try. Thanks!
Nice promising PE tool – good luck with the development!
many tricky PE cases are not supported yet – feel free to check my page http://pe.corkami.com to make it more robust.
Please add drag-n-drop support (1 file and many files at a time)
thanks
OK. I am planning to release a new version in upcoming Monday. Drag-n-drop will be included.
exelab.ru/f/index.php?action=vthread&forum=3&topic=21971
bad-english translation
Flint: “Can’t open files with menu, not removed from context menu. Very crude tool”
TryAga1n: “11MB of shitcode. Qt is really cool”
ELF_7719116: “One core loaded on 100%. Cant open files with cyrilic chars in filename”
deniskore: “Buggy disasm with files >2MB”
Vovan666: “This shit typed without ask”
ajax: “Pe-do-bear. Obscure project. For what?”
Pingback: PE-bear β version 0.1.8 avaliable! | hasherezade's 1001 nights
Pingback: Artigo: PE-bear | VCT Tecnologia - BLOG
Pingback: Security News » PE-bear
Pingback: PE-bear β version 0.2.0 avaliable! | hasherezade's 1001 nights
Very nice project. Too bad there’s no Linux port, since you’re using Qt :))
By the way, don’t be discouraged by russian trolling!
The source code will be available after some time, so it will work at any platform on which Qt works π
BTW – I am not discouraged (just right now I have to dedicate my time to some other project – so new PE-bear will come after some weeks). But anyways, thanks for words of support π
Pingback: PE-bear- Portable Executable reversing tool | SecTechno
Pingback: PE-bear β version 0.2.5 avaliable! | hasherezade's 1001 nights
looks great!! Kudos! π
Can it edit version information ?
no, it’s not implemented yet.
Pingback: .:[ d4 n3wS ]:. » PE-BEAR
Pingback: PE-bear β version 0.2.8 avaliable! | hasherezade's 1001 nights
i really like the tool, and am gonna use it,
tnx, zirek
Pingback: Outils, services, sites Γ (re)dΓ©couvrir 2013 S42 | La Mare du Gof
Its cooooool
Pingback: PE-bear β version 0.3.0 avaliable! | hasherezade's 1001 nights
Great tool.
>recognizes known packers (by signatures)
Can you use PEiD userdb.txt ??
Thank you.
Vincent
Good idea. From upcoming release (after about 1 month) it will be supported.
Not sure if this feature is present yet, but I wrote a converter to use on userdb.txt to convert to pe-bear’s format.
Somehow forgot the link: http://crashish.blogspot.com/2013/09/peid-signature-conversion-for-pe-bear.html
Thanks a lot!
Suggestion:
Can you add search for “All referenced text strings” ??
I need to follow the text strings.
PS:
ASCII text 1 Byte for English.
ASCII text 2 Bytes for Chinese/Korea/Japan.
UniCode text.
Thanks.
Vincent
Thanks for a great tool!
Suggestion:
Compare Window:
Two button:
Hex View and Next Diff
Please add Disasm button.
When PE-Bear find any diff,i want to Disasm.
Thanks.
Vincent
Suggestion:
Copy selected text to clipboard(Ctrl+C or Right-button popmenu)
Disasm Window:
Copy One Line or Multi-Lines text to clipboard(Ctrl+C or Right-button popmenu)
Compare Window(Hex View):
Copy selected Hex to clipboard(Ctrl+C or Right-button popmenu)
Thanks.
Vincent
I know that there are problems with coping and i fixed it already. It will come soon along with other fixes and features, probably in Christmas.
Good news.
Thank you.
Great tool! … and Linux version! Thanks!
Some suggestions: Automatic hash calculation, automatic signature detection (you could add it as a row in “General” tab), and additional hashes (sha1, sha256, ssdeep).
ok, I will add other hashes π
for now signature detection is automatic in the Entry Point. only in other cases must be applied manually. i didn’t wanted to make too much “on load’ operations, because i didn’t wanted to decrease speed of loading. that’s why those features, which are not always required, are on demand.
Pingback: PE-bear β version 0.3.6 avaliable! | hasherezade's 1001 nights
Suggestion:
1.
Load MAP file into Disam: Code Hint.
2.
Configure –> User Data Directory.
If “User Data Directory”==”” Load/Save tags to the same as PE directory(Not PE-Bear directory).
3.
Ctrl+G add option(checkbox) to VA(Not RAW).
Bug:
Tags file with ERROR codepage.
For example:
A.I can input some comments into Hint and see is OK.
B.Exit PE-Bear and Restart.
C.Load PE file again,show ERROR comments in ????????
Please save tags file in system codepage or UTF-16 codepage.
Thank you.
Vincent
Feat#1 (MAP files) will be implemented later,
Version with: Feat#2, #3 and the Bug fix is ready for testing:
http://hasherezade.net/PE-bear/download/devel_64/PE-bear.exe
NOTE: Feat#3 -> under Ctrl+R
All pass.
Thanks
Suggestion:
Optional Hdr –> Checksum
Add fix Checksum option.
Thank you.
Vincent
thank you! I added all your suggestions to my TODO list. You will be notified when it is ready
Thank you very much.
Pingback: PE-bear β version 0.3.7 available! | hasherezade's 1001 nights
The disassembler is using wrong bitness when inspecting DOS stub. It should be switched into 16-bit mode but instead it treats all instruction as 32 bit code which is not the case.
It’s not a bug, it’s a feature π
Bit mode is set for full file, but can be changed manually in settings. It is because some malicious samples are jumping to code located anywhere, i.e. in resources or in a DOS stub.
Complains about missing Qtgui4.dll… is it possible to compile them statically? I am on Win7 Ultimate.
It is feasible, however the free license of Qt does not allow me to do so. If you downloaded only PE-bear.exe, try to download it in a full zip package. Required dlls are inside.
Pingback: Masamune Soshu :The Making of the tachi and tantΕ of reverse engineering . | Reverse Engineer's Diary
Hey, PE-bear is a great tool, thank you.
I’m wondering if it is open source, as bearparser is?
My main problem is that it doesn’t handle hidpi quite well, so if you point me to sources somewhere I could possibly add that or if not, can I ask you to take a look at it?
A screenshot: https://imgur.com/a/BYEVy
thanks for the notice, I will be adding some fixes during my Christmas holiday, so I will take care of this.
Not sure if anybody is still looking at this page but here it is.
I’m using v3.7 beta in Windows 7 SP1 x64.
PE Bear has been working great for all I use it for but I get some strange behavior in one thing.
Following the “Import Adding” tutorial that used to be on the earlier site, I try to add an import entry to a DLL.
All is fine up to step 6 (type a library name).
Soon as I type it, it shows up fine but also corrupts another library higher up in the list.
I’m ‘almost’ sure I had done it once successfully but I just can’t get past this point now.
Any idea what I am doing wrong? Is some step missing from the tutorial?
Thanks in advance.
First of all, thanks for using PE-bear! Soon I am gonna make a new app that will have those things simplified. But for now my advice is: you must choose a different address as the “name RVA”. Choose something in the new section, where you will have enough space to fit the name without colliding with some existing content. I made for you also this example, maybe it will help: https://drive.google.com/open?id=0Bx0ohDGks8J0V2U3S3hjazh0dEU (password: demo)
Thanks for the response.
Your link is not accessible for some reason.
“You can’t access this item because it is in violation of our Terms of Service.”
Could you post it somewhere else or email it to me please?
I updated the link – now the zip is password protected. I don’t know why Google marked it as suspicious – of course it is not malicious, but you can check it on VM if you don’t trust me. It’s just a set of two DLLs – one deploys calc.exe, and another display a messagebox.
I got it and tried it. It works as it’s supposed to.
I’ll try again my sample in case I missed something.
Looking forward to the forthcoming application π
Thank you much for looking into it.
Pingback: Reverse engineering tools review – Sound's Blog
Pingback: missing links | Phage InfoSec Blog
I really love this tool, it’s the best PE editor i ever used.
Would you mind sharing the source-code via Github maybe?
Maybe we can integrate the new BearParser into the GUI.
I am happy that you like, thank you! Regarding integrating the old GUI with the new bearparser, I don’t think it will pay off. I have ideas for the new GUI, just lack of time. But if I would start the project again, I don’t want to start from the old mistakes π I am planning to rewrite it in much better way.
Cannot think of any better way, at least not in the sense of the “ease of use”!
If I can help you in any way, let me know.
Buenisimo ! Para lo que lo uso me alcanza y me sobra ! Felicitaciones por el PE-Bear, saludos desde Buenos Aires ! .
Pingback: Setting Up a Safe Malware Analysis Environment – 0ffset
Nice work!
It is good news on 2019.
PE-bear is a very great tool and i like.
Thank you hasherezade.
Thanks! I like PE-Bear a lot.
Pingback: ΠΡΡΡΠΈΠΉ ΡΠ΅Π΄Π°ΠΊΡΠΎΡ PE ΡΠ°ΠΉΠ»ΠΎΠ² Π΄Π»Ρ Windows 2019
was the disassembler written by u?
no, I used an open-source disassembling library (udis86)
please add dark theme (altrough there is already a dark part on bottom-right), Thank you any way!
Themes are not my high priority for now (there are more important things on my TODO), but I will keep it in mind, and it will be supported in the future.
please check the latest release, it has dark mode added!
https://github.com/hasherezade/pe-bear-releases/releases/tag/0.5.3
Pingback: Reverse Engineering Packed Malware
I’ve used PE-bear for long time and I’m also watching your channel π
Thanks.
Can you please show an example about how to add functions to the import table in an exe-file. Tried several times but fruitless
please check this out: https://github.com/hasherezade/pe-bear-releases/wiki/Import-adding
Hello. I actually used CFF Explorer(thanks goes to daniel pistelli) because I think it was the best solution for view or edit pe(32,64) file in win os. But Pe-Bear also good choice and i am downloading it know. But if you can add some feature it will make me(ok i think also any other π ) happy. Like Address converter I saw this feature but it s not user friendly may you add new tab for this feature like CFF explorer Address Converter or plugin for yara pattern match.I dont want from you make all of this feature tomorrow) but just save these as notes and when you have a free time please do that. I hope Pe-Bear will take CFF explorer place. Thank you very much .
hi! thank you for your kind and helpful feedback! I will note it and add on my TODO of the features to be implemented. If you have any other feature requests, or want to elaborate in more details on this one, feel free to add a github issue: https://github.com/hasherezade/pe-bear-releases/issues
Pingback: The Art of Malware β Danus Minimus β Reverse Engineer and Malware Analyst
World’s best pe editor
Keep up great work!!
Pingback: GitHub - rshipp/awesome-malware-analysis: Defund the Police.
Thanks for this great PE tool. I was wondering if you can tell me whether the new update has a similar function as the one in CFF by which you can change the DLL characteristics. Also another one like changing the section flags etc.
Thanks
Hi, so far you can change all the characteristics just manually, by editing the number. It doesn’t have an editor that will allow to select the value from the list. It is a good idea to add this feature, and I will add it to my TODO. For the future, if you have some feature request, feel free to create an issue on Github: https://github.com/hasherezade/pe-bear-releases/issues
I try with PE file build with fasm and not works:
pe_001.exe: PE32 executable (console) Intel 80386, for MS Windows
see the result :
[mythcat@desk PE-bear_0.5.2.3_x64_linux]$ ./PE-bear
“/proc/11817/root”
Segmentation fault (core dumped)
hi, can you send me the PE that caused the problem? I will check it and fix. hasherezade-at-pm.me
I send the source code and build a PE file and fasm file type with wetransfer website, you can find it on your mail.
Thank you, I responded in the related issue: https://github.com/hasherezade/pe-bear-releases/issues/29
Amazing tool! Could the CLI-header/CLRRuntimeHeader be added to the DataDirectories node of the Section Header tab?
Thank you! Yes, it will be added soon. You can track the progress of the feature here: https://github.com/hasherezade/pe-bear-releases/issues/30
Pingback: Flare-On 7 - Challenge 2 | Chuong Dong
Thank you so much for continuing the development of this powerful tool! I love it!
Pingback: Awesome Malware Analysis – Massive Collection of Resources – Learn Practice & Share
Good program! She should have had a better disassembler.. incorrectly parses simple sections of code. And command-line options for opening the file by offset.
Can you share more details about what it parsed incorrectly? The disassembler is based on Capstone engine (https://www.capstone-engine.org/) which is a mature library, so it is quite surprising to hear that something is parsed wrongly. Please provide some examples that will help me reproduce this bug.
Pingback: Top 15 Essential Malware Analysis Tools - SentinelLabs
Pingback: Malwarebyte Crackme Writeup [Part 1/2] – Kataware Tech Blog
1 .The size of the overlay data is not accurate. this is bug
2. I wish I had a global shortcut to move between Disasm – General – Doshdr – Filehdr – Option Hdr – Section hdr – imports – Security – Debug
(Ctrl + left arrow or Ctrl + right arrow)
3. Hex editor’s block is column mode, It is very difficult to copy large blocks.
Pingback: Analyze DLL Export with PE Bear – Cyber Security | Penetration Test | Malware Analysis
Dear hasherezade! Thank you for this marvelous program. It helps me a lot in my researches.
Let me leave here some small bug report: PE-bear canβt handle tiny, but valid (working) PE files: 61 bytes, 97 bytes, 252 bytes and so on, while CFF Explorer handles this files correctly.
Here is a collection of valid (working) tiny PE files for testing:
https://github.com/corkami/pocs/tree/master/PE/bin
Hi! I am glad that you like PE-bear π
You are right, those tiniest PEs from Corkami collection are not handled well. Thank you for reporting the issue, I added it here: https://github.com/hasherezade/pe-bear-releases/issues/43 – so that you can keep track on when it will be resolved.
For now I am busy with other things, so this will have to wait a bit. I hope it is not a problem.
lol I found this precious tool when I extract the icons that trying to disguise as document files from the bunch of malware executables. It’s a so impressive tool that has neat functions and also the icon :-0. Nice work!
Pingback: Malware Static Analysis Toolkit - LikelyMalware Blog