What is it?
PE-bear is a freeware reversing tool for PE files. Its objective was to deliver a fast and flexible “first view” tool for malware analysts, stable and capable of handling malformed PE files.
NOTE: I am sorry, but PE-bear is no longer developed. I will not be adding any new features etc. However, due to the fact that there are still many people who use it, I decided to do bugfixes whenever necessary. In the future, I am planning to replace PE-bear with a new, improved tool of similar capabilities.
PE-bear’s parser is open source: https://github.com/hasherezade/bearparser (works on Windows and Linux). It comes with a command-line tool (bearcommander). I am looking forward to hearing any remarks!
…CIA uses it 😉
source: “Vault 7: CIA Hacking Tools Revealed”
I officially discontinued the project in April 2014 after releasing 0.3.7 (23.03.2014). However, as per user requests, in April 2018 I released version 0.3.8 with bugfixes.
for Linux*: [64bit], (requires: libqt4-core, libqt4-gui)
* The Linux build is experimental.
Features and details
- handles PE32 and PE64
- views multiple files in parallel
- recognizes known packers (by signatures)
- fast disassembler – starting from any chosen RVA/File offset
- visualization of sections layout
- selective comparing of two chosen PE files
- adding new elements (sections, imports)
- and more…
Any suggestions/bug reports are welcome. I am waiting for your e-mails and comments.
Special thanks to Ange Albertini for valuable advice and an excellent set of corner-case samples.
See the sections and visualization of their layout:
PE-bear also comes with a simple, interactive disassembler: