PE-bear is a multiplatform reversing (reverse engineering) software for PE files with friendly GUI.
Its objective is to deliver fast and flexible “first view” for malware analysts, stable and capable to handle malformed PE files.
Builds
Fresh test builds (ahead of the official release) can be downloaded from the AppVeyor build server. They are created on each commit to the main branch. You can download them by clicking on the build version, then choosing the tab Artifacts. WARNING: those builds may be unstable.
An archive of old releases is available here: https://github.com/hasherezade/pe-bear-releases
Feature and Details
- handles PE32 and PE64
- views multiple files in parallel
- recognizes known packers (by signatures)
- fast disassembler – starting from any chosen RVA/File offset
- visualization of sections layout
- selective comparing of two chosen PE files with reversing
- adding new elements (sections, imports)
How to build
Requires:
- git
- cmake
- Qt5 (optionally Qt4)
- bearparser (submodule of the current repository)
- capstone (submodule of the current repository)
- Clone
Use recursive clone to get the repo together with submodules:
git clone --recursive https://github.com/hasherezade/pe-bear.git
Building on Windows
Use CMake to generate a Visual Studio project. Open in Visual Studio and build.
Also See: Reverse Engineering Tools List
Building on Linux and MacOS
To build it on Linux or MacOS you can use the given scripts:
- build.sh – default, builds with Qt5
- build_qt5.sh – builds with Qt5
- build_qt4.sh – builds with Qt4
To generate the .app bundle on MacOS you can use:
- macos_wrap.sh
What you build in new version 0.6.5
- fixed crashing on opening of the DiffWindow after PE was resized
- fixed signatures matching ( Issue #18 )
- parse Debug Directory as an array of entries ( Issue #15 )
- fixed parsing PE files with atypical section alignment ( Issue #11)
- fixed modifying data in Bound Imports Directory
- fixed modifying export name
New Features Update
- updated Capstone (switched to the active branch next )
- added a wizard for adding imports ( Issue #16 )
- added undo for resize operations
- show all the matched signatures in the General Panel (not only one of them)
- load signatures from the current directory, as well as from User Data Directory (UDD)
- added filtering to signatures listing window
- allow to export disassembly of the section into a file ( Issue #14 )
- allow to dump sections, or export disassembly from all opened files at once
- show info about the atypical PE features as a tool-tip in a tree view
