Packages and Binaries:

libpe-dev

The libpe1t64 package provides a shared library which allows reading PE 32 and 64-bit files. Third party programs depend on this package to read internals of PE files.

This library is part of readpe.

This package provides the development files for libpe1.

Installed size: 177 KB
How to install: sudo apt install libpe-dev

Dependencies:
  • libpe1t64

libpe1t64

The libpe1t64 package provides a shared library which allows reading PE 32 and 64-bit files. Third party programs depend on this package to read internals of PE files.

This library is part of readpe.

Installed size: 128 KB
How to install: sudo apt install libpe1t64

Dependencies:
  • libc6
  • libssl3t64

readpe

readpe is a toolkit designed to analyze Microsoft Windows PE (Portable Executable) binary files. Its tools can parse and compare PE32/PE32+ executable files (EXE, DLL, OCX, etc.), and analyze them in search of suspicious characteristics.

It can be used to get information from those executable files, such as headers, sections, resources and more. It also provides tools to disassemble PE files and determine their security mitigations. It is useful for application security research, digital forensics and incident response, and malware analysis.

It is similar to elftools, only designed for PE files. It has more features than other more specific PE tools, such as icoextract or ntldd.

This package provides the ofs2rva, pedis, pehash, peldd, pepack, peres, pescan, pesec, pestr, readpe and rva2ofs commands.

Installed size: 1.23 MB
How to install: sudo apt install readpe

Dependencies:
  • libc6
  • libpe1t64
  • libssl3t64

ofs2rva

Converts a PE raw file offset to relative virtual address

root@kali:~# ofs2rva -h
Usage: ofs2rva <offset> FILE
Convert raw file offset to RVA

Example: ofs2rva 0x1b9b8 calc.exe

Options:
 -V, --version                          Show version.
 --help                                 Show this help.

pedis

Disassemble PE sections and functions

root@kali:~# pedis --help
Usage: pedis OPTIONS FILE
Disassemble PE sections and functions (by default, until found a RET or LEAVE instruction)

Example: pedis -r 0x4c4df putty.exe

Options:
 --att                                 Set AT&T assembly syntax (default: Intel).
 -e, --entrypoint                      Disassemble the entire entrypoint function.
 -f, --format <csv|json|xml|html|text> Change output format (default: text).
 -m, --mode <16|32|64>                 Disassembly mode (default: auto).
 -i <number>                           Number of instructions to disassemble.
 -n <number>                           Number of bytes to disassemble
 -o, --offset <offset>                 Disassemble at specified offset, either in decimal or hexadecimal format (prefixed with 0x).
 -r, --rva <rva>                       Disassemble at specified RVA, either in decimal or hexadecimal format (prefixed with 0x).
 -s, --section <section_name>          Disassemble en entire section given.
 -V, --version                         Show version.
 --help                                Show this help.

pehash

Calculate hashes of PE pieces

root@kali:~# pehash --help
Usage: pehash OPTIONS FILE
Calculate hashes of PE pieces

Example: pehash -s '.text' winzip.exe

Options:
 -f, --format <csv|json|xml|html|text> Change output format (default: text).
 -a, --all                             Hash file, sections and headers with md5, sha1, sha256, ssdeep and imphash.
 -c, --content                         Hash only the file content (default).
 -h, --header <dos|coff|optional>      Hash only the header with the specified name.
 -s, --section <section_name>          Hash only the section with the specified name.
 --section-index <section_index>       Hash only the section at the specified index (1..n).
 -V, --version                         Show version.
 --help                                Show this help.

peldd

Shows library dependencies for a given PE file

root@kali:~# peldd --help
Usage: peldd FILE
Display PE library dependencies

Example: peldd winzip.exe

Options:
 -f, --format <csv|json|xml|html|text> Change output format (default: text).
 -V, --version                         Show version.
 --help                                Show help.

pepack

Check if a PE file is packed

root@kali:~# pepack --help
Usage: pepack FILE
Search for packers in PE files

Example: pepack putty.exe

Options:
 -d, --database <file>                  Use database file (default: ./userdb.txt).
 -f, --format <csv|json|xml|html|text>  Change output format (default: text).
 -V, --version                          Show version.
 --help                                 Show this help.

peres

Analyze and extract PE file resources

root@kali:~# peres -h
Usage: peres OPTIONS FILE
Show information about resource section and extract it

Example: peres -a putty.exe

Options:
 -a, --all                             Show all information, statistics and extract resources
 -f, --format <csv|json|xml|html|text> Change output format (default: text)
 -i, --info                            Show resources information
 -l, --list                            Show list view
 -s, --statistics                      Show resources statistics
 -x, --extract                         Extract resources
 -X, --named-extract                   Extract resources with path names
 -v, --file-version                    Show File Version from PE resource directory
 -V, --version                         Show version and exit
 --help                                Show this help and exit

pescan

Identify suspicious characteristics in PE files

root@kali:~# pescan --help
Usage: pescan OPTIONS FILE
Search for suspicious things in PE files

Example: pescan putty.exe

Options:
 -f, --format <csv|json|xml|html|text> Change output format (default: text).
 -v, --verbose                         Show more information about found items.
 -V, --version                         Show version.
 --help                                Show this help.

pesec

Check for protections in PE files

root@kali:~# pesec --help
Usage: pesec [OPTIONS] FILE
Check for security features in PE files

Example: pesec wordpad.exe

Options:
 -f, --format <csv|json|xml|html|text> Change output format (default: text)
 -c, --certoutform <text|pem>          Specifies the certificate output format (default: text).
 -o, --certout <filename>              Specifies the output filename to write certificates to (default: stdout).
 -V, --version                         Show version.
 --help                                Show this help.

pestr

Search strings in PE files

root@kali:~# pestr --help
Usage: pestr OPTIONS FILE
Search for strings in PE files

Example: pestr acrobat.exe

Options:
 -n, --min-length                       Set minimum string length (default: 4).
 -o, --offset                           Show string offset in file.
 -s, --section                          Show string section, if exists.
 -V, --version                          Show version.
 --help                                 Show this help.

readpe

Displays information about PE files

root@kali:~# readpe --help
Usage: readpe OPTIONS FILE
Show PE file headers

Example: readpe --header optional winzip.exe

Options:
 -A, --all                             Full output (default).
 -H, --all-headers                     Show all PE headers.
 -S, --all-sections                    Show PE section headers.
 -f, --format <csv|json|xml|html|text> Change output format (default: text).
 -d, --dirs                            Show data directories.
 -h, --header <dos|coff|optional>      Show specific header. It can be used multiple times.
 -i, --imports                         Show imported functions.
 -e, --exports                         Show exported functions.
 -V, --version                         Show version.
 --help                                Show this help.

rva2ofs

Converts a PE relative virtual address to raw file offset

root@kali:~# rva2ofs -h
Usage: rva2ofs <rva> FILE
Convert RVA to raw file offset

Example: rva2ofs 0x12db cards.dll

Options:
 -V, --version                          Show version.
 --help                                 Show this help.
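
The mapping that ofs2rva and rva2ofs perform can be reproduced from the section table alone. The following is an added example, not code from readpe or libpe: it parses the section headers of a constructed two-section image (build_sample and all of its values are made up for illustration) and assumes that addresses below the first section belong to the header area and map one-to-one.

```python
import struct

def parse_sections(data):
    """Return [(name, vaddr, vsize, raw_ptr, raw_size)] from PE header bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsec,) = struct.unpack_from("<H", data, pe_off + 6)       # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), vaddr, vsize, rptr, rsize))
    return sections

def rva2ofs(sections, rva):
    for _name, vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            delta = rva - vaddr
            # Bytes past SizeOfRawData exist only in memory (zero-filled tail).
            return rptr + delta if delta < rsize else None
    first = min((s[1] for s in sections), default=0)
    return rva if rva < first else None   # assumption: header area maps 1:1

def ofs2rva(sections, ofs):
    for _name, vaddr, _vsize, rptr, rsize in sections:
        if rptr <= ofs < rptr + rsize:
            return vaddr + (ofs - rptr)
    first = min((s[3] for s in sections if s[4]), default=0)
    return ofs if ofs < first else None   # assumption: header area maps 1:1

def build_sample():
    """Constructed header-only image: two sections, no optional header."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    # Fields: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    text = struct.pack("<8sIIII16x", b".text", 0x0F00, 0x1000, 0x1000, 0x0400)
    bss_like = struct.pack("<8sIIII16x", b".data", 0x3000, 0x2000, 0x0200, 0x1400)
    return dos + coff + text + bss_like

if __name__ == "__main__":
    secs = parse_sections(build_sample())
    for rva in (0x12DB, 0x2100, 0x2300, 0x80):
        ofs = rva2ofs(secs, rva)
        print(hex(rva), "->", "no file bytes" if ofs is None else hex(ofs))
```

An RVA that falls in the memory-only tail of a section has no raw offset, which is why a converter can legitimately return nothing for an address that is valid at run time.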



Updated on: 2025-Nov-18