Packages and Binaries:
libpe-dev
The libpe1t64 package provides a shared library which allows reading PE 32 and 64-bit files. Third party programs depend on this package to read internals of PE files.
This library is part of readpe.
This package provides the development files for libpe1.
Installed size: 173 KB
How to install: sudo apt install libpe-dev
Dependencies:
- libpe1t64
libpe1t64
The libpe1t64 package provides a shared library which allows reading PE 32 and 64-bit files. Third party programs depend on this package to read internals of PE files.
This library is part of readpe.
Installed size: 132 KB
How to install: sudo apt install libpe1t64
Dependencies:
- libc6
- libssl3t64
pev
pev is a tool to get information about PE32/PE32+ executables (EXE, DLL, OCX, etc.), such as headers, sections, resources and more.
This is a transitional package. It can safely be removed.
Installed size: 21 KB
How to install: sudo apt install pev
Dependencies:
- readpe
readpe
readpe is a toolkit designed to analyze Microsoft Windows PE (Portable Executable) binary files. Its tools can parse and compare PE32/PE32+ executable files (EXE, DLL, OCX, etc), and analyze them in search of suspicious characteristics.
It can be used to get information from those executable files, such as headers, sections, resources and more. It also provides tools to disassemble PE files and determine their security mitigations. It is useful for application security research, digital forensics and incident response, and malware analysis.
It is similar to elftools, only designed for PE files. It has more features than other more specific PE tools, such as icoextract or ntldd.
This package provides the ofs2rva, pedis, pehash, peldd, pepack, peres, pescan, pesec, pestr, readpe and rva2ofs commands.
Installed size: 1.23 MB
How to install: sudo apt install readpe
Dependencies:
- libc6
- libpe1t64
- libssl3t64
ofs2rva
Converts a PE raw file offset to a relative virtual address (RVA)
root@kali:~# ofs2rva -h
Usage: ofs2rva <offset> FILE
Convert raw file offset to RVA
Example: ofs2rva 0x1b9b8 calc.exe
Options:
-V, --version Show version.
--help Show this help.
pedis
Disassemble PE sections and functions
root@kali:~# pedis --help
Usage: pedis OPTIONS FILE
Disassemble PE sections and functions (by default, until found a RET or LEAVE instruction)
Example: pedis -r 0x4c4df putty.exe
Options:
--att Set AT&T assembly syntax (default: Intel).
-e, --entrypoint Disassemble the entire entrypoint function.
-f, --format <xml|json|csv|html|text> Change output format (default: text).
-m, --mode <16|32|64> Disassembly mode (default: auto).
-i <number> Number of instructions to disassemble.
-n <number> Number of bytes to disassemble
-o, --offset <offset> Disassemble at specified offset, either in decimal or hexadecimal format (prefixed with 0x).
-r, --rva <rva> Disassemble at specified RVA, either in decimal or hexadecimal format (prefixed with 0x).
-s, --section <section_name> Disassemble en entire section given.
-V, --version Show version.
--help Show this help.
pehash
Calculate hashes of PE pieces
root@kali:~# pehash --help
Usage: pehash OPTIONS FILE
Calculate hashes of PE pieces
Example: pehash -s '.text' winzip.exe
Options:
-f, --format <xml|json|csv|html|text> Change output format (default: text).
-a, --all Hash file, sections and headers with md5, sha1, sha256, ssdeep and imphash.
-c, --content Hash only the file content (default).
-h, --header <dos|coff|optional> Hash only the header with the specified name.
-s, --section <section_name> Hash only the section with the specified name.
--section-index <section_index> Hash only the section at the specified index (1..n).
-V, --version Show version.
--help Show this help.
peldd
Shows library dependencies for a given PE file
root@kali:~# peldd --help
Usage: peldd FILE
Display PE library dependencies
Example: peldd winzip.exe
Options:
-f, --format <xml|json|csv|html|text> Change output format (default: text).
-V, --version Show version.
--help Show help.
pepack
Check if a PE file is packed
root@kali:~# pepack --help
Usage: pepack FILE
Search for packers in PE files
Example: pepack putty.exe
Options:
-d, --database <file> Use database file (default: ./userdb.txt).
-f, --format <xml|json|csv|html|text> Change output format (default: text).
-V, --version Show version.
--help Show this help.
peres
Analyze and extract PE file resources
root@kali:~# peres -h
Usage: peres OPTIONS FILE
Show information about resource section and extract it
Example: peres -a putty.exe
Options:
-a, --all Show all information, statistics and extract resources
-f, --format <xml|json|csv|html|text> change output format (default: text)
-i, --info Show resources information
-l, --list Show list view
-s, --statistics Show resources statistics
-x, --extract Extract resources
-X, --named-extract Extract resources with path names
-v, --file-version Show File Version from PE resource directory
-V, --version Show version and exit
--help Show this help and exit
pescan
Identify suspicious characteristics in PE files
root@kali:~# pescan --help
Usage: pescan OPTIONS FILE
Search for suspicious things in PE files
Example: pescan putty.exe
Options:
-f, --format <xml|json|csv|html|text> Change output format (default: text).
-v, --verbose Show more information about found items.
-V, --version Show version.
--help Show this help.
pesec
Check for protections in PE files
root@kali:~# pesec --help
Usage: pesec [OPTIONS] FILE
Check for security features in PE files
Example: pesec wordpad.exe
Options:
-f, --format <xml|json|csv|html|text> Change output format (default: text)
-c, --certoutform <text|pem> Specifies the certificate output format (default: text).
-o, --certout <filename> Specifies the output filename to write certificates to (default: stdout).
-V, --version Show version.
--help Show this help.
pestr
Search strings in PE files
root@kali:~# pestr --help
Usage: pestr OPTIONS FILE
Search for strings in PE files
Example: pestr acrobat.exe
Options:
-n, --min-length Set minimum string length (default: 4).
-o, --offset Show string offset in file.
-s, --section Show string section, if exists.
-V, --version Show version.
--help Show this help.
readpe
Displays information about PE files
root@kali:~# readpe --help
Usage: readpe OPTIONS FILE
Show PE file headers
Example: readpe --header optional winzip.exe
Options:
-A, --all Full output (default).
-H, --all-headers Show all PE headers.
-S, --all-sections Show PE section headers.
-f, --format <xml|json|csv|html|text> Change output format (default: text).
-d, --dirs Show data directories.
-h, --header <dos|coff|optional> Show specific header. It can be used multiple times.
-i, --imports Show imported functions.
-e, --exports Show exported functions.
-V, --version Show version.
--help Show this help.
rva2ofs
Converts a PE relative virtual address (RVA) to a raw file offset
root@kali:~# rva2ofs -h
Usage: rva2ofs <rva> FILE
Convert RVA to raw file offset
Example: rva2ofs 0x12db cards.dll
Options:
-V, --version Show version.
--help Show this help.
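The conversions that ofs2rva and rva2ofs perform are driven by the PE section table: each section records where it lives in the file (PointerToRawData / SizeOfRawData) and where it is mapped in memory (VirtualAddress / VirtualSize), and an address is translated by finding the section that contains it and adding the difference. The C example below is added here to show that mapping in both directions; it is not code from readpe or libpe. The section_t struct, the SIZE_OF_HEADERS value and the four-entry section table are constructed sample data chosen to exercise the edge cases a real binary produces: the header region, the unmapped gap before the first section, a .data section whose zero-filled tail exists only in memory, and a file offset past the last section (an overlay).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal section-header view with only the fields the mapping needs.
 * This struct and the table below are constructed for the example; they are
 * not libpe's types nor data read from a real binary. */
typedef struct {
    const char *name;
    uint32_t virtual_address;  /* RVA at which the section is mapped in memory */
    uint32_t virtual_size;     /* Misc.VirtualSize: bytes occupied in memory */
    uint32_t raw_pointer;      /* PointerToRawData: where the section starts in the file */
    uint32_t raw_size;         /* SizeOfRawData: bytes actually stored in the file */
} section_t;

/* Constructed sample layout: file alignment 0x200, section alignment 0x1000.
 * .data has a 0x1800-byte uninitialized tail that exists only in memory. */
#define SIZE_OF_HEADERS 0x400u
static const section_t sample_sections[] = {
    { ".text",  0x01000u, 0x1A2F0u, 0x00400u, 0x1A400u },
    { ".rdata", 0x1C000u, 0x05D00u, 0x1A800u, 0x05E00u },
    { ".data",  0x22000u, 0x02000u, 0x20600u, 0x00800u },
    { ".rsrc",  0x24000u, 0x01000u, 0x20E00u, 0x01000u },
};
#define N_SECTIONS (sizeof sample_sections / sizeof sample_sections[0])

/* RVA -> raw file offset. Returns -1 when the RVA has no bytes in the file:
 * the gap between the headers and the first section, the zero-filled tail of
 * a section whose VirtualSize exceeds SizeOfRawData, or an address past every
 * section. */
int64_t rva2ofs(const section_t *secs, size_t n, uint32_t size_of_headers, uint32_t rva)
{
    /* The headers are mapped 1:1 from file offset 0, so RVA == offset there. */
    if (rva < size_of_headers)
        return (int64_t)rva;

    for (size_t i = 0; i < n; i++) {
        const section_t *s = &secs[i];
        /* The section owns max(VirtualSize, SizeOfRawData) bytes of address space. */
        uint32_t span = s->virtual_size > s->raw_size ? s->virtual_size : s->raw_size;
        if (rva < s->virtual_address || rva - s->virtual_address >= span)
            continue;
        uint32_t delta = rva - s->virtual_address;
        if (delta >= s->raw_size)
            return -1;  /* present in memory (zero-filled) but not on disk */
        return (int64_t)s->raw_pointer + delta;
    }
    return -1;
}

/* Raw file offset -> RVA. Returns -1 for offsets outside the headers and every
 * section's raw data, e.g. slack between sections or an overlay appended after
 * the last section, which the loader never maps. */
int64_t ofs2rva(const section_t *secs, size_t n, uint32_t size_of_headers, uint32_t ofs)
{
    if (ofs < size_of_headers)
        return (int64_t)ofs;

    for (size_t i = 0; i < n; i++) {
        const section_t *s = &secs[i];
        if (ofs < s->raw_pointer || ofs - s->raw_pointer >= s->raw_size)
            continue;
        return (int64_t)s->virtual_address + (ofs - s->raw_pointer);
    }
    return -1;
}

/* Convenience wrappers over the constructed table. */
int64_t sample_rva2ofs(uint32_t rva) { return rva2ofs(sample_sections, N_SECTIONS, SIZE_OF_HEADERS, rva); }
int64_t sample_ofs2rva(uint32_t ofs) { return ofs2rva(sample_sections, N_SECTIONS, SIZE_OF_HEADERS, ofs); }

int main(void)
{
    /* Header field, .text, .rdata, .data (file-backed), .data tail, header gap. */
    uint32_t rvas[] = { 0x3Cu, 0x1234u, 0x1C010u, 0x22100u, 0x22900u, 0x500u };
    for (size_t i = 0; i < sizeof rvas / sizeof rvas[0]; i++)
        printf("rva 0x%05x -> ofs %lld\n", rvas[i], (long long)sample_rva2ofs(rvas[i]));
    printf("ofs 0x20700 -> rva %lld\n", (long long)sample_ofs2rva(0x20700u));
    printf("ofs 0x22000 (overlay) -> rva %lld\n", (long long)sample_ofs2rva(0x22000u));
    return 0;
}
```

The -1 results are the cases worth noticing when triaging a sample: an RVA that maps to a section's zero-filled tail, or a file offset that lands in an overlay, is data the loader never brings into memory at that address, which is a common place for appended payloads or configuration to sit. The real tools read the section table from the file rather than from a constant; the translation logic is the same.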
Updated on: 2024-Nov-20