Packages and Binaries:

libpe-dev

The libpe1 package provides a shared library which allows reading PE 32-bit and 64-bit files. Third-party programs depend on this package to read the internals of PE files.

This library is part of readpe.

This package provides the development files for libpe1.

Installed size: 163 KB
How to install: sudo apt install libpe-dev

Dependencies:
  • libpe1

libpe1

The libpe1 package provides a shared library which allows reading PE 32-bit and 64-bit files. Third-party programs depend on this package to read the internals of PE files.

This library is part of readpe.

Installed size: 119 KB
How to install: sudo apt install libpe1

Dependencies:
  • libc6
  • libssl3

pev

pev is a tool to get information about PE32/PE32+ executables (EXE, DLL, OCX, etc.) such as headers, sections, resources and more.

This is a transitional package. It can safely be removed.

Installed size: 20 KB
How to install: sudo apt install pev

Dependencies:
  • readpe

readpe

readpe is a toolkit designed to analyze Microsoft Windows PE (Portable Executable) binary files. Its tools can parse and compare PE32/PE32+ executable files (EXE, DLL, OCX, etc), and analyze them in search of suspicious characteristics.

It can be used to get information from those executable files, such as headers, sections, resources and more. It also provides tools to disassemble PE files and determine their security mitigations. It is useful for application security research, digital forensics and incident response, and malware analysis.

It is similar to elftools, only designed for PE files. It has more features than other more specific PE tools, such as icoextract or ntldd.

This package provides the ofs2rva, pedis, pehash, peldd, pepack, peres, pescan, pesec, pestr, readpe and rva2ofs commands.

Installed size: 1.23 MB
How to install: sudo apt install readpe

Dependencies:
  • libc6
  • libpe1
  • libssl3

ofs2rva

Converts a PE raw file offset to a relative virtual address (RVA)

root@kali:~# ofs2rva -h
Usage: ofs2rva <offset> FILE
Convert raw file offset to RVA

Example: ofs2rva 0x1b9b8 calc.exe

Options:
 -V, --version							 Show version.
 --help								 Show this help.

pedis

Disassemble PE sections and functions

root@kali:~# pedis --help
Usage: pedis OPTIONS FILE
Disassemble PE sections and functions (by default, until found a RET or LEAVE instruction)

Example: pedis -r 0x4c4df putty.exe

Options:
 --att									 Set AT&T assembly syntax (default: Intel).
 -e, --entrypoint						 Disassemble the entire entrypoint function.
 -f, --format <csv|xml|text|html|json>  Change output format (default: text).
 -m, --mode <16|32|64>					 Disassembly mode (default: auto).
 -i <number>							 Number of instructions to disassemble.
 -n <number>							 Number of bytes to disassemble
 -o, --offset <offset>					 Disassemble at specified offset, either in decimal or hexadecimal format (prefixed with 0x).
 -r, --rva <rva>						 Disassemble at specified RVA, either in decimal or hexadecimal format (prefixed with 0x).
 -s, --section <section_name>			 Disassemble en entire section given.
 -V, --version							 Show version.
 --help								 Show this help.

pehash

Calculate hashes of PE pieces

root@kali:~# pehash --help
Usage: pehash OPTIONS FILE
Calculate hashes of PE pieces

Example: pehash -s '.text' winzip.exe

Options:
 -f, --format <csv|xml|text|html|json> Change output format (default: text).
 -a, --all								Hash file, sections and headers with md5, sha1, sha256, ssdeep and imphash.
 -c, --content							Hash only the file content (default).
 -h, --header <dos|coff|optional>		Hash only the header with the specified name.
 -s, --section <section_name>			Hash only the section with the specified name.
 --section-index <section_index>		Hash only the section at the specified index (1..n).
 -V, --version							Show version.
 --help								Show this help.

peldd

Shows library dependencies for a given PE file

root@kali:~# peldd --help
Usage: peldd FILE
Display PE library dependencies

Example: peldd winzip.exe

Options:
 -f, --format <csv|xml|text|html|json>  Change output format (default: text).
 -V, --version							 Show version.
 --help								 Show help.

pepack

Check if a PE file is packed

root@kali:~# pepack --help
Usage: pepack FILE
Search for packers in PE files

Example: pepack putty.exe

Options:
 -d, --database <file>					 Use database file (default: ./userdb.txt).
 -f, --format <csv|xml|text|html|json>  Change output format (default: text).
 -V, --version							 Show version.
 --help								 Show this help.

peres

Analyze and extract PE file resources

root@kali:~# peres -h
Usage: peres OPTIONS FILE
Show information about resource section and extract it

Example: peres -a putty.exe

Options:
 -a, --all								 Show all information, statistics and extract resources
 -f, --format <csv|xml|text|html|json>  change output format (default: text)
 -i, --info							 Show resources information
 -l, --list							 Show list view
 -s, --statistics						 Show resources statistics
 -x, --extract							 Extract resources
 -X, --named-extract					 Extract resources with path names
 -v, --file-version					 Show File Version from PE resource directory
 -V, --version							 Show version and exit
 --help								 Show this help and exit

pescan

Identify suspicious characteristics in PE files

root@kali:~# pescan --help
Usage: pescan OPTIONS FILE
Search for suspicious things in PE files

Example: pescan putty.exe

Options:
 -f, --format <csv|xml|text|html|json>  Change output format (default: text).
 -v, --verbose							 Show more information about found items.
 -V, --version							 Show version.
 --help								 Show this help.

pesec

Check for protections in PE files

root@kali:~# pesec --help
Usage: pesec [OPTIONS] FILE
Check for security features in PE files

Example: pesec wordpad.exe

Options:
 -f, --format <csv|xml|text|html|json>  Change output format (default: text)
 -c, --certoutform <text|pem>			 Specifies the certificate output format (default: text).
 -o, --certout <filename>				 Specifies the output filename to write certificates to (default: stdout).
 -V, --version							 Show version.
 --help								 Show this help.

pestr

Search strings in PE files

root@kali:~# pestr --help
Usage: pestr OPTIONS FILE
Search for strings in PE files

Example: pestr acrobat.exe

Options:
 -n, --min-length						 Set minimum string length (default: 4).
 -o, --offset							 Show string offset in file.
 -s, --section							 Show string section, if exists.
 -V, --version							 Show version.
 --help								 Show this help.

readpe

Displays information about PE files

root@kali:~# readpe --help
Usage: readpe OPTIONS FILE
Show PE file headers

Example: readpe --header optional winzip.exe

Options:
 -A, --all								 Full output (default).
 -H, --all-headers						 Show all PE headers.
 -S, --all-sections					 Show PE section headers.
 -f, --format <csv|xml|text|html|json>  Change output format (default: text).
 -d, --dirs							 Show data directories.
 -h, --header <dos|coff|optional>		 Show specific header. It can be used multiple times.
 -i, --imports							 Show imported functions.
 -e, --exports							 Show exported functions.
 -V, --version							 Show version.
 --help								 Show this help.

rva2ofs

Converts a PE relative virtual address (RVA) to a raw file offset

root@kali:~# rva2ofs -h
Usage: rva2ofs <rva> FILE
Convert RVA to raw file offset

Example: rva2ofs 0x12db cards.dll

Options:
 -V, --version							 Show version.
 --help								 Show this help.
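The conversions that ofs2rva and rva2ofs perform, and the DllCharacteristics check that pesec reports, both come down to reading the PE section table and optional header. The following is an added example in Python, not code from readpe or libpe: it parses the DOS header, COFF header, optional header and section headers, maps raw file offsets to RVAs (and back) through each section's PointerToRawData and VirtualAddress, and decodes the optional header's DllCharacteristics bits (ASLR, DEP, CFG and friends). The PE bytes it works on are constructed in build_sample_pe() and are not a real binary; the class and method names (PEImage, ofs2rva, rva2ofs, mitigations) are this example's own. Unlike pesec it does not look at certificates or other security features, only the header flags.

```python
"""Minimal PE parser: raw offset <-> RVA mapping and DllCharacteristics decoding."""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    "HIGH_ENTROPY_VA": 0x0020,
    "DYNAMIC_BASE": 0x0040,        # ASLR
    "FORCE_INTEGRITY": 0x0080,
    "NX_COMPAT": 0x0100,           # DEP
    "NO_SEH": 0x0400,
    "GUARD_CF": 0x4000,            # Control Flow Guard
    "TERMINAL_SERVER_AWARE": 0x8000,
}

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


class PEImage:
    """Parses just enough of a PE file to map offsets <-> RVAs and read DllCharacteristics."""

    def __init__(self, data: bytes):
        if data[:2] != b"MZ":
            raise ValueError("missing MZ signature")
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        coff = e_lfanew + 4
        (self.machine, nsections, _, _, _,
         opt_size, self.characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
        opt = coff + 20
        self.magic = struct.unpack_from("<H", data, opt)[0]      # 0x10B = PE32, 0x20B = PE32+
        # DllCharacteristics is at offset 70 of the optional header for both PE32 and PE32+.
        self.dll_characteristics = struct.unpack_from("<H", data, opt + 70)[0]
        # Section headers follow the optional header; SizeOfOptionalHeader says where.
        self.sections = []
        pos = opt + opt_size
        for _ in range(nsections):
            name, vsize, va, rawsize, rawptr, *_rest = struct.unpack_from(SECTION_FMT, data, pos)
            self.sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                                  vsize, va, rawsize, rawptr))
            pos += struct.calcsize(SECTION_FMT)

    def _first_raw(self) -> int:
        return min(s[4] for s in self.sections) if self.sections else 0

    def ofs2rva(self, ofs: int):
        """Raw file offset -> RVA, or None when the offset is not part of the mapped image."""
        for _name, _vsize, va, rawsize, rawptr in self.sections:
            if rawptr <= ofs < rawptr + rawsize:
                return ofs - rawptr + va
        # Headers are copied to the image base unchanged, so before the first section offset == RVA.
        return ofs if ofs < self._first_raw() else None

    def rva2ofs(self, rva: int):
        """RVA -> raw file offset, or None when those bytes do not exist on disk."""
        for _name, vsize, va, rawsize, rawptr in self.sections:
            span = vsize or rawsize          # VirtualSize may be 0 in object-style sections
            if va <= rva < va + span:
                delta = rva - va
                # Bytes past SizeOfRawData are zero-filled in memory only (e.g. .bss data).
                return rawptr + delta if delta < rawsize else None
        return rva if rva < self._first_raw() else None

    def mitigations(self) -> dict:
        """Which DllCharacteristics-based protections the image opts into."""
        return {name: bool(self.dll_characteristics & bit)
                for name, bit in DLL_CHARACTERISTICS.items()}


def build_sample_pe() -> bytes:
    """Constructed PE32+ headers (not a real executable): two sections, ASLR+DEP on, CFG off."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    opt = bytearray(240)                                         # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)                        # Magic: PE32+
    struct.pack_into("<H", opt, 70, 0x8160)                      # HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT|TS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x22)
    sections = (
        struct.pack(SECTION_FMT, b".text", 0x900, 0x1000, 0xA00, 0x400, 0, 0, 0, 0, 0x60000020)
        + struct.pack(SECTION_FMT, b".data", 0x400, 0x2000, 0x200, 0xE00, 0, 0, 0, 0, 0xC0000040)
    )
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + sections
    return hdr + b"\0" * (0x1000 - len(hdr))                     # pad out the section raw data


if __name__ == "__main__":
    pe = PEImage(build_sample_pe())
    print("ofs 0x6db -> rva", hex(pe.ofs2rva(0x6DB)))
    print("rva 0x12db -> ofs", hex(pe.rva2ofs(0x12DB)))
    for name, enabled in pe.mitigations().items():
        print(f"{name:22s} {'yes' if enabled else 'no'}")
```

Two details matter in practice: an RVA inside a section's VirtualSize but past its SizeOfRawData has no file offset at all (rva2ofs returns None rather than pointing at the next section's bytes), and offsets inside the headers map to themselves because the loader copies the headers to the image base unchanged.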

Updated on: 2024-Feb-26