pev PE analysis toolkit


Reversing PE executable files require a special tools because the payload that may contain the malware in PE files is packed inside another executable file that can be a legitimate. This makes a standard static analyses tool wont be able to analyze the payload. the same to antiviruses some packed executable files may evade the security software as the malicious file is hidden inside a packer.

The dynamic analyses for these types of files and executing the PE file in sandbox may reveal what is the package intended to. Also it is possible to use pev a multiplatform PE analysis toolkit that includes tools to retrieve and parsing information about Windows PE files. some of the features of pev is:

  • Based in own library libpe
  • Support for PE32+ (64-bit) files
  • Formatted output in text and CSV (other formats in development)
  • pesec: detect presence of ASLR and DEP/NX bits
  • readpe: show PE headers, sections, imports and exports
  • pescan: detect TLS callback functions, DOS stub modification, suspicious sections and more
  • pedis: disassembly a PE file section or function with support for Intel and AT&T syntax
  • Include tools to convert RVA from file offset and vice-versa
  • pehash: calculate PE file hashes
  • pepack: detect if an executable is packed or not
  • pestr: search for hardcoded Unicode and ASCII strings simultaneously in PE files

You can download the tool on the following link: