PE-bear hasherezade
winget install --id=hasherezade.PE-bear -e
PE-bear is a multiplatform reversing tool for PE files. Its objective is to deliver a fast and flexible “first view” for malware analysts, stable and capable of handling malformed PE files.
PE-bear is a multiplatform reversing tool designed for analyzing Portable Executable (PE) files. It provides malware analysts with a fast, flexible, and stable solution to examine PE files, including those that are malformed or corrupted.
Key Features:
- Multiplatform Support: Runs on Windows, Linux, and macOS, ensuring broad accessibility.
- User-Friendly GUI: Offers an intuitive interface for efficient navigation and analysis of PE file structures.
- Signature Database Integration: Incorporates signatures from PEid's UserDB, enhancing identification capabilities.
- Handling Malformed Files: Robust enough to analyze corrupted or incomplete PE files.
- Bearparser Engine: Leverages advanced parsing techniques to deliver detailed insights into PE file internals.
- Regular Updates: Keeps up-to-date with the latest developments in malware analysis and PE file formats.
Audience & Benefit: Ideal for malware analysts, security researchers, and incident responders who require a reliable tool to quickly assess PE files. PE-bear streamlines initial analysis by providing essential information about file structure, headers, sections, imports, and exports, enabling faster identification of malicious behavior or anomalies.
PE-bear can be installed via winget, ensuring easy setup across supported platforms.
README
PE-bear

Signatures for PE-bear:
- SIG.txt (updated: Oct 17, 2022) - contains signatures from PEid's UserDB - converted by a script provided by crashish
Builds
📦 ⚙️ Download the latest release.
Windows Packaging
Available also via:
- Chocolatey
- Scoop
- WinGet (winget install pe-bear)
Test Builds
🧪 Fresh test builds (ahead of the official release) can be downloaded from the AppVeyor build server. They are created on each commit to the main branch. You can download them by clicking on the build version, then choosing the tab Artifacts. WARNING: those builds may be unstable.
> An archive of old releases is available here: https://github.com/hasherezade/pe-bear-releases
Available releases
The Linux build requires an appropriate version of Qt to be installed.
The Windows build with vs13 suffix (built with Visual Studio 2013) has no external dependencies.
The Windows build with vs19 suffix (built with Visual Studio 2019) requires the redistributable package for Visual Studio 2015 - 2022.
The Windows build with vs10 suffix is built with Qt4 (legacy), in contrast to the other builds, which are built with Qt5 (recommended). It is prepared for backward compatibility with old versions of Windows (i.e. XP), and may lack some of the features.
How to build
Requires:
- git
- cmake
- Qt6 (optional: Qt5, Qt4)
- bearparser (submodule)
- capstone (submodule)
- sig_finder (submodule)
Clone
Use recursive clone to get the repo together with submodules:
git clone --recursive https://github.com/hasherezade/pe-bear.git
Building on Windows
Use CMake to generate a Visual Studio project. Open in Visual Studio and build.
Building on Linux and MacOS
To build it on Linux or MacOS you can use the given scripts:
- build.sh - default, builds with the latest Qt
- build_qt6.sh - builds with Qt6
- build_qt5.sh - builds with Qt5
- build_qt4.sh - builds with Qt4
To generate the .app bundle on MacOS you can use:
More info on 📖 Wiki.
If you like PE-bear, you can support it by buying the merch 🐻