pev is a multiplatform toolkit for working with PE (Portable Executable) binaries. Its main goal is to provide feature-rich tools for properly analyzing binaries, especially suspicious ones.
+ Based on its own PE library, libpe
+ Support for PE32 and PE32+ (64-bit) files
+ Formatted output in text and CSV (other formats in development)
+ pesec: check security features in PE files, extract certificates and more
+ readpe: parse PE headers, sections, imports and exports
+ pescan: detect TLS callback functions, DOS stub modification, suspicious sections and more
+ pedis: disassemble a PE file section or function, with support for Intel and AT&T syntax
+ Includes tools to convert an RVA to a file offset and vice versa
+ pehash: calculate PE file hashes
+ pepack: detect if an executable is packed or not
+ pestr: search for hardcoded Unicode and ASCII strings simultaneously in PE files
+ peres: show and extract PE file resources
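To make the header-level work behind pesec (security flags in DllCharacteristics) and the RVA/offset conversion tools concrete, here is an added example in Python; it is not pev or libpe code. It builds a constructed, minimal PE32/PE32+ image in memory (headers and a section table only, no real code), parses it, maps RVAs to file offsets and back, and reports which DllCharacteristics mitigations are set. The helper names (PEInfo, rva_to_offset, offset_to_rva, security_features, build_sample_pe) and the sample section layout are this example's own.

```python
import struct
from typing import Dict, List, Optional, Tuple

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,
    "ASLR":            0x0040,   # DYNAMIC_BASE
    "FORCE_INTEGRITY": 0x0080,
    "DEP":             0x0100,   # NX_COMPAT
    "NO_SEH":          0x0400,
    "APPCONTAINER":    0x1000,
    "CFG":             0x4000,   # GUARD_CF
}


class PEInfo:
    """Headers and section table of a PE32/PE32+ image parsed from raw bytes."""

    def __init__(self, data: bytes):
        if data[:2] != b"MZ":
            raise ValueError("missing MZ signature")
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        coff = pe_off + 4
        (self.machine, nsections, _, _, _,
         opt_size, self.characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
        opt = coff + 20
        self.magic = struct.unpack_from("<H", data, opt)[0]
        if self.magic not in (0x10B, 0x20B):
            raise ValueError("unknown optional header magic 0x%x" % self.magic)
        self.is_pe32plus = self.magic == 0x20B
        # SectionAlignment, FileAlignment, SizeOfHeaders and DllCharacteristics sit at
        # the same offsets in PE32 and PE32+; only ImageBase and stack/heap sizes widen.
        self.section_align, self.file_align = struct.unpack_from("<II", data, opt + 32)
        self.size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
        self.dll_characteristics = struct.unpack_from("<H", data, opt + 70)[0]
        # (name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData)
        self.sections: List[Tuple[str, int, int, int, int]] = []
        sec = opt + opt_size
        for i in range(nsections):
            name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec + i * 40)
            self.sections.append((name.rstrip(b"\0").decode("latin-1"), va, vsize, rawsize, rawptr))


def rva_to_offset(pe: PEInfo, rva: int) -> Optional[int]:
    """Map an RVA to a file offset; None if nothing on disk backs that RVA."""
    if rva < pe.size_of_headers:            # headers are mapped 1:1 at the image base
        return rva
    for _name, va, vsize, rawsize, rawptr in pe.sections:
        span = max(vsize, rawsize)          # the loader maps the larger of the two
        if va <= rva < va + span:
            delta = rva - va
            if delta >= rawsize:            # virtual-only part (e.g. .bss): not on disk
                return None
            return rawptr + delta
    return None


def offset_to_rva(pe: PEInfo, offset: int) -> Optional[int]:
    """Inverse mapping: file offset to RVA, None if the offset is outside every section."""
    if offset < pe.size_of_headers:
        return offset
    for _name, va, _vsize, rawsize, rawptr in pe.sections:
        if rawsize and rawptr <= offset < rawptr + rawsize:
            return va + (offset - rawptr)
    return None


def security_features(pe: PEInfo) -> Dict[str, bool]:
    """Mitigations advertised in DllCharacteristics (SafeSEH needs the Load Config directory, not checked here)."""
    return {name: bool(pe.dll_characteristics & bit) for name, bit in DLL_FLAGS.items()}


def build_sample_pe(dll_characteristics: int = 0x0140, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE for demonstration: MZ header, PE header, three sections, no code."""
    sections = [  # (name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData)
        (b".text", 0x1000, 0x200, 0x200, 0x400),
        (b".data", 0x2000, 0x100, 0x200, 0x600),
        (b".bss",  0x3000, 0x1000, 0, 0),           # virtual-only: no bytes on disk
    ]
    opt_size = 240 if pe32plus else 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, len(sections),
                       0, 0, 0, opt_size, 0x0022 if pe32plus else 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)     # Magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                  # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 60, 0x400)                           # SizeOfHeaders
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, 16)         # NumberOfRvaAndSizes
    img = bytearray(dos + b"PE\0\0" + coff + bytes(opt))
    for name, va, vsize, rawsize, rawptr in sections:
        img += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0)
    img += b"\0" * (0x800 - len(img))                                # pad to cover raw data
    return bytes(img)


if __name__ == "__main__":
    pe = PEInfo(build_sample_pe())
    print("PE32+" if pe.is_pe32plus else "PE32", [s[0] for s in pe.sections])
    print("RVA 0x2050 -> offset", hex(rva_to_offset(pe, 0x2050)))
    print("RVA 0x3010 -> offset", rva_to_offset(pe, 0x3010))          # None: .bss has no raw data
    print(security_features(pe))
```

The virtual-only case matters for real samples: an RVA inside a section whose SizeOfRawData is zero (or smaller than its VirtualSize) exists in memory but has no file offset, so a converter must return "not on disk" rather than a bogus offset. Packed files and import descriptors placed in such regions are the usual way to hit it.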
Changelog pev 0.80:
! Missing documentation for libpe.
! peres does not reconstruct icons and cursors extracted from the resources section.
* The -V switch is now used by all pev programs to show their version numbers.
* pehash: the hash of the whole file is now shown by default (-c option).
* pestr: --net option removed (it may be re-added in the future).
* udis86 updated to version 1.7.2.
+ Basic plugins support.
+ cpload: new tool for CPL file debugging (Windows only).
+ Fixed: pestr was unable to handle very large strings.
+ Fixed: valid XML and HTML output formats (Jan Seidl)
+ pehash: Import Hash (imphash) support for both Mandiant and pefile’s implementation.
+ peres: output the PE File Version with -v option.
+ Support for pev.conf configuration file.
- readpe can now read virtual import descriptors.
Building pev requires the OpenSSL development headers. On Debian/Ubuntu:
apt-get install libssl-dev
On Fedora/RHEL/CentOS:
yum install openssl-devel
Clone the repository together with its submodules:
git clone --recursive https://github.com/merces/pev.git
How to build on OS X?
Homebrew installs OpenSSL under /usr/local/opt/openssl, which is not on the default include and library search paths, so point the build at it explicitly:
CFLAGS="-I/usr/local/opt/openssl/include/" LDFLAGS="-L/usr/local/opt/openssl/lib/" make