PEV

Description

PEV is a multiplatform toolkit for working with PE (Portable Executable) binaries. Its main goal is to provide feature-rich tools for properly analyzing binaries, especially suspicious ones.

TOOLS

OFS2RVA-PEV

ofs2rva <offset> FILE
Convert raw file offset to RVA

Options

 -v, --version                          show version and exit
 --help                                 show this help and exit

Example

cyborg@cyborg:~$ ofs2rva 0x1b9b3 calc.exe
0x1c9b3


PEDIS-PEV

pedis OPTIONS FILE
Disassemble PE sections and functions (by default, until a RET or LEAVE instruction is found)

Options

 --att                                  set AT&T syntax
 -e, --entrypoint                       disassemble entrypoint
 -f, --format <text|csv|xml|html>       change output format (default: text)
 -m, --mode <16|32|64>                  disassembly mode (default: auto)
 -i, <number>                           number of instructions to be disassembled
 -n, <number>                           number of bytes to be disassembled
 -o, --offset <offset>                  disassemble at specified file offset
 -r, --rva <rva>                        disassemble at specified RVA
 -s, --section <section_name>           disassemble entire section given
 -v, --version                          show version and exit
 --help                                 show this help and exit

Example

cyborg@cyborg:~$ pedis -o 0x1b9b3 calc.exe
0101b9b3:                        15 44 13 00 01                  adc eax, 0x1001344
0101b9b8:                        80 3d 0a 43 05 01 00            cmp byte [0x105430a], 0x0
0101b9bf:                        8b f8                           mov edi, eax
0101b9c1:                        0f 85 a5 dd ff ff               jnz dword 0xffffffffffffddb9
0101b9c7:                        80 3d 09 43 05 01 00            cmp byte [0x1054309], 0x0
0101b9ce:                        b8 cd 03 00 00                  mov eax, 0x3cd
0101b9d3:                        0f 84 d8 a8 00 00               jz dword 0xa8fe
0101b9d9:                        8d 48 02                        lea ecx, [eax+0x2]


PEPACK-PEV

pepack FILE
Search for packers in PE files

Options

 -d, --database <file>                  use database file (default: ./userdb.txt)
 -f, --format <text|csv|xml|html>       change output format (default: text)
 -v, --version                          show version and exit
 --help                                 show this help and exit

Example

cyborg@cyborg:~$ pepack calc.exe 
packer:                          none
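pepack's "packer:" line comes from matching PEiD-style signatures (the userdb.txt format loaded with -d) against the bytes at the entrypoint. As an added example that is not part of the pev project or of this page, the Python below parses a constructed userdb fragment, honours the ?? wildcard and the ep_only flag, and reports which entries match a constructed byte buffer. The signature names and byte patterns (Demo Packer A/B, Demo Marker C) and the helpers parse_userdb, match_at and scan are this example's own inventions, not real packer signatures or pev code.

```python
import re

# Constructed userdb.txt-style entries in the PEiD signature format that
# pepack reads with -d.  The patterns are made up for this example and are
# not real packer signatures.
USERDB_SAMPLE = """
[Demo Packer A]
signature = 60 E8 ?? ?? ?? ?? 5D 81 ED
ep_only = true

[Demo Packer B]
signature = 55 8B EC 6A FF 68 ?? ?? ?? ??
ep_only = true

[Demo Marker C]
signature = 44 45 4D 4F
ep_only = false
"""


def parse_userdb(text):
    """Parse PEiD-style entries into (name, pattern, ep_only) tuples.

    pattern is a list whose elements are an int byte value or None for a
    '??' wildcard.  Entries without a signature line are skipped.
    """
    entries = []
    name, sig, ep_only = None, None, True
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment line
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:                                          # new [Name] block
            if name is not None and sig is not None:
                entries.append((name, sig, ep_only))
            name, sig, ep_only = m.group(1), None, True
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "signature":
            sig = [None if tok == "??" else int(tok, 16) for tok in value.split()]
        elif key == "ep_only":
            ep_only = value.lower() == "true"
    if name is not None and sig is not None:
        entries.append((name, sig, ep_only))
    return entries


def match_at(data, offset, pattern):
    """True if pattern matches data at offset, treating None as a wildcard."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def scan(data, ep_offset, entries):
    """Return the names of matching entries (what pepack prints after 'packer:').

    ep_only entries are tested only at the entrypoint's raw file offset; the
    others are searched over the whole buffer.
    """
    hits = []
    for name, pattern, ep_only in entries:
        if ep_only:
            found = match_at(data, ep_offset, pattern)
        else:
            found = any(match_at(data, i, pattern)
                        for i in range(len(data) - len(pattern) + 1))
        if found:
            hits.append(name)
    return hits


# Constructed sample: 16 NOPs, a "Demo Packer A" stub at the pretend
# entrypoint offset 16, then the "DEMO" marker further on.
SAMPLE_DATA = (b"\x90" * 16
               + bytes([0x60, 0xE8, 0x11, 0x22, 0x33, 0x44, 0x5D, 0x81, 0xED])
               + b"\x00" * 7 + b"DEMO" + b"\x00" * 4)
SAMPLE_EP = 16

if __name__ == "__main__":
    db = parse_userdb(USERDB_SAMPLE)
    hits = scan(SAMPLE_DATA, SAMPLE_EP, db)
    print("packer:", ", ".join(hits) if hits else "none")
```

The ep_only distinction matters in practice: a signature tested everywhere in the file will match stubs that were merely embedded as data, so a signature database that sets ep_only for packer stubs produces far fewer false positives than a plain byte search.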


PESCAN-PEV

pescan OPTIONS FILE
Search for suspicious things in PE files

Options

 -f, --format <text|csv|xml|html>       change output format (default: text)
 -v, --verbose                          show more info about items found
 --help                                 show this help and exit

Example

cyborg@cyborg:~$ pescan calc.exe
entrypoint:                      normal - va: 0x12d6c - raw: 0x1216c
DOS stub:                        normal
TLS directory:                   not found
Sections:                        4


READPE-PEV

readpe OPTIONS FILE
Show PE file headers

Options

 -A, --all                              full output (default)
 -H, --all-headers                      print all PE headers
 -S, --all-sections                     print all PE sections headers
 -f, --format <text|csv|xml|html>       change output format (default: text)
 -d, --dirs                             show data directories
 -h, --header <dos|coff|optional>       show specific header
 -i, --imports                          show imported functions
 -e, --exports                          show exported functions
 -v, --version                          show version and exit
 --help                                 show this help and exit

Example

cyborg@cyborg:~$ readpe -H calc.exe 

DOS Header
Magic number:                    0x5a4d (MZ)
Bytes in last page:              144
Pages in file:                   3
Relocations:                     0
Size of header in paragraphs:    4
Minimum extra paragraphs:        0
Maximum extra paragraphs:        65535
Initial (relative) SS value:     0
Initial SP value:                0xb8
Initial IP value:                0
Initial (relative) CS value:     0
Address of relocation table:     0x40
Overlay number:                  0
OEM identifier:                  0
OEM information:                 0
PE header offset:                0xd8
COFF/File header
Machine:                         0x14c Intel 386 and compatible (32-bits)
Number of sections:              4
Date/time stamp:                 1290246045 (Sat - 20 Nov 2010 09:40:45 UTC)
Symbol Table offset:             0
Number of symbols:               0
Size of optional header:         0xe0
Characteristics:                 0x102
                                 executable image
                                 32-bit machine
Optional/Image header
Magic number:                    0x10b (PE32)
Linker major version:            9
Linker minor version:            0
Size of .text section:           0x52e00
Size of .data section:           0x6a600
Size of .bss section:            0
Entrypoint:                      0x12d6c
Address of .text section:        0x1000
Address of .data section:        0x52000
ImageBase:                       0x1000000
Alignment of sections:           0x1000
Alignment factor:                0x200
Major version of required OS:    6
Minor version of required OS:    1
Major version of image:          6
Minor version of image:          1
Major version of subsystem:      6
Minor version of subsystem:      1
Size of image:                   0xc0000
Size of headers:                 0x400
Checksum:                        0xcbd30
Subsystem required:              0x2 (Windows GUI)
DLL characteristics:             0x8140
Size of stack to reserve:        0x40000
Size of stack to commit:         0x2000
Size of heap space to reserve:   0x100000
Size of heap space to commit:    0x1000


RVA2OFS-PEV

rva2ofs <rva> FILE
Convert RVA to raw file offset

Options

 -v, --version                          show version and exit
 --help                                 show this help and exit

Example

cyborg@cyborg:~$ rva2ofs 0x32db cca.dll
0x26db
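ofs2rva, rva2ofs, readpe and pescan all start from the same place: the DOS header's e_lfanew leads to the PE signature, the COFF header gives the section count and optional-header size, and the section table gives each section's VirtualAddress, VirtualSize, PointerToRawData and SizeOfRawData. As an added example that is not part of the pev project or of this page, the Python below performs that header walk, implements the two address conversions over the section table, and applies a pescan-style entrypoint check. It builds a constructed, headers-only PE32 image with made-up section values (not calc.exe or any real file) so it runs offline; the names build_sample_pe, parse_sections, rva2ofs, ofs2rva and check_entrypoint are this example's own.

```python
import struct

# Constructed section table: (name, VirtualAddress, VirtualSize,
# PointerToRawData, SizeOfRawData).  Made-up values, not from a real binary.
SAMPLE_SECTIONS = [
    (".text", 0x1000, 0x2000, 0x400, 0x2000),
    (".data", 0x3000, 0x1000, 0x2400, 0x200),   # only partly file-backed
    (".bss",  0x4000, 0x1000, 0x0,   0x0),      # no file bytes at all
]
SAMPLE_ENTRY_RVA = 0x1234


def build_sample_pe(entry_rva, sections):
    """Build a headers-only PE32 image (constructed test data, not a real file)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)         # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)           # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)            # FileAlignment
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, va, rsize, rptr, 0, 0, 0, 0, 0x60000020)
        for name, va, vsize, rptr, rsize in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> optional header ->
    section table (the fields readpe -H / -S print) and return
    (entry_rva, [(name, va, vsize, raw_ptr, raw_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ magic")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    entry_rva, = struct.unpack_from("<I", data, opt + 16)   # same offset in PE32 and PE32+
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), va, vsize, rptr, rsize))
    return entry_rva, sections


def rva2ofs(rva, sections):
    """Map an RVA to a raw file offset (what rva2ofs does).  Returns None when
    the RVA lies in no section or in a part of one that has no bytes on disk."""
    for _, va, vsize, rptr, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            delta = rva - va
            return rptr + delta if delta < rsize else None
    return None


def ofs2rva(ofs, sections):
    """Map a raw file offset to an RVA (what ofs2rva does).  Header bytes and
    slack outside every section's raw data map to None."""
    for _, va, vsize, rptr, rsize in sections:
        if rsize and rptr <= ofs < rptr + rsize:
            return va + (ofs - rptr)
    return None


def check_entrypoint(data):
    """pescan-style entrypoint check: an entrypoint with no file bytes behind
    it cannot hold real code and is worth flagging."""
    entry_rva, sections = parse_sections(data)
    raw = rva2ofs(entry_rva, sections)
    if raw is None:
        return "suspicious - rva: %#x - not backed by file data" % entry_rva
    return "normal - rva: %#x - raw: %#x" % (entry_rva, raw)


if __name__ == "__main__":
    pe = build_sample_pe(SAMPLE_ENTRY_RVA, SAMPLE_SECTIONS)
    _, secs = parse_sections(pe)
    print("rva2ofs 0x1234 ->", hex(rva2ofs(0x1234, secs)))
    print("ofs2rva 0x634  ->", hex(ofs2rva(0x634, secs)))
    print("entrypoint:", check_entrypoint(pe))
    print("entrypoint:", check_entrypoint(build_sample_pe(0x4100, SAMPLE_SECTIONS)))
```

Two failure modes are deliberately covered: a .bss-style section has a VirtualSize but a SizeOfRawData of zero, and a section whose VirtualSize exceeds its SizeOfRawData is only partly on disk. In both cases the conversion returns None instead of a bogus offset, which is exactly the situation a packed or hand-crafted file tends to create and the reason the entrypoint check is useful.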
©2017 Ztrela Knowledge Solutions Pvt. Ltd
