readpe v0.8.3 releases: The Portable Executables (PE) file analysis toolkit

PE file analysis

readpe

readpe is a full-featured, open-source, multiplatform command-line toolkit to work with PE (Portable Executables) binaries.

Use

Getting headers and sections

readpe is the right tool for parsing PE files without inferring anything about their fields and values: it reports what the headers actually contain. Using readpe you can see all the basic PE file information. For example, to see the Optional Header, you could run:

$ readpe --header optional putty.exe

Optional/Image header
Magic number: 0x10b (PE32)
Linker major version: 7
Linker minor version: 10
Size of .text section: 0x5c000
Size of .data section: 0x27000
Size of .bss section: 0
Entrypoint: 0x54eb0
Address of .text section: 0x1000
Address of .data section: 0x5d000
ImageBase: 0x400000
Alignment of sections: 0x1000
Alignment factor: 0x1000
Major version of required OS: 4
Minor version of required OS: 0
Major version of image: 0
Minor version of image: 0
Major version of subsystem: 4
Minor version of subsystem: 0
Size of image: 0x84000
Size of headers: 0x1000
Checksum: 0
Subsystem required: 0x2 (IMAGE_SUBSYSTEM_WINDOWS_GUI)
DLL characteristics: 0
DLL characteristics names
Size of stack to reserve: 0x100000
Size of stack to commit: 0x1000
Size of heap space to reserve: 0x100000
Size of heap space to commit: 0x1000


Looking at function directories

readpe can show you the PE data directories with the -d option, like this:

$ readpe -d putty.exe

Data directories
Directory
IMAGE_DIRECTORY_ENTRY_IMPORT: 0x78378 (240 bytes)
Directory
IMAGE_DIRECTORY_ENTRY_RESOURCE: 0x80000 (15248 bytes)
Directory
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG: 0x78318 (72 bytes)
Directory
IMAGE_DIRECTORY_ENTRY_IAT: 0x5d000 (1292 bytes)
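As an added illustration of what the Optional Header and data directory listings above carry (example code written for this page, not code from the readpe project), the following Python parser walks the DOS header, PE signature, COFF header and PE32 Optional Header and lists the populated data directories, reporting raw field values only. The sample image is constructed inline from the putty.exe values shown above; bounding NumberOfRvaAndSizes by SizeOfOptionalHeader is the check a parser needs so a malformed header cannot make it read past the header.

```python
import struct

# Data directory entry names in PE-spec index order (readpe prints them with the IMAGE_DIRECTORY_ENTRY_ prefix).
DIR_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
             "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
             "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
STD_FIELDS = ("Magic", "MajorLinkerVersion", "MinorLinkerVersion", "SizeOfCode",
              "SizeOfInitializedData", "SizeOfUninitializedData", "AddressOfEntryPoint",
              "BaseOfCode", "BaseOfData")
WIN_FIELDS = ("ImageBase", "SectionAlignment", "FileAlignment", "MajorOSVersion", "MinorOSVersion",
              "MajorImageVersion", "MinorImageVersion", "MajorSubsystemVersion",
              "MinorSubsystemVersion", "Win32VersionValue", "SizeOfImage", "SizeOfHeaders",
              "CheckSum", "Subsystem", "DllCharacteristics", "SizeOfStackReserve",
              "SizeOfStackCommit", "SizeOfHeapReserve", "SizeOfHeapCommit", "LoaderFlags",
              "NumberOfRvaAndSizes")

def parse_pe32(data):
    """Walk DOS header -> PE signature -> COFF header -> PE32 optional header, returning raw values only."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or e_lfanew + 24 > len(data):
        raise ValueError("no PE signature / COFF header at e_lfanew")
    coff = e_lfanew + 4
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    if opt + opt_size > len(data) or opt_size < 96:
        raise ValueError("optional header truncated")
    hdr = dict(zip(STD_FIELDS, struct.unpack_from("<HBBIIIIII", data, opt)))
    if hdr["Magic"] != 0x10B:                                  # PE32 only; 0x20B would be PE32+
        raise ValueError("not a PE32 image: magic %#x" % hdr["Magic"])
    hdr.update(zip(WIN_FIELDS, struct.unpack_from("<IIIHHHHHHIIIIHHIIIIII", data, opt + 28)))
    # Trust NumberOfRvaAndSizes only as far as SizeOfOptionalHeader actually has room for.
    n_dirs = min(hdr["NumberOfRvaAndSizes"], 16, (opt_size - 96) // 8)
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(n_dirs)]
    hdr["DataDirectories"] = [("IMAGE_DIRECTORY_ENTRY_" + DIR_NAMES[i], rva, size)
                              for i, (rva, size) in enumerate(dirs) if rva or size]
    return hdr

def build_sample_pe32():
    """Constructed header-only PE32 (no sections) carrying the values readpe printed for putty.exe above."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")  # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)           # i386, SizeOfOptionalHeader = 0xE0
    std = struct.pack("<HBBIIIIII", 0x10B, 7, 10, 0x5C000, 0x27000, 0, 0x54EB0, 0x1000, 0x5D000)
    win = struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x1000, 4, 0, 0, 0, 4, 0, 0,
                      0x84000, 0x1000, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1], dirs[2], dirs[10], dirs[12] = (0x78378, 240), (0x80000, 15248), (0x78318, 72), (0x5D000, 1292)
    return dos + b"PE\0\0" + coff + std + win + b"".join(struct.pack("<II", *d) for d in dirs)
```

To inspect a real file, pass open(path, "rb").read() to parse_pe32 and compare the returned fields with readpe's output.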


If the executable has an import directory, you may want to see the list of imported functions with the -i / --imports option:

$ readpe -i putty.exe

Imported functions
Library
Name: ADVAPI32.dll
Functions
Function
Name: RegCloseKey
Function
Name: RegQueryValueExA
Function
Name: RegOpenKeyA
Function
Name: GetUserNameA
Function
Name: EqualSid
Function
Name: CopySid
Library
Name: COMCTL32.dll
Functions
Function
Ordinal: 14
Function
Ordinal: 15
Function
Ordinal: 17
Function
Ordinal: 13
Library
Name: comdlg32.dll
Functions
Function
Name: ChooseColorA
Function
Name: ChooseFontA


You can list the exported functions as well with the -e / --exports option.

Changelog v0.8.3

  • Fix 8 character long section names being cut off #196
  • Various improvements for readpe (thank you again @pali) #200
  • Removed all exit() calls from libpe #202
  • Fix printing section names that are 8 bytes long (regression fix; thank you @gerow) #203
  • Add Linux install info to readme (thank you @gemesa ) #204
  • Remove _FORTIFY_SOURCE definitions (gemesa) #206
  • Fix and improve tests (gemesa again) #208

Source: https://github.com/mentebinaria/