Category: Reverse Engineering. Tags: pe, windows, executable, malware, forensics, analysis.

readpe

readpe is a toolkit to analyze Microsoft Windows PE binary files, parsing and comparing PE32/PE32+ executables like EXE, DLL, OCX. It provides multiple command-line tools to inspect headers, sections, resources, dependencies, packers, and suspicious characteristics.

Description

readpe is designed for application security research, digital forensics, incident response, and malware analysis. Its tools parse PE files and extract headers, sections, resources, imports, exports, and security mitigations. It is comparable to elftools, but for PE files, and covers more ground than single-purpose tools such as icoextract or ntldd.

The package includes commands like ofs2rva, pedis, pehash, peldd, pepack, peres, pescan, pesec, pestr, readpe, and rva2ofs. These enable detailed examination of PE internals, detection of packers, disassembly of sections, hashing of components, and identification of anomalies.

It supports several output formats and is built on the libpe1t64 library, which reads both 32-bit and 64-bit PE files.

How It Works

readpe uses the libpe1t64 library to parse the PE structures: the DOS, COFF and optional headers, the section table, data directories, imports, exports, and resources. Each tool then dissects one part of the file: ofs2rva and rva2ofs convert between raw file offsets and RVAs; pedis disassembles code in Intel or AT&T syntax; pehash hashes the whole file, individual sections and headers with md5, sha1, sha256, ssdeep and imphash; pepack matches packers against a signature database; peres extracts resources; pestr searches for strings; pesec checks security mitigations and certificates; and pescan flags suspicious traits.
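As an added illustration of the header walk and the RVA/offset mapping that ofs2rva and rva2ofs perform (example code written for this page, not readpe's or libpe's own code), the following Python builds a constructed minimal PE32 image in memory, parses its section table with bounds checks, and converts in both directions. The rule that VirtualSize governs the RVA range when it is non-zero is an assumption of this example.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def build_sample_pe():
    """Constructed minimal PE32 image: headers plus two section headers, no section bodies."""
    dos = bytearray(b"MZ".ljust(0x80, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew: PE signature at file offset 0x80
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections, opt hdr 0xE0
    opt = struct.pack("<H", 0x10B).ljust(0xE0, b"\0")  # PE32 magic, rest zeroed
    secs = [  #                 name    vsize   va      rawsz   rawptr  (relocs/lines)  chars
        struct.pack(SECTION_FMT, b".text", 0x1000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0, 0x60000020),
        struct.pack(SECTION_FMT, b".data", 0x800, 0x2000, 0x800, 0x1400, 0, 0, 0, 0, 0xC0000040),
    ]
    return bytes(dos) + b"PE\0\0" + coff + opt + b"".join(secs)

def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table, with bounds checks."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    if table + nsec * 40 > len(data):
        raise ValueError("section table runs past end of file")  # truncated or malformed
    return [dict(name=f[0].rstrip(b"\0").decode(), vsize=f[1], va=f[2], rawsz=f[3], rawptr=f[4])
            for f in (struct.unpack_from(SECTION_FMT, data, table + i * 40) for i in range(nsec))]

def rva2ofs(secs, rva):
    """RVA -> raw file offset. RVAs below the first section (the headers) map 1:1."""
    if secs and rva < secs[0]["va"]:
        return rva
    for s in secs:
        size = s["vsize"] or s["rawsz"]  # assumption: VirtualSize governs when non-zero
        if s["va"] <= rva < s["va"] + size:
            return rva - s["va"] + s["rawptr"]
    return None  # not backed by any section

def ofs2rva(secs, ofs):
    """Raw file offset -> RVA via PointerToRawData/SizeOfRawData."""
    if secs and ofs < secs[0]["rawptr"]:
        return ofs
    for s in secs:
        if s["rawptr"] <= ofs < s["rawptr"] + s["rawsz"]:
            return ofs - s["rawptr"] + s["va"]
    return None
```

A None result means the address is not backed by any section, which is worth flagging rather than silently clamping when triaging a suspicious sample.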

Installation

```bash
sudo apt install readpe
```

Flags

-A, --all: Full output (default) for readpe.
-H, --all-headers: Show all PE headers for readpe.
-S, --all-sections: Show PE section headers for readpe.
-d, --dirs: Show data directories for readpe.
-h, --header <dos|coff|optional>: Show a specific header for readpe. It can be used multiple times.
-i, --imports: Show imported functions for readpe.
-e, --exports: Show exported functions for readpe.
--att: Set AT&T assembly syntax (default: Intel) for pedis.
-e, --entrypoint: Disassemble the entire entrypoint function for pedis.
-f, --format <text|csv|json|html|xml>: Change output format (default: text) for multiple tools.
-a, --all: Hash file, sections and headers with md5, sha1, sha256, ssdeep and imphash for pehash.
-v, --verbose: Show more information about found items for pescan.

Examples

Convert a raw file offset to an RVA.
ofs2rva 0x1b9b8 calc.exe

Disassemble PE sections and functions at the specified RVA.
pedis -r 0x4c4df putty.exe

Calculate hashes of a specific PE section.
pehash -s '.text' winzip.exe

Display PE library dependencies.
peldd winzip.exe

Search for packers in PE files.
pepack putty.exe

Show all information about the resource section and extract resources.
peres -a putty.exe

Search for suspicious things in PE files.
pescan putty.exe

Check for security features in PE files.
pesec wordpad.exe

Search for strings in PE files.
pestr acrobat.exe

Show a specific PE file header.
readpe --header optional winzip.exe

Convert an RVA to a raw file offset.
rva2ofs 0x12db cards.dll
Updated 2026-04-16. Source: kali.org