Reverse Engineeringpewindowsexecutabledumpresourcesheaderssections

ruby-pedump

ruby-pedump is a pure Ruby tool for dumping headers, sections, and extracting resources from Win32 PE executable files like EXEs and DLLs. It provides flexible output formats and extraction options for analyzing PE structures.

Description

ruby-pedump is designed for reverse engineers and malware analysts working with Windows Portable Executable (PE) files. It enables dumping of PE headers, sections, and resources without requiring native Windows tools, making it ideal for Linux environments like Kali. The tool supports various output formats including binary, C-style, hex, JSON, and YAML, facilitating integration into analysis pipelines.

Use cases include malware reverse engineering, where analysts need to inspect PE structures, extract embedded resources like icons or manifests, or convert virtual addresses to file offsets. It also offers a web upload feature to generate interactive HTML reports with previews, useful for sharing findings.

The package is lightweight at 2.41 MB and depends on Ruby libraries like ruby-awesome-print and ruby-zhexdump. An interactive IRB console mode allows loading a PE file for dynamic exploration.

How It Works

The tool parses Win32 PE file structures using pure Ruby, accessing headers, sections, data directories, and resources via offsets, RVAs, or names. It supports extraction by identifiers like datadir:EXPORT, resource:ICON/#1, or section:.text. Output is formatted in user-specified styles, with --force enabling aggressive parsing that may raise exceptions. The --va2file option performs RVA to raw file offset conversion based on PE section alignments.

Installation

bash

sudo apt install ruby-pedump

Flags

--versionPrint version information and exit

-v, --verboseRun verbosely (can be used multiple times)

-q, --quietSilent any warnings

-F, --forceTry to dump by all means (can cause exceptions & heavy wounds)

-f, --format FORMATOutput format: bin,c,dump,hex,inspect,json,table,yaml (default: table)

--extract IDExtract a resource/section/data_dir. ID: datadir:EXPORT - datadir by type; ID: resource:0x98478 - resource by offset; ID: resource:ICON/#1 - resource by type & name; ID: section:.text - section by name; ID: section:rva/0x1000 - section by RVA; ID: section:raw/0x400 - section by RAW_PTR

--va2file VAConvert RVA to file offset

-W, --webUploads files to a https://pedump.me for a nice HTML tables with image previews, candies & stuff

-C, --consoleopens IRB console with specified file loaded

Examples

Display the full usage help with all available options

pedump-ruby -h

Dump PE file verbosely using default table format

pedump-ruby -v example.exe

Dump PE structures in JSON format

pedump-ruby -f json example.dll

Extract the export data directory

pedump-ruby --extract datadir:EXPORT example.exe

Extract the first icon resource

pedump-ruby --extract resource:ICON/#1 example.exe

Extract the .text section by name

pedump-ruby --extract section:.text example.exe

Convert RVA 0x1000 to file offset

pedump-ruby --va2file 0x1000 example.exe

Upload the PE file to pedump.me for HTML report

pedump-ruby -W example.exe

Updated 2026-04-16kali.org ↗