
ruby-pedump

ruby-pedump is a pure Ruby tool for dumping headers, sections, and extracting resources from Win32 PE executable files like EXEs and DLLs. It provides flexible output formats and extraction options for analyzing PE structures.

Description

ruby-pedump is designed for reverse engineers and malware analysts working with Windows Portable Executable (PE) files. It enables dumping of PE headers, sections, and resources without requiring native Windows tools, making it ideal for Linux environments like Kali. The tool supports various output formats including binary, C-style, hex, JSON, and YAML, facilitating integration into analysis pipelines.

Use cases include malware reverse engineering, where analysts need to inspect PE structures, extract embedded resources like icons or manifests, or convert virtual addresses to file offsets. It also offers a web upload feature to generate interactive HTML reports with previews, useful for sharing findings.

The package is lightweight at 2.41 MB and depends on Ruby libraries like ruby-awesome-print and ruby-zhexdump. An interactive IRB console mode allows loading a PE file for dynamic exploration.

How It Works

The tool parses Win32 PE file structures using pure Ruby, accessing headers, sections, data directories, and resources via offsets, RVAs, or names. It supports extraction by identifiers like datadir:EXPORT, resource:ICON/#1, or section:.text. Output is formatted in user-specified styles, with --force enabling aggressive parsing that may raise exceptions. The --va2file option performs RVA to raw file offset conversion based on PE section alignments.
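The RVA to raw offset translation described above is easy to get wrong at section boundaries, so here is an added example (not ruby-pedump's own code) that parses a PE section table and performs the same conversion `--va2file` does conceptually. The PE image it operates on is constructed by hand inside the script; the function names `parse_pe`, `rva_to_file_offset` and `build_sample_pe` are this example's own, and the lookup rule (headers map 1:1 below `SizeOfHeaders`, sections are matched on their `SectionAlignment`-rounded virtual extent) is a standard reading of the PE spec, not a statement about pedump's internals.

```ruby
# Added example, not ruby-pedump's own code: parse a PE section table and
# translate an RVA to a raw file offset, the operation --va2file performs.
# The PE image is constructed by hand below so the script runs offline.

Section = Struct.new(:name, :virtual_size, :virtual_address, :raw_size, :raw_ptr)
PeImage = Struct.new(:section_alignment, :file_alignment, :size_of_headers, :sections)

# Parse just enough of the DOS, COFF and optional headers to reach the section table.
def parse_pe(pe)
  raise "not an MZ file" unless pe[0, 2] == "MZ".b
  e_lfanew = pe[0x3C, 4].unpack1("V")
  raise "missing PE signature" unless pe[e_lfanew, 4] == "PE\x00\x00".b
  coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
  nsections = pe[coff + 2, 2].unpack1("v")
  size_opt  = pe[coff + 16, 2].unpack1("v")
  opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
  magic = pe[opt, 2].unpack1("v")
  raise "unsupported optional header magic" unless [0x10b, 0x20b].include?(magic) # PE32 / PE32+
  # These three fields sit at the same offsets in PE32 and PE32+.
  section_alignment = pe[opt + 32, 4].unpack1("V")
  file_alignment    = pe[opt + 36, 4].unpack1("V")
  size_of_headers   = pe[opt + 60, 4].unpack1("V")
  table = opt + size_opt                                # IMAGE_SECTION_HEADER[]
  sections = Array.new(nsections) do |i|
    name, vsize, va, rawsize, rawptr = pe[table + i * 40, 40].unpack("a8VVVV")
    Section.new(name.delete("\x00"), vsize, va, rawsize, rawptr)
  end
  PeImage.new(section_alignment, file_alignment, size_of_headers, sections)
end

# Round x up to a multiple of a (a is a power of two for PE alignments).
def align_up(x, a)
  (x + a - 1) & ~(a - 1)
end

# RVA -> raw offset. Headers map 1:1 below SizeOfHeaders; otherwise find the
# section whose aligned virtual extent covers the RVA. Returns nil when the
# RVA has no backing bytes on disk (virtual padding past SizeOfRawData, a
# zero-raw-size .bss section, or an address outside every section).
def rva_to_file_offset(img, rva)
  return rva if rva < img.size_of_headers
  img.sections.each do |s|
    extent = align_up([s.virtual_size, s.raw_size].max, img.section_alignment)
    next unless rva >= s.virtual_address && rva < s.virtual_address + extent
    delta = rva - s.virtual_address
    return nil if delta >= s.raw_size
    return s.raw_ptr + delta
  end
  nil
end

# --- constructed sample image (not a real binary) -----------------------------
def section_header(name, vsize:, va:, rawsize:, rawptr:)
  [name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020].pack("a8VVVVVVvvV")
end

def build_sample_pe
  dos = ("MZ".b + ("\x00".b * 58) + [0x80].pack("V")).ljust(0x80, "\x00".b) # e_lfanew = 0x80
  size_opt = 0xE0
  file_hdr = [0x014c, 3, 0, 0, 0, size_opt, 0x0102].pack("vvVVVvv")         # i386, 3 sections
  opt = "\x00".b * size_opt
  opt[0, 2]  = [0x10b].pack("v")     # Magic: PE32
  opt[32, 4] = [0x1000].pack("V")    # SectionAlignment
  opt[36, 4] = [0x200].pack("V")     # FileAlignment
  opt[60, 4] = [0x400].pack("V")     # SizeOfHeaders
  sections = section_header(".text", vsize: 0x0F00, va: 0x1000, rawsize: 0x1000, rawptr: 0x0400) +
             section_header(".data", vsize: 0x0100, va: 0x2000, rawsize: 0x0200, rawptr: 0x1400) +
             section_header(".bss",  vsize: 0x0800, va: 0x3000, rawsize: 0x0000, rawptr: 0x0000)
  dos + "PE\x00\x00".b + file_hdr + opt + sections
end

if __FILE__ == $PROGRAM_NAME
  img = parse_pe(build_sample_pe)
  [0x100, 0x1010, 0x2080, 0x2300, 0x3010, 0x5000].each do |rva|
    off = rva_to_file_offset(img, rva)
    printf("RVA 0x%x -> %s\n", rva, off ? format("0x%x", off) : "no raw data")
  end
end
```

The sample image deliberately includes the two cases where a naive `rva - VirtualAddress + PointerToRawData` goes wrong: an RVA inside `.data`'s virtual padding (valid in memory, absent on disk) and an RVA inside a `.bss` section with `SizeOfRawData` of zero. Both return `nil` rather than a bogus file offset, which is the behaviour you want before feeding an offset to a hex dumper.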

Installation

```bash
sudo apt install ruby-pedump
```

Flags

| Flag | Description |
|---|---|
| `--version` | Print version information and exit |
| `-v`, `--verbose` | Run verbosely (can be used multiple times) |
| `-q`, `--quiet` | Silence any warnings |
| `-F`, `--force` | Try to dump by all means (can cause exceptions & heavy wounds) |
| `-f`, `--format FORMAT` | Output format: bin, c, dump, hex, inspect, json, table, yaml (default: table) |
| `--extract ID` | Extract a resource/section/data_dir. ID forms: `datadir:EXPORT` (datadir by type); `resource:0x98478` (resource by offset); `resource:ICON/#1` (resource by type & name); `section:.text` (section by name); `section:rva/0x1000` (section by RVA); `section:raw/0x400` (section by RAW_PTR) |
| `--va2file VA` | Convert RVA to file offset |
| `-W`, `--web` | Uploads files to https://pedump.me for nice HTML tables with image previews, candies & stuff |
| `-C`, `--console` | Opens an IRB console with the specified file loaded |

Examples

Display the full usage help with all available options:

```bash
pedump-ruby -h
```

Dump a PE file verbosely using the default table format:

```bash
pedump-ruby -v example.exe
```

Dump PE structures in JSON format:

```bash
pedump-ruby -f json example.dll
```

Extract the export data directory:

```bash
pedump-ruby --extract datadir:EXPORT example.exe
```

Extract the first icon resource:

```bash
pedump-ruby --extract resource:ICON/#1 example.exe
```

Extract the .text section by name:

```bash
pedump-ruby --extract section:.text example.exe
```

Convert RVA 0x1000 to a file offset:

```bash
pedump-ruby --va2file 0x1000 example.exe
```

Upload the PE file to pedump.me for an HTML report:

```bash
pedump-ruby -W example.exe
```
Updated 2026-04-16 (kali.org)