Convert Figma logo to code with AI

blackberry logope_tree

Python module for viewing Portable Executable (PE) files in a tree-view using pefile and PyQt5. Can also be used with IDA Pro and Rekall to dump in-memory PE files and reconstruct imports.

1,301
171
1,301
9

Top Related Projects

FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.

IDA Pro utilities from FLARE team

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).

Program for determining types of files for Windows, Linux and MacOS.

1,850

pefile is a Python module to read and work with PE (Portable Executable) files

1,435

Proof of Concepts (PE, PDF...)

Quick Overview

PE Tree is an open-source Python module for viewing Portable Executable (PE) files in a tree-view using PyQt5. It provides a graphical user interface for analyzing the structure of PE files, making it easier for security researchers and malware analysts to examine Windows executables.

Pros

  • User-friendly graphical interface for PE file analysis
  • Integration with IDA Pro and Ghidra for enhanced functionality
  • Supports both 32-bit and 64-bit PE files
  • Customizable and extensible through plugins

Cons

  • Requires PyQt5, which can be challenging to set up on some systems
  • Limited to PE file format analysis, not suitable for other executable formats
  • May have performance issues with very large PE files
  • Documentation could be more comprehensive for advanced usage

Code Examples

  1. Loading a PE file:
from pe_tree import pe_tree

pe = pe_tree.PETree("path/to/file.exe")
pe.load()
  1. Accessing PE file sections:
for section in pe.sections:
    print(f"Section: {section.Name.decode()}, Size: {section.SizeOfRawData}")
  1. Retrieving imported functions:
for dll in pe.imports:
    for function in dll.imports:
        print(f"Imported: {dll.dll.decode()} - {function.name}")

Getting Started

  1. Install PE Tree:

    pip install pe_tree
    
  2. Run PE Tree GUI:

    from pe_tree import pe_tree_gui
    pe_tree_gui.run()
    
  3. To use PE Tree programmatically:

    from pe_tree import pe_tree
    pe = pe_tree.PETree("path/to/file.exe")
    pe.load()
    # Analyze PE file structure using pe object
    

Competitor Comparisons

FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.

Pros of flare-floss

  • More comprehensive string extraction capabilities, including obfuscated strings
  • Actively maintained with regular updates and community contributions
  • Supports a wider range of file formats beyond PE files

Cons of flare-floss

  • Steeper learning curve for beginners
  • Requires more system resources for complex analysis tasks
  • Limited visualization options compared to pe_tree's GUI

Code Comparison

flare-floss:

strings = floss.main.main(
    sample_file_path,
    min_length=4,
    should_extract_static=True,
    should_extract_stack=True
)

pe_tree:

pe = pefile.PE(sample_file_path)
tree = pe_tree.parse_pe(pe)
strings = pe_tree.get_strings(tree)

Both tools offer string extraction capabilities, but flare-floss provides more advanced options for handling obfuscated strings. pe_tree focuses on PE file structure analysis with a user-friendly GUI, while flare-floss offers more comprehensive string extraction features across various file formats.

IDA Pro utilities from FLARE team

Pros of flare-ida

  • More comprehensive set of reverse engineering tools and scripts
  • Actively maintained with regular updates and contributions
  • Extensive documentation and user guides available

Cons of flare-ida

  • Steeper learning curve due to more complex features
  • Requires IDA Pro, which is a commercial disassembler

Code Comparison

pe_tree:

def parse_pe(self, pe, path):
    self.pe = pe
    self.path = path
    self.image_base = self.pe.OPTIONAL_HEADER.ImageBase
    self.parse_sections()
    self.parse_imports()

flare-ida:

def get_function_name(ea):
    name = idc.get_func_name(ea)
    if name:
        return name
    return "sub_{:X}".format(ea)

def rename_function(ea, new_name):
    idc.set_name(ea, new_name, idc.SN_CHECK)

Both repositories provide tools for analyzing PE files and reverse engineering, but flare-ida offers a more extensive set of features specifically tailored for use with IDA Pro. pe_tree focuses on PE file structure visualization, while flare-ida provides a broader range of reverse engineering capabilities. The code snippets demonstrate the different focus areas, with pe_tree handling PE parsing and flare-ida dealing with IDA Pro-specific function operations.

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).

Pros of pe-sieve

  • Lightweight and focused on detecting and dumping malicious PE modules
  • Offers both command-line and GUI versions for flexibility
  • Actively maintained with frequent updates and improvements

Cons of pe-sieve

  • More specialized tool, primarily for malware analysis
  • Less comprehensive visualization of PE structures
  • May require more technical expertise to interpret results

Code comparison

pe-sieve:

bool ProcessScanner::scanForHollows(HANDLE hProcess, ModuleData& modData, RemoteModuleData& remoteModData, t_scan_status &scan_status)
{
    if (modData.isEmpty() || remoteModData.isEmpty()) {
        return false;
    }
    // ... (scanning logic)
}

pe_tree:

def parse_pe(self, data, base_address=0):
    pe = pefile.PE(data=data)
    self.pe = pe
    self.base_address = base_address
    self.image_base = pe.OPTIONAL_HEADER.ImageBase
    # ... (parsing logic)

pe-sieve focuses on detecting hollowed processes, while pe_tree provides a more general PE parsing and visualization approach. pe-sieve is implemented in C++, offering potentially better performance, while pe_tree uses Python, which may be easier to extend and modify.

Program for determining types of files for Windows, Linux and MacOS.

Pros of Detect-It-Easy

  • More comprehensive file analysis capabilities, supporting a wider range of file formats
  • Advanced signature-based detection system for identifying compilers, packers, and protectors
  • User-friendly GUI with hex viewer and disassembler

Cons of Detect-It-Easy

  • Larger codebase and more complex setup compared to pe_tree
  • May have a steeper learning curve for new users
  • Less focused on specific PE file analysis compared to pe_tree

Code Comparison

pe_tree:

def parse_pe(self, pe, file_path):
    self.pe = pe
    self.file_path = file_path
    self.parse_dos_header()
    self.parse_nt_headers()
    self.parse_sections()

Detect-It-Easy:

bool SpecAbstract::isPEPlus(QIODevice *pDevice)
{
    bool bResult=false;
    
    XPE pe(pDevice,true);
    
    if(pe.isValid())
    {
        bResult=pe.isPEPlus();
    }
    
    return bResult;
}

Both projects focus on analyzing executable files, but Detect-It-Easy offers a more comprehensive approach with its signature-based detection system and support for multiple file formats. pe_tree, on the other hand, provides a more streamlined and focused analysis of PE files, which may be preferable for users specifically working with Windows executables.

1,850

pefile is a Python module to read and work with PE (Portable Executable) files

Pros of pefile

  • More established and widely used in the security community
  • Extensive documentation and examples available
  • Lightweight and focused solely on PE file parsing

Cons of pefile

  • Limited visualization capabilities
  • Lacks a graphical user interface
  • Requires more manual work to extract and analyze PE file information

Code Comparison

pe_tree:

from pe_tree import pe_tree
pe_tree.main(filename="sample.exe")

pefile:

import pefile
pe = pefile.PE("sample.exe")
print(pe.dump_info())

Summary

pefile is a well-established library for parsing PE files, offering a comprehensive set of features for extracting and analyzing PE file information. It's widely used in the security community and has extensive documentation. However, it lacks visualization capabilities and a graphical interface, which pe_tree provides.

pe_tree, on the other hand, offers a more user-friendly approach with its GUI and visualization features, making it easier for analysts to explore PE file structures. It builds upon pefile's functionality while adding extra layers of usability and visual representation.

The choice between the two depends on the specific needs of the user. For those requiring a lightweight, programmatic approach to PE file analysis, pefile might be the better choice. For users who prefer a more visual and interactive experience, pe_tree could be more suitable.

1,435

Proof of Concepts (PE, PDF...)

Pros of pocs

  • Broader scope, covering various file formats and systems beyond just PE files
  • Extensive collection of proof-of-concept examples for different vulnerabilities and edge cases
  • Valuable resource for security researchers and malware analysts

Cons of pocs

  • Less focused and specialized compared to pe_tree's specific PE file analysis
  • May require more effort to navigate and find relevant information for specific use cases
  • Lacks a dedicated graphical user interface for easy visualization

Code comparison

pe_tree:

class PETree(QTreeWidget):
    def __init__(self, parent=None):
        super(PETree, self).__init__(parent)
        self.setHeaderLabels(["Name", "Value"])

pocs:

def make_pe(bits=32):
    pe = {"DOS_HEADER": {"e_magic": "MZ"}, "NT_HEADERS": {"Signature": "PE"}}
    return pe

The pe_tree code snippet shows a GUI-focused approach for displaying PE file structures, while the pocs example demonstrates a more basic PE file creation function. pe_tree is designed for interactive analysis, whereas pocs provides building blocks for various file format manipulations.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

PE Tree

PE Tree is a Python module for viewing Portable Executable (PE) files in a tree-view using pefile and PyQt5. It can also be used with IDA Pro, Ghidra, Volatility, Rekall and minidump to view and dump in-memory PE files, as well as perform import table reconstruction.

Table of contents

  1. Features
  2. Application
  3. IDAPython
  4. Rekall
  5. Volatility
  6. Ghidra
  7. Minidump
  8. Configuration
  9. Troubleshooting
  10. Contributing
  11. License

Features

  • Standalone application with plugins for:
    • IDA Pro
    • Ghidra
    • Volatility
    • Rekall
    • Minidumps
    • Carving
  • Supports Windows, Linux and Mac
  • Parsing PE files and memory images from:
    • File-system
    • ZIP archives (including password protected)
    • Windows memory dumps (raw, EWF, vmem etc.)
    • Live Windows memory (using rekall)
    • Windows Minidump
    • IDA Pro database
    • Ghidra database
    • Binary file carving
  • Rainbow PE map:
    • Provides a high-level overview of PE structures, size and file location
    • Allows for fast visual overview and comparison of PE samples
  • Displays the following PE headers in a tree-view:
    • MZ header
    • DOS stub
    • Rich headers
    • NT/File/Optional headers
    • Data directories
    • Sections
    • Imports
    • Exports
    • Debug information
    • Load config
    • TLS
    • Resources
    • Version information
    • Certificates
    • Overlay
  • Extract and save data from:
    • DOS stub
    • Sections
    • Resources
    • Certificates
    • Overlay
    • Export to CyberChef for further manipulation
  • Perform VirusTotal searches of:
    • File hashes
    • PDB path
    • Timestamps
    • Section hash/name
    • Import hash/name
    • Export name
    • Resource hash
    • Certificate serial
  • Dump loaded PE images from memory:
    • Fix up section pointers and sizes
    • Fix up PE headers:
      • Remove unnecessary data directory pointers
      • Recalculate PE checksum
      • Update entry-point
    • Reconstruct import address and directory tables (IAT/IDT) using several methods:
      1. Use existing IAT/IDT
      2. Rebuild IDT from existing IAT
      3. Rebuild IAT and IDT from disassembly (using IDA Pro, Ghidra or capstone)

Application

The PE Tree standalone application finds portable executables in files, folders and ZIP archives.

PE Tree standalone application

Requirements

  • Python 3.5+

Features

  • Scan files and folders for PE files
  • Extract PE files from ZIP archives (including password protected with infected)
  • Carve PE files from binary files
  • Double-click VA/RVA to disassemble with capstone
  • Hex-dump data

Installation

Using pip (recommended)

Install directly from GitHub using a fresh virtual environment and pip:

Windows
> virtualenv env
> env\Scripts\activate
> pip install --upgrade pip
> pip install git+https://github.com/blackberry/pe_tree.git
Mac/Linux
$ python3 -m venv env
$ source ./env/bin/activate
$ pip install --upgrade pip
$ pip install git+https://github.com/blackberry/pe_tree.git

For developers

Git clone the repository and setup for development:

Windows
> git clone https://github.com/blackberry/pe_tree.git
> cd pe_tree
> virtualenv env
> env\Scripts\activate
> pip install -e .
Mac/Linux
$ git clone https://github.com/blackberry/pe_tree.git
$ cd pe_tree
$ python3 -m venv env
$ source ./env/bin/activate
$ pip install -e .

Usage

Run PE Tree and scan for portable executables in files, folders and ZIP archives:

$ pe-tree -h
usage: pe-tree [-h] [filenames [filenames ...]]

PE-Tree

positional arguments:
  filenames   Path(s) to file/folder/zip

optional arguments:
  -h, --help  show this help message and exit

Run PE Tree and attempt to carve portable executable files from a binary file:

$ pe-tree-carve -h
usage: pe-tree-carve [-h] filename

PE-Tree (Carve)

positional arguments:
  filename    Path to file to carve

optional arguments:
  -h, --help  show this help message and exit

Dark-mode

Dark-mode can be enabled by installing QDarkStyle:

$ pip install qdarkstyle

IDAPython

The PE Tree IDAPython plugin finds portable executables in IDA databases.

PE Tree IDAPython plugin

Requirements

  • IDA Pro 7.0+ with Python 2.7
  • IDA Pro 7.4+ with Python 2.7 or 3.5+

Features

  • Easy navigation of PE file structures
  • Double-click on a memory address in PE Tree to view in IDA-view or hex-view
  • Search an IDB for in-memory PE images and;
    • Reconstruct imports (IAT + IDT)
    • Dump reconstructed PE files
    • Automatically comment PE file structures in IDB
    • Automatically label IAT offsets in IDB

Installation

To install and run as an IDAPython plugin you can either use setuptools or install manually.

Using setuptools

  1. Download pe_tree and install for the global Python interpreter used by IDA:

    $ git clone https://github.com/blackberry/pe_tree.git
    $ cd pe_tree
    $ python setup.py develop --ida
    
  2. Copy pe_tree_ida.py to your IDA plugins folder

Install manually

  1. Download pe_tree and install requirements for the global Python interpreter used by IDA:

    $ git clone https://github.com/blackberry/pe_tree.git
    $ cd pe_tree
    $ pip install -r requirements.txt
    
  2. Copy pe_tree_ida.py and the contents of ./pe_tree/ to your IDA plugins folder

For developers

To forgo installing as a plugin, and simply run as a script under IDA, first install the pe_tree package requirements for the global Python installation:

$ pip install -r requirements.txt

Then run pe_tree_ida.py under IDA:

File -> Script file... -> pe_tree_ida.py -> Open

IDA plugins folder

OSPlugins folder
Windows%ProgramFiles%\IDA Pro 7.X\plugins
Linux/opt/ida-7.X/plugins
Mac~/.idapro/plugins

Usage

  1. Launch IDA Pro and disassemble a PE file (always select Manual Load and Load Resources for best results!)

  2. Load the PE Tree plugin:

    Edit -> Plugins -> PE Tree

Example

Dumping in-memory PE files

Below are the basic steps to dump a packed PE file (for example MPRESS or UPX) and reconstruct imports (assuming the image base/entry-point is fairly standard):

  1. Launch IDA Pro and disassemble an MPRESS or UPX packed PE file (select Manual Load and Load Resources)

  2. Select a debugger (Windows or Bochs) and run until OEP (usually 0x00401000, but not always!)

  3. At this point you could take a memory snapshot (saving all segments) and save the IDB for later

  4. Ensure IDA has found all code:

    Options -> General -> Analysis -> Reanalyze program

  5. Open the PE Tree IDAPython plugin, right-click in the right-hand pane and select:

    Add PE -> Search IDB

    This will scan the IDB for MZ/PE headers and display any modules it finds.

  6. Right-click on HEADER-0x00400000 (or appropriate module name) and select Dump...

  7. Specify the AddressOfEntryPoint (typically 0x1000, but again, not always!)

  8. Ensure Rebuild IDT/IAT is selected

  9. Dump!

A new executable will be created using the unpacked section data obtained from memory/IDB, whilst a new section named .pe_tree and containing the rebuilt IAT, hint name table and IDT will be appended to the PE file (much like an .idata section). If the entry-point memory segment has been marked writable during execution (via VirtualProtect for example) then the entry-point section's characteristics will also be marked writable. Finally, the BASERELOC, BOUND_IMPORT and SECURITY data directories are marked null, and the OPTIONAL_HEADER checksum is recalculated (if specified).

Using the above approach it is possible to dump many in-memory PE files that have either been unpacked, injected, reflectively loaded or hollowed etc.

Rekall

The PE Tree Rekall plugin finds portable executables in Windows memory dumps.

PE Tree Rekall plugin

Requirements

  • Python 3+

Features

  • Operates against a Windows memory dump or a live system
  • View, dump and reconstruct PE modules from;
    • Active processes and DLLs
    • Loaded kernel-mode drivers

Installation

  1. Install Rekall from GitHub.
  2. Install PE Tree standalone application (see Installation) under the same virtual environment.

Usage

Run Rekall and view active processes, DLLs and drivers on a live system:

$ rekall --live Memory
[1] Live (Memory) 00:00:00> run -i pe_tree_rekall.py

Alternatively, run Rekall/PE Tree against an existing memory dump:

$rekall -f memory.vmem
[1] memory.vmem 00:00:00> run -i pe_tree_rekall.py

Volatility

The PE Tree Volatility plugin finds portable executables in Windows memory dumps.

PE Tree Volatility plugin

Requirements

  • Python 3.5+

Features

  • Operates against a Windows memory dump
  • View, dump and reconstruct PE modules from;
    • Active processes and DLLs
    • Loaded kernel-mode drivers

Installation

  1. Install Volatility3 from GitHub.
  2. Install PE Tree standalone application (see Installation) under the same virtual environment.

Usage

$ pe-tree-vol -h
usage: pe-tree-vol [-h] filename

PE-Tree (Volatility)

positional arguments:
  filename    Path to memory dump

optional arguments:
  -h, --help  show this help message and exit

Ghidra

The PE Tree Ghidra plugin finds portable executables in Ghidra databases.

PE Tree Ghidra plugin

Requirements

  • Python 3.5+
  • Ghidra Bridge

Features

  • Easy navigation of PE file structures
  • Double-click on a memory address in PE Tree to view in Ghidra disassembly/hex-view
  • Reconstruct imports (IAT + IDT)
  • Dump reconstructed PE files

Installation

  1. Install PE Tree (see Installation)
  2. Install Ghidra Bridge

Usage

  1. Start the Ghidra Bridge server
  2. Run the PE Tree Ghidra plugin
$ pe-tree-ghidra -h
usage: pe-tree-ghidra [-h] [--server SERVER] [--port PORT]

PE-Tree (Ghidra)

optional arguments:
  -h, --help       show this help message and exit
  --server SERVER  Ghidra bridge server IP (default: 127.0.0.1)
  --port PORT      Ghidra bridge server port (default: 4768)

Minidump

The PE Tree Minidump plugin finds portable executables in Windows Minidumps.

PE Tree Minidump plugin

Requirements

Features

  • View, dump and reconstruct PE modules from a Windows Minidump (.dmp) file

Installation

  1. Install PE Tree (see Installation)
  2. Install minidump (pip install minidump)

Usage

$ pe-tree-minidump -h
usage: pe-tree-minidump [-h] filename

PE-Tree (Minidump)

positional arguments:
  filename    Path to .dmp file

optional arguments:
  -h, --help  show this help message and exit

Configuration

Overview

The configuration is stored in an INI file and defaults to the following values:

[config]
debug = False
fonts = Consolas,Monospace,Courier
passwords = ,infected
virustotal_url = https://www.virustotal.com/gui/search
cyberchef_url = https://gchq.github.io/CyberChef

Options

SectionOptionTypeDescription
configdebugbooleanPrint pefile.dump() to output
configfontsstringComma-separated list of font names for UI
configpasswordsstringComma-separated list of ZIP file passwords
configvirustotal_urlstringVirusTotal search URL
configcyberchef_urlstringCyberChef URL

Location

TypeOSPath
ApplicationWindows%TEMP%\pe_tree.ini
ApplicationLinux/Mac/tmp/pe_tree.ini
IDAPythonWindows%APPDATA%\HexRays\IDA Pro\pe_tree.ini
IDAPythonLinux/Mac~/.idapro/pe_tree.ini
RekallWindows%TEMP%\pe_tree_rekall.ini
RekallLinux/Mac/tmp/pe_tree_rekall.ini
VolatilityWindows%TEMP%\pe_tree_volatility.ini
VolatilityLinux/Mac/tmp/pe_tree_volatility.ini
GhidraWindows%TEMP%\pe_tree_ghidra.ini
GhidraLinux/Mac/tmp/pe_tree_ghidra.ini
MinidumpWindows%TEMP%\pe_tree_minidump.ini
MinidumpLinux/Mac/tmp/pe_tree_minidump.ini
CarveWindows%TEMP%\pe_tree_carve.ini
CarveLinux/Mac/tmp/pe_tree_carve.ini

3rd party data sharing

The following information will be shared with 3rd party web-applications (depending on configuration) under the following conditions:

VirusTotal

If the VirusTotal URL is specified in the configuration then metadata such as file hashes, timestamps, etc will be sent to VirusTotal for processing when the user clicks on highlighted links or selects "VirusTotal search" from the right-click context menu.

CyberChef

If the CyberChef URL is present in the configuration then any file data will be base64 encoded and sent to CyberChef for processing when the user selects "CyberChef" from the right-click context menu.

Troubleshooting

AttributeError: module 'pip' has no attribute 'main'

or

PyQt5 fails to install under Linux

Try to upgrade pip to version 20.0+:

$ pip install --upgrade pip

ModuleNotFoundError: No module named 'PyQt5.sip'

Try uninstalling and reinstalling PyQt5 as follows:

pip uninstall PyQt5
pip uninstall PyQt5-sip
pip install PyQt5 PyQt5-sip

Missing imports after dumping

Ensure IDA has found and disassembled all code:

Options -> General -> Analysis -> Reanalyze program

After this is completed try to dump/rebuild imports again.

Contributing

Please feel free to contribute! Issues and pull requests are most welcome.

Developer documentation

To build documentation from source using Sphinx:

$ pip install sphinx
$ sphinx-apidoc -o ./doc/source/ .
$ sphinx-build -b html ./doc/source ./doc/build -E

To view the documentation open ./doc/build/index.html in a web-browser.

Authors

Tom Bonner - tombonner - @thomas_bonner

License

PE Tree is distributed under the Apache License. See LICENSE for more information.