PE-bear (by hasherezade) is a free, multi-platform PE (Portable Executable) analysis tool with a friendly GUI. It parses and displays every part of a Windows executable — DOS/NT headers, section table, data directories, imports/exports, resources, and the rich header — and is deliberately robust against malformed PE files that break other parsers, which is exactly what malware often ships. It also compares binaries side by side, making it a staple for quick malware triage and unpacking verification.
Installation
| Platform | How |
|---|
| Windows / Linux | Download a build from the GitHub Releases page |
| From source | Build with Qt + the bearparser submodule |
| Portable | No install needed; run the extracted binary |
| Verify | Launch PE-bear; drag a PE in |
Loading Files
| Action | How |
|---|
| Open a PE | File → Open, or drag .exe/.dll/.sys in |
| Multiple files | Load several; each gets a tab |
| Reload | Re-parse after external changes |
| Save | Save modifications back to disk |
What You Can Inspect
| Panel | Shows |
|---|
| DOS Header | MZ header, e_lfanew offset |
| Rich Header | Compiler/toolchain fingerprint (great for attribution) |
| NT Headers | File header + optional header (entry point, subsystem) |
| Section Headers | Names, virtual/raw sizes, characteristics, entropy |
| Imports | DLLs and functions the binary calls |
| Exports | Functions the binary exposes |
| Resources | Icons, manifests, embedded data |
| Data Directories | Import/export/reloc/TLS/etc. tables |
Reading Sections (Triage Signals)
| Signal | Suggests |
|---|
| High entropy section | Packed/encrypted (e.g. .text ~7.9+) |
| Unusual section names | UPX0, .vmp0, random names → packer |
| Writable + executable section | Self-modifying / unpacking stub |
| Tiny imports table | Imports resolved at runtime (packed) |
| Odd entry point section | Entry not in .text → suspicious |
Comparing Binaries
PE-bear can show two files side by side — invaluable for before/after unpacking or comparing malware variants.
| Use | How |
|---|
| Packed vs unpacked | Compare headers/sections/imports |
| Variant analysis | Diff two samples of a family |
| Verify a dump | Compare a memory dump to the original |
Editing
| Capability | Note |
|---|
| Edit header fields | Fix or tamper with header values |
| Edit sections | Adjust section characteristics |
| Add/convert | Some structural edits for repair |
| Save As | Write the modified PE |
Common Workflows
# Triage an unknown Windows sample
1. Drag the sample into PE-bear
2. Check section entropy → high = likely packed
3. Look at imports → tiny/odd = runtime resolution (packed)
4. Read the Rich Header for toolchain/attribution hints
5. Inspect resources for embedded payloads
# Verify an unpacked dump
- Compare the dumped PE against the original in side-by-side view
- Confirm the IAT and entry point look sane
| Aspect | PE-bear | CFF Explorer | Detect It Easy | PEStudio |
|---|
| Focus | PE structure + diff | PE editing | Packer/format ID | Threat indicators |
| Malformed PEs | Very robust | Moderate | Robust | Moderate |
| Compare files | Yes | No | Limited | No |
| Best for | Triage + structural analysis | Editing | Identifying packers | IOC-style triage |
Pairs well with Detect It Easy for packer identification and PE-sieve for in-memory implant detection.
Resources