Skip to content

PE-bear - PE File Reversing Tool Cheatsheet

PE-bear - PE File Reversing Tool Cheatsheet

PE-bear (by hasherezade) is a free, multi-platform PE (Portable Executable) analysis tool with a friendly GUI. It parses and displays every part of a Windows executable — DOS/NT headers, section table, data directories, imports/exports, resources, and the rich header — and is deliberately robust against malformed PE files that break other parsers, which is exactly what malware often ships. It also compares binaries side by side, making it a staple for quick malware triage and unpacking verification.

Installation

PlatformHow
Windows / LinuxDownload a build from the GitHub Releases page
From sourceBuild with Qt + the bearparser submodule
PortableNo install needed; run the extracted binary
VerifyLaunch PE-bear; drag a PE in

Loading Files

ActionHow
Open a PEFile → Open, or drag .exe/.dll/.sys in
Multiple filesLoad several; each gets a tab
ReloadRe-parse after external changes
SaveSave modifications back to disk

What You Can Inspect

PanelShows
DOS HeaderMZ header, e_lfanew offset
Rich HeaderCompiler/toolchain fingerprint (great for attribution)
NT HeadersFile header + optional header (entry point, subsystem)
Section HeadersNames, virtual/raw sizes, characteristics, entropy
ImportsDLLs and functions the binary calls
ExportsFunctions the binary exposes
ResourcesIcons, manifests, embedded data
Data DirectoriesImport/export/reloc/TLS/etc. tables

Reading Sections (Triage Signals)

SignalSuggests
High entropy sectionPacked/encrypted (e.g. .text ~7.9+)
Unusual section namesUPX0, .vmp0, random names → packer
Writable + executable sectionSelf-modifying / unpacking stub
Tiny imports tableImports resolved at runtime (packed)
Odd entry point sectionEntry not in .text → suspicious

Comparing Binaries

PE-bear can show two files side by side — invaluable for before/after unpacking or comparing malware variants.

UseHow
Packed vs unpackedCompare headers/sections/imports
Variant analysisDiff two samples of a family
Verify a dumpCompare a memory dump to the original

Editing

CapabilityNote
Edit header fieldsFix or tamper with header values
Edit sectionsAdjust section characteristics
Add/convertSome structural edits for repair
Save AsWrite the modified PE

Common Workflows

# Triage an unknown Windows sample
1. Drag the sample into PE-bear
2. Check section entropy → high = likely packed
3. Look at imports → tiny/odd = runtime resolution (packed)
4. Read the Rich Header for toolchain/attribution hints
5. Inspect resources for embedded payloads

# Verify an unpacked dump
- Compare the dumped PE against the original in side-by-side view
- Confirm the IAT and entry point look sane

PE-bear vs Other PE Tools

AspectPE-bearCFF ExplorerDetect It EasyPEStudio
FocusPE structure + diffPE editingPacker/format IDThreat indicators
Malformed PEsVery robustModerateRobustModerate
Compare filesYesNoLimitedNo
Best forTriage + structural analysisEditingIdentifying packersIOC-style triage

Pairs well with Detect It Easy for packer identification and PE-sieve for in-memory implant detection.

Resources