readpe (pev)
Overview
readpe (part of the pev toolkit) is a comprehensive portable executable (PE) file analyzer that runs on Linux, macOS, and Windows. It provides detailed inspection of Windows binary files including headers, sections, imports, exports, resources, and digital signatures, and is essential for malware analysis, reverse engineering, and vulnerability assessment.
Installation
Linux (Debian/Ubuntu)
sudo apt-get update
sudo apt-get install pev
macOS (Homebrew)
brew install pev
From Source
git clone https://github.com/merces/pev.git
cd pev
make
sudo make install
Verify Installation
readpe --version
pev --version
readpe --help   # note: -h is --header in readpe, not help
Basic Syntax
readpe [options] <file>
readpe --help # Help (-h selects a specific header, see Header Analysis)
readpe -V # Version
readpe --all <file> # All information (this is also the default)
Essential Commands
| Command | Purpose |
|---|---|
| readpe file.exe | Display basic PE information |
| readpe --all file.exe | Show all available information |
| readpe -H file.exe | Display PE headers only |
| readpe -S file.exe | List all sections |
| readpe -i file.exe | Show imported functions |
| readpe -e file.exe | Show exported functions |
| peres -i file.exe | Display resource information (peres is the pev resource tool; readpe has no -r) |
| readpe -d file.exe | Show data directories |
| peres -x file.exe | Extract resources to files |
| peres -v file.exe | Display file version information from the version resource |
Header Analysis
Display DOS Header
readpe -h dos file.exe   # -h/--header takes dos, coff or optional
Check PE Signature
readpe file.exe | grep -i "signature\|subsystem\|machine"
View Optional Header
readpe -h optional file.exe
Machine Type Detection
readpe file.exe | grep -i "machine"
# Output: i386 (x86), x86-64, ARM, etc.
Section Analysis
List All Sections
readpe -S file.exe
View Section Details
readpe file.exe | grep -i -A 100 "sections"
Find Suspicious Sections
readpe -S file.exe | grep -E '\.reloc|\.rsrc|\.text'   # standard names; anything unexpected (UPX0, random names) deserves a closer look
Section Entropy Analysis
pescan file.exe | grep -i entropy   # readpe prints no entropy; pescan from the same toolkit does
Import/Export Analysis
List Imported DLLs
readpe -i file.exe
readpe -i file.exe | grep -i "dll"
View Imported Functions
readpe -i file.exe | head -50
Find Specific Imports
readpe -i file.exe | grep -i "createprocess\|shellexecute\|winexec"
List Exported Functions
readpe -e file.exe
readpe -e file.exe | wc -l
Export Table Analysis
readpe -e file.exe | grep -i -A 50 "export"
Resource Analysis
Extract Resources
peres -x file.exe   # writes each resource to a file; readpe itself has no resource options
List Resource Types
peres -i file.exe   # resource information (type, id, size)
Find Embedded Strings
strings file.exe | head -50
peres -i file.exe | grep -i "string\|icon\|dialog"
Resource Details
peres -s file.exe   # per-type resource statistics
Signature Verification
Check Digital Signature
readpe -d file.exe | grep -i security   # a non-zero SECURITY data directory means an Authenticode signature is attached
Verify Authenticode
pesec -c pem file.exe   # dumps the embedded certificate(s); pesec does not validate the chain itself
Extract Certificate Information
pesec -c text file.exe
peres -v file.exe | grep -E "Company|Product|File Version|Legal"   # version resource fields, not the certificate
Scanning Multiple Files
Abschnitt betitelt „Scanning Multiple Files“Analyze Directory of PEs
for file in *.exe; do echo "=== $file ==="; readpe "$file"; done
Find All PE Files
find . -type f \( -name "*.exe" -o -name "*.dll" -o -name "*.sys" \)
Batch Header Check
for file in *.exe; do readpe -H "$file" | head -5; done
Generate Report
for file in *.exe; do
    echo "File: $file" >> report.txt
    readpe --all "$file" >> report.txt
    echo "---" >> report.txt
done
Malware Analysis Workflows
Quick Malware Triage
readpe file.exe | grep -iE "machine|subsystem|entry|size"
readpe -i file.exe | grep -iE "createprocess|shellexecute|winexec|loadlibrary"
readpe -S file.exe | grep -E '\.text|\.data|\.reloc'
Suspicious Import Detection
readpe -i malware.exe | grep -iE "createremotethread|virtualalloc|writeprocessmemory|createprocess|createservice|regsetvalue"
Section Entropy Baseline
# High entropy (.text < 7.0, .data < 7.5 normal; > 7.8 suspicious)
pescan file.exe | grep -i entropy   # entropy comes from pescan, not readpe
Suspicious Resource Detection
peres -i file.exe | grep -iE "dropped|embedded|payload"
strings file.exe | grep -iE "cmd.exe|powershell|regsvcs|rundll32"
Advanced Analysis
Compare Multiple Binaries
readpe file1.exe > analysis1.txt
readpe file2.exe > analysis2.txt
diff analysis1.txt analysis2.txt
Parse Output for Processing
readpe --all file.exe | grep -iE "name:|machine:|subsystem:"   # fields are indented, so do not anchor with ^; -f csv gives machine-readable output
JSON Output
readpe -f json file.exe > output.json   # -f/--format also accepts csv, xml and html
Entropy Analysis Script
#!/bin/bash
for file in *.exe; do
    echo "$file:"
    pescan "$file" | grep -i "entropy" || echo "No entropy data"
done
Common Analysis Patterns
Detect Packed Executables
# Packed files often have high entropy, small .text, large .data
pescan file.exe | grep -i entropy
readpe -S file.exe | grep -iE "name|size"
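The entropy baseline under Section Entropy Baseline and the packing check above both rest on per-section entropy. This added Python example (not part of the page or of pev) computes it directly from the PE section table, so the numbers can be checked independently of any tool's output; the embedded PE image is constructed for the example and omits the optional header, which a real binary always has.

```python
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def section_entropies(pe: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table and score each section."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]          # file offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                # section headers, 40 bytes each
    result = {}
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", pe, off + 16)   # SizeOfRawData, PointerToRawData
        result[name] = shannon_entropy(pe[ptr_raw:ptr_raw + size_raw])
    return result

def flag_packed_sections(entropies: dict, threshold: float = 7.8) -> list:
    """Section names above the 'suspicious' entropy threshold from the baseline above."""
    return sorted(n for n, e in entropies.items() if e > threshold)

def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE for this example: no optional header, raw data from offset 0x200."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 0, 0x0102)
    table, body, ptr = b"", b"", 0x200
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        body, ptr = body + raw, ptr + len(raw)
    return (dos + b"PE\0\0" + coff + table).ljust(0x200, b"\0") + body

# Constructed sample: an ordinary-looking code section next to one that looks packed
SAMPLE_PE = build_sample_pe([
    (b".text", b"\x55\x8b\xec\xc3" * 1024),   # four byte values, equally frequent -> 2.0 bits
    (b"UPX1", bytes(range(256)) * 16),        # all 256 values, equally frequent -> 8.0 bits
])
```

Run `section_entropies` over the bytes of a real file and feed the result to `flag_packed_sections` to apply the same threshold the baseline uses.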
Find Code Caves
# Look for sections with unusual characteristics (raw size far from virtual size, writable and executable at once)
readpe -S file.exe | grep -iE "name|size|characteristics"
Identify Compiler/Tools
peres -v file.exe | grep -i "product\|company\|file version"
strings file.exe | grep -iE "microsoft|borland|watcom|visual"
Check Architecture
readpe file.exe | grep -i "machine"
# i386 = 32-bit, x86-64 = 64-bit (machine constants 0x14c and 0x8664)
Interpreting Results
DOS Header Fields
- e_lfanew: Offset to PE header (typically 0x40 or 0x80)
- Magic: 0x5A4D (MZ in ASCII) indicates valid DOS header
PE Header Fields
- Machine: Processor architecture (i386, x86-64, ARM)
- NumberOfSections: Count of sections in binary
- TimeDateStamp: Compilation timestamp (may be spoofed)
- EntryPoint: Where execution begins
Section Characteristics
- .text: Executable code section
- .data: Initialized data
- .rsrc: Resources (icons, dialogs, strings)
- .reloc: Base relocations (for ASLR)
Output Integration
Save Full Analysis
readpe --all file.exe > malware_analysis.txt
Extract Specific Data
readpe -i file.exe > imports.txt
readpe -e file.exe > exports.txt
Combine with Other Tools
readpe file.exe | head -50
strings file.exe | tail -50
file file.exe
Troubleshooting
File Not Recognized
file file.exe
# Check if actually a PE file
readpe file.exe
Corrupted PE Header
# readpe will report header errors
readpe file.exe 2>&1 | grep -i "error\|invalid"
Missing Dependencies
# Ensure pev is properly installed
which readpe
readpe --version
Best Practices
- Always verify file type before analysis - Use the file command first
- Cross-reference with multiple tools - Compare readpe output with objdump, strings
- Document suspicious patterns - Note high entropy, unusual imports, resource anomalies
- Check digital signatures - Validate Authenticode certificates for legitimacy
- Baseline normal binaries - Compare malware against clean system DLLs
- Monitor import patterns - Focus on process injection, registry modification APIs
- Automate recurring tasks - Script batch analysis for threat hunting
- Preserve evidence - Keep original file copies during analysis
Real-World Scenarios
Identify Ransomware Variants
peres -v ransomware.exe | grep -iE "company|product|file version"
readpe -i ransomware.exe | grep -iE "cryptencrypt|crypthash|regsetvalue"
Detect Persistence Mechanisms
readpe -i malware.exe | grep -iE "regcreatekeyex|regsetvalueex|createservice"
Analyze Supply Chain Attacks
readpe -d legitimate_signed.exe | grep -i security   # is a signature directory present at all?
peres -v legitimate_signed.exe | grep -iE "company|product"
readpe -i legitimate_signed.exe | wc -l # Compare import count against a known-good build
Additional Resources
- PE Format Documentation: https://docs.microsoft.com/en-us/windows/win32/debug/pe-format
- Pev GitHub: https://github.com/merces/pev
- PE Analysis Guides: https://0xrick.github.io/malware-analysis/