readpe (pev)
Overview
readpe (part of the pev toolkit) is a comprehensive portable executable (PE) file analyzer that runs on Linux, macOS, and Windows. It prints the DOS, COFF and optional headers, data directories, sections, imports and exports of Windows binaries; its sibling pev tools cover resources and version info (peres), digital signatures and hardening flags (pesec), and packer and entropy checks (pescan, pepack). Together they are essential for malware analysis, reverse engineering, and vulnerability assessment.
Installation
Linux (Debian/Ubuntu)
sudo apt-get update
sudo apt-get install pev
macOS
brew install pev
From Source
git clone https://github.com/merces/pev.git
cd pev
make
sudo make install
Verify Installation
readpe --version
pev --version
readpe --help
Basic Syntax
readpe [options] <file>
readpe --help # Help (note: -h is --header <dos|coff|optional>, not help)
readpe -V # Version
readpe --all <file> # All information
Essential Commands
| Command | Purpose |
|---|---|
| readpe file.exe | Display PE information (default output is the full -A/--all listing) |
| readpe --all file.exe | Show all available information |
| readpe -H file.exe | Display PE headers only |
| readpe -S file.exe | List all sections |
| readpe -i file.exe | Show imported functions |
| readpe -e file.exe | Show exported functions |
| peres -i file.exe | Display resources (readpe has no resource option; peres is pev's resource tool) |
| readpe -d file.exe | Show data directories |
| peres -a file.exe | Show resource info and statistics and extract resources |
| peres -v file.exe | Display file version information from the resource directory |
Header Analysis
Display DOS Header
readpe -h dos file.exe
Check PE Signature
readpe file.exe | grep -i "signature\|subsystem\|machine"
View Optional Header
readpe -h optional file.exe
Machine Type Detection
readpe -h coff file.exe | grep -i "machine"
# Output: e.g. 0x14c IMAGE_FILE_MACHINE_I386 (x86), 0x8664 IMAGE_FILE_MACHINE_AMD64 (x86-64), ARM values, etc.
Section Analysis
List All Sections
readpe -S file.exe
View Section Details
readpe file.exe | grep -A 100 "Sections"
Find Suspicious Sections
readpe -S file.exe | grep -E "\.reloc|\.rsrc|\.text"
# Anything outside the standard names (UPX0/UPX1, .packed, random strings) deserves a closer look
Section Entropy Analysis
pescan file.exe | grep -i "entropy" # readpe does not compute entropy; pescan reports a whole-file figure
Import/Export Analysis
List Imported DLLs
readpe -i file.exe
readpe -i file.exe | grep -i "\.dll"
View Imported Functions
readpe -i file.exe | head -50
Find Specific Imports
readpe -i file.exe | grep -i "createprocess\|shellexecute\|winexec"
List Exported Functions
readpe -e file.exe
readpe -e file.exe | wc -l # line count, not function count: each export spans several lines
Export Table Analysis
readpe -e file.exe | head -50
readpe -d file.exe | grep -i export # export data directory (RVA and size)
Resource Analysis
Extract Resources
peres -x file.exe # extract resources to files (readpe itself has no resource option)
List Resource Types
peres -l file.exe # list view
peres -s file.exe # counts per resource type
Find Embedded Strings
strings file.exe | head -50
peres -i file.exe | grep -iE "string|icon|dialog"
Resource Details
readpe -d file.exe | grep -i resource # resource data directory (RVA and size)
peres -a file.exe # info, statistics and extraction in one run
Signature Verification
Check Digital Signature
pesec file.exe # readpe does not parse signatures; pesec reports the certificate alongside ASLR/DEP/SEH flags
readpe -d file.exe | grep -i security # security data directory: non-zero size means an Authenticode blob is present
Verify Authenticode
pesec -c pem -o cert.pem file.exe # dump the embedded certificate(s); pesec extracts, it does not validate the chain
openssl x509 -in cert.pem -noout -subject -issuer -dates # inspect the dumped certificate
Extract Certificate Information
pesec -c text file.exe
# Version-info strings live in the resource section, not in the signature:
peres -v file.exe | grep -E "Company|Product|File Version|Legal"
Scanning Multiple Files
Analyze Directory of PEs
for file in *.exe; do echo "=== $file ==="; readpe "$file"; done
Find All PE Files
find . -type f \( -name "*.exe" -o -name "*.dll" -o -name "*.sys" \)
Batch Header Check
for file in *.exe; do readpe -H "$file" | head -5; done
Generate Report
for file in *.exe; do
echo "File: $file" >> report.txt
readpe --all "$file" >> report.txt
echo "---" >> report.txt
done
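The extension-based find above misses PE files that were renamed (a dropper saved as .dat or .tmp) and matches non-PE files that merely carry an .exe name. As an added example that is not part of this sheet or of pev, here is a Python walker that identifies PE files by their MZ magic and PE signature and, when readpe is on PATH, collects readpe -A output per file. The directory tree it scans (a.exe, sub/b.bin, c.exe, d.txt) is constructed in a temporary directory for the demonstration; the "PE" stubs in it are 72-byte header fragments, not programs.

```python
"""Signature-based PE discovery and batch readpe run (added example; not pev code)."""
import os
import shutil
import struct
import subprocess
import tempfile


def is_pe_file(path: str) -> bool:
    """True if the file has the DOS 'MZ' magic and a 'PE\\0\\0' signature at e_lfanew."""
    try:
        with open(path, "rb") as f:
            dos = f.read(0x40)
            if len(dos) < 0x40 or dos[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def find_pe_files(root: str) -> list:
    """Walk root and return sorted, slash-separated relative paths of PE files, whatever their extension."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if is_pe_file(full):
                found.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(found)


def run_readpe(path: str) -> str:
    """Run `readpe -A` when pev is installed; otherwise return a marker so a batch run still completes."""
    exe = shutil.which("readpe")
    if exe is None:
        return "readpe not installed"
    result = subprocess.run([exe, "-A", path], capture_output=True, text=True)
    return result.stdout if result.returncode == 0 else f"readpe failed: {result.stderr.strip()}"


def batch_report(root: str) -> dict:
    """Map each discovered PE (relative path) to its readpe output."""
    return {rel: run_readpe(os.path.join(root, rel)) for rel in find_pe_files(root)}


def _fake_pe() -> bytes:
    """Constructed 72-byte stub: MZ header whose e_lfanew points at a PE signature. Detectable, not runnable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + bytes(4)


def build_demo_tree() -> str:
    """Create a temporary directory with constructed samples and return its path."""
    root = tempfile.mkdtemp(prefix="pe_scan_")
    os.makedirs(os.path.join(root, "sub"))
    samples = {
        "a.exe": _fake_pe(),
        os.path.join("sub", "b.bin"): _fake_pe(),   # PE hiding behind a non-executable extension
        "c.exe": b"#!/bin/sh\necho not a PE\n",   # executable extension, not a PE
        "d.txt": b"MZ" + b"x" * 100,              # MZ magic but no PE signature
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, output in batch_report(demo_root).items():
        print(f"=== {rel} ===")
        print(output[:200])
    shutil.rmtree(demo_root)
```

Pair this with the extension-based find when you need both views: the extension list tells you what an operator expects to be executable, the signature scan tells you what actually is.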
Malware Analysis Workflows
Quick Malware Triage
readpe -H file.exe | grep -iE "machine|subsystem|entrypoint|size of"
readpe -i file.exe | grep -iE "createprocess|shellexecute|winexec|loadlibrary"
readpe -S file.exe | grep -E "\.text|\.data|\.reloc|Characteristics"
Suspicious Import Detection
readpe -i malware.exe | grep -iE "createremotethread|virtualalloc|writeprocessmemory|createprocess|createservice|regsetvalue"
Section Entropy Baseline
# High entropy (.text < 7.0, .data < 7.5 normal; > 7.8 suspicious)
pescan file.exe | grep -i "entropy" # whole-file figure; per-section entropy needs a separate script
Suspicious Resource Detection
peres -i file.exe | grep -iE "dropped|embedded|payload"
peres -s file.exe # large RCDATA or unknown-type entries are the usual hiding place for embedded files
strings file.exe | grep -iE "cmd.exe|powershell|regsvcs|rundll32"
Advanced Analysis
Compare Multiple Binaries
readpe file1.exe > analysis1.txt
readpe file2.exe > analysis2.txt
diff analysis1.txt analysis2.txt
Parse Output for Processing
readpe --all file.exe | grep -E "^\s*(Name|Machine|Subsystem):" # output is indented, so anchor on leading whitespace
Structured Output
readpe -f json file.exe > output.json # -f <text|csv|json|xml|html>; json needs a recent pev
readpe -f csv -S file.exe > sections.csv
Entropy Analysis Script
#!/bin/bash
for file in *.exe; do
echo "$file:"
pescan "$file" | grep -i "entropy" || echo "No entropy data"
done
Common Analysis Patterns
Detect Packed Executables
# Packed files often have high entropy, small .text, large .data
pescan file.exe # whole-file entropy plus entry-point and section sanity checks
pepack file.exe # signature-based packer identification
readpe -S file.exe | grep -E "Name:|Size|Characteristics"
Find Code Caves
# Code caves: slack between a section's virtual size and its (larger) raw size, especially in executable sections
readpe -S file.exe | grep -E "Name:|Size|Characteristics"
Identify Compiler/Tools
peres -v file.exe | grep -iE "product|company|file ?version"
strings file.exe | grep -iE "microsoft|borland|watcom|visual"
Check Architecture
readpe -h coff file.exe | grep -i "machine"
# 0x14c IMAGE_FILE_MACHINE_I386 = 32-bit, 0x8664 IMAGE_FILE_MACHINE_AMD64 = 64-bit
Interpreting Results
DOS Header Fields
- e_lfanew: Offset to PE header (typically 0x40 or 0x80)
- Magic: 0x5A4D (MZ in ASCII) indicates valid DOS header
PE Header Fields
- Machine: Processor architecture (i386, x86-64, ARM)
- NumberOfSections: Count of sections in binary
- TimeDateStamp: Compilation timestamp (may be spoofed)
- EntryPoint: Where execution begins
Section Characteristics
- .text: Executable code section
- .data: Initialized data
- .rsrc: Resources (icons, dialogs, strings)
- .reloc: Base relocations (for ASLR)
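To make the header and section fields above concrete, here is an added Python example (not pev code) that parses e_lfanew, the PE signature, the COFF header (Machine, NumberOfSections, TimeDateStamp), the entry point and Subsystem from the optional header, and the section table, then computes Shannon entropy per section and applies the checks this sheet describes: non-standard section names, entropy above the 7.8 threshold, sections that are both writable and executable, and an entry point that falls outside every section. readpe does not compute entropy and pescan only gives a whole-file figure, so per-section numbers are where a script like this earns its place. The PE32 image it analyses is constructed in memory (a normal .text section plus a packed-looking UPX1 section) and is not a real program.

```python
"""Minimal PE header and section inspector with per-section entropy (added example; not pev code)."""
import hashlib
import math
import struct
from dataclasses import dataclass

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
MACHINE_NAMES = {0x14C: "IMAGE_FILE_MACHINE_I386", 0x8664: "IMAGE_FILE_MACHINE_AMD64",
                 0x1C0: "IMAGE_FILE_MACHINE_ARM", 0xAA64: "IMAGE_FILE_MACHINE_ARM64"}
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc", ".reloc", ".pdata", ".tls"}
HIGH_ENTROPY = 7.8  # the sheet's "suspicious" threshold


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    characteristics: int
    entropy: float

    def contains_rva(self, rva: int) -> bool:
        return self.virtual_address <= rva < self.virtual_address + max(self.virtual_size, self.raw_size)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Parse DOS header, PE signature, COFF header, key optional-header fields and the section table."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ magic: not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    entry = struct.unpack_from("<I", image, opt + 16)[0]      # AddressOfEntryPoint (same offset in PE32 and PE32+)
    subsystem = struct.unpack_from("<H", image, opt + 68)[0]  # Subsystem (same offset in PE32 and PE32+)
    sections = []
    for i in range(nsections):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, 2 pointers, 2 counts, Characteristics
        f = struct.unpack_from("<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        raw = image[f[4]:f[4] + f[3]]
        sections.append(Section(name, f[1], f[2], f[3], f[4], f[9], shannon_entropy(raw)))
    entry_section = next((s.name for s in sections if s.contains_rva(entry)), None)
    return {"machine": machine, "machine_name": MACHINE_NAMES.get(machine, "unknown"),
            "number_of_sections": nsections, "timestamp": timestamp,
            "magic": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown"),
            "entry_point": entry, "entry_section": entry_section, "subsystem": subsystem, "sections": sections}


def find_suspicious(pe: dict) -> list:
    """Apply the sheet's section checks and return human-readable findings."""
    findings = []
    if pe["entry_section"] is None:
        findings.append(f"entry point {pe['entry_point']:#x} lies outside every section")
    for s in pe["sections"]:
        if s.name not in STANDARD_SECTIONS:
            findings.append(f"{s.name}: non-standard section name")
        if s.entropy > HIGH_ENTROPY:
            findings.append(f"{s.name}: entropy {s.entropy:.2f} > {HIGH_ENTROPY} (packed or encrypted content)")
        if s.characteristics & IMAGE_SCN_MEM_WRITE and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s.name}: writable and executable (unpacking stub or self-modifying code)")
    return findings


def build_sample_image() -> bytes:
    """Constructed PE32 image (not a real program): a normal .text plus a packed-looking UPX1 section."""
    text_data = bytes(range(16)) * 256  # 4096 bytes over 16 symbols: entropy exactly 4.0
    packed = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))  # 4096 pseudo-random bytes
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections, PE32 optional header size
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                         # entry point inside .text
    struct.pack_into("<H", opt, 68, 2)                              # IMAGE_SUBSYSTEM_WINDOWS_GUI
    text_hdr = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x1000, 0x200, 0, 0, 0, 0, 0x60000020)
    upx_hdr = struct.pack("<8sIIIIIIHHI", b"UPX1", 0x1000, 0x2000, 0x1000, 0x1200, 0, 0, 0, 0, 0xE0000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text_hdr + upx_hdr).ljust(0x200, b"\0")
    return headers + text_data + packed


if __name__ == "__main__":
    pe = parse_pe(build_sample_image())
    print(pe["machine_name"], pe["magic"], f"entry {pe['entry_point']:#x} in {pe['entry_section']}")
    for s in pe["sections"]:
        print(f"{s.name:8} rva={s.virtual_address:#07x} raw={s.raw_size:#07x} "
              f"chars={s.characteristics:#010x} entropy={s.entropy:.2f}")
    for finding in find_suspicious(pe):
        print("!", finding)
```

Replace build_sample_image() with open(path, "rb").read() to run it on a real binary; the entropy figures then line up with the .text/.data baselines given under Section Entropy Baseline, and the W+X check flags the unpacking stub of most runtime packers.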
Output Integration
Save Full Analysis
readpe --all file.exe > malware_analysis.txt
Extract Specific Data
readpe -i file.exe > imports.txt
readpe -e file.exe > exports.txt
Combine with Other Tools
readpe file.exe | head -50
strings file.exe | tail -50
file file.exe
Troubleshooting
File Not Recognized
file file.exe
# Check if actually a PE file
readpe file.exe
Corrupted PE Header
# readpe will report header errors
readpe file.exe 2>&1 | grep -i "error\|invalid"
Missing Dependencies
# Ensure pev is properly installed
which readpe
readpe --version
Best Practices
- Always verify file type before analysis - Use the file command first
- Cross-reference with multiple tools - Compare readpe output with objdump, strings
- Document suspicious patterns - Note high entropy, unusual imports, resource anomalies
- Check digital signatures - Validate authenticode certificates for legitimacy
- Baseline normal binaries - Compare malware against clean system DLLs
- Monitor import patterns - Focus on process injection, registry modification APIs
- Automate recurring tasks - Script batch analysis for threat hunting
- Preserve evidence - Keep original file copies during analysis
Real-World Scenarios
Identify Ransomware Variants
peres -v ransomware.exe | grep -iE "company|product|file ?version"
readpe -i ransomware.exe | grep -iE "cryptencrypt|crypthash|regsetvalue"
Detect Persistence Mechanisms
readpe -i malware.exe | grep -iE "regcreatekeyex|regsetvalueex|createservice"
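The greps under Suspicious Import Detection, Identify Ransomware Variants and Detect Persistence Mechanisms each look for one family of APIs at a time. As an added example that is not part of this sheet or of pev, the Python below parses the Name: lines of readpe -i text output into (DLL, function) pairs and groups matches by behaviour (process injection, process execution, dynamic API resolution, persistence, crypto) in one pass, which also covers the Parse Output for Processing section. The sample listing is constructed to mimic readpe's indented text layout; the parser relies only on Name: lines (values ending in .dll are libraries, everything else is a function of the current library), so it tolerates other labels such as Hint: or Ordinal: and any difference in the exact scope names.

```python
"""Import triage over readpe -i text output (added example; not pev code)."""
import re

# Constructed sample mimicking the indented layout of `readpe -i`; labels other than Name: are assumptions.
SAMPLE_READPE_IMPORTS = """\
Imported functions
    Library
        Name:                            KERNEL32.dll
        Functions
            Function
                Name:                            CreateRemoteThread
            Function
                Name:                            VirtualAllocEx
            Function
                Name:                            WriteProcessMemory
            Function
                Name:                            GetProcAddress
            Function
                Name:                            LoadLibraryA
    Library
        Name:                            ADVAPI32.dll
        Functions
            Function
                Name:                            RegSetValueExA
            Function
                Name:                            CreateServiceW
    Library
        Name:                            USER32.dll
        Functions
            Function
                Name:                            MessageBoxA
"""

# Case-insensitive prefixes so that A/W and Ex variants match (CreateProcessW, RegSetValueExA, ...).
API_CATEGORIES = {
    "process_injection": ("createremotethread", "virtualalloc", "writeprocessmemory"),
    "process_execution": ("createprocess", "shellexecute", "winexec"),
    "dynamic_api_resolution": ("loadlibrary", "getprocaddress"),
    "persistence": ("regsetvalue", "regcreatekey", "createservice"),
    "crypto": ("cryptencrypt", "crypthash"),
}

NAME_RE = re.compile(r"^\s*Name:\s*(\S+)\s*$")
LIBRARY_SUFFIXES = (".dll", ".drv", ".sys", ".ocx")


def parse_imports(text: str) -> list:
    """Return (dll, function) pairs from readpe -i text; library names set the context for the functions below them."""
    imports = []
    current_dll = None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if not m:
            continue
        value = m.group(1)
        if value.lower().endswith(LIBRARY_SUFFIXES):
            current_dll = value
        elif current_dll is not None:
            imports.append((current_dll, value))
    return imports


def triage_imports(text: str) -> tuple:
    """Return (total import count, {category: ["DLL!Function", ...]}) for the categories above."""
    imports = parse_imports(text)
    findings = {category: [] for category in API_CATEGORIES}
    for dll, func in imports:
        lowered = func.lower()
        for category, prefixes in API_CATEGORIES.items():
            if lowered.startswith(prefixes):  # str.startswith accepts a tuple of prefixes
                findings[category].append(f"{dll}!{func}")
    return len(imports), findings


if __name__ == "__main__":
    import subprocess
    import sys
    # Pass a path to run against a real binary (requires readpe on PATH); otherwise use the constructed sample.
    text = subprocess.run(["readpe", "-i", sys.argv[1]], capture_output=True, text=True).stdout \
        if len(sys.argv) > 1 else SAMPLE_READPE_IMPORTS
    total, findings = triage_imports(text)
    print(f"{total} imports")
    for category, hits in findings.items():
        if hits:
            print(f"{category}: {', '.join(hits)}")
```

A hit in a single category is rarely conclusive on its own (LoadLibrary and GetProcAddress are in nearly every binary); the combination of process_injection with persistence, or crypto with persistence in a file that has no version-info resource, is what should move a sample up the triage queue.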
Analyze Supply Chain Attacks
pesec legitimate_signed.exe # certificate details plus ASLR/DEP/SEH flags; compare the signer against the vendor's known certificate
peres -v legitimate_signed.exe | grep -iE "company|product|version"
readpe -i legitimate_signed.exe | wc -l # compare the import listing size against a known-good build of the same version
Additional Resources
- PE Format Documentation: https://docs.microsoft.com/en-us/windows/win32/debug/pe-format
- Pev GitHub: https://github.com/merces/pev
- PE Analysis Guides: https://0xrick.github.io/malware-analysis/