PE Tree: Free open source tool for reverse-engineering PE files

PE Tree, a malware reverse-engineering, open source tool developed by the BlackBerry Research and Intelligence team, has been made available for free to the cybersecurity community.

About PE Tree

PE Tree allows malware analysts to view Portable Executable (PE) files in a tree-view using pefile – a multi-platform Python module that parses and works with PE files – and PyQt5, a module that can be used to create graphical user interfaces.

“PE Tree is developed in Python and supports the Windows, Linux and Mac operating systems. It can be installed and run as either a standalone application or an IDAPython plugin,” Tom Bonner, a threat researcher at BlackBerry, explained.

The Python-based tool parses PE files and maps them into a tree view, them provides a summery of various headers. Suspicious findings are highlighted, and analysts can deepen their research by doing a VirusTotal search, export portions of the PE file to CyberChef for further processing, finding and dumping PE files from an IDA database and reconstruct imports, etc.

“Reverse engineering of malware is an extremely time- and labor-intensive process, which can involve hours of disassembling and sometimes deconstructing a software program,” BlackBerry stated.

“The BlackBerry Research and Intelligence team initially developed this open source tool for internal use and is now making it available to the malware reverse engineering community.”

What’s next?

It’s not unusual for cybersecurity and IT firms (as well as government agencies) to open source security tools they used internally.

Bonner noted that this free tool for reverse-engineering is under active development and new features will be added frequently.

“The next major release will focus on rekall support, offering the ability to view and dump processes from either a memory dump or live system,” he shared. The Rekall Framework is collection of tools used for extracting and analyzing of digital artifacts computer systems.

“As cybercriminals up their game, the cybersecurity community needs new tools in their arsenal to defend and protect organizations and people,” said Eric Milam, Vice President of Research Operations, BlackBerry.

“We’ve created this solution to help the cybersecurity community in this fight, where there are now more than one billion pieces of malware with that number continuing to grow by upwards of 100 million pieces each year.”