Latest release 0.5.0 (17 August 2020) – switched to Qt5

What is it?

PE-bear is a freeware reversing tool for PE files. Its objective was to deliver a fast and flexible “first view” tool for malware analysts, stable and capable of handling malformed PE files.

PE-bear’s parser is open source: https://github.com/hasherezade/bearparser (works on Windows and Linux). It comes with a command-line tool (bearcommander). I am looking forward to hearing any remarks!

NOTE:

I officially discontinued the project in April 2014 after releasing 0.3.7 (23.03.2014). However, as per user requests, in April 2018 I released version 0.3.8 with bugfixes. That release has been downloaded 15,918 times, which exceeded my expectations. Because this project still has a group of active users and gets positive reviews, I decided to reopen development.



Fun Fact

…CIA uses it 😉



source: “Vault 7: CIA Hacking Tools Revealed”

(https://wikileaks.org/ciav7p1/cms/page_20250761.html)

Download

Read more about this release here.

Available here: [PE-bear 0.5.0 32bit] [PE-bear 0.5.0 64bit] (requires: Microsoft Visual C++ 2010 Redistributable Package, available here: [Redist 32bit] [Redist 64bit])

for Linux*: [64bit] (requires: Qt_5.12)

* the Linux build is experimental

Signatures (updated 22.01.2014):

SIG.txt (it contains signatures from PEiD’s UserDB, converted by a script provided by crashish)

Features and details

handles PE32 and PE64

views multiple files in parallel

recognizes known packers (by signatures)

fast disassembler – starting from any chosen RVA/File offset

visualization of sections layout

selective comparing of two chosen PE files

adding new elements (sections, imports)

and more…

Any suggestions/bug reports are welcome. I am waiting for your e-mails and comments.

Special thanks to Ange Albertini for valuable advice and an excellent set of corner-case samples



Screenshots

See the sections and visualization of their layout:

PE-bear also comes with a simple, interactive disassembler: