
Te-k / Pecli

License: MIT
CLI tool to analyze PE files

Projects that are alternatives of or similar to Pecli

Freki
🐺 Malware analysis platform
Stars: ✭ 285 (+519.57%)
Mutual labels:  malware, malware-analysis, yara, reverse-engineering
Pepper
An open source script to perform malware static analysis on Portable Executable
Stars: ✭ 250 (+443.48%)
Mutual labels:  malware, malware-analysis, yara
Antidebugging
A collection of c++ programs that demonstrate common ways to detect the presence of an attached debugger.
Stars: ✭ 161 (+250%)
Mutual labels:  malware, malware-analysis, reverse-engineering
yara
Malice Yara Plugin
Stars: ✭ 27 (-41.3%)
Mutual labels:  malware, malware-analysis, yara
Multiscanner
Modular file scanning/analysis framework
Stars: ✭ 494 (+973.91%)
Mutual labels:  malware, malware-analysis, yara
Pafish
Pafish is a testing tool that uses different techniques to detect virtual machines and malware analysis environments in the same way that malware families do
Stars: ✭ 2,026 (+4304.35%)
Mutual labels:  malware, reverse-engineering, malware-analysis
Yargen
yarGen is a generator for YARA rules
Stars: ✭ 795 (+1628.26%)
Mutual labels:  malware, malware-analysis, yara
Malware Analysis Scripts
Collection of scripts for different malware analysis tasks
Stars: ✭ 61 (+32.61%)
Mutual labels:  malware, malware-analysis, reverse-engineering
Pwndbg
Exploit Development and Reverse Engineering with GDB Made Easy
Stars: ✭ 4,178 (+8982.61%)
Mutual labels:  malware, malware-analysis, reverse-engineering
Simpleator
Simpleator ("Simple-ator") is an innovative Windows-centric x64 user-mode application emulator that leverages several new features that were added in Windows 10 Spring Update (1803), also called "Redstone 4", with additional improvements that were made in Windows 10 October Update (1809), aka "Redstone 5".
Stars: ✭ 260 (+465.22%)
Mutual labels:  malware, malware-analysis, reverse-engineering
binlex
A Binary Genetic Traits Lexer Framework
Stars: ✭ 303 (+558.7%)
Mutual labels:  malware, malware-analysis, yara
Drakvuf Sandbox
DRAKVUF Sandbox - automated hypervisor-level malware analysis system
Stars: ✭ 384 (+734.78%)
Mutual labels:  malware, malware-analysis, reverse-engineering
freki
🐺 Malware analysis platform
Stars: ✭ 327 (+610.87%)
Mutual labels:  malware, malware-analysis, yara
Simplify
Android virtual machine and deobfuscator
Stars: ✭ 3,865 (+8302.17%)
Mutual labels:  malware, malware-analysis, reverse-engineering
Dex Oracle
A pattern based Dalvik deobfuscator which uses limited execution to improve semantic analysis
Stars: ✭ 398 (+765.22%)
Mutual labels:  malware, malware-analysis, reverse-engineering
Lazy importer
library for importing functions from dlls in a hidden, reverse engineer unfriendly way
Stars: ✭ 544 (+1082.61%)
Mutual labels:  malware, reverse-engineering
Malware Samples
A collection of malware samples and relevant dissection information, most probably referenced from http://blog.inquest.net
Stars: ✭ 565 (+1128.26%)
Mutual labels:  malware, malware-analysis
Makin
makin - reveal anti-debugging and anti-VM tricks [This project is not maintained anymore]
Stars: ✭ 645 (+1302.17%)
Mutual labels:  malware-analysis, reverse-engineering
Apklab
Android Reverse-Engineering Workbench for VS Code
Stars: ✭ 470 (+921.74%)
Mutual labels:  malware-analysis, reverse-engineering
Anti Emulator
Android Anti-Emulator
Stars: ✭ 587 (+1176.09%)
Mutual labels:  malware, reverse-engineering

PEcli

Tool to analyze PE files in Python 3. Current features:

  • Show information about the file (imports, exports, resources)
  • Search for interesting information in the file (abnormal resources, PEiD signatures, ...)
  • Dump sections or resources
  • Check the file size against the size declared in the headers
  • Search for a string in the file


Installation

You can install it from PyPI: pip install pecli

Or directly from the source:

git clone https://github.com/Te-k/pecli.git
cd pecli
pip install .

How to

PEcli is organized as plugins, invoked as pecli PLUGIN FILE:

usage: pecli [-h] {check,checksize,crypto,dump,info,richpe,search,shell,sig,strings,vt} ...

positional arguments:
  {check,checksize,crypto,dump,info,richpe,search,shell,sig,strings,vt}
                        Plugins
    check               Check for stuff in the file
    checksize           Check size of the PE file
    crypto              Identifies cryptographic values
    dump                Dump resource or section of the file
    info                Extract info from the PE file
    richpe              Decode Rich PE Header
    search              Search for a string in a PE file
    shell               Launch ipython shell to analyze the PE file
    sig                 Handle PE Signature
    strings             Extract strings from the PE file
    vt                  Check PE information in VirusTotal

Example:

$ pecli info explorer.exe
Metadata
================================================================================
MD5:           418045a93cd87a352098ab7dabe1b53e
SHA1:          98b9ad668e0727be888b861f49aac0f72725e634
SHA256:        81419093ccb985da284931fa3df41c4cfe25350db1c366792903411819371664
Imphash:       c3eb9567e9430e65e703dca7bb8343fa
Size:          1036800 bytes
Type:          PE32 executable (GUI) Intel 80386, for MS Windows
Compile Time:  2008-04-13 19:17:04 (UTC - 0x48025C30)
Entry point:   0x101a55f (section .text)
Debug Information: explorer.pdb

Sections
================================================================================
Name       VirtSize  VirtAddr  RawSize   RawAddr   Entropy  md5
.text      0x44c09   0x1000    0x400     0x44e00   6.3838   8c58c76b600f5aee7f7c7242454b9a1f
.data      0x1db4    0x46000   0x45200   0x1800    1.2992   983f35021232560eaaa99fcbc1b7d359
.rsrc      0xb2f64   0x48000   0x46a00   0xb3000   6.6381   f7df812e2e64b1514d61a9681fbe71da
.reloc     0x374c    0xfb000   0xf9a00   0x3800    6.7817   ec335057489badbf6d8142b57175fd91


Imports
================================================================================
ADVAPI32.dll
	0x1001000 RegSetValueW
	0x1001004 RegEnumKeyExW
	0x1001008 GetUserNameW
[SNIP]

Resources:
================================================================================
Id           Name    Size      Lang           Sublang           Type           MD5
2-143-1031   None    2040 B    LANG_GERMAN    SUBLANG_GERMAN    data           f0e8e299c637633db0a5af11042adb04
2-145-1031   None    35322 B   LANG_GERMAN    SUBLANG_GERMAN    data           1e5bfaf34503ce750b3cc13058a3f88b
2-146-1031   None    12826 B   LANG_GERMAN    SUBLANG_GERMAN    data           061daf6ef2047f33947d5655f1c8aaa4
[SNIP]
$ pecli check playlib.exe
Running checks on playlib.exe:
[+] Abnormal section names: .enigma1 .enigma2
[+] Suspicious section's entropy: .enigma1 - 7.931
[+] Known malicious sections
	-.enigma1: Enigma Virtual Box protector
	-.enigma2: Enigma Virtual Box protector
[+] 200 extra bytes in the file
[+] TLS Callback: 0x446bb0
[+] PE header in sections .enigma2
[+] Known suspicious import hash: Enigma VirtualBox
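The `check` output above reports abnormal section names, high section entropy, section names tied to a known protector, and extra bytes appended after the last section. The following script is an added example, not pecli's own code: using only the Python standard library it walks the DOS header, PE signature, COFF header and section table of a PE image and reproduces those four checks. The constructed sample image, the STANDARD_SECTIONS list, the 7.0 bits/byte entropy threshold and the section characteristics used when building the sample are assumptions; the two Enigma section names are the ones shown in the output above.

```python
import math
import random
import struct
from collections import Counter

# Assumption: an illustrative list of section names emitted by mainstream linkers.
STANDARD_SECTIONS = {b".text", b".data", b".rdata", b".rsrc", b".reloc",
                     b".idata", b".edata", b".bss", b".tls", b".pdata"}
# Section names tied to a known protector; these two are the ones reported by
# pecli in the output above.
KNOWN_MALICIOUS_SECTIONS = {
    b".enigma1": "Enigma Virtual Box protector",
    b".enigma2": "Enigma Virtual Box protector",
}
ENTROPY_THRESHOLD = 7.0  # assumption: packed or encrypted data usually sits above 7 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.

    Returns a list of (name, pointer_to_raw_data, size_of_raw_data) tuples."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (number_of_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (size_of_optional_header,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + size_of_optional_header
    sections = []
    for i in range(number_of_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0")
        _virt_size, _virt_addr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, raw_ptr, raw_size))
    return sections


def run_checks(pe: bytes) -> dict:
    """Replicate the section-level checks from the `pecli check` output above."""
    findings = {"abnormal_names": [], "high_entropy": [], "known_malicious": [], "overlay_bytes": 0}
    last_byte = 0
    for name, raw_ptr, raw_size in parse_sections(pe):
        label = name.decode(errors="replace")
        data = pe[raw_ptr:raw_ptr + raw_size]
        if name not in STANDARD_SECTIONS:
            findings["abnormal_names"].append(label)
        entropy = shannon_entropy(data)
        if entropy > ENTROPY_THRESHOLD:
            findings["high_entropy"].append((label, round(entropy, 3)))
        if name in KNOWN_MALICIOUS_SECTIONS:
            findings["known_malicious"].append((label, KNOWN_MALICIOUS_SECTIONS[name]))
        last_byte = max(last_byte, raw_ptr + raw_size)
    # Bytes after the end of the last section are an overlay ("extra bytes" in pecli's wording).
    findings["overlay_bytes"] = max(0, len(pe) - last_byte)
    return findings


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image: a low-entropy .text section, a high-entropy
    .enigma1 section and 200 bytes of overlay. Not a real executable."""
    text_data = b"\x90" * 256 + b"\xc3" * 256            # two symbols -> entropy 1.0
    rng = random.Random(1)                               # deterministic pseudo-random payload
    packed_data = bytes(rng.getrandbits(8) for _ in range(0x1000))
    sections = [(b".text", text_data), (b".enigma1", packed_data)]
    headers_size = 0x200

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    optional = struct.pack("<H", 0x10B) + b"\0" * 222      # PE32 magic, remaining fields zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(optional), 0x0102)
    table, body, raw_ptr = b"", b"", headers_size
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), raw_ptr, len(data), raw_ptr,
                             0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    header = dos + b"PE\0\0" + coff + optional + table
    header += b"\0" * (headers_size - len(header))
    return header + body + b"\0" * 200


if __name__ == "__main__":
    for key, value in run_checks(build_sample_pe()).items():
        print(f"[+] {key}: {value}")
```

The sample deliberately sets the virtual address of each section equal to its file offset; the checks only read SizeOfRawData and PointerToRawData, so the optional header is reduced to its magic value and the remaining fields are zero.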

License

This tool is published under the MIT License.
