[HC Official] PE Analyzer, Reverse Engineering Tool
PE Analyzer

PE Analyzer is a static analysis tool for PE files (EXE, DLL, SYS, etc.), including:
  • PE Headers and Sections
  • Imports
  • Delay-Load Imports
  • Exports
  • Resources
  • Relocations
  • Debug Information
  • Packer signatures
  • Overlay offset and size
  • File Anomalies
  • File and Section Hashes

Requirements: JRE 1.7

Usage:

Code:
usage: java -jar peana.jar [<options>] <PEfile>
-h,--help          show help
-v,--version       show version
-o,--output        write report to output file

Example command for command line output:

Code:
java -jar peana.jar myfile.exe

Example command for file output:

Code:
java -jar peana.jar -o report.txt myfile.exe

Example Output:

Code:
____  _____      _                _                                        
|  _ \| ____|    / \   _ __   __ _| |_   _ _______ _ __                    
| |_) |  _|     / _ \ | '_ \ / _` | | | | |_  / _ \ '__|                    
|  __/| |___   / ___ \| | | | (_| | | |_| |/ /  __/ |                      
|_|  _|_____| /_/ _ \_\_| |_|\__,_|_|\__, /___\___|_|           _ _        
| | | | __ _  ___| | _____ ___  _ __ |___/_ __ ___  _   _ _ __ (_) |_ _   _
| |_| |/ _` |/ __| |/ / __/ _ \| '_ ` _ \| '_ ` _ \| | | | '_ \| | __| | | |
|  _  | (_| | (__|   < (_| (_) | | | | | | | | | | | |_| | | | | | |_| |_| |
|_| |_|\__,_|\___|_|\_\___\___/|_| |_| |_|_| |_| |_|\__,_|_| |_|_|\__|\__, |
                                                                       |___/
                          -by Deque-

Report For WinRar.exe
*********************

file size 0x12516a
full path /home/deque/portextestfiles/WinRar.exe

MSDOS Header
************

description                            value          file offset    
---------------------------------------------------------------------
signature word                         0x5a4d         0x0            
last page size                         0x50           0x2            
file pages                             0x2            0x4            
relocation items                       0x0            0x6            
header paragraphs                      0x4            0x8            
minimum number of paragraphs allocated 0xf            0xa            
maximum number of paragraphs allocated 0xffff         0xc            
initial SS value                       0x0            0xe            
initial SP value                       0xb8           0x10          
complemented checksum                  0x0            0x12          
initial IP value                       0x0            0x14          
pre-relocated initial CS value         0x0            0x16          
relocation table offset                0x40           0x18          
overlay number                         0x1a           0x1a          
Reserved word 0x1c                     0x0            0x1c          
Reserved word 0x1e                     0x0            0x1e          
Reserved word 0x20                     0x0            0x20          
Reserved word 0x22                     0x0            0x22          
OEM identifier                         0x0            0x24          
OEM information                        0x0            0x26          
Reserved word 0x28                     0x0            0x28          
Reserved word 0x2a                     0x0            0x2a          
Reserved word 0x2c                     0x0            0x2c          
Reserved word 0x2f                     0x0            0x2e          
Reserved word 0x30                     0x0            0x30          
Reserved word 0x32                     0x0            0x32          
Reserved word 0x34                     0x0            0x34          
Reserved word 0x36                     0x0            0x36          
Reserved word 0x38                     0x0            0x38          
Reserved word 0x3a                     0x0            0x3a          
PE signature offset                    0x200          0x3c          

COFF File Header
****************

time date stamp  Jan 17, 2007 11:36:54 AM
machine type     Intel 386 or later processors and compatible processors
characteristics  * Image only, Windows CE, and Windows NT and later.
                 * Machine is based on a 32-bit-word architecture.
                 * Image only.
                 * COFF line numbers have been removed. DEPRECATED
                 * COFF symbol table entries for local symbols have been removed. DEPRECATED

description                          value          file offset    
-------------------------------------------------------------------
machine type                         0x14c          0x204          
number of sections                   0x4            0x206          
time date stamp                      0x45adfc46     0x208          
pointer to symbol table (deprecated) 0x0            0x20c          
number of symbols (deprecated)       0x0            0x210          
size of optional header              0xe0           0x214          
characteristics                      0x10f          0x216          

Optional Header
***************

standard field                       value            file offset      
-----------------------------------------------------------------------
magic number                         0x10b            0x218            
major linker version                 0x5              0x21a            
minor linker version                 0x0              0x21b            
size of code                         0x11000          0x21c            
size of initialized data             0x4000           0x220            
size of unitialized data             0x0              0x224            
address of entry point               0x1000           0x228            
address of base of code              0x1000           0x22c            
address of base of data              0x12000          0x230            

windows field                        value            file offset      
-----------------------------------------------------------------------
image base                           0x400000         0x234            
section alignment in bytes           0x1000           0x238            
file alignment in bytes              0x200            0x23c            
major operating system version       0x4              0x240            
minor operating system version       0x0              0x242            
major image version                  0x0              0x244            
minor image version                  0x0              0x246            
major subsystem version              0x4              0x248            
minor subsystem version              0x0              0x24a            
win32 version value (reserved)       0x0              0x24c            
size of image in bytes               0x1d000          0x250            
size of headers                      0x400            0x254            
checksum                             0x0              0x258            
subsystem                            0x2              0x25c            
dll characteristics                  0x0              0x25e            
size of stack reserve                0x100000         0x260            
size of stack commit                 0x2000           0x264            
size of heap reserve                 0x100000         0x268            
size of heap commit                  0x1000           0x26c            
loader flags (reserved)              0x0              0x270            
number of rva and sizes              0x10             0x274            

data directory          virtual address  size             file offset      
-----------------------------------------------------------------------
import table            0x16000          0xf05            0x280            
resource table          0x17000          0x6000           0x288            

Section Table
*************
                         1. .text        2. .data        3. .idata       4. .rsrc      
-----------------------------------------------------------------------------------------
Entropy                  0.80            0.60            0.60            0.85          
Pointer To Raw Data      0x600           0x10c00         0x11600         0x12600        
Size Of Raw Data         0x10600         0xa00           0x1000          0x6000        
Physical End             0x10c00         0x11600         0x12600         0x18600        
Virtual Address          0x1000          0x12000         0x16000         0x17000        
Virtual Size             0x11000         0x4000          0x1000          0x6000        
Pointer To Relocations   0x0             0x0             0x0             0x0            
Number Of Relocations    0x0             0x0             0x0             0x0            
Pointer To Line Numbers  0x0             0x0             0x0             0x0            
Number Of Line Numbers   0x0             0x0             0x0             0x0            
Code                     x                                                              
Initialized Data                         x               x               x              
Execute                  x                                                              
Write                                    x                                              

Imports
*******

ADVAPI32.DLL
rva: 90292 (0x160b4), name: RegCloseKey, hint: 0
rva: 90296 (0x160b8), name: RegCreateKeyExA, hint: 0
rva: 90300 (0x160bc), name: RegOpenKeyExA, hint: 0
rva: 90304 (0x160c0), name: RegQueryValueExA, hint: 0
rva: 90308 (0x160c4), name: RegSetValueExA, hint: 0

KERNEL32.DLL
rva: 90340 (0x160e4), name: CloseHandle, hint: 0
rva: 90344 (0x160e8), name: CompareStringA, hint: 0
rva: 90348 (0x160ec), name: CreateDirectoryA, hint: 0
rva: 90352 (0x160f0), name: CreateDirectoryW, hint: 0
rva: 90356 (0x160f4), name: CreateFileA, hint: 0
rva: 90360 (0x160f8), name: CreateFileW, hint: 0
rva: 90364 (0x160fc), name: DeleteFileA, hint: 0
rva: 90368 (0x16100), name: DeleteFileW, hint: 0
rva: 90372 (0x16104), name: DosDateTimeToFileTime, hint: 0
rva: 90376 (0x16108), name: ExitProcess, hint: 0
rva: 90380 (0x1610c), name: ExpandEnvironmentStringsA, hint: 0
rva: 90384 (0x16110), name: FileTimeToLocalFileTime, hint: 0
rva: 90388 (0x16114), name: FileTimeToSystemTime, hint: 0
rva: 90392 (0x16118), name: FindClose, hint: 0
rva: 90396 (0x1611c), name: FindFirstFileA, hint: 0
rva: 90400 (0x16120), name: FindFirstFileW, hint: 0
rva: 90404 (0x16124), name: FindNextFileA, hint: 0
rva: 90408 (0x16128), name: FindNextFileW, hint: 0
rva: 90412 (0x1612c), name: FindResourceA, hint: 0
rva: 90416 (0x16130), name: FreeLibrary, hint: 0
rva: 90420 (0x16134), name: GetCPInfo, hint: 0
rva: 90424 (0x16138), name: GetCommandLineA, hint: 0
rva: 90428 (0x1613c), name: GetCurrentDirectoryA, hint: 0
rva: 90432 (0x16140), name: GetDateFormatA, hint: 0
rva: 90436 (0x16144), name: GetFileAttributesA, hint: 0
rva: 90440 (0x16148), name: GetFileAttributesW, hint: 0
rva: 90444 (0x1614c), name: GetFileType, hint: 0
rva: 90448 (0x16150), name: GetFullPathNameA, hint: 0
rva: 90452 (0x16154), name: GetLastError, hint: 0
rva: 90456 (0x16158), name: GetLocaleInfoA, hint: 0
rva: 90460 (0x1615c), name: GetModuleFileNameA, hint: 0
rva: 90464 (0x16160), name: GetModuleHandleA, hint: 0
rva: 90468 (0x16164), name: GetNumberFormatA, hint: 0
rva: 90472 (0x16168), name: GetProcAddress, hint: 0
rva: 90476 (0x1616c), name: GetProcessHeap, hint: 0
rva: 90480 (0x16170), name: GetStdHandle, hint: 0
rva: 90484 (0x16174), name: GetTempPathA, hint: 0
rva: 90488 (0x16178), name: GetTickCount, hint: 0
rva: 90492 (0x1617c), name: GetTimeFormatA, hint: 0
rva: 90496 (0x16180), name: GetVersionExA, hint: 0
rva: 90500 (0x16184), name: GlobalAlloc, hint: 0
rva: 90504 (0x16188), name: HeapAlloc, hint: 0
rva: 90508 (0x1618c), name: HeapFree, hint: 0
rva: 90512 (0x16190), name: HeapReAlloc, hint: 0
rva: 90516 (0x16194), name: IsDBCSLeadByte, hint: 0
rva: 90520 (0x16198), name: LoadLibraryA, hint: 0
rva: 90524 (0x1619c), name: LocalFileTimeToFileTime, hint: 0
rva: 90528 (0x161a0), name: MoveFileA, hint: 0
rva: 90532 (0x161a4), name: MoveFileExA, hint: 0
rva: 90536 (0x161a8), name: MultiByteToWideChar, hint: 0
rva: 90540 (0x161ac), name: ReadFile, hint: 0
rva: 90544 (0x161b0), name: SetCurrentDirectoryA, hint: 0
rva: 90548 (0x161b4), name: SetEndOfFile, hint: 0
rva: 90552 (0x161b8), name: SetEnvironmentVariableA, hint: 0
rva: 90556 (0x161bc), name: SetFileAttributesA, hint: 0
rva: 90560 (0x161c0), name: SetFileAttributesW, hint: 0
rva: 90564 (0x161c4), name: SetFilePointer, hint: 0
rva: 90568 (0x161c8), name: SetFileTime, hint: 0
rva: 90572 (0x161cc), name: SetLastError, hint: 0
rva: 90576 (0x161d0), name: Sleep, hint: 0
rva: 90580 (0x161d4), name: SystemTimeToFileTime, hint: 0
rva: 90584 (0x161d8), name: WaitForSingleObject, hint: 0
rva: 90588 (0x161dc), name: WideCharToMultiByte, hint: 0
rva: 90592 (0x161e0), name: WriteFile, hint: 0
rva: 90596 (0x161e4), name: lstrcmpiA, hint: 0
rva: 90600 (0x161e8), name: lstrlenA, hint: 0

COMCTL32.DLL
ordinal: 17, rva: 90876 (0x162fc)

COMDLG32.DLL
rva: 90892 (0x1630c), name: CommDlgExtendedError, hint: 0
rva: 90896 (0x16310), name: GetOpenFileNameA, hint: 0

GDI32.DLL
rva: 90916 (0x16324), name: DeleteObject, hint: 0

SHELL32.DLL
rva: 90932 (0x16334), name: SHBrowseForFolderA, hint: 0
rva: 90936 (0x16338), name: SHChangeNotify, hint: 0
rva: 90940 (0x1633c), name: SHFileOperationA, hint: 0
rva: 90944 (0x16340), name: SHGetFileInfoA, hint: 0
rva: 90948 (0x16344), name: SHGetMalloc, hint: 0
rva: 90952 (0x16348), name: SHGetSpecialFolderLocation, hint: 0
rva: 90956 (0x1634c), name: ShellExecuteExA, hint: 0
rva: 90960 (0x16350), name: SHGetPathFromIDListA, hint: 0

USER32.DLL
rva: 91004 (0x1637c), name: CharToOemA, hint: 0
rva: 91008 (0x16380), name: CharToOemBuffA, hint: 0
rva: 91012 (0x16384), name: CharUpperA, hint: 0
rva: 91016 (0x16388), name: CopyRect, hint: 0
rva: 91020 (0x1638c), name: CreateWindowExA, hint: 0
rva: 91024 (0x16390), name: DefWindowProcA, hint: 0
rva: 91028 (0x16394), name: DestroyIcon, hint: 0
rva: 91032 (0x16398), name: DestroyWindow, hint: 0
rva: 91036 (0x1639c), name: DialogBoxParamA, hint: 0
rva: 91040 (0x163a0), name: DispatchMessageA, hint: 0
rva: 91044 (0x163a4), name: EnableWindow, hint: 0
rva: 91048 (0x163a8), name: EndDialog, hint: 0
rva: 91052 (0x163ac), name: FindWindowExA, hint: 0
rva: 91056 (0x163b0), name: GetClassNameA, hint: 0
rva: 91060 (0x163b4), name: GetClientRect, hint: 0
rva: 91064 (0x163b8), name: GetDlgItem, hint: 0
rva: 91068 (0x163bc), name: GetDlgItemTextA, hint: 0
rva: 91072 (0x163c0), name: GetMessageA, hint: 0
rva: 91076 (0x163c4), name: GetParent, hint: 0
rva: 91080 (0x163c8), name: GetSysColor, hint: 0
rva: 91084 (0x163cc), name: GetSystemMetrics, hint: 0
rva: 91088 (0x163d0), name: GetWindow, hint: 0
rva: 91092 (0x163d4), name: GetWindowLongA, hint: 0
rva: 91096 (0x163d8), name: GetWindowRect, hint: 0
rva: 91100 (0x163dc), name: GetWindowTextA, hint: 0
rva: 91104 (0x163e0), name: IsWindow, hint: 0
rva: 91108 (0x163e4), name: IsWindowVisible, hint: 0
rva: 91112 (0x163e8), name: LoadBitmapA, hint: 0
rva: 91116 (0x163ec), name: LoadCursorA, hint: 0
rva: 91120 (0x163f0), name: LoadIconA, hint: 0
rva: 91124 (0x163f4), name: LoadStringA, hint: 0
rva: 91128 (0x163f8), name: MapWindowPoints, hint: 0
rva: 91132 (0x163fc), name: MessageBoxA, hint: 0
rva: 91136 (0x16400), name: OemToCharA, hint: 0
rva: 91140 (0x16404), name: OemToCharBuffA, hint: 0
rva: 91144 (0x16408), name: PeekMessageA, hint: 0
rva: 91148 (0x1640c), name: PostMessageA, hint: 0
rva: 91152 (0x16410), name: RegisterClassExA, hint: 0
rva: 91156 (0x16414), name: SendDlgItemMessageA, hint: 0
rva: 91160 (0x16418), name: SendMessageA, hint: 0
rva: 91164 (0x1641c), name: SetDlgItemTextA, hint: 0
rva: 91168 (0x16420), name: SetFocus, hint: 0
rva: 91172 (0x16424), name: SetMenu, hint: 0
rva: 91176 (0x16428), name: SetWindowLongA, hint: 0
rva: 91180 (0x1642c), name: SetWindowPos, hint: 0
rva: 91184 (0x16430), name: SetWindowTextA, hint: 0
rva: 91188 (0x16434), name: ShowWindow, hint: 0
rva: 91192 (0x16438), name: TranslateMessage, hint: 0
rva: 91196 (0x1643c), name: UpdateWindow, hint: 0
rva: 91200 (0x16440), name: WaitForInputIdle, hint: 0
rva: 91204 (0x16444), name: wsprintfA, hint: 0
rva: 91208 (0x16448), name: wvsprintfA, hint: 0

OLE32.DLL
rva: 91428 (0x16524), name: CLSIDFromString, hint: 0
rva: 91432 (0x16528), name: CoCreateInstance, hint: 0
rva: 91436 (0x1652c), name: CreateStreamOnHGlobal, hint: 0
rva: 91440 (0x16530), name: OleInitialize, hint: 0
rva: 91444 (0x16534), name: OleUninitialize, hint: 0

Resources
*********

address: 0x12a04, size: 0x36b0, language -> ID: 1049, name -> , type -> ID: RT_BITMAP
address: 0x160b4, size: 0x8a8, language -> ID: 1049, name -> ID: 1, type -> ID: RT_ICON
address: 0x1695c, size: 0x568, language -> ID: 1049, name -> ID: 2, type -> ID: RT_ICON
address: 0x16ec4, size: 0x2e8, language -> ID: 1049, name -> ID: 3, type -> ID: RT_ICON
address: 0x171ac, size: 0x128, language -> ID: 1049, name -> ID: 4, type -> ID: RT_ICON
address: 0x172d4, size: 0xd8, language -> ID: 1049, name -> , type -> ID: RT_DIALOG
address: 0x173ac, size: 0x12e, language -> ID: 1049, name -> , type -> ID: RT_DIALOG
address: 0x174dc, size: 0x338, language -> ID: 1049, name -> , type -> ID: RT_DIALOG
address: 0x17814, size: 0x272, language -> ID: 1049, name -> , type -> ID: RT_DIALOG
address: 0x17a88, size: 0x22c, language -> ID: 1049, name -> ID: 7, type -> ID: RT_STRING
address: 0x17cb4, size: 0x376, language -> ID: 1049, name -> ID: 8, type -> ID: RT_STRING
address: 0x1802c, size: 0x200, language -> ID: 1049, name -> ID: 9, type -> ID: RT_STRING
address: 0x1822c, size: 0x10, language -> ID: 0, name -> , type -> ID: RT_RCDATA
address: 0x1823c, size: 0x3e, language -> ID: 1049, name -> ID: 100, type -> ID: RT_GROUP_ICON
address: 0x1827c, size: 0x331, language -> ID: 1049, name -> ID: 1, type -> ID: RT_MANIFEST

Overlay
*******

Overlay at offset 0x18600
Overlay size      0x10cb6a

Anomalies
*********

* Deprecated Characteristic in COFF File Header: IMAGE_FILE_LINE_NUMS_STRIPPED
* Deprecated Characteristic in COFF File Header: IMAGE_FILE_LOCAL_SYMS_STRIPPED
* Optional Header: Size of Headers should be 512, but is 1024
* Section Header 3 with name .idata should (but doesn't) contain the characteristics: Write

Hashes
******

MD5:    54e97d9059e3ba4e4dee6f0433fec960
SHA256: df7509783db57a7ed2b2c794cea04a08f1ca7c289999730c4b914237eeb3b072

Section      Type      Hash Value                                                      
---------------------------------------------------------------------------------------
1. .text     MD5       496ecf611b45abe56f64ab3ab495faf3                                
             SHA256    000048859a45a60fbca06ff292250bbc0e7249f85dad368288b573e2dcdd34be
2. .data     MD5       23f563d2bed9b8916cb8f7b69b0902de                                
             SHA256    6023c1b0fd34a9e2bf0e1cadc7fe762db6f2986f0094dd92bfa68f5d4dac68c5
3. .idata    MD5       ad1f7c6cd9b9a20390018781b70fb1a3                                
             SHA256    078455084d1ff6b9b2b44a940987bf79253307191de75a3a2b3cf64ef863864b
4. .rsrc     MD5       03b360092b3b19a3cf43f2c213c54d5c                                
             SHA256    57f13d22be498f7f77bd87afedc8732a550a0c7957ac3e641ef32a3dc2b0ea7e
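
The parts of the report that matter most in triage (header fields, section table, overlay, per-section hashes and entropy, anomalies) can be reproduced with a short parser. What follows is an added example, not PortEx/peana.jar code: it builds a small constructed PE32 image in memory so it runs offline, and analyze() accepts the bytes of any real EXE/DLL read from disk. The anomaly checks are this example's own heuristics, modelled on the kinds of findings listed above. Note how the overlay is derived: it starts at the largest PointerToRawData + SizeOfRawData of any section, which is why the report shows 0x18600 (the physical end of .rsrc) and an overlay size of 0x10cb6a, exactly the file size 0x12516a minus that offset.

```python
"""Minimal PE static triage: headers, section table, overlay, hashes, anomalies.

Added example, not PortEx / peana.jar code.  build_sample() constructs a tiny
PE image in memory so the script runs offline; analyze() works on the bytes
of any real EXE/DLL read from disk.
"""
import hashlib
import math
import struct

# Flag values from the PE/COFF specification
IMAGE_FILE_LINE_NUMS_STRIPPED = 0x0004    # deprecated, flagged by the report
IMAGE_FILE_LOCAL_SYMS_STRIPPED = 0x0008   # deprecated, flagged by the report
IMAGE_SCN_MEM_WRITE = 0x80000000          # section is writable
COFF_FMT, SECTION_FMT = "<HHIIIHH", "<8sIIIIIIHHI"   # 20 and 40 bytes


def entropy(buf):
    """Shannon entropy of buf normalised to 0.0..1.0 (bits per byte / 8), as the report prints it."""
    if not buf:
        return 0.0
    n, counts = len(buf), [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c) / 8


def hash_bytes(buf):
    """MD5 and SHA256 hex digests, as printed in the Hashes section."""
    return {"md5": hashlib.md5(buf).hexdigest(), "sha256": hashlib.sha256(buf).hexdigest()}


def analyze(data):
    """Parse MS-DOS, COFF and Optional headers plus the section table; derive overlay and anomalies."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)          # 'PE signature offset' in the report
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, _stamp, _psym, _nsym, opt_size, chars = struct.unpack_from(COFF_FMT, data, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    entry, = struct.unpack_from("<I", data, opt + 16)
    file_align, = struct.unpack_from("<I", data, opt + 36)
    size_of_headers, = struct.unpack_from("<I", data, opt + 60)
    sec_table = opt + opt_size

    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _pr, _pl, _nr, _nl, sc = struct.unpack_from(SECTION_FMT, data, sec_table + 40 * i)
        raw = data[rawptr:rawptr + rawsize]           # bytes the section occupies on disk
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_ptr": rawptr, "raw_size": rawsize,
                         "physical_end": rawptr + rawsize, "entropy": entropy(raw),
                         "characteristics": sc, **hash_bytes(raw)})

    # Overlay = everything after the last section's physical end (0x18600 in the report above).
    physical_end = max((s["physical_end"] for s in sections), default=size_of_headers)
    overlay = {"offset": physical_end, "size": max(len(data) - physical_end, 0)}

    anomalies = []   # heuristics of this example, modelled on the report's Anomalies section
    if chars & IMAGE_FILE_LINE_NUMS_STRIPPED:
        anomalies.append("Deprecated Characteristic in COFF File Header: IMAGE_FILE_LINE_NUMS_STRIPPED")
    if chars & IMAGE_FILE_LOCAL_SYMS_STRIPPED:
        anomalies.append("Deprecated Characteristic in COFF File Header: IMAGE_FILE_LOCAL_SYMS_STRIPPED")
    if file_align:   # heuristic: headers should end at the section table rounded up to FileAlignment
        expected = -(-(sec_table + 40 * nsec) // file_align) * file_align
        if size_of_headers != expected:
            anomalies.append(f"Optional Header: Size of Headers should be {expected}, but is {size_of_headers}")
    for s in sections:   # the loader patches the import directory, so .idata is normally writable
        if s["name"] == ".idata" and not s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            anomalies.append(f"Section {s['name']} should (but doesn't) contain the characteristics: Write")
    if entry and not any(s["va"] <= entry < s["va"] + max(s["vsize"], s["raw_size"]) for s in sections):
        anomalies.append(f"Entry point 0x{entry:x} lies outside every section")

    return {"machine": machine, "magic": magic, "number_of_sections": nsec, "entry_point": entry,
            "sections": sections, "overlay": overlay, "anomalies": anomalies, **hash_bytes(data)}


def build_sample():
    """Constructed 0x610-byte PE32 image: .text, .data and a 16-byte overlay (test input, not a real file)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # PE header directly after the DOS header
    coff = struct.pack(COFF_FMT, 0x14C, 2, 0, 0, 0, 0xE0, 0x10F)    # i386, 2 sections, same flags as the report
    opt = bytearray(0xE0)
    for off, val in ((0, 0x10B), (16, 0x1000), (28, 0x400000), (32, 0x1000), (36, 0x200), (60, 0x200)):
        struct.pack_into("<H" if off == 0 else "<I", opt, off, val)  # magic, entry, image base, alignments, headers size
    secs = struct.pack(SECTION_FMT, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SECTION_FMT, b".data", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs).ljust(0x200, b"\0")
    text = bytes(range(256)) * 2      # every byte value twice -> entropy 1.0 (packed-looking)
    datasec = bytes(0x200)            # all zeros -> entropy 0.0
    return headers + text + datasec + b"OVERLAY-DATA-123"   # 16 bytes past the last section


if __name__ == "__main__":
    r = analyze(build_sample())
    for s in r["sections"]:
        print(f"{s['name']:<8} entropy {s['entropy']:.2f} raw 0x{s['raw_ptr']:x}-0x{s['physical_end']:x} md5 {s['md5']}")
    print("overlay", {k: hex(v) for k, v in r["overlay"].items()}, "anomalies", r["anomalies"])
```

Run it on a real sample with analyze(open(path, "rb").read()). A large overlay combined with a high-entropy section is the usual sign of an installer, a self-extracting archive (the WinRar report above is one) or a packer; per-section hashes let you match a section against known-good builds even when the whole-file hash differs.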

Download:

https://github.com/Doubleendedqueue/Pape.../peana.jar
[HC Official] PE Analyzer, Reverse Engineering Tool - by Deque - 09-02-2014, 03:02 PM