PE-bear
PE-bear is a multiplatform reversing tool for PE files. Its objective is to deliver a fast and flexible “first view” for malware analysts, and to be stable and capable of handling malformed PE files.
Signatures for PE-bear:
- SIG.txt (updated: Oct 17, 2022) - contains signatures from PEid's UserDB - converted by a script provided by crashish
Builds
Available also via Chocolatey
main branch. You can download them by clicking on the build version, then choosing the tab Artifacts. WARNING: those builds may be unstable.
An archive of old releases is available here: https://github.com/hasherezade/pe-bear-releases
Available releases
The Linux build requires the appropriate Qt version (Qt_5.14 or Qt_5.15) to be installed.
The Windows build with vs13 suffix (built with Visual Studio 2013) has no external dependencies.
The Windows build with vs17 suffix (built with Visual Studio 2017) requires Microsoft Visual C++ 2015 Redistributable Package.
The Windows build with vs10 suffix is built with Qt4 (legacy), in contrast to the other builds, which are built with Qt5 (recommended). It is prepared for the purpose of backward compatibility with old versions of Windows (i.e. XP).
How to build
Requires:
- git
- cmake
- Qt5 (optionally Qt4)
- bearparser (submodule of the current repository)
- capstone (submodule of the current repository)
Clone
Use recursive clone to get the repo together with submodules:
git clone --recursive https://github.com/hasherezade/pe-bear.git
Building on Windows
Use CMake to generate a Visual Studio project. Open in Visual Studio and build.
Building on Linux and MacOS
To build it on Linux or MacOS you can use the given scripts:
- build.sh - default, builds with Qt5
- build_qt5.sh - builds with Qt5
- build_qt4.sh - builds with Qt4
To generate the .app bundle on MacOS you can use: