
pe-bear's Introduction

PE-bear


PE-bear is a multiplatform reversing tool for PE files. Its objective is to deliver a fast and flexible “first view” for malware analysts: stable, and capable of handling malformed PE files.

Signatures for PE-bear:

Builds

📦 ⚙️ Download the latest release.

Windows Packaging

Available also via Chocolatey

Available also via Scoop

Test Builds

🧪 Fresh test builds (ahead of the official release) can be downloaded from the AppVeyor build server. They are created on each commit to the main branch. You can download them by clicking on the build version, then choosing the tab Artifacts. WARNING: those builds may be unstable.

An archive of old releases is available here: https://github.com/hasherezade/pe-bear-releases

Available releases

The Linux build requires the matching Qt version (Qt 5.14 or Qt 5.15, respectively) to be installed.

The Windows build with the vs13 suffix (built with Visual Studio 2013) has no external dependencies.

The Windows build with the vs19 suffix (built with Visual Studio 2019) requires the redistributable package for Visual Studio 2015 - 2022.

The Windows build with the vs10 suffix is built with Qt4 (legacy), in contrast to the other builds, which use Qt5 (recommended). It is provided for backward compatibility with old versions of Windows (i.e. XP).

How to build

Requires:

  • git
  • cmake
  • Qt5 (optionally Qt4)
  • bearparser (submodule of the current repository)
  • capstone (submodule of the current repository)

Clone

Use recursive clone to get the repo together with submodules:

git clone --recursive https://github.com/hasherezade/pe-bear.git

Building on Windows

Use CMake to generate a Visual Studio project. Open in Visual Studio and build.

Building on Linux and MacOS

To build it on Linux or MacOS you can use the given scripts:

To generate the .app bundle on MacOS you can use:


If you like PE-bear, you can support it:

paypal

pe-bear's People

Contributors

fairycn, hasherezade, rizwan3d, simonsan, visuve, wesinator, xvitaly


pe-bear's Issues

How to inspect sections on object code

I tried to compile my source code into object code, and I'm following this tutorial to read the sections in the object file, but it seems that the object file generated by gcc on the windows platform will end up with the PE format (?)

which makes me unable to parse it: readelf: Error: Not an ELF file - it has the wrong magic bytes at the start

then I tried to install the pe-bear tool instead of readelf, but it gives the error "not supported filetype"; does that mean it is not working properly?

please enlighten me.

cannot see the imported dll whether is existed

I want to analyze a dll's import dependencies; I can only see which dlls it calls, but cannot find out whether the dll exists or not.
I hope you can add a tree view for the imported dlls and show an icon indicating whether each one exists on my Windows.
thank you.

it can't be installed on Mac M1

The Mac release doesn't work, and when I open it there is just a blank screen like this :-

Screenshot 2023-02-26 at 12 50 30 AM

and when I try to build it it gives this error :-

Trying to build PE-bear...
QMake version 3.1 Using Qt version 5.15.8 in /opt/homebrew/Cellar/qt@5/5.15.8_2/lib
[+] Qt5 found!
[+] CMake found!
cmake version 3.25.1 CMake suite maintained and supported by Kitware (kitware.com/cmake).
mkdir: build_qt5: File exists
[+] build directory created
CMake Error at CMakeLists.txt:65 (add_subdirectory):
The source directory

/Users/aviralsrivastava/pe-bear/capstone

does not contain a CMakeLists.txt file.

CMake Error at CMakeLists.txt:68 (add_subdirectory):
add_subdirectory given source "bearparser/parser" which is not an existing
directory.

-- capstone_includes='/Users/aviralsrivastava/pe-bear/capstone/include'
-- capstone_lib='$<TARGET_FILE:capstone>'
-- sigfind_dir='/Users/aviralsrivastava/pe-bear/sig_finder'
-- sigfind_lib='$<TARGET_FILE:sig_finder>'
-- parser_dir='/Users/aviralsrivastava/pe-bear/bearparser/parser'
-- parser_lib='$<TARGET_FILE:bearparser>'
-- disasm_dir='/Users/aviralsrivastava/pe-bear/disasm'
-- disasm_lib='/Users/aviralsrivastava/pe-bear/disasm'
-- Configuring incomplete, errors occurred!
See also "/Users/aviralsrivastava/pe-bear/build_qt5/CMakeFiles/CMakeOutput.log".
See also "/Users/aviralsrivastava/pe-bear/build_qt5/CMakeFiles/CMakeError.log".
make: Makefile: No such file or directory
make: *** No rule to make target `Makefile'. Stop.
make: *** No targets specified and no makefile found. Stop.

I tried with build.sh and build_qt5 but it gives same error.

PE-bear is having very hard time with browsing Exceptions info

Browsing the Exceptions tab is super slow on a big exe (60 MB: it takes seconds to scroll up or down, and sometimes the GUI even freezes).

BTW, I don't know how many records are in the Exception table.
Could you think about adding the count to the GUI?

thanks

NumberOfRvaAndSizes is ignored when reading data directories

Always reads 16 data directories, even when NumberOfRvaAndSizes is lower (SizeOfOptionalHeader is adjusted accordingly)

From the PE documentation:

Note that the number of directories is not fixed. Before looking for a specific directory, check the NumberOfRvaAndSizes field in the optional header.

Here's a simple executable showing the problem: test.exe (I had to add .txt to upload it here)

This file has two data directories. The rest are being interpreted from the section header, which starts at 0xD8 (notice how Resource Directory also thinks it's located at 0xD8).

image

Thanks for reading - this is a really nice tool!

Feature request - allow files with a non .exe/.DLL in the file name to be opened

Hello,

Often times I need to open PE files with PeBear where the file name does not end in a .exe or .DLL extension, e.g. the file name may just be a file hash/.bin/.virus etc.

Currently trying to open these in PEBear generates an error that it cannot open the file. The file needs to be renamed to have a .exe or .DLL extension in order for it to be opened.

It would be great to have the ability to open PE files where the file extension in the file name need not be .exe/.dll

Shellcode support

Thanks for the amazing tool!
It'll be nice to have support for viewing hex and disassembly of shellcode files.

It'll also be a lot more useful if one could set a "parsing point" manually inside the shellcode. Let's say we have a shellcode which has an embedded PE in it: it'll be nice to set the "parsing point" of the PE manually on the MZ header, then obtain a classic valid PE-bear view of the embedded PE, keeping the unparsed preceding shellcode part above, for example under a tag "invalid PE data".

Thanks again for PE-bear!!

ReproChecksum instead of TimeDateStamp

When I load a PE file, in the NT Header -> File Header, in the place where I should see TimeDateStamp, I see "ReproChecksum" in its place and the value doesn't make sense.

Any idea why? And how to show the actual compilation date?

GuardCFFunctionTable bug

I checked the issue history and found that this bug has been fixed, but it seems that it has not been completely fixed. The length of metadata should be determined according to GuardFlags
image

CMake version warnings

./CMakeLists.txt:

CMake Deprecation Warning at CMakeLists.txt:1 (cmake_minimum_required):
  Compatibility with CMake < 3.5 will be removed from a future version of
  CMake.

  Update the VERSION argument <min> value or use a ...<max> suffix to tell
  CMake that the project does not need compatibility with older versions.

./bearparser/parser/CMakeLists.txt

CMake Deprecation Warning at bearparser/parser/CMakeLists.txt:1 (cmake_minimum_required):
  Compatibility with CMake < 3.5 will be removed from a future version of
  CMake.

  Update the VERSION argument <min> value or use a ...<max> suffix to tell
  CMake that the project does not need compatibility with older versions.

./disasm/CMakeLists.txt:

CMake Deprecation Warning at disasm/CMakeLists.txt:1 (cmake_minimum_required):
  Compatibility with CMake < 3.5 will be removed from a future version of
  CMake.

  Update the VERSION argument <min> value or use a ...<max> suffix to tell
  CMake that the project does not need compatibility with older versions.

./pe-bear/CMakeLists.txt:

CMake Deprecation Warning at pe-bear/CMakeLists.txt:1 (cmake_minimum_required):
  Compatibility with CMake < 3.5 will be removed from a future version of
  CMake.

  Update the VERSION argument <min> value or use a ...<max> suffix to tell
  CMake that the project does not need compatibility with older versions.

./sig_finder/CMakeLists.txt:

CMake Deprecation Warning at sig_finder/CMakeLists.txt:1 (cmake_minimum_required):
  Compatibility with CMake < 3.5 will be removed from a future version of
  CMake.

  Update the VERSION argument <min> value or use a ...<max> suffix to tell
  CMake that the project does not need compatibility with older versions.

Please set the correct minimal CMake versions in all CMakeLists.txt files.

Make large tables sortable

Hi, and first of all thank you for this awesome tool! I switched over from CFF Explorer with the release of PE-bear 0.5.0 and I'm not looking back. :)

I'd just like to suggest a minor GUI enhancement: make some tables sortable, particularly the GuardCFFunctionTable and Exported Functions tables. These tables may contain upwards of 2k entries for e.g. ntdll.dll, and are presented in Offset order.
It would make looking things up inside those tables that much easier if they could be sorted by any of their other columns.

Cannot view imports/exports of nt 3.1 executables/dlls

Opening nt 3.1 pe32 files results in the following warning,
image
And the import/export tabs are missing.
This happens with all the nt 3.1 executables and dlls in the SYSTEM32 folder (that I've tested), including NOTEPAD.EXE.
These executables can be run on the latest version of Windows (they are the same executable type), and the imports/exports appear in programs like IDA.
image
PE-bear version: v0.6.7.3

Borland IMAGE_RESOURCE_DIRECTORY TimeDateStamp incorrectly decoded

The IMAGE_RESOURCE_DIRECTORY TimeDateStamp of a Borland C++ compiled DLL is not decoded as MS DOS Timedatestamp. The IMAGE_FILE_HEADER TimeDateStamp is decoded correctly, 0x42db5dac (2005/07/18 07:43:40), but the IMAGE_RESOURCE_DIRECTORY TimeDateStamp value 0x32f26d74 is decoded as 1997/01/31 22:08:52 instead of 2005/07/18 13:43:40.
As far as I know Visual Studio never sets the IMAGE_RESOURCE_DIRECTORY TimeDateStamp so I suggest either always decode that value as MS DOS Timestamp or show both decodings, Epoch and MS DOS.
File: unrar.dll (SHA1: 1195ee4a5e1c19daf13ded219ba874e903f49a48)
https://www.virustotal.com/gui/file/f0055ca904b9641f889c81ca72a485c92305363dfef12edc569cf2ca0e4bb0d0/details
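Added example, not part of this issue or of PE-bear's code: a small Python decoder that shows both readings of a TimeDateStamp field side by side, the Unix-epoch reading IMAGE_FILE_HEADER uses and the packed MS-DOS date/time reading described above. It returns None when the DOS fields do not form a valid calendar date, which is a cheap plausibility check, and `looks_like_msdos_stamp` is a heuristic of mine (not a documented rule) that compares the DOS reading of the resource stamp against the file-header date. The values are the ones quoted in this issue; the function names are mine.

```python
from datetime import datetime, timezone
from typing import Optional


def decode_epoch(value: int) -> datetime:
    """Read a 32-bit TimeDateStamp as seconds since the Unix epoch (UTC),
    the encoding IMAGE_FILE_HEADER.TimeDateStamp normally carries."""
    return datetime.fromtimestamp(value & 0xFFFFFFFF, tz=timezone.utc)


def decode_msdos(value: int) -> Optional[datetime]:
    """Read the same 32 bits as a packed MS-DOS date/time: high word = date
    (year-1980: 7 bits, month: 4, day: 5), low word = time (hour: 5,
    minute: 6, seconds/2: 5). Returns None if the fields are not a valid
    calendar value, which doubles as a plausibility test for this encoding."""
    date, time = (value >> 16) & 0xFFFF, value & 0xFFFF
    year, month, day = 1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F
    hour, minute, second = time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2
    try:
        return datetime(year, month, day, hour, minute, second)
    except ValueError:
        return None


def describe_timestamp(value: int) -> dict:
    """Both readings, formatted the way the issue quotes them."""
    dos = decode_msdos(value)
    return {
        "epoch": decode_epoch(value).strftime("%Y/%m/%d %H:%M:%S"),
        "msdos": dos.strftime("%Y/%m/%d %H:%M:%S") if dos else None,
    }


def looks_like_msdos_stamp(resource_stamp: int, file_header_stamp: int,
                           tolerance_hours: int = 24) -> bool:
    """Heuristic (my assumption, not a documented rule): if the DOS reading of
    the resource directory stamp is a valid date within a day of the file
    header's epoch date, it was most likely written as a DOS timestamp."""
    dos = decode_msdos(resource_stamp)
    if dos is None:
        return False
    epoch = decode_epoch(file_header_stamp).replace(tzinfo=None)
    return abs((dos - epoch).total_seconds()) <= tolerance_hours * 3600


if __name__ == "__main__":
    # Values quoted in the issue: IMAGE_FILE_HEADER and IMAGE_RESOURCE_DIRECTORY stamps.
    for label, stamp in (("file header", 0x42DB5DAC), ("resource dir", 0x32F26D74)):
        print(label, hex(stamp), describe_timestamp(stamp))
    print("resource stamp is DOS-encoded:", looks_like_msdos_stamp(0x32F26D74, 0x42DB5DAC))
```

Showing both decodings, as the issue suggests, costs nothing; the heuristic only decides which one to highlight.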

Does not parse Debug directory as array of debug entries

PE-bear seems to interpret the debug directory as a single entry, when in reality it's an array whose size is determined by the size in the optional header's debug data directory.
This is part of the spec, as mentioned here: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#debug-directory-image-only
> Image files contain an optional debug directory that indicates what form of debug information is present and where it is. This directory consists of an array of debug directory entries whose location and size are indicated in the image optional header.

image
The blue bytes represent the CodeView entry, which is usually the first one and is parsed; the binary from the example has 2 additional entries, marked red here, which it misses.

This is not critical, just a small oversight, but it would be nice as an enhancement though.
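Added example, not from the project: parsing the debug directory as the array the spec quoted above describes, with the entry count taken from the Size field of the DEBUG data directory and any leftover bytes reported rather than silently dropped. The three-entry blob is constructed for the example (the struct layout follows IMAGE_DEBUG_DIRECTORY; the function names are mine). The same loop also surfaces a REPRO entry (type 16), which is what the ReproChecksum question above is about: with a reproducible build the file-header TimeDateStamp holds a hash rather than a date.

```python
import struct
from typing import Dict, List, Tuple

# IMAGE_DEBUG_DIRECTORY: Characteristics, TimeDateStamp, MajorVersion, MinorVersion,
# Type, SizeOfData, AddressOfRawData, PointerToRawData (28 bytes per entry).
DEBUG_ENTRY_FMT = "<IIHHIIII"
DEBUG_ENTRY_SIZE = struct.calcsize(DEBUG_ENTRY_FMT)  # 28

DEBUG_TYPES = {2: "CODEVIEW", 12: "VC_FEATURE", 13: "POGO", 14: "ILTCG",
               16: "REPRO", 20: "EX_DLLCHARACTERISTICS"}


def parse_debug_directory(blob: bytes, directory_size: int) -> Tuple[List[Dict], int]:
    """Walk the debug directory as an array. `directory_size` is the Size field of
    the DEBUG data directory, so the entry count is directory_size // 28. Returns
    the entries and the number of leftover bytes; a non-zero leftover means the
    declared size is malformed, but the whole entries are still returned."""
    count, leftover = divmod(min(directory_size, len(blob)), DEBUG_ENTRY_SIZE)
    entries = []
    for i in range(count):
        (_chars, stamp, _major, _minor, kind, size, rva, raw) = struct.unpack_from(
            DEBUG_ENTRY_FMT, blob, i * DEBUG_ENTRY_SIZE)
        entries.append({"index": i, "type": kind,
                        "type_name": DEBUG_TYPES.get(kind, f"UNKNOWN({kind})"),
                        "timestamp": stamp, "size": size, "rva": rva, "raw": raw})
    return entries, leftover


def debug_types_present(blob: bytes, directory_size: int) -> List[str]:
    """Names of the entry types, in table order."""
    return [e["type_name"] for e in parse_debug_directory(blob, directory_size)[0]]


def _entry(kind: int, size: int, rva: int, raw: int) -> bytes:
    # Constructed entry: timestamp and versions zeroed, only the fields that matter set.
    return struct.pack(DEBUG_ENTRY_FMT, 0, 0, 0, 0, kind, size, rva, raw)


# Constructed sample: three entries, as an MSVC-linked binary typically carries them.
# A parser that treats the directory as a single struct sees only the first one.
SAMPLE_DEBUG_DIR = (_entry(2, 0x24, 0x2100, 0x900)      # CODEVIEW (RSDS / PDB path)
                    + _entry(12, 0x14, 0x2124, 0x924)   # VC_FEATURE
                    + _entry(13, 0x80, 0x2138, 0x938))  # POGO
SAMPLE_DIRECTORY_SIZE = len(SAMPLE_DEBUG_DIR)           # 84 = 3 * 28


if __name__ == "__main__":
    entries, leftover = parse_debug_directory(SAMPLE_DEBUG_DIR, SAMPLE_DIRECTORY_SIZE)
    for e in entries:
        print(e)
    print("leftover bytes:", leftover)
```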

CMake Error at CMakeLists.txt:65 (add_subdirectory):

I am trying to build this great tool but I got this error; how can I solve it?
CMake Error at CMakeLists.txt:65 (add_subdirectory):
The source directory

/home/kawkab/pe-bear/capstone

does not contain a CMakeLists.txt file.

CMake Error at CMakeLists.txt:68 (add_subdirectory):
add_subdirectory given source "bearparser/parser" which is not an existing
directory.

Error in signatures detection

Example (from unpacking by Athracene):

Both files have been packed with UPX.

comparison

Signature that should match:

UPX_old
48
60 BE 00 ?? ?? ?? 8D BE 00 ?? ?? FF 57 83 CD FF
EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB
75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00

If this is the only signature loaded, both are detected properly. But if there are other signatures, only one is detected.

The reason is, there is another signature that overshadows the matching one.

overshadowed

Once the character that is not a wildcard is matched (here at position 3: 60 BE 00 _A0_), the signature with the wildcard is completely dropped.
This is an invalid behavior, and the signature with the wildcards should be still kept for the comparisons.
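Added example, not PE-bear's or sig_finder's code: a minimal trie matcher that reproduces the overshadowing described above and the corrected behaviour next to it. `UPX_old` is the pattern quoted in this issue; `overshadow_demo` and the sample bytes are constructed so that a literal A0 sits exactly where `UPX_old` has its first wildcard. The greedy walk picks the literal child and abandons the wildcard branch; the corrected walk keeps every live branch until it dies on its own.

```python
from typing import Dict, List

WILD = -1  # stands for a "??" wildcard byte in a pattern


def parse_pattern(text: str) -> List[int]:
    """'60 BE 00 ?? 8D' -> [0x60, 0xBE, 0x00, WILD, 0x8D]."""
    return [WILD if tok == "??" else int(tok, 16) for tok in text.split()]


def build_trie(signatures: Dict[str, str]) -> dict:
    """Byte-keyed trie; the None key on a node lists the signatures ending there."""
    root: dict = {}
    for name, text in signatures.items():
        node = root
        for b in parse_pattern(text):
            node = node.setdefault(b, {})
        node.setdefault(None, []).append(name)
    return root


def scan_greedy(trie: dict, data: bytes, offset: int = 0) -> List[str]:
    """The behaviour the issue describes: at each byte prefer the literal child
    and, once one exists, drop the wildcard branch for good."""
    node, found = trie, []
    for i in range(offset, len(data)):
        child = node.get(data[i])
        if child is None:
            child = node.get(WILD)
        if child is None:
            break
        node = child
        found += node.get(None, [])
    return found


def scan_all(trie: dict, data: bytes, offset: int = 0) -> List[str]:
    """Corrected walk: follow both the literal and the wildcard child at every
    byte, so a '??' signature keeps competing when another signature matches a
    literal at the same position."""
    frontier, found = [trie], []
    for i in range(offset, len(data)):
        nxt = []
        for node in frontier:
            for key in (data[i], WILD):
                child = node.get(key)
                if child is not None:
                    nxt.append(child)
                    found += child.get(None, [])
        if not nxt:
            break
        frontier = nxt
    return found


SIGNATURES = {
    # The UPX_old pattern quoted in the issue (48 bytes).
    "UPX_old": "60 BE 00 ?? ?? ?? 8D BE 00 ?? ?? FF 57 83 CD FF "
               "EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB "
               "75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00",
    # Constructed for this example: same literal prefix, then a literal A0
    # exactly where UPX_old has its first wildcard.
    "overshadow_demo": "60 BE 00 A0 12 34 56 78",
}

# Constructed sample (not a dump of a real stub): UPX_old with its wildcards
# filled in (A0 11 40 at offsets 3..5, D0 11 at 9..10) plus a few trailing bytes.
SAMPLE = bytes.fromhex(
    "60 BE 00 A0 11 40 8D BE 00 D0 11 FF 57 83 CD FF"
    "EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB"
    "75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00"
    "55 8B EC"
)
TRIE = build_trie(SIGNATURES)


def detect(data: bytes, greedy: bool = False) -> List[str]:
    """Signatures matching at offset 0 of `data` with the chosen walk."""
    return scan_greedy(TRIE, data) if greedy else scan_all(TRIE, data)


if __name__ == "__main__":
    print("greedy  :", detect(SAMPLE, greedy=True))   # []
    print("all     :", detect(SAMPLE))                # ['UPX_old']
```

With only `UPX_old` loaded the greedy walk also finds it, which matches the observation in the issue that the result depends on which other signatures are present.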

Windows Compilation Feedback

Encountered some errors while compiling, documenting the solution

Visual studio 2013

QT

qt-opensource-windows-x86-msvc2013-5.8.0

Cmake:

  • qt-opensource-windows-x86-msvc2013-5.8.0
    image

Qt5Core_DIR C:\Qt\Qt5.8.0\5.8\msvc2013\lib\cmake\Qt5Core
Qt5Widgets_DIR C:\Qt\Qt5.8.0\5.8\msvc2013\lib\cmake\Qt5Widgets
Qt5Gui_DIR C:/Qt/Qt5.8.0/5.8/msvc2013/lib/cmake/Qt5Gui

ALL build Debug version
image

Visual studio 2022

qt-opensource-windows-x86-5.12.12
image

Note: msvc2017_64 msvc version information = Cmake Optional
image

There are no errors.
image

Error in Checksum calculation

reported by Matthew (x86matthew):

The issue relates to the checksum field within the NT Optional Header. I have recently been generating some custom binaries and noticed that PE-Bear was reporting the checksum being incorrect (highlighted in red). Microsoft's MapFileAndCheckSum function confirmed that my original checksum was correct, so I did some investigating.

My results showed that PE-Bear was validating the checksum incorrectly when the total file size was not a multiple of 2. I have uploaded a simple set of minimal PE files to reproduce the issue at the following URL:

http://www.x86matthew.com/other/PeBearChecksum.zip

Checksum_0_Byte_Overlay.exe -> Basic PE file with 1024 total bytes, PE-Bear validates checksum correctly (0xAB91)

Checksum_1_Byte_Overlay.exe -> Basic PE file with 1025 total bytes, PE-Bear says checksum is invalid despite being correct (correct checksum: 0xAC0A)

Checksum_2_Byte_Overlay.exe -> Basic PE file with 1026 total bytes, PE-Bear validates checksum correctly (0x240C)

I believe the problem originates within the following function:

https://github.com/hasherezade/bearparser/blob/c059bcb25c6e9137cd1a4f1a97ae53f1a0a250b8/parser/pe/PEFile.cpp#L50

The code appears to be dividing the file size by 2 and discarding the additional byte if it exists. Of course, PE file sizes are usually multiples of 2 already so this will rarely be an issue in the real world.
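Added example (not bearparser's code): the PE checksum as MapFileAndCheckSum computes it, next to a variant that discards the trailing byte of an odd-sized file, which is the behaviour the report above describes. The sample files from x86matthew are not reproduced here; `minimal_pe_stub` builds a constructed stand-in of a chosen size so the odd and even cases can be compared, and the tiny byte strings in the `__main__` block are hand-computed. All function names are mine.

```python
import struct


def _fold(total: int) -> int:
    """One's-complement carry fold into 16 bits."""
    return (total & 0xFFFF) + (total >> 16)


def _sum_words(data: bytes, checksum_offset: int, keep_odd_byte: bool) -> int:
    total = 0
    for off in range(0, len(data) - 1, 2):
        if off == checksum_offset or off == checksum_offset + 2:
            continue  # the 4-byte CheckSum field itself is excluded from the sum
        total = _fold(total + struct.unpack_from("<H", data, off)[0])
    if keep_odd_byte and len(data) & 1:
        # A trailing byte counts as a word with 0x00 in its high half.
        total = _fold(total + data[-1])
    return _fold(total)


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Checksum as MapFileAndCheckSum computes it: one's-complement sum of 16-bit
    little-endian words (CheckSum field skipped, odd tail included) + file length."""
    return (_sum_words(data, checksum_offset, True) + len(data)) & 0xFFFFFFFF


def pe_checksum_dropping_odd_byte(data: bytes, checksum_offset: int) -> int:
    """Same algorithm, but the trailing byte of an odd-sized file is discarded
    (the defect described in the report). Identical to pe_checksum on even sizes."""
    return (_sum_words(data, checksum_offset, False) + len(data)) & 0xFFFFFFFF


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + signature (4)
    + IMAGE_FILE_HEADER (20) + 0x40, the same for PE32 and PE32+."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    return e_lfanew + 4 + 20 + 0x40


def verify_checksum(data: bytes) -> bool:
    """True when the stored CheckSum equals the recomputed one."""
    off = checksum_field_offset(data)
    return struct.unpack_from("<I", data, off)[0] == pe_checksum(data, off)


def patch_checksum(data: bytes) -> bytes:
    """Return a copy with a freshly computed CheckSum written into the header."""
    buf = bytearray(data)
    off = checksum_field_offset(buf)
    struct.pack_into("<I", buf, off, pe_checksum(buf, off))
    return bytes(buf)


def minimal_pe_stub(total_size: int) -> bytes:
    """Constructed stand-in for a tiny PE: MZ/PE markers and e_lfanew = 0x40,
    everything else zero, padded to total_size (which may be odd)."""
    buf = bytearray(total_size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    # Hand-computed: CheckSum field at offset 0 (skipped), then words 0x0201 [, 0x0003].
    print(hex(pe_checksum(bytes([0, 0, 0, 0, 0x01, 0x02]), 0)))                      # 0x207
    print(hex(pe_checksum(bytes([0, 0, 0, 0, 0x01, 0x02, 0x03]), 0)))                # 0x20b
    print(hex(pe_checksum_dropping_odd_byte(bytes([0, 0, 0, 0, 0x01, 0x02, 0x03]), 0)))  # 0x208
    for size in (1024, 1025, 1026):  # the three sizes from the report, constructed stubs
        stub = patch_checksum(minimal_pe_stub(size))
        off = checksum_field_offset(stub)
        stored = struct.unpack_from("<I", stub, off)[0]
        print(size, hex(stored), "buggy check passes:",
              stored == pe_checksum_dropping_odd_byte(stub, off))
```

A 1025-byte stub whose checksum was computed correctly fails the byte-dropping variant, while the 1024- and 1026-byte stubs pass both, which is the pattern the three files in the report show.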

Section data view disregards FileAlignment

When displaying section data, PE-Bear uses IMAGE_SECTION_HEADER.PointerToRawData to find the section data in the file. In reality, when Windows loads the file, if the section file offset is not aligned to IMAGE_OPTIONAL_HEADER.FileAlignment, it will be rounded up to the next aligned address and loaded there. A malicious binary can use this inconsistency to display incorrect section data.

Btw, CFF Explorer falls for this too. IDA Pro displays a warning that it has detected a section that is not aligned and refuses to handle the section header.

Screenshot demonstrating the difference in section contents between section data in PE-Bear and what is actually loaded in memory (x64dbg):
Screenshot 2022-10-22 024856

EXE for reproduction: packed.zip
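Added example serving two of the reports above (NumberOfRvaAndSizes ignored when reading data directories, and section data that disregards FileAlignment); it is not PE-bear's code. It builds a constructed PE32+ header image with a chosen number of data directories and one section, then parses it twice: once honouring NumberOfRvaAndSizes and SizeOfOptionalHeader, once always reading 16 entries, which lands on the section table at 0xD8 exactly as the NumberOfRvaAndSizes issue describes. `check_section_alignment` flags a PointerToRawData that is not a multiple of FileAlignment and reports the next aligned offset, following the rounding described in the FileAlignment issue (assumed here, not verified against the loader). All function names are mine.

```python
import struct
from typing import List, Tuple

OPT64_FMT = "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII"  # IMAGE_OPTIONAL_HEADER64 minus directories (112 bytes)
FILE_HDR_FMT = "<HHIIIHH"                    # IMAGE_FILE_HEADER (20 bytes)
SECTION_FMT = "<8sIIIIIIHHI"                 # IMAGE_SECTION_HEADER (40 bytes)
MAX_DIRS = 16


def build_pe32plus_headers(num_dirs: int, file_alignment: int = 0x200,
                           pointer_to_raw_data: int = 0x200) -> bytes:
    """Constructed PE32+ header image: DOS header with e_lfanew = 0x40, one
    section, `num_dirs` data directories and SizeOfOptionalHeader sized to match,
    so the section table immediately follows the last directory entry."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    opt_size = struct.calcsize(OPT64_FMT) + 8 * num_dirs
    file_hdr = struct.pack(FILE_HDR_FMT, 0x8664, 1, 0, 0, 0, opt_size, 0x0022)
    opt = struct.pack(OPT64_FMT, 0x20B, 14, 0, 0x200, 0, 0, 0x1000, 0x1000,
                      0x140000000, 0x1000, file_alignment, 6, 0, 0, 0, 6, 0, 0,
                      0x2000, 0x200, 0, 3, 0x8160, 0x100000, 0x1000, 0x100000,
                      0x1000, 0, num_dirs)
    dirs = b"".join(struct.pack("<II", 0x1000 + 0x100 * i, 0x40) for i in range(num_dirs))
    section = struct.pack(SECTION_FMT, b".text", 0x1000, 0x1000, 0x200,
                          pointer_to_raw_data, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + file_hdr + opt + dirs + section


def _nt_offsets(data: bytes) -> Tuple[int, int, int, bool]:
    """(optional header offset, SizeOfOptionalHeader, NumberOfSections, is PE32+)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(FILE_HDR_FMT, data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    return opt_off, opt_size, nsections, magic == 0x20B


def data_directory_offset(data: bytes) -> int:
    """Offset of the first IMAGE_DATA_DIRECTORY; NumberOfRvaAndSizes is the dword before it."""
    opt_off, _, _, is64 = _nt_offsets(data)
    return opt_off + (112 if is64 else 96)


def section_table_offset(data: bytes) -> int:
    opt_off, opt_size, _, _ = _nt_offsets(data)
    return opt_off + opt_size


def read_data_directories(data: bytes) -> List[Tuple[int, int]]:
    """Honour NumberOfRvaAndSizes, capped at 16 and at what SizeOfOptionalHeader
    covers; bytes beyond that belong to the section table, not to directories."""
    opt_off, opt_size, _, _ = _nt_offsets(data)
    dirs_off = data_directory_offset(data)
    declared = struct.unpack_from("<I", data, dirs_off - 4)[0]
    count = min(declared, MAX_DIRS, max(0, (opt_off + opt_size - dirs_off) // 8))
    return [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(count)]


def read_data_directories_naive(data: bytes) -> List[Tuple[int, int]]:
    """Always read 16 entries (stopping only at the end of the buffer): the
    behaviour the issue reports, which runs straight into the section headers."""
    dirs_off = data_directory_offset(data)
    count = min(MAX_DIRS, (len(data) - dirs_off) // 8)
    return [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(count)]


def check_section_alignment(data: bytes) -> List[dict]:
    """Flag sections whose PointerToRawData is not a multiple of FileAlignment and
    report the next aligned offset (the rounding described in the issue above)."""
    opt_off, _, nsections, _ = _nt_offsets(data)
    file_alignment = struct.unpack_from("<I", data, opt_off + 36)[0] or 1
    base = section_table_offset(data)
    report = []
    for i in range(nsections):
        name, _, _, _, raw_ptr, *_ = struct.unpack_from(SECTION_FMT, data, base + 40 * i)
        aligned = ((raw_ptr + file_alignment - 1) // file_alignment) * file_alignment
        report.append({"name": name.rstrip(b"\0").decode(), "raw": raw_ptr,
                       "aligned": aligned, "misaligned": raw_ptr != aligned})
    return report


if __name__ == "__main__":
    hdr = build_pe32plus_headers(2)
    print("directories:", read_data_directories(hdr))
    print("naive entry 2 at", hex(data_directory_offset(hdr) + 16), "=",
          [hex(v) for v in read_data_directories_naive(hdr)[2]])   # the ".text" name bytes
    print(check_section_alignment(build_pe32plus_headers(2, pointer_to_raw_data=0x210)))
```

With two directories the table ends at 0xD8, so the naive read's third entry (the Resource Directory slot) is the first eight bytes of the `.text` section name, which is why the issue's screenshot shows the resource directory "located at 0xD8".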

Update readme with build steps

Hey
Many thanks for opensourcing your great stuff!
Would like to ask about putting some minimalistic steps for the community regarding how to build the tool on different OSes like

  • Windows
  • Linux
  • Mac

and what the prerequisites are (if any), etc.

Thank you in advance

Interface multilingual support function.

Hello!
At present, the software only supports English interface. Can you use the language pack to customize the interface language of the program? If this is considered, I can provide help in simplified Chinese translation.

Can you show this error to the user in another way?

I'm trying to edit any value, I know it's wrong, but I'm having trouble editing the value because of this error. If you show this error to the user in a different way, showing a messagebox in this way restricts the action the user is trying to do.

image
