.exe is a common filename extension denoting an executable file (the entry point of a computer program) for Microsoft Windows. The Portable Executable (PE) format is the file format used for executables (.exe), object code, DLLs and other binaries in the 32-bit and 64-bit versions of the Windows operating systems.
How is exe created?
Compilers take C/C++/C#/Python source code and produce a binary in the PE format, which is not designed to be human-readable.
Why infect it?
A computer virus is software, usually hidden within another seemingly innocuous program, that can produce copies of itself and insert them into other programs or files, and that usually performs a harmful action (such as destroying data). An example of this is PE infection, a technique, usually used to spread malware, that inserts extra data or executable code into existing PE files.
The PE Format Specification
The Portable Executable (PE) format is a specification that describes the structure of executable (exe) files and object files under the Windows family of operating systems. These files are referred to as Portable Executable (PE) and Common Object File Format (COFF) files, respectively.
Source : http://dandylife.net/blog/archives/date/2015/02/page/2
How to reverse engineer exe?
Some recent PE reverse engineering tools of note:
- PE-bear is a freeware reversing tool for PE files. Its objective is to deliver a fast and flexible "first view" tool for malware analysts that is stable and capable of handling malformed PE files. PE-bear's parser is open source: https://github.com/hasherezade/bearparser (works on Windows and Linux). It comes with a command-line tool (bearcommander). On Windows it requires the Microsoft Visual C++ 2010 Redistributable Package.
- BlackBerry's PE Tree: https://github.com/blackberry/pe_tree (requires Python to run).
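As an added illustration of the PE layout described above and of the kind of "first view" checks these tools perform, here is a small stand-alone parser written for this page (it is not code from PE-bear, PE Tree or the PE specification). It walks the DOS header, PE signature, COFF header, optional header and section table using only the standard library, then applies two heuristics analysts use to spot appended or injected code: an entry point outside every section or inside the last section, and a section that is both writable and executable. The `build_sample` helper constructs minimal headers-only PE32 images for the demonstration; they are not real programs.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section characteristic flags from the PE/COFF spec
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # file offset of 'PE\0\0'
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing MZ or PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                           # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]            # 0x10B = PE32, 0x20B = PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint (RVA)
    sections, off = [], opt + opt_size
    for _ in range(nsec):
        name, vsize, va, rawsz, _, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "size": max(vsize, rawsz), "flags": flags})
        off += 40                                             # each section header is 40 bytes
    return {"machine": machine, "magic": magic, "entry": entry, "sections": sections}

def find_anomalies(pe):
    """Heuristics a 'first view' tool applies to flag appended or injected code."""
    issues, ep, secs = [], pe["entry"], pe["sections"]
    holder = next((s for s in secs if s["va"] <= ep < s["va"] + s["size"]), None)
    if holder is None:
        issues.append("entry point 0x%x lies outside every section" % ep)
    elif len(secs) > 1 and holder is secs[-1]:
        issues.append("entry point is in the last section %s" % holder["name"])
    for s in secs:
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            issues.append("section %s is both writable and executable" % s["name"])
    return issues

def build_sample(entry, sections):
    """Construct a minimal, headers-only PE32 image for the demo (not a real program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry) + b"\0" * 204
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, sz, va, sz, 0, 0, 0, 0, 0, f)
                     for n, va, sz, f in sections)
    return dos + b"PE\0\0" + coff + opt + table

# Constructed sample images: a normal layout and one that looks like appended code.
TEXT, DATA = (b".text", 0x1000, 0x1000, 0x60000020), (b".data", 0x2000, 0x1000, 0xC0000040)
CLEAN = build_sample(0x1000, [TEXT, DATA])
SUSPECT = build_sample(0x3000, [TEXT, DATA, (b".xyz", 0x3000, 0x200, 0xE0000020)])
```

Running `find_anomalies(parse_pe(SUSPECT))` reports both the entry point in the trailing section and its write+execute flags, while the clean image yields no findings; on a real file, pass `open(path, "rb").read()` to `parse_pe`.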
.NET-Focused Reverse Engineering Tools (Update 2025)
| Tool | Description |
|---|---|
| ILSpy | Open-source .NET assembly browser and decompiler for C# and VB.NET |
| dnSpy | .NET debugger and assembly editor; supports editing and saving changes |
| dnSpyEx | Actively maintained fork of dnSpy with modern UI and plugin support |
| dotPeek | Free .NET decompiler by JetBrains (not open-source, but widely used) |
General EXE Reverse Engineering Tools for Windows
| Tool | Description |
|---|---|
| x64dbg | Powerful Windows debugger for 32-bit and 64-bit binaries |
| Ghidra | NSA-developed suite with decompiler and scripting support |
| Cutter | GUI frontend for Rizin (Radare2 fork); integrates Ghidra decompiler |
| Radare2 | Command-line reverse engineering framework with binary analysis tools |
| PE-bear | Lightweight PE file analyzer with hex editor and structure viewer |
| HIEW | Hex editor and disassembler for PE files (free version available) |
Specialized Tools
| Tool | Focus Area |
|---|---|
| Detect It Easy (DIE) | PE file analyzer with signature-based detection of packers and compilers |
| ReVEnge Studio | Malware analysis and reverse engineering suite (Windows-only) |
| RetDec | Open-source decompiler for machine code to C-like pseudocode |