BlackBerry’s PE Tree Tool for Malware Reverse Engineers

0

PE Tree Tool is a new open-source tool developed by the BlackBerry Research and Intelligence team for viewing Portable Executable (PE) files in a tree-view using PEfile and PyQt5. Basically it’s aimed at the reverse engineering community, PE Tree also integrates with HexRays’ IDA Pro decompiler to allow for easy navigation of PE structures, as well as dumping in-memory PE files and performing import reconstruction. PE Tree is developed in Python and supports the Windows, Linux and Mac operating systems. It can be installed and run as either a standalone applications.


Features:

• Standalone application, IDAPython plugin and Rekall plugin.
• Supports Windows/Linux/Mac.
• Rainbow PE ratio map:
◘ High-level overview of PE structures, size and file location.
◘ Allows for fast visual comparison of PE sample.

• Displays the following PE headers in a tree view:
◘ MZ header
◘ DOS stub
◘ Rich headers
◘ NT/File/Optional headers
◘ Data directories
◘ Sections
◘ Imports
◘ Exports
◘ Debug information
◘ Load config
◘ TLS
◘ Resources
◘ Version information
◘ Certificates
◘ Overlay

• Extract and save data from:
◘ DOS stub
◘ Sections
◘ Resources
◘ Certificates
◘ Overlay

• Send data to CyberChef
• VirusTotal search of:
◘ File hashes
◘ PDB path
◘ Timestamps
◘ Section hash/name
◘ Import hash/name
◘ Export name
◘ Resource hash
◘ Certificate serial

• Standalone applications:
◘ Double-click VA/RVA to disassemble with capstone
◘ Hex-dump data

• IDAPython plugin:
◘ Easy navigation of PE file structures
◘ Double-click VA/RVA to view in IDA-view/hex-view
◘ Search IDB for in-memory PE files;
◘ Reconstruct imports (IAT + IDT)
◘ Dump reconstructed PE files
◘ Automatically comment PE file structures in IDB
◘ Automatically label IAT offsets in IDB

• Rekall plugin:
◘ Operates against memory dump or live system
◘ View, dump and rebuild PE files from;
◘ Active processes and modules
◘ Loaded kernel-mode drivers

1. Standalone Application:

Standalone Application

Requirements:

Python 3+

Installation:

Install directly from GitHub using a fresh virtual environment and pip:

For Windows:

virtualenv env
env\Scripts\activate
pip install –upgrade pip
pip install git+https://github.com/blackberry/pe_tree.git

For Mac/Linux:

$ python3 -m venv env
$ source ./env/bin/activate
$ pip install –upgrade pip
$ pip install git+https://github.com/blackberry/pe_tree.git

For developers: Git clone the repository and setup for development.

For Windows:

git clone https://github.com/blackberry/pe_tree.git
cd pe_tree
virtualenv env
env\Scripts\activate
pip install -e .

For Mac/Linux:

$ git clone https://github.com/blackberry/pe_tree.git
$ cd pe_tree
$ python3 -m venv env
$ source ./env/bin/activate
$ pip install -e .

Usage:

Run PE Tree and use the GUI to select a file to view: $ pe-tree
Run PE Tree and view the specified file/folder: $ pe-tree <path>
Dark-mode can be enabled by installing QDarkStyle: $ pip install qdarkstyle

2. IDAPython Plugin:

IDAPython plugin

Requirements:

  • • IDA Pro 7.0+ with Python 2.7
  • • IDA Pro 7.4+ with Python 2.7 or 3.x

Installation:

To install and run as an IDAPython plugin you can either use setup-tools or install manually. Download pe_tree and install requirements for the global Python interpreter used by IDA: Here I had installed manually.

$ git clone https://github.com/blackberry/pe_tree.git
$ cd pe_tree
$ pip install -r requirements.txt

Copy pe_tree_ida.py and the contents of ./pe_tree/ to your IDA plugins folder.

IDA plugins folders:

OSPlugins folder
Windows%ProgramFiles%\IDA Pro 7.X\plugins
Linux/opt/ida-7.X/plugins
Mac~/.idapro/plugins

Usage:

• Run IDA and disassemble a PE file (select Manual Load and Load Resources for best results!).
• Click Edit -> Plugins -> PE Tree.

3. Rekall:

Rekall

Requirements:

Python 3+

Installation:

• Install Rekall from GitHub.
• Install PE Tree standalone application (see Installation) under the same virtual environment.

Usage:

Run Rekall and dump active processes, DLLs and drivers on a live system:

$ rekall –live Memory
[1] Live (Memory) 00:00:00> run -i pe_tree_rekall.py

Alternatively, run Rekall/PE Tree against an existing memory dump:

$rekall -f memory.vmem
[1] memory.vmem 00:00:00> run -i pe_tree_rekall.py

Credits: Tom Bonner


Previous articleCache Poisoning – Detection and Response
Next articleTrickbot IOC list -2021
A passionate security researcher in Malware and Penetration Testing.

LEAVE A REPLY

Please enter your comment!
Please enter your name here