BlackBerry’s PE Tree Tool for Malware Reverse Engineers


PE Tree Tool is a new open-source tool developed by the BlackBerry Research and Intelligence team for viewing Portable Executable (PE) files in a tree-view using PEfile and PyQt5. Basically it’s aimed at the reverse engineering community, PE Tree also integrates with HexRays’ IDA Pro decompiler to allow for easy navigation of PE structures, as well as dumping in-memory PE files and performing import reconstruction. PE Tree is developed in Python and supports the Windows, Linux and Mac operating systems. It can be installed and run as either a standalone applications.


• Standalone application, IDAPython plugin and Rekall plugin.
• Supports Windows/Linux/Mac.
• Rainbow PE ratio map:
◘ High-level overview of PE structures, size and file location.
◘ Allows for fast visual comparison of PE sample.

• Displays the following PE headers in a tree view:
◘ MZ header
◘ DOS stub
◘ Rich headers
◘ NT/File/Optional headers
◘ Data directories
◘ Sections
◘ Imports
◘ Exports
◘ Debug information
◘ Load config
◘ Resources
◘ Version information
◘ Certificates
◘ Overlay

• Extract and save data from:
◘ DOS stub
◘ Sections
◘ Resources
◘ Certificates
◘ Overlay

• Send data to CyberChef
• VirusTotal search of:
◘ File hashes
◘ PDB path
◘ Timestamps
◘ Section hash/name
◘ Import hash/name
◘ Export name
◘ Resource hash
◘ Certificate serial

• Standalone applications:
◘ Double-click VA/RVA to disassemble with capstone
◘ Hex-dump data

• IDAPython plugin:
◘ Easy navigation of PE file structures
◘ Double-click VA/RVA to view in IDA-view/hex-view
◘ Search IDB for in-memory PE files;
◘ Reconstruct imports (IAT + IDT)
◘ Dump reconstructed PE files
◘ Automatically comment PE file structures in IDB
◘ Automatically label IAT offsets in IDB

• Rekall plugin:
◘ Operates against memory dump or live system
◘ View, dump and rebuild PE files from;
◘ Active processes and modules
◘ Loaded kernel-mode drivers

1. Standalone Application:

Standalone Application


Python 3+


Install directly from GitHub using a fresh virtual environment and pip:

For Windows:

virtualenv env
pip install –upgrade pip
pip install git+

For Mac/Linux:

$ python3 -m venv env
$ source ./env/bin/activate
$ pip install –upgrade pip
$ pip install git+

For developers: Git clone the repository and setup for development.

For Windows:

git clone
cd pe_tree
virtualenv env
pip install -e .

For Mac/Linux:

$ git clone
$ cd pe_tree
$ python3 -m venv env
$ source ./env/bin/activate
$ pip install -e .


Run PE Tree and use the GUI to select a file to view: $ pe-tree
Run PE Tree and view the specified file/folder: $ pe-tree <path>
Dark-mode can be enabled by installing QDarkStyle: $ pip install qdarkstyle

2. IDAPython Plugin:

IDAPython plugin


  • • IDA Pro 7.0+ with Python 2.7
  • • IDA Pro 7.4+ with Python 2.7 or 3.x


To install and run as an IDAPython plugin you can either use setup-tools or install manually. Download pe_tree and install requirements for the global Python interpreter used by IDA: Here I had installed manually.

$ git clone
$ cd pe_tree
$ pip install -r requirements.txt

Copy and the contents of ./pe_tree/ to your IDA plugins folder.

IDA plugins folders:

OSPlugins folder
Windows%ProgramFiles%\IDA Pro 7.X\plugins


• Run IDA and disassemble a PE file (select Manual Load and Load Resources for best results!).
• Click Edit -> Plugins -> PE Tree.

3. Rekall:



Python 3+


• Install Rekall from GitHub.
• Install PE Tree standalone application (see Installation) under the same virtual environment.


Run Rekall and dump active processes, DLLs and drivers on a live system:

$ rekall –live Memory
[1] Live (Memory) 00:00:00> run -i

Alternatively, run Rekall/PE Tree against an existing memory dump:

$rekall -f memory.vmem
[1] memory.vmem 00:00:00> run -i

Credits: Tom Bonner

Previous articleCache Poisoning – Detection and Response
Next articleTrickbot IOC list -2021
A passionate security researcher in Malware and Penetration Testing.


Please enter your comment!
Please enter your name here