Professional PE Explorer – PPEE

The Portable Executable file format is still evolving, especially for PE64 images. On the other side, malware authors are constantly changing their techniques and writing malicious code to evade AVs and other security tools. It’s an ongoing challenge…

To deal with it, I’ve added some new features and changed some of the existing ones to keep PPEE compatible and make it easier to use.

Professional PE Explorer
Some of the most important changes are as follows:
• A toolbar and a status bar have been added. The toolbar includes some of the frequently used menu items. The status bar does nothing at the moment; it will be used in the next versions.

• Check update has been added to check whether a new version of PPEE has been released. The check could also be done at startup, but I think it would be a little annoying to show a dialog every time the program runs. Maybe in the next versions an option to enable/disable the update dialog at startup will be added.

• Looking for a string, for example a URL, in a file is a tedious task. I’ve added four child nodes to the tree to separate ASCII, UNICODE, URL and Registry strings. If you need something else, please let me know.

• As mentioned before, anomaly detection has been added. There are two colors for it: orange for Warning and red for Error. Most of the anomalies and thresholds are taken from the documents and specifications. Anomaly rules, for example strange section names, are embedded in PPEE. This is not suitable for long rules; maybe the next versions will add a blacklist file beside the main executable to store strange or blacklisted items.

• A right-click context menu has been added with Copy, Search, Whois and Dump. Copy Item copies the selected field and Copy Row copies the entire selected rows. In the Search menu you can search for the selected field on Google and MSDN. Whois is only shown for strings; it’s really useful for URLs. If you know any other site that could be added to this list, please let me know. Dump is only shown for “Section Headers”, resources, the COM (.Net) directory and MetaData; clicking on Dump opens a Save As dialog. At the moment “Follow in Hex editor” is not functioning.

• The load config structure has changed again. As defined in winnt.h (fields that are new since the previous version are marked “Added”), it looks like this:

typedef struct _IMAGE_LOAD_CONFIG_CODE_INTEGRITY {
    WORD  Flags;
    WORD  Catalog;
    DWORD CatalogOffset;
    DWORD Reserved;
} IMAGE_LOAD_CONFIG_CODE_INTEGRITY;   // 12 bytes, sits between GuardFlags and the added fields

typedef struct _IMAGE_LOAD_CONFIG_DIRECTORY32 {
    DWORD Size;                           // number of bytes of this structure that are present
    DWORD TimeDateStamp;
    WORD  MajorVersion;
    WORD  MinorVersion;
    DWORD GlobalFlagsClear;
    DWORD GlobalFlagsSet;
    DWORD CriticalSectionDefaultTimeout;
    DWORD DeCommitFreeBlockThreshold;
    DWORD DeCommitTotalFreeThreshold;
    DWORD LockPrefixTable;                // VA
    DWORD MaximumAllocationSize;
    DWORD VirtualMemoryThreshold;
    DWORD ProcessHeapFlags;
    DWORD ProcessAffinityMask;
    WORD  CSDVersion;
    WORD  Reserved1;
    DWORD EditList;                       // VA
    DWORD SecurityCookie;                 // VA
    DWORD SEHandlerTable;                 // VA
    DWORD SEHandlerCount;
    DWORD GuardCFCheckFunctionPointer;    // VA
    DWORD GuardCFDispatchFunctionPointer; // VA
    DWORD GuardCFFunctionTable;           // VA
    DWORD GuardCFFunctionCount;
    DWORD GuardFlags;
    IMAGE_LOAD_CONFIG_CODE_INTEGRITY CodeIntegrity;

    // Added
    DWORD GuardAddressTakenIatEntryTable; // VA
    DWORD GuardAddressTakenIatEntryCount;
    DWORD GuardLongJumpTargetTable;       // VA
    DWORD GuardLongJumpTargetCount;

    DWORD DynamicValueRelocTable;         // VA
} IMAGE_LOAD_CONFIG_DIRECTORY32;

typedef struct _IMAGE_LOAD_CONFIG_DIRECTORY64 {
    DWORD     Size;                           // number of bytes of this structure that are present
    DWORD     TimeDateStamp;
    WORD      MajorVersion;
    WORD      MinorVersion;
    DWORD     GlobalFlagsClear;
    DWORD     GlobalFlagsSet;
    DWORD     CriticalSectionDefaultTimeout;
    ULONGLONG DeCommitFreeBlockThreshold;
    ULONGLONG DeCommitTotalFreeThreshold;
    ULONGLONG LockPrefixTable;                // VA
    ULONGLONG MaximumAllocationSize;
    ULONGLONG VirtualMemoryThreshold;
    ULONGLONG ProcessAffinityMask;
    DWORD     ProcessHeapFlags;
    WORD      CSDVersion;
    WORD      Reserved1;
    ULONGLONG EditList;                       // VA
    ULONGLONG SecurityCookie;                 // VA
    ULONGLONG SEHandlerTable;                 // VA
    ULONGLONG SEHandlerCount;
    ULONGLONG GuardCFCheckFunctionPointer;    // VA
    ULONGLONG GuardCFDispatchFunctionPointer; // VA
    ULONGLONG GuardCFFunctionTable;           // VA
    ULONGLONG GuardCFFunctionCount;
    DWORD     GuardFlags;
    IMAGE_LOAD_CONFIG_CODE_INTEGRITY CodeIntegrity;

    // Added
    ULONGLONG GuardAddressTakenIatEntryTable; // VA
    ULONGLONG GuardAddressTakenIatEntryCount;
    ULONGLONG GuardLongJumpTargetTable;       // VA
    ULONGLONG GuardLongJumpTargetCount;

    ULONGLONG DynamicValueRelocTable;         // VA
} IMAGE_LOAD_CONFIG_DIRECTORY64;

Professional PE Explorer supports the latest load config structure. Note that the first field, Size, tells you how much of the structure is actually present: images built with older toolchains carry the shorter layouts, so a parser (like the loader itself) must only read fields that fall within Size instead of assuming the Guard* and later fields exist.

• Editing every structure that is shown was one of the features I wanted PPEE to support. Now just double-click on the field you want to edit, write the new value and press Enter or click somewhere else. When you press Enter the next row is selected; press Enter again to edit that field. If the value didn’t change, it means the field is not editable. Press Esc to cancel editing.
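The four string buckets described above (ASCII, UNICODE, URL, Registry) can be approximated in a few lines. The following is an added Python example of my own, not PPEE’s implementation: it scans a byte buffer for printable ASCII and UTF-16LE runs and then classifies each one with URL and registry-path patterns. The minimum length, the patterns, and the sample buffer are my assumptions; the buffer is constructed inline and is not a real PE.

```python
import re

MIN_LEN = 5   # assumed threshold: shorter runs are mostly noise

# Printable ASCII runs, and the same characters as UTF-16LE code units (char, NUL).
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UNICODE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# Assumed classifiers applied to each decoded string.
URL_RE = re.compile(r"(?:https?|ftp)://[^\s\"'<>]+", re.IGNORECASE)
REGISTRY_RE = re.compile(
    r"(?:HKEY_[A-Z_]+\\|HK(?:LM|CU|CR|U|CC)\\|SOFTWARE\\|SYSTEM\\CurrentControlSet\\)[^\s\"'<>]*",
    re.IGNORECASE)


def extract_strings(data):
    """Return (kind, offset, text) for every ASCII and UTF-16LE run, in file order."""
    found = [("ASCII", m.start(), m.group().decode("ascii"))
             for m in ASCII_RE.finditer(data)]
    found += [("UNICODE", m.start(), m.group().decode("utf-16-le"))
              for m in UNICODE_RE.finditer(data)]
    found.sort(key=lambda item: item[1])
    return found


def classify_strings(data):
    """Bucket strings like the four tree nodes; URL and Registry are derived views."""
    buckets = {"ASCII": [], "UNICODE": [], "URL": [], "Registry": []}
    for kind, _offset, text in extract_strings(data):
        buckets[kind].append(text)
        buckets["URL"].extend(URL_RE.findall(text))
        buckets["Registry"].extend(REGISTRY_RE.findall(text))
    return buckets


# Constructed buffer (not a real PE): ASCII and UTF-16LE strings with NUL padding
# between them, roughly as they would sit in .rdata/.data.
SAMPLE = (
    b"MZ\x90\x00\x03\x00"
    + b"This program cannot be run in DOS mode.\r\n$\x00\x00\x00"
    + "http://example.com/update.php".encode("utf-16-le") + b"\x00\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"ab\x00\x00"                                     # too short to report
    + "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services".encode("utf-16-le") + b"\x00\x00"
    + b"ftp://203.0.113.7/drop.exe\x00"
)

if __name__ == "__main__":
    for node, items in classify_strings(SAMPLE).items():
        print(node, items)
```

The UTF-16LE pattern deliberately matches at any byte offset, which is why the sample pads with two NULs between strings: a printable byte followed by a NUL right before a real UTF-16 string would otherwise be swallowed into it, the usual source of garbage leading characters in naive string dumps.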

For the plugin I decided to add the VirusTotal query result and some descriptive information about the file, which should be useful for novices. If you know any other online scanning engine that is up to date and reliable, please let me know.
Finally, any idea is welcome 😉


PE64 and PPEE puppy 1.05

The PE64 file structure is changing in many ways. I’ve made some changes to the GUI and improved the parsing and understanding of PE files, both PE64 images and .Net assemblies.

I’ll release the new version of Professional PE Explorer (PPEE) puppy (1.05) in the next few days.

What’s new in version 1.05:

  • Listview rows are neater than before.


  • Some entries with a zero value are grayed out, for example in Data Directories:

[Screenshot: pe64 - GrayedOut]

Anomaly detection is one of the features I’d like to add to PPEE (puppy). I’ll use color highlighting as the anomaly indicator.

  • Each treeview node has an icon. I hope icons are self-explanatory.

In addition to those mentioned above, there are some other minor changes in the GUI.

In PE parsing, there are some improvements:

  • PEs with the IMAGE_DLLCHARACTERISTICS_GUARD_CF flag set store their CFG tables (the guard function table and the check/dispatch function pointers) in the DIRECTORY_ENTRY_LOAD_CONFIG directory. Now puppy can show them: just scroll the second listview to the row labelled “Guarded Function:”.

[Screenshot: pe64 - Loadconfig]

  • VtableFixup in .Net assemblies is now supported.


  • Also, puppy can now properly handle confused .Net assemblies that have one mischievous DWORD!

These are the main items that have been added or updated since the previous version. The companion plugin, built-in hex editor and save function remain untouched.
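The load config listing in the first post above and the CFG bullet in this post describe the same directory, so one added example serves both. This is my own Python, not PPEE’s code: it parses a 32- or 64-bit IMAGE_LOAD_CONFIG_DIRECTORY while honoring the Size field (older images carry shorter layouts), then walks a GuardCFFunctionTable using the per-entry stride encoded in the top nibble of GuardFlags. Field names and flag constants follow winnt.h; the directory bytes and table bytes are constructed inline, and the packing helper exists only to build that test data.

```python
import struct

# Field order follows IMAGE_LOAD_CONFIG_DIRECTORY32/64 in winnt.h. "p" is pointer-sized:
# 4 bytes in the 32-bit structure, 8 in the 64-bit one. Neither layout needs padding,
# so the fields unpack back to back with a little-endian "<" format.
def load_config_layout(is64):
    p = "Q" if is64 else "I"
    head = [("Size", "I"), ("TimeDateStamp", "I"), ("MajorVersion", "H"), ("MinorVersion", "H"),
            ("GlobalFlagsClear", "I"), ("GlobalFlagsSet", "I"), ("CriticalSectionDefaultTimeout", "I"),
            ("DeCommitFreeBlockThreshold", p), ("DeCommitTotalFreeThreshold", p),
            ("LockPrefixTable", p), ("MaximumAllocationSize", p), ("VirtualMemoryThreshold", p)]
    # winnt.h swaps these two between the 32-bit and 64-bit layouts.
    mid = ([("ProcessAffinityMask", p), ("ProcessHeapFlags", "I")] if is64
           else [("ProcessHeapFlags", "I"), ("ProcessAffinityMask", p)])
    tail = [("CSDVersion", "H"), ("Reserved1", "H"), ("EditList", p), ("SecurityCookie", p),
            ("SEHandlerTable", p), ("SEHandlerCount", p),
            ("GuardCFCheckFunctionPointer", p), ("GuardCFDispatchFunctionPointer", p),
            ("GuardCFFunctionTable", p), ("GuardCFFunctionCount", p), ("GuardFlags", "I"),
            ("CodeIntegrity.Flags", "H"), ("CodeIntegrity.Catalog", "H"),
            ("CodeIntegrity.CatalogOffset", "I"), ("CodeIntegrity.Reserved", "I"),
            ("GuardAddressTakenIatEntryTable", p), ("GuardAddressTakenIatEntryCount", p),
            ("GuardLongJumpTargetTable", p), ("GuardLongJumpTargetCount", p),
            ("DynamicValueRelocTable", p)]
    return head + mid + tail


def parse_load_config(blob, is64):
    """Return only the fields that lie within the structure's own Size.

    Reading Guard* fields past Size would return whatever bytes follow the directory,
    so stop at Size, and never trust Size beyond the bytes actually available.
    """
    if len(blob) < 4:
        raise ValueError("load config directory shorter than its Size field")
    size = struct.unpack_from("<I", blob, 0)[0]
    limit = min(size, len(blob))
    fields, off = {}, 0
    for name, fmt in load_config_layout(is64):
        width = struct.calcsize("<" + fmt)
        if off + width > limit:
            break                       # remaining fields are absent in this image
        fields[name] = struct.unpack_from("<" + fmt, blob, off)[0]
        off += width
    return fields


# GuardFlags bits (winnt.h). The top nibble is the number of extra bytes that follow
# the 4-byte RVA in each GuardCFFunctionTable entry.
IMAGE_GUARD_CF_INSTRUMENTED = 0x00000100
IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT = 0x00000400
IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK = 0xF0000000
IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT = 28
IMAGE_GUARD_FLAG_FID_SUPPRESSED = 0x01      # per-entry flag byte values
IMAGE_GUARD_FLAG_EXPORT_SUPPRESSED = 0x02


def guard_cf_entry_stride(guard_flags):
    return 4 + ((guard_flags & IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK)
                >> IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT)


def walk_guard_cf_function_table(table_bytes, count, guard_flags):
    """Decode the CFG function table: each entry is an RVA plus optional flag byte(s)."""
    stride = guard_cf_entry_stride(guard_flags)
    if len(table_bytes) < count * stride:
        raise ValueError("GuardCFFunctionTable truncated")
    entries = []
    for i in range(count):
        off = i * stride
        rva = struct.unpack_from("<I", table_bytes, off)[0]
        flags = table_bytes[off + 4] if stride > 4 else 0
        entries.append({"rva": rva,
                        "fid_suppressed": bool(flags & IMAGE_GUARD_FLAG_FID_SUPPRESSED),
                        "export_suppressed": bool(flags & IMAGE_GUARD_FLAG_EXPORT_SUPPRESSED)})
    return entries


def build_load_config(values, is64, size):
    """Constructed test data (not from a real file): pack a directory of `size` bytes."""
    out = b"".join(struct.pack("<" + fmt, size if name == "Size" else values.get(name, 0))
                   for name, fmt in load_config_layout(is64))
    return out[:size]


# A 32-bit directory with Size = 0x5C: the CFG-era layout that ends at GuardFlags,
# so the "Added" fields must not be read from it.
SAMPLE_GUARD_FLAGS = (IMAGE_GUARD_CF_INSTRUMENTED | IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT
                      | (1 << IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT))   # one flag byte per entry
SAMPLE_LC32 = build_load_config({"SecurityCookie": 0x0040A004,
                                 "GuardCFCheckFunctionPointer": 0x0040A010,
                                 "GuardCFFunctionTable": 0x0040B000,
                                 "GuardCFFunctionCount": 3,
                                 "GuardFlags": SAMPLE_GUARD_FLAGS}, False, 0x5C)
# Constructed table bytes, as they would sit at RVA GuardCFFunctionTable - ImageBase.
SAMPLE_CF_TABLE = (struct.pack("<IB", 0x1000, 0) + struct.pack("<IB", 0x1040, 1)
                   + struct.pack("<IB", 0x10A0, 2))

if __name__ == "__main__":
    lc = parse_load_config(SAMPLE_LC32, is64=False)
    print("fields present:", len(lc), "| GuardFlags present:", "GuardFlags" in lc,
          "| GuardLongJumpTargetTable present:", "GuardLongJumpTargetTable" in lc)
    for entry in walk_guard_cf_function_table(SAMPLE_CF_TABLE, lc["GuardCFFunctionCount"], lc["GuardFlags"]):
        print(entry)
```

In a real file, GuardCFFunctionTable is a VA, so subtract ImageBase and map the RVA through the section table before slicing the table bytes; the Size check is what keeps a parser from reporting CFG fields that an older image never had.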

Malware authors and some packer/protector developers are always looking for new techniques to make it harder for security researchers to analyze and dissect PE files. Using obfuscation tools and creating specially crafted files that break the documented rules but are still accepted and launched by the loader is an ongoing challenge.

I always welcome crafted and malformed files.
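The strange-section-name rule from the first post and the “break the rules but still load” point above are what a small anomaly pass looks at. The following is an added Python example, not PPEE’s embedded rule set: it unpacks IMAGE_SECTION_HEADER entries from a buffer and reports findings with the two severities the tool uses, Warning and Error. The known-name and packer-name lists, the alignment defaults, and the constructed section table are my assumptions; in a real file the table offset comes from e_lfanew + 4 + sizeof(IMAGE_FILE_HEADER) + SizeOfOptionalHeader rather than a hard-coded constant.

```python
import struct

# IMAGE_SECTION_HEADER (winnt.h): Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics -> 40 bytes.
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumed lists (mine, not PPEE's rules): names normal toolchains emit, and packer names.
KNOWN_SECTION_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata", ".rsrc",
                       ".reloc", ".bss", ".tls", ".CRT", ".xdata", ".gfids", "INIT", "PAGE"}
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite", ".vmp0",
                        ".vmp1", ".themida", ".nsp0", ".nsp1"}


def parse_section_headers(data, offset, count):
    """Unpack `count` section headers starting at `offset`."""
    headers = []
    for i in range(count):
        start = offset + i * SECTION_HEADER_SIZE
        chunk = data[start:start + SECTION_HEADER_SIZE]
        if len(chunk) < SECTION_HEADER_SIZE:
            raise ValueError("section table runs past end of file")
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack(SECTION_HEADER_FMT, chunk)
        headers.append({"name": name.rstrip(b"\x00").decode("latin-1"),
                        "virtual_size": vsize, "virtual_address": va,
                        "raw_size": rawsize, "raw_ptr": rawptr, "characteristics": chars})
    return headers


def check_sections(headers, file_size, file_alignment=0x200, section_alignment=0x1000):
    """Return (severity, section name, message) tuples; severity is 'Warning' or 'Error'."""
    findings = []
    prev_end = 0
    for h in headers:
        n = h["name"]
        if n in PACKER_SECTION_NAMES:
            findings.append(("Warning", n, "packer section name"))
        elif n not in KNOWN_SECTION_NAMES:
            findings.append(("Warning", n, "non-standard section name"))
        if h["characteristics"] & IMAGE_SCN_MEM_WRITE and h["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(("Warning", n, "section is writable and executable"))
        if h["virtual_size"] == 0 and h["raw_size"] == 0:
            findings.append(("Warning", n, "empty section"))
        if h["raw_size"] and h["raw_ptr"] + h["raw_size"] > file_size:
            findings.append(("Error", n, "raw data extends past end of file"))
        if h["raw_size"] and h["raw_ptr"] % file_alignment:
            findings.append(("Error", n, "PointerToRawData not file-aligned"))
        if h["virtual_address"] % section_alignment:
            findings.append(("Error", n, "VirtualAddress not section-aligned"))
        if h["virtual_address"] < prev_end:
            findings.append(("Error", n, "overlaps the previous section in memory"))
        prev_end = h["virtual_address"] + max(h["virtual_size"], h["raw_size"])
    return findings


def _hdr(name, vsize, va, rawsize, rawptr, chars):
    return struct.pack(SECTION_HEADER_FMT, name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)


# Constructed section table (not a real PE): a normal .text, a UPX-style section with no
# raw data, and a writable+executable section whose raw data would run past the end of
# a 0x3000-byte file.
SAMPLE_TABLE_OFFSET = 0x1F8
SAMPLE_FILE = (b"\x00" * SAMPLE_TABLE_OFFSET
               + _hdr(b".text", 0x1000, 0x1000, 0x800, 0x400, 0x60000020)
               + _hdr(b"UPX0", 0x8000, 0x2000, 0, 0x400, 0xE0000080)
               + _hdr(b"pAyL0ad", 0x1000, 0xA000, 0x1000, 0x2C00, 0xE0000020)
               ).ljust(0x3000, b"\x00")

if __name__ == "__main__":
    sections = parse_section_headers(SAMPLE_FILE, SAMPLE_TABLE_OFFSET, 3)
    for severity, name, message in check_sections(sections, len(SAMPLE_FILE)):
        print(f"{severity:7} {name:8} {message}")
```

The split between the two severities follows the tool’s own convention: things the loader tolerates but that look suspicious (odd names, W+X) are Warnings, while values the documented format forbids (raw data past EOF, misaligned offsets, overlapping sections) are Errors.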

Puppy is free and tries to be as small, fast, nimble and friendly as your puppy!

Have fun 😉

Does PPEE puppy 1.04 have a Trojan inside?

Two days ago I noticed that a zip file named PPEE puppy had been submitted to VirusTotal and was identified as a Trojan variant by five AVs. The file name was in the form of the files downloaded from the tool library.

Based on the VirusTotal report, it was the main exe (PPEE.exe) that was infected.

So I compared the SHA256 hashes of the zip file submitted to VirusTotal and the zip file I had uploaded to the woodmann library. Amazingly, they had the same hash! It really scared me!

I guessed that my computer had probably been infected by a trojan before I compiled the code. Hence I installed Avira free AV on a fresh system and compiled the code from scratch. But at build time, Avira prevented the creation of PPEE.exe in release mode. I concluded that it was a false positive. After reviewing the code several times, I found the line that caused those AVs to mark PPEE.exe as a trojan:

#pragma comment(linker, "/merge:.rdata=.text")

Yes, merging sections and silly AVs! Such AVs could misdirect people who trust them.

It’s obvious that to keep binary files as small as possible, I’ve packed them using UPX, which is very prevalent among developers, but it seems that some AVs have never heard of it! That’s why TheHacker false-positively marks PPEE.exe as Posible_Worm32.

In the end, I repackaged PPEE (puppy) with a new build of PPEE.exe, which is now downloadable from . Feel free to use it and report bugs 😉