PE64 and PPEE puppy 1.05

PE64 file structure is changing in many ways. I’ve made some changes to the GUI and improved parsing and better understanding of PE files both in PE64 and .Net assemblies.

I’ll release the new version of Professional PE Explorer(PPEE) puppy (1.05) in next few days.

What’s new in version 1.05:

  • Listview rows are neater than before.

NeaterListview

  • Some Entries that have zero value are grayed out. For example in Data Directories:

pe64 - GrayedOut

Anomaly Detection is one of the features that I like to add it to PPEE (puppy). I’ll use color highlighting as an anomaly sign for this purpose.

  • Each treeview node has an icon. I hope icons are self-explanatory.

TreeviewIconIn addition to those mentioned above there are some other minor changes in the GUI.

In PE parsing, there are some improvements:

  • PEs with “IMAGE_DLLCHARACTERISTICS_GUARD_CF” flag set, store CFG table handlers in DIRECTORY_ENTRY_LOAD_CONFIG directory. Now puppy can show them. Just scroll the second listview to the row written “Guarded Function:”

pe64 - Loadconfig

  • VtableFixup in .Net assemblies is now supported.

Vtable

  • Also, puppy can now properly handle confused .Net assemblies that have one mischievous dword!

These are the main issues that are added or updated since the previous version. The companion plugin, built in hex editor and save function remained untouched.

The malware creators and some packer/protector developers are always trying to find new techniques and methods to make it harder for security researchers to analyze and dissect PE files. Using obfuscating tools and creating specially crafted files that break the manual rules but are accepted and launched by loader is an ongoing challenge.

I always welcome to the crafted and malformed files.

Puppy is free and tries to be small, fast, nimble and friendly as your puppy!

Have fun 😉