PPEE - Professional PE Explorer

PPEE (puppy) is a Professional PE file Explorer for
reversers, malware researchers and those who want to statically inspect PE files in more details

Puppy is free and tries to be small, fast, nimble and
friendly as your puppy!

Features

Puppy is robust against malformed and crafted PE files which makes it handy for reversers, malware researchers and those who want to inspect PE files in more details. All directories in a PE file including Export, Import, Resource, Exception, Certificate(Relies on Windows API), Base Relocation, Debug, TLS, Load Config, Bound Import, IAT, Delay Import and CLR (.Net) are supported.

Very fast malware static analysis tool
Both PE32 and PE64 support
Examine Yara rules against opened file
Virustotal and OPSWAT's Metadefender query report
Statically analyze windows native and .Net executables
Robust Parsing of exe, dll, sys, scr, drv, cpl, ocx and more
Parse Rich Header
Parse Safe SEH, Control Flow Guard Functions, Enclave Configuration and Volatile information in load config directory
Edit almost every data structure
Easily dump sections, resources and .Net assembly directories
Entropy and MD5 calculation of the sections and resource items
Entropy, SSDEEP, TLSH, CRC32, ImpHash, MD5, SHA1, SHA256 and Authentihash calculation of the files
View strings including URL, Registry, Suspicious, ... embedded in files
Resolve ordinal to name in imported APIs
Demangle (undecorate) mangled import/export APIs
Detect common resource types
Extract artifacts remained in PE file
Anomaly detection
Right-click for Copy, Search in web, Whois and dump
Easily access recent opened files
Built in hex editor
Explorer context menu integration
Descriptive information for data structures
Refresh, Save and Save as menu commands
Open file by drag and drop
List view columns can sort data in an appropriate way
Open file from command line
Checksum validation
Plugin enabled

Descriptive information

PE32 Optional Header

Grayed out Entries

High Entropy Malformed Section

Export Directory

PE32+ Import Directory

Easily dump resource items

High Entropy Locale Resource

Invalid digital signature

Artifacts remained in Debug directory

Thread Local Storage Data

SEH-CFG Handlers

Bound Imports Directory

Delay Loaded Imports

Crafted .Net Assembly Metadata Header

.Net VTable Fixups

Malicious strings used in binary

Virustotal and OPSWAT query

Unmanaged functions used in assembly

Application manifest

Test YARA rules against file

Registry strings in file

Filter strings specified as suspicious

Strings recognized as URL

About puppy

There are lots of tools out there for statically analyzing malicious binaries, but they are ordinary tools for ordinary files.
Puppy is a lightweight yet strong tool for static investigation of suspicious files. Two companion plugins are also provided. FileInfo, to query the file in the well-known malware repositories and take one-click technical information about the file such as its size, entropy, attributes, hashes, version info and so on. YaraPlugin, to test Yara rules against opened file.

The whole zip file hash:
MD5: EB97A7D3CCA480D363D5F0071E1A745F
SHA1: C25539771CDB3BAB0F4E9E76209F51BB823EBB70
SHA256: B82A1CD2753BD7986AA260ABC5DBFDEA1C9AB1DE89FBDC929EA456C17E71CE1A
Size: 1.84 MiB
Current version: 1.13.1 (2023-11-10)

Contact

For any comments, bugreports or feature request please e-mail me: [email protected]