New software from BlackHat makes reverse-engineering malware faster and easier for software engineers.
Reverse-engineering of malware is an extremely time- and labour-intensive process, which can involve hours of disassembling and sometimes deconstructing a software programme. The BlackBerry Research and Intelligence team initially developed this open-source tool for internal use, and is now making it available to the malware reverse-engineering community.
PE Tree is developed in Python and supports Windows, Linux and Mac operating systems. It can be installed and run as a standalone application. Aimed at the reverse-engineering community, PE Tree also integrates with Hex-Rays’ IDA Pro decompiler to allow for easy navigation of PE structures, as well as dumping in-memory PE files and performing import reconstruction.
Image credit: Tom Bonner, Distinguished Threat Researcher, BlackBerry
“The cyber-security threat landscape continues to evolve and cyber-attacks are getting more sophisticated with potential to cause greater damage,” said Eric Milam, Vice President of Research Operations, BlackBerry. “As cyber-criminals up their game, the cyber-security community needs new tools in their arsenal to defend and protect organisations and people. We’ve created this solution to help the cyber-security community in this fight, where there are now more than one billion pieces of malware with that number continuing to grow by upwards of 100 million pieces each year.”
PE Tree enables reverse-engineers to view Portable Executable (PE) files in a tree-view, using pefile and PyQt5, thereby lowering the bar for dumping and reconstructing malware from memory while providing an open-source PE viewer code-base that the community can build upon. The tool also integrates with Hex-Rays’ IDA Pro decompiler to allow for easy navigation of PE structures, as well as dumping in-memory PE files and performing import reconstruction – which are critical in the fight to identify and stop various strains of malware.
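The paragraph above describes what a PE tree viewer does (walk the DOS header, NT headers and section table and present them as a tree) and why dumping from memory needs fix-ups before a file-offset based parser can read the result. The following is an added example written for this article, not PE Tree's own code: where PE Tree builds its tree on top of pefile and PyQt5, this version parses the headers with the standard-library struct module so it runs without dependencies, prints a text tree, and shows the one fix-up a memory dump needs (PointerToRawData and SizeOfRawData rewritten to match VirtualAddress and VirtualSize). The sample PE32+ image is constructed in code for the demonstration; it contains no executable code, and all function names are this example's own.

```python
import struct

# Signatures and fixed sizes from the PE/COFF specification.
IMAGE_DOS_SIGNATURE = 0x5A4D     # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550  # 'PE\0\0'
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
COFF_HEADER_SIZE, SECTION_HEADER_SIZE = 20, 40


def parse_pe(data: bytes) -> dict:
    """Parse the DOS header, NT headers and section table into a nested dict (the tree)."""
    if len(data) < 64 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(data):
        raise ValueError("e_lfanew points outside the file")
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + COFF_HEADER_SIZE
    if opt_size < 32 or opt_off + opt_size > len(data):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == PE32_MAGIC:       # ImageBase is 4 bytes at +28 in PE32 ...
        image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    elif magic == PE32PLUS_MAGIC:  # ... and 8 bytes at +24 in PE32+
        image_base = struct.unpack_from("<Q", data, opt_off + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt_off + opt_size + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError(f"section table truncated at entry {i}")
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize,
            "pointer_to_raw_data": rawptr, "size_of_raw_data": rawsize,
            "characteristics": struct.unpack_from("<I", data, off + 36)[0],
            # A raw range running past EOF is a common sign of a dump that was never fixed up.
            "raw_data_truncated": rawptr + rawsize > len(data),
            "header_offset": off,
        })
    return {
        "dos_header": {"e_lfanew": e_lfanew},
        "file_header": {"machine": machine, "number_of_sections": nsec,
                        "time_date_stamp": stamp, "characteristics": chars},
        "optional_header": {"magic": magic, "address_of_entry_point": entry,
                            "image_base": image_base},
        "sections": sections,
    }


def render_tree(node, indent: int = 0) -> str:
    """Render the parsed structure as an indented text tree (what a GUI tree view shows)."""
    pad, lines = "  " * indent, []
    items = node.items() if isinstance(node, dict) else enumerate(node)
    for key, value in items:
        label = f"[{key}]" if isinstance(node, list) else str(key)
        if isinstance(value, (dict, list)):
            lines.append(f"{pad}{label}")
            lines.append(render_tree(value, indent + 1))
        elif isinstance(value, bool) or not isinstance(value, int):
            lines.append(f"{pad}{label}: {value}")
        else:
            lines.append(f"{pad}{label}: {value:#x}")
    return "\n".join(lines)


def section_bytes(data: bytes, sec: dict) -> bytes:
    """Return the bytes a file-offset based tool would read for a section."""
    start = sec["pointer_to_raw_data"]
    return data[start:start + sec["size_of_raw_data"]]


def realign_dumped_image(data: bytes) -> bytes:
    """Fix up a raw memory dump so file offsets match virtual addresses:
    SizeOfRawData = VirtualSize and PointerToRawData = VirtualAddress per section."""
    out = bytearray(data)
    for sec in parse_pe(data)["sections"]:
        struct.pack_into("<II", out, sec["header_offset"] + 16,
                         sec["virtual_size"], sec["virtual_address"])
    return bytes(out)


def build_sample_pe(memory_layout: bool = False) -> bytes:
    """Constructed sample (not a real binary): a two-section PE32+ skeleton with no code.
    With memory_layout=True the section bodies sit at their virtual addresses, as in a raw
    process-memory dump, while the headers still carry the on-disk file offsets."""
    secs = [(b".text", 0x1000, 0x200, 0x60000020), (b".data", 0x2000, 0x400, 0xC0000040)]
    img = bytearray(0x3000 if memory_layout else 0x600)
    struct.pack_into("<H", img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", img, 0x3C, 64)                          # e_lfanew
    struct.pack_into("<I", img, 64, IMAGE_NT_SIGNATURE)
    struct.pack_into("<HHIIIHH", img, 68, 0x8664, len(secs), 0, 0, 0, 112, 0x22)
    struct.pack_into("<HBBIIIIIQ", img, 88, PE32PLUS_MAGIC, 14, 0, 0x200, 0x200, 0,
                     0x1000, 0x1000, 0x140000000)                  # entry 0x1000, ImageBase
    struct.pack_into("<II", img, 88 + 32, 0x1000, 0x200)           # Section/FileAlignment
    for i, (name, va, raw, flags) in enumerate(secs):
        struct.pack_into("<8sIIIIIIHHI", img, 200 + i * SECTION_HEADER_SIZE,
                         name, 0x200, va, 0x200, raw, 0, 0, 0, 0, flags)
        pos = va if memory_layout else raw
        img[pos:pos + 4] = name[1:5]  # marker so we can see which bytes a parser reads
    return bytes(img)


if __name__ == "__main__":
    print(render_tree(parse_pe(build_sample_pe())))
```

Run stand-alone it prints the tree for the on-disk sample. The memory-dump case is the instructive one: parsing the dump with `memory_layout=True` succeeds, but `section_bytes` returns the wrong bytes because the headers still point at file offsets; after `realign_dumped_image` the same call returns the section content, which is the fix-up that any "dump from memory" workflow has to perform before import reconstruction can even start.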
To learn more and to access the PE Tree source code, please visit the BlackBerry GitHub account.
To read more, please visit the blog post here.
by Tom Bonner, Distinguished Threat Researcher, BlackBerry