BlackBerry launches open-source tool to help reverse engineer malware

After being open-sourced on GitHub since last week, BlackBerry made it official yesterday by releasing its new Python-based app to help reverse engineer pesky malware.

Named PE Tree, the app for Linux, Mac, and Windows can reverse-engineer and analyze the internal structure of Portable Executable (PE) files, according to BlackBerry. PE files are popular with malware authors who hide malicious payloads inside them.

“The cybersecurity threat landscape continues to evolve and cyberattacks are getting more sophisticated with potential to cause greater damage,” said Eric Milam, vice-president of research operations, BlackBerry, in a press release.

PE files are parsed using Ero Carrera’s pefile module before being mapped into a tree-view, providing a summary of above headers. Source: BlackBerry

Businesses today have to contend with more diverse malware sprouting like weeds, and it’s not just the Emotets and TrickBots of the world, but Ryuk and Sodinokibi, both of which caused significant disruptions globally in 2019. Meanwhile, malware like SecurityRun, according to a report from Malwarebytes, can achieve high distribution almost “exclusively against business victims.”

That same report also says there was an average of 11 threats per Mac endpoints in 2019, nearly double the average of 5.8 threats per endpoint on Windows.

The open-source tool’s list of features include:

  • Standalone application and IDAPython plugin
  • Supports Windows/Linux/Mac
  • Rainbow PE ratio map:
    • High-level overview of PE structures, size and file location
    • Allows for fast visual comparison of PE samples
  • Displays the following PE headers in a tree view:
    • MZ header
    • DOS stub
    • Rich headers
    • NT/File/Optional headers
    • Data directories
    • Sections
    • Imports
    • Exports
    • Debug information
    • Load config
    • TLS
    • Resources
    • Version information
    • Certificates
    • Overlay
  • Extract and save data from:
    • DOS stub
    • Sections
    • Resources
    • Certificates
    • Overlay
  • Send data to CyberChef
  • VirusTotal search of:
    • File hashes
    • PDB path
    • Timestamps
    • Section hash/name
    • Import hash/name
    • Export name
    • Resource hash
    • Certificate serial
  • Standalone application;
    • Double-click VA/RVA to disassemble with capstone
    • Hex-dump data
  • IDAPython plugin:
    • Easy navigation of PE file structures
    • Double-click VA/RVA to view in IDA-view/hex-view
    • Search IDB for in-memory PE files;
      • Reconstruct imports (IAT + IDT)
      • Dump reconstructed PE files
      • Automatically comment PE file structures in IDB
      • Automatically label IAT offsets in IDB

PE tree isn’t the only tool of its kind: a similar app developed by malware analyst Aleksandra “Hasherezade” Doniec, who also works for Malwarebytes, can be found here.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Alex Coop
Alex Coop
Former Editorial Director for IT World Canada and its sister publications.

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now