BlackBerry launches open-source tool to help reverse engineer malware

Alex Coop

4 years ago

After being open-sourced on GitHub since last week, BlackBerry made it official yesterday by releasing its new Python-based app to help reverse engineer pesky malware.

Named PE Tree, the app for Linux, Mac, and Windows can reverse-engineer and analyze the internal structure of Portable Executable (PE) files, according to BlackBerry. PE files are popular with malware authors who hide malicious payloads inside them.

“The cybersecurity threat landscape continues to evolve and cyberattacks are getting more sophisticated with potential to cause greater damage,” said Eric Milam, vice-president of research operations, BlackBerry, in a press release.

PE files are parsed using Ero Carrera’s pefile module before being mapped into a tree-view, providing a summary of above headers. Source: BlackBerry

Businesses today have to contend with more diverse malware sprouting like weeds, and it’s not just the Emotets and TrickBots of the world, but Ryuk and Sodinokibi, both of which caused significant disruptions globally in 2019. Meanwhile, malware like SecurityRun, according to a report from Malwarebytes, can achieve high distribution almost “exclusively against business victims.”

That same report also says there was an average of 11 threats per Mac endpoints in 2019, nearly double the average of 5.8 threats per endpoint on Windows.

The open-source tool’s list of features include:

Standalone application and IDAPython plugin
Supports Windows/Linux/Mac
Rainbow PE ratio map:
- High-level overview of PE structures, size and file location
- Allows for fast visual comparison of PE samples
Displays the following PE headers in a tree view:
- MZ header
- DOS stub
- Rich headers
- NT/File/Optional headers
- Data directories
- Sections
- Imports
- Exports
- Debug information
- Load config
- TLS
- Resources
- Version information
- Certificates
- Overlay
Extract and save data from:
- DOS stub
- Sections
- Resources
- Certificates
- Overlay
Send data to CyberChef
VirusTotal search of:
- File hashes
- PDB path
- Timestamps
- Section hash/name
- Import hash/name
- Export name
- Resource hash
- Certificate serial
Standalone application;
- Double-click VA/RVA to disassemble with capstone
- Hex-dump data
IDAPython plugin:
- Easy navigation of PE file structures
- Double-click VA/RVA to view in IDA-view/hex-view
- Search IDB for in-memory PE files;
  - Reconstruct imports (IAT + IDT)
  - Dump reconstructed PE files
  - Automatically comment PE file structures in IDB
  - Automatically label IAT offsets in IDB

PE tree isn’t the only tool of its kind: a similar app developed by malware analyst Aleksandra “Hasherezade” Doniec, who also works for Malwarebytes, can be found here.