TZWorks LLC
System Analysis and Programming
www.tzworks.com


TZWorks®
Windows Portable Executable Viewer - pe_view

(Version 1.27)



Information about our End User's License Agreements (EULAs)
for software on TZWorks, LLC Website www.tzworks.com

User Agreement

TZWorks LLC software and related documentation ("Software") is governed by separate licenses issued from TZWorks LLC. The User Agreement, Disclaimer, and/or Software may change from time to time. By continuing to use the Software after those changes become effective, you agree to be bound by all such changes. Permission to use the Software is granted provided that (1) use of such Software is in accordance with the license issued to you and (2) the Software is not resold, transferred or distributed to any other person or entity. Refer to the specific EULA issued to you for your specific terms and conditions. There are 3 types of licenses available: (i) for educational purposes, (ii) for demonstration and testing purposes and (iii) business and/or commercial purposes. Contact TZWorks LLC (info@tzworks.com) for more information regarding licensing and/or to obtain a license. To redistribute the Software, prior approval in writing is required from TZWorks LLC. The terms in your specific EULA do not give the user any rights in intellectual property or technology, but only a limited right to use the Software in accordance with the license issued to you. TZWorks LLC retains all rights to ownership of this Software.

Export Regulation

The Software is subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations. The Export Control Classification Number (ECCN) for the Software is 5D002, subparagraph C.1. The user shall not, directly or indirectly, export, re-export or release the Software to, or make the Software accessible from, any jurisdiction or country to which export, re-export or release is prohibited by law, rule or regulation. The user shall comply with all applicable U.S. federal laws, regulations and rules, and complete all required undertakings (including obtaining any necessary export license or other governmental approval), prior to exporting, re-exporting, releasing, or otherwise making the Software available outside the U.S.

Disclaimer

The user agrees that this Software made available by TZWorks LLC is experimental in nature and use of the Software is at user's sole risk. The Software could include technical inaccuracies or errors. Changes are periodically added to the information herein, and TZWorks LLC may make improvements and/or changes to Software and related documentation at any time. TZWorks LLC makes no representations about the accuracy or usability of the Software for any purpose.

ALL SOFTWARE IS PROVIDED "AS IS" AND "WHERE IS" WITHOUT WARRANTY OF ANY KIND INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT SHALL TZWORKS LLC BE LIABLE FOR ANY KIND OF DAMAGE RESULTING FROM ANY CAUSE OR REASON, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF INFORMATION AVAILABLE FROM THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY DAMAGES FROM ANY INACCURACIES, ERRORS, OR VIRUSES, FROM OR DURING THE USE OF THE SOFTWARE.

Removal

The Software is the original work of TZWorks LLC. However, to be in compliance with the Digital Millennium Copyright Act of 1998 ("DMCA") we agree to investigate and disable any material that infringes copyright. Contact TZWorks LLC at email address info@tzworks.com regarding any DMCA concerns.


About the pe_view Tool

pe_view combines a collection of PE manipulation code written over the years. Following the theme of many of my tools, this tool does not rely on the Windows API to parse the PE structure, so it can be compiled and run on other platforms. Currently there are compiled versions for Windows, Linux and macOS.

While there are a number of freely available PE tools online (many of which are more capable than pe_view and offer editing features), I ended up writing my own PE viewer some years ago, primarily to understand the PE format in more depth and to have something that was Windows agnostic.

pe_view can extract executable components from all versions of Windows executables (not just the ones in PE format). This includes the old DOS and NE formats that ran under older versions of Windows. Unfortunately, pe_view has not been updated to handle the .NET internals.

The disassembler handles only the Intel x86 instruction set, not the amd64 (x64) instruction set. There are most likely other boundary conditions that do not parse properly, especially for PE files that use some sort of obfuscation technique to hinder reverse engineering. As those are found, the tool is updated with a fix to handle the boundary condition.

pe_view makes use of the FOX-toolkit. FOX is a C++ based Toolkit for developing GUI applications that can easily port across various platforms by compiling the source for the appropriate OS. FOX is distributed under the GNU Lesser General Public License (LGPL), with a FOX Library License addendum.

To use this tool, an authentication file is required to be in the same directory as the binary in order for the tool to run.


Usage

Since pe_view was designed as a GUI tool, one can simply double-click pe_view and select [File -> Open] to open a target portable executable (PE) file. Once a PE file is loaded, besides reviewing all the internal components in the tree view that is displayed, one can use the View menu and the context-aware (right-click) menus to perform the analyses described in the sections below.

The second way to use pe_view is much more limited, but allows one to dump summary statistics from the command line. This is useful when triaging many PE files into categories. To aid in this, pe_view can read the list of files to process from standard input.

Any command line invocation that does not use the GUI needs the -nogui option as one of the arguments. Second, on Windows the output must be written to a file (the -out option shown below), since the Windows version does not write to the command prompt.

(a) Option without std input processing

    pe_view -nogui -file <pefile> [-peid <peid file>] -out <results file>

(b) Option with std input processing

    // windows specific
    dir *.exe /b /s | pe_view -nogui -pipe [-peid <peid file>] -out <results file>
    
    // linux specific
    find /home -name '*.exe' -type f | pe_view -nogui -pipe [-peid <peid file>] -out <results file>
    ls /home/win32_samples/*.dll | pe_view -nogui -pipe [-peid <peid file>] -out <results file>

The help for which command line options are available can be seen via the following options:

    pe_view --help 
    pe_view /?
    pe_view -?

PE Packaging

Summary info about how the PE file was packaged.

Starting with version 0.71, there is additional functionality that gives a summary of PE statistics on how the PE file was compiled and/or packaged. Included with this analysis is the ability to use any PEiD signature file available online (see reference 4 below).

To load a PEiD signature file, one can do this by selecting the menu option

    [Option -> Load PE Signature]

To view the summary information about how the PE file was packaged, select

    [View -> Packaging]

There is also a command line option to load a PEiD signature file on pe_view startup, using the switch -peid <path/file>.


PEiD Signatures

Reference 4 below has links to locations where one can obtain a PEiD signature file or get more information about its format. Below are the rules for how pe_view parses PEiD signature files.

  1. The signature file is a text document.
  2. Each line is parsed using the following rules.
    1. General rules:
      1. Each line is parsed separately.
      2. If a line starts with a semi-colon ';', the entire line is ignored and used for comments.
      3. A blank line is ignored.
    2. The tokens the parser recognizes are:
      ';'
      '[' ']'
      'signature ='
      'ep_only ='
      '??'
    3. The name of the signature is enclosed in square brackets []. The opening square bracket must be at the beginning of the line.
    4. The signature is preceded by the keyword 'signature ='. The signature is represented by hexadecimal bytes, each byte separated by a space. Wildcard bytes are represented by '??'.
    5. If the signature is meant to be scanned at the PE entry point, it is designated 'ep_only = true'; if the signature is to be searched throughout the file contents, it is designated 'ep_only = false'.
    6. For this version of pe_view, only signatures specified as 'ep_only = true' are used. Later versions of pe_view may incorporate entire-file scanning.
  3. Below is an example of a signature:
    [Microsoft Visual C++ 8]
    signature = E8 ?? ?? 00 00 E9 ?? ?? FF FF
    ep_only = true


PE Analysis

pe_view incorporates the standard extraction of both ASCII and Unicode strings (see the View menu). Strings are considered to be at least 5 consecutive printable characters.
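As an added example (written for this page, not pe_view's own code), the extraction rule above in a few lines of Python: runs of at least five printable ASCII characters, and the same rule applied to UTF-16LE, which is how Windows "Unicode" strings appear inside a PE. The sample buffer is constructed for the example; the function name is the example's own.

```python
# Added example, not pe_view's code: ASCII and UTF-16LE string extraction with
# the page's threshold of at least 5 consecutive printable characters.
import re

def extract_strings(data, min_len=5):
    """Return sorted [(file_offset, 'ascii'|'unicode', text)] for runs of at least
    min_len printable characters (0x20-0x7E), either plain ASCII or UTF-16LE."""
    ascii_re = re.compile(rb'[\x20-\x7e]{%d,}' % min_len)
    utf16_re = re.compile(rb'(?:[\x20-\x7e]\x00){%d,}' % min_len)
    found = [(m.start(), 'ascii', m.group().decode('ascii'))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), 'unicode', m.group().decode('utf-16-le'))
              for m in utf16_re.finditer(data)]
    return sorted(found)

# Constructed sample: binary noise, one ASCII string, one UTF-16LE string, one run too short to count.
SAMPLE = (b'\x00\x01Hello, World!\x00\x02'
          + 'kernel32.dll'.encode('utf-16-le')
          + b'\xffab\x00')
```

Strings are quick triage, not evidence: a packed or obfuscated sample often shows almost nothing until it is unpacked, and a handful of planted strings can mislead, so treat the list as leads for the structured checks in the rest of this section.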

One may also want to look at how one PE file compares to a collection of PE files. For the simple case, pe_view takes some predefined PE files that are part of the running operating system and compares the PE file being analyzed against them. To use this comparison option, select 'File Compare' in the 'View' menu.

If one desires to customize which collection of PE files to compare against, one can specify an alternative list of PE files to be used as the collection. This can be done by first generating a text file containing the path\filename of each PE file on a separate line and reading that file into pe_view by using the "Option"->"Load Config".

See config file format in the section below for details on using this option.

The output during this type of compare will be one line per PE file, with the target PE file on the top.

The following syntax is used when displaying the results:

            date Ln ln Af As Os os Su su wv ss f  d  c  e  x  i  m  b  s  6  v  R  k  k#  co file [rsrc's by #]
Compile date -+  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |   |   |      +-- rsrc's flagged
MajorLinkerVer --+  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |   |   +-- filename
MinorLinkerVer -----+  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |   +--- company <truncated>
FileAlignment ---------+  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  +- num of kernel32 imports
  SectionAlignment -------+  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  +-- has only kernel32 as import
   MajorOSVersion -----------+  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  +-- rich signature present (normal)
      MinorOSVersion -----------+  |  |  |  |  |  |  |  |  |  |  |  |  |  |  +---- version info present (normal)
        MajorSubsysVersion --------+  |  |  |  |  |  |  |  |  |  |  |  |  +-- 64 bit binary [pe32+]
           MinorSubsysVersion --------+  |  |  |  |  |  |  |  |  |  |  +-- is digitally signed
             Win32VersionValue ----------+  |  |  |  |  |  |  |  |  +--- random blob in rsrc
                 Subsystem -----------------+  |  |  |  |  |  |  +-- PE file embedded in rsrc
         Dll Characteristics flags present ----+  |  |  |  |  +-- IAT present
                      debug directory present ----+  |  |  +-- execute and write combined w/i section
                      checksum present [+, -, x] ----+  +-- exported funcs [+, n, e, *]
                         + = present and ok                 + = looks ok
                         - = not present                    n = name mismatch
                         x = mismatch                       e = no exports
                                                            * = no exports w/ name mismatch (or no name)

pe_view also allows one to generate a histogram of any section in the PE file. Highlight the section or resource to compute a histogram for, open the context-aware menu (right-click) and select the 'Stats' item.
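The following added example, written for this page and not taken from pe_view, ties the PEiD signature rules in the section above to a few of the compare-table fields: it parses a userdb.txt-style signature file, walks the DOS, NT and section headers without the Windows API to map AddressOfEntryPoint to a file offset, scans the entry point with the 'ep_only = true' signatures, and reports the compile date, linker version, PE32+ flag, checksum status [+, -, x] and any section that is both writable and executable. The PE image (build_sample_pe), the signature text (SAMPLE_USERDB) and the timestamp are constructed inline for the example; the function names are the example's own.

```python
# Added example, not pe_view's own code: PEiD userdb parsing, entry-point
# signature scan, and a few compare-table fields from a Windows-API-free
# header walk. The PE image and signature text below are constructed inline.
import struct
from datetime import datetime, timezone

WRITE, EXEC = 0x80000000, 0x20000000      # IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_EXECUTE

def parse_peid(text):
    """Return [(name, pattern, ep_only)]; pattern bytes are ints, '??' is None."""
    sigs, name, pattern, ep_only = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):            # blank or comment line
            continue
        if raw.startswith('[') and ']' in raw:          # '[' must be at column 0
            if name is not None and pattern is not None:
                sigs.append((name, pattern, ep_only))
            name, pattern, ep_only = raw[1:raw.index(']')], None, False
        elif line.lower().startswith('signature ='):
            pattern = [None if t == '??' else int(t, 16)
                       for t in line.split('=', 1)[1].split()]
        elif line.lower().startswith('ep_only ='):
            ep_only = line.split('=', 1)[1].strip().lower() == 'true'
    if name is not None and pattern is not None:
        sigs.append((name, pattern, ep_only))
    return sigs

def matches(buf, off, pattern):
    """True if the wildcard pattern matches buf at file offset off."""
    return off + len(pattern) <= len(buf) and all(
        p is None or buf[off + i] == p for i, p in enumerate(pattern))

def parse_pe(data):
    """Minimal DOS -> NT -> section-table walk; raises ValueError if malformed."""
    if data[:2] != b'MZ':
        raise ValueError('missing MZ header')
    nt = struct.unpack_from('<I', data, 0x3C)[0]        # e_lfanew
    if data[nt:nt + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    nsec, stamp, opt_size = struct.unpack_from('<HI8xH', data, nt + 6)
    opt = nt + 24                                       # optional header
    magic, maj, mnr = struct.unpack_from('<HBB', data, opt)
    ep_rva = struct.unpack_from('<I', data, opt + 16)[0]
    sections = [struct.unpack_from('<8sIIIIIIHHI', data, opt + opt_size + 40 * i)
                for i in range(nsec)]
    return dict(pe32plus=(magic == 0x20B), linker=f'{maj}.{mnr}', stamp=stamp,
                ep_rva=ep_rva, checksum_off=opt + 64,   # CheckSum: +64 in PE32 and PE32+
                sections=sections)

def rva_to_off(rva, sections):
    for _name, vsize, va, rawsize, rawptr, *_rest in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    return None                                         # EP outside every section: suspicious

def pe_checksum(data, checksum_off):
    """PE/COFF checksum as ImageHlp computes it: end-around-carry sum of the
    32-bit words (skipping the CheckSum field itself) plus the file length."""
    total, padded = 0, data + b'\0' * (-len(data) % 4)
    for i in range(0, len(padded), 4):
        if i == checksum_off:
            continue
        total += struct.unpack_from('<I', padded, i)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def triage(data, sigs):
    """One summary record with a subset of the compare table's columns."""
    pe = parse_pe(data)
    stored = struct.unpack_from('<I', data, pe['checksum_off'])[0]
    ep_off = rva_to_off(pe['ep_rva'], pe['sections'])
    return dict(
        compile_date=datetime.fromtimestamp(pe['stamp'], timezone.utc).strftime('%Y-%m-%d'),
        linker=pe['linker'], pe32plus=pe['pe32plus'],
        checksum='-' if stored == 0 else
                 '+' if stored == pe_checksum(data, pe['checksum_off']) else 'x',
        wx_sections=[s[0].rstrip(b'\0').decode('ascii', 'replace')
                     for s in pe['sections'] if s[9] & WRITE and s[9] & EXEC],
        packers=[n for n, pat, ep in sigs
                 if ep and ep_off is not None and matches(data, ep_off, pat)])

def build_sample_pe(ep_bytes, sec_flags=EXEC | 0x20, checksum=0):
    """Constructed PE32 image for this example (not a real, runnable binary):
    DOS header, NT headers, one .text section whose first bytes are the entry point."""
    dos = (b'MZ' + b'\0' * 58 + struct.pack('<I', 0x80)).ljust(0x80, b'\0')
    file_hdr = struct.pack('<HHIIIHH', 0x14C, 1, 1262304000, 0, 0, 224, 0x102)  # stamp 2010-01-01
    opt = bytearray(224)
    struct.pack_into('<HBB', opt, 0, 0x10B, 8, 0)       # PE32 magic, linker 8.0
    struct.pack_into('<I', opt, 16, 0x1000)             # AddressOfEntryPoint
    struct.pack_into('<II', opt, 32, 0x1000, 0x200)     # SectionAlignment, FileAlignment
    struct.pack_into('<I', opt, 64, checksum)
    sec = struct.pack('<8sIIIIIIHHI', b'.text', 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, sec_flags)
    headers = (dos + b'PE\0\0' + file_hdr + bytes(opt) + sec).ljust(0x200, b'\0')
    return headers + ep_bytes.ljust(0x200, b'\0')

SAMPLE_USERDB = """; constructed sample in userdb.txt form, using the page's own example signature
[Microsoft Visual C++ 8]
signature = E8 ?? ?? 00 00 E9 ?? ?? FF FF
ep_only = true
"""
```

Calling triage(build_sample_pe(bytes.fromhex('E8 10 00 00 00 E9 20 00 FF FF')), parse_peid(SAMPLE_USERDB)) reports the example signature as a hit, a '-' checksum and no W+X sections. Two caveats for a triage pipeline: an entry-point signature is only a hint, since compilers and packers share prologues and a stub can be patched so the EP bytes no longer match; and a '-' checksum is normal for many user-mode binaries, so it is the 'x' (present but wrong) case, and an entry point that resolves to no section at all, that deserve a second look.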


PE Collection Configuration File Format

These files are text files that list the PE files to use as a collection to compare a target PE against. There are currently three collection types: (a) executable, (b) dynamic link library and (c) driver. The parsing rules for these config files are as follows:

General Rules.

  1. Each line is parsed separately
  2. A line that starts with a double forward slash (//) is ignored and used for comments
  3. A blank line is ignored

Lines listing pe files

  1. Each PE file is listed on a separate line (with an associated path)
  2. Each group of PE files (consecutive listing of PE files) should have a separate line defining the type of PE files identified in the group.
  3. The types of PE file collections include one of the following: executables, dlls, or driver files. To help the parser tell which collection goes with what file, use the following declarations on a separate line:
    • [exe files]
    • [dll files]
    • [driver files]

The files listed (one file per line) after the above type declaration will be categorized with that collection.

Example config file

    // executables
    [exe files]
    systemroot\system32\cmd.exe
    systemroot\system32\calc.exe
    systemroot\system32\services.exe
    ...

    // dynamic link libraries
    [dll files]
    systemroot\system32\user32.dll
    systemroot\system32\gdi32.dll
    systemroot\system32\crypt32.dll
    systemroot\system32\msvcrt.dll
    ...

    // drivers
    [driver files]
    systemroot\system32\drivers\ntfs.sys
    systemroot\system32\drivers\ndis.sys
    systemroot\system32\ntoskrnl.exe
    systemroot\system32\hal.dll
    ...
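An added example, not pe_view's own parser, that applies the rules above: '//' comment lines and blank lines are skipped, a [exe files], [dll files] or [driver files] header opens a group (matched case-insensitively here, which is this example's assumption), and every path that follows joins that group until the next header. The sample config is constructed and keeps the page's literal systemroot\ prefix unexpanded.

```python
# Added example, not pe_view's parser: reads a PE collection config file using
# the rules in this section. Header matching is case-insensitive (an assumption).
GROUP_HEADERS = {'[exe files]': 'exe', '[dll files]': 'dll', '[driver files]': 'driver'}

def parse_collection_config(text):
    """Return {'exe': [...], 'dll': [...], 'driver': [...]} in file order.
    An unknown header, or a path listed before any header, raises ValueError
    with the line number so a bad config is easy to fix."""
    groups = {'exe': [], 'dll': [], 'driver': []}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('//'):           # blank or comment line
            continue
        if line.startswith('['):                        # collection type declaration
            key = line.lower()
            if key not in GROUP_HEADERS:
                raise ValueError(f'line {lineno}: unknown collection type {line!r}')
            current = GROUP_HEADERS[key]
        elif current is None:
            raise ValueError(f'line {lineno}: file listed before any [... files] header')
        else:
            groups[current].append(line)
    return groups

# Constructed sample in the format above; paths kept as written, not expanded.
SAMPLE_CONFIG = """// executables
[exe files]
systemroot\\system32\\cmd.exe
systemroot\\system32\\calc.exe

// drivers
[driver files]
systemroot\\system32\\drivers\\ntfs.sys
systemroot\\system32\\ntoskrnl.exe
"""
```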

Loading a user defined config file

To load a user defined config file, select 'Load Configfile' in the Options menu, whereupon an open file dialog box will allow you to navigate to the config file you wish to load.

After the config file is loaded, it will be parsed and the files specified will be analyzed and the PE internals extracted. A summary of the extraction results will then be displayed. Then, any file that is loaded into the pe_view can be analyzed against this loaded configuration via the View menu -> 'Collection Compare'.

If a config file is not loaded by the user, pe_view will try to examine the target file against a predefined list of pe files.


Extracting PE Resources

Sometimes it is useful to extract fragments from a PE file and examine them with another tool. Resources in the PE file, for example, can contain other files: PNG or JPEG images, zipped data, or even another PE file. pe_view allows one to extract any portion of the PE file that the viewer displays.

For example, to extract a resource, select any resource in the resource table displayed, open the context-aware menu (by right-clicking the highlighted resource) and select the 'Save' menu item.

After saving the desired fragment, one can use the appropriate viewer to view the extracted data. Treat anything carved out of an untrusted sample as untrusted itself: an embedded PE is a live executable, so inspect it with a viewer or in a sandbox rather than launching it.


Known Issues

   a. Parsing .NET internal structures
   b. Parsing resource entries
   c. The tool has not been compiled for Apple Silicon (ARM64) yet, only for Intel-based macOS

X Window Dependencies

For this tool to work, the X Window System libraries are required on both Linux and macOS (they are not required on Windows). These libraries use the X11 protocol and graphics primitives to render the graphical user interface components, and are common on Unix-like OS's.

If one is unfamiliar with the X Window System or the libraries associated with it: on macOS, an installer package is available from XQuartz.org, an open-source effort to develop a version of the X Window System that runs on macOS; on Linux, the X11 libraries are normally installed through the distribution's own package manager.

After the X11 libraries are installed, one needs to ensure the X server is running prior to running this tool.


Authentication and License File

This tool has authentication built into the binary. The primary authentication mechanism is the X.509 code signing certificate embedded into the binary (Windows and macOS).

The other mechanism is runtime authentication, which applies to all versions of the tool (Windows, Linux and macOS). The runtime authentication validates that the tool has a valid license. The license file needs to be in the same directory as the tool for it to authenticate. Furthermore, any modification to the license, either to its name or its contents, will invalidate it.

Limited versus Demo versus Full in the tool's output banner

The tools from TZWorks output header information about the tool's version and whether it is running in limited, demo or full mode. This is directly related to the version of the license the tool authenticates with. The limited and demo keywords indicate that some functionality of the tool is not available; the full keyword indicates that all functionality is available. The missing functionality in the limited or demo versions may mean one or all of the following: (a) certain options may not be available, (b) certain data may not be output in the parsed results, and (c) the license has a finite lifetime before expiring.


Version history


References

  1. Microsoft Portable Executable and Common Object File Format Specification.
  2. An In-Depth Look into the Win32 Portable Executable File Format, by Matt Pietrek, MSDN Magazine.
  3. Wikipedia, the free encyclopedia. PE format
  4. PEiD references: PEiD, PEiD Forum, Example userdb.txt
  5. FOX-toolkit version 1.6.47.
  6. X Window System Libraries by XQuartz.org.