BlackBerry has released a free, open-source tool called PE Tree that significantly reduces the time and effort needed to reverse engineer malware
Malware reverse engineering is an extremely time-consuming and labour-intensive process that can involve hours of disassembly and sometimes deconstruction of a software programme. BlackBerry's research and intelligence team initially developed the open-source tool for internal use and is now making it available to the malware reverse engineering community.
“The cybersecurity threat landscape continues to evolve, and cyberattacks are getting more sophisticated with potential to cause greater damage,” said Eric Milam, vice-president of research operations, BlackBerry.
“As cybercriminals up their game, the cybersecurity community needs new tools in their arsenal to defend and protect organisations and people. We have created this solution to help the cybersecurity community in this fight, where there are now more than one billion pieces of malware with that number continuing to grow by upwards of 100 million pieces each year.”
PE Tree lets reverse engineers view Portable Executable (PE) files in a tree view, built on pefile and PyQt5. It lowers the bar for dumping malware from memory and reconstructing it, while providing an open-source PE viewer code base that the community can build on.
The tool also integrates with Hex-Rays’ IDA Pro decompiler to allow easy navigation of PE structures, as well as dumping PE files from memory and reconstructing their imports, capabilities that are critical to identifying and stopping various malware strains.
PE Tree was developed in Python and supports Windows, Linux and Mac. It can be installed and run either as a standalone application or as an IDAPython plugin, allowing users to examine any Windows executable and see how it is composed.
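To make concrete what a PE tree view such as the one described above is built from, here is an added example that is not PE Tree's own code (PE Tree uses pefile): it parses the DOS, NT and section headers of a PE image with plain `struct` into a nested dict and flags sections whose raw data runs past end-of-file, a common sight in memory-dumped samples. The sample PE bytes are constructed for the demo and are not a loadable program.

```python
import struct

MACHINES = {0x14C: "i386", 0x8664: "AMD64"}  # common IMAGE_FILE_MACHINE values

def parse_pe_tree(data: bytes) -> dict:
    """Parse the DOS, NT and section headers of a PE image into a nested dict,
    the structure a tree viewer renders. Plain struct, not pefile, so it runs offline."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER follows "PE\0\0"
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    magic, entry = struct.unpack_from("<H", data, opt)[0], struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x20B:                                   # PE32+: 64-bit ImageBase at +24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:                                                # PE32: BaseOfData at +24, ImageBase at +28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    sections, off = [], opt + opt_size                   # section table follows the optional header
    for _ in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, sch = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"Name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "VirtualAddress": va, "VirtualSize": vsize,
                         "PointerToRawData": rptr, "SizeOfRawData": rsize, "Characteristics": sch,
                         # raw data past EOF: typical of truncated or memory-dumped samples
                         "Truncated": rptr + rsize > len(data)})
        off += 40
    return {"DOS_HEADER": {"e_lfanew": e_lfanew},
            "FILE_HEADER": {"Machine": MACHINES.get(machine, hex(machine)), "NumberOfSections": nsec,
                            "TimeDateStamp": stamp, "Characteristics": chars},
            "OPTIONAL_HEADER": {"Magic": "PE32+" if magic == 0x20B else "PE32",
                                "AddressOfEntryPoint": entry, "ImageBase": image_base},
            "SECTIONS": sections}

def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ header set for the demo (not a loadable program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0x5F000000, 0, 0, 0xF0, 0x22)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)                      # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)                 # ImageBase
    sec = lambda n, vs, va, rs, rp, ch: struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
    hdrs = (dos + b"PE\0\0" + coff + bytes(opt)
            + sec(b".text", 0x200, 0x1000, 0x200, 0x200, 0x60000020)
            + sec(b".data", 0x100, 0x2000, 0x200, 0x400, 0xC0000040))
    return hdrs + b"\0" * (0x400 - len(hdrs))   # pad so .text fits in file; .data deliberately runs past EOF
```

Feeding `parse_pe_tree` a real file read with `open(path, "rb").read()` gives the same dict shape; a GUI tree viewer only has to recurse over the nested dicts and lists.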