{"id":17053190,"url":"https://github.com/te-k/pecli","last_synced_at":"2025-03-23T05:23:34.304Z","repository":{"id":57451590,"uuid":"112379019","full_name":"Te-k/pecli","owner":"Te-k","description":"CLI tool to analyze PE files","archived":false,"fork":false,"pushed_at":"2024-09-23T16:04:58.000Z","size":331,"stargazers_count":87,"open_issues_count":6,"forks_count":23,"subscribers_count":10,"default_branch":"master","last_synced_at":"2025-03-03T19:07:53.201Z","etag":null,"topics":["malware","malware-analysis","reverse-engineering"],"latest_commit_sha":null,"homepage":"","language":"YARA","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Te-k.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-11-28T19:24:40.000Z","updated_at":"2025-02-25T11:15:20.000Z","dependencies_parsed_at":"2025-01-28T11:45:04.560Z","dependency_job_id":"aed294c9-3533-47c9-8674-b06315dc836f","html_url":"https://github.com/Te-k/pecli","commit_stats":null,"previous_names":["te-k/pe"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Te-k%2Fpecli","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Te-k%2Fpecli/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Te-k%2Fpecli/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Te-k%2Fpecli/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Te-k","download_url":"https://codeload.github.com/Te-k/pecli/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245058949,"owners_count":20554203,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["malware","malware-analysis","reverse-engineering"],"created_at":"2024-10-14T10:11:37.383Z","updated_at":"2025-03-23T05:23:34.286Z","avatar_url":"https://github.com/Te-k.png","language":"YARA","funding_links":[],"categories":[],"sub_categories":[],"readme":"# PEcli\n\nTool to analyze PE files in python 3. Current features :\n* Show information about the file (import, exports, resources)\n* Search for interesting information in the file (abnormal resources, peid...)\n* Dump sections or resources\n* Check size\n* Search for a string in the file\n\n[![PyPI](https://img.shields.io/pypi/v/pecli)](https://pypi.org/project/pecli/) [![PyPI - Downloads](https://img.shields.io/pypi/dm/pecli)](https://pypistats.org/packages/pecli) [![PyPI - License](https://img.shields.io/pypi/l/pecli)](LICENSE) [![GitHub issues](https://img.shields.io/github/issues/te-k/pecli)](https://github.com/Te-k/pecli/issues)\n\n## Installation\n\nYou can install it from [pypi](https://pypi.org/project/pecli/) : `pip install pecli`\n\nOr directly from the code :\n```\ngit clone https://github.com/Te-k/pecli.git\ncd pecli\npip install .\n```\n\n## How to\n\nPEcli works with plugins, like `pecli PLUGIN FILE`\n\n```\nusage: pecli [-h] {check,checksize,crypto,dump,info,richpe,search,shell,sig,strings,vt} ...\n\npositional arguments:\n  {check,checksize,crypto,dump,info,richpe,search,shell,sig,strings,vt}\n                        Plugins\n    check               Check for stuff in the file\n    checksize           Check size of the PE file\n    crypto              Identifies cryptographic values\n    dump                Dump resource or section of the file\n    info                Extract info from the PE file\n    richpe              Decode Rich PE Header\n    search              Search for a string in a PE file\n    shell               Launch ipython shell to analyze the PE file\n    sig                 Handle PE Signature\n    strings             Extract strings from the PE file\n    vt                  Check PE information in VirusTotal\n```\n\nExample :\n```\n$ pecli info explorer.exe\nMetadata\n================================================================================\nMD5:           418045a93cd87a352098ab7dabe1b53e\nSHA1:          98b9ad668e0727be888b861f49aac0f72725e634\nSHA256:        81419093ccb985da284931fa3df41c4cfe25350db1c366792903411819371664\nImphash:       c3eb9567e9430e65e703dca7bb8343fa\nSize:          1036800 bytes\nType:          PE32 executable (GUI) Intel 80386, for MS Windows\nCompile Time:  2008-04-13 19:17:04 (UTC - 0x48025C30)\nEntry point:   0x101a55f (section .text)\nDebug Information: explorer.pdb\n\nSections\n================================================================================\nName       VirtSize  VirtAddr  RawSize   RawAddr   Entropy  md5\n.text      0x44c09   0x1000    0x400     0x44e00   6.3838   8c58c76b600f5aee7f7c7242454b9a1f\n.data      0x1db4    0x46000   0x45200   0x1800    1.2992   983f35021232560eaaa99fcbc1b7d359\n.rsrc      0xb2f64   0x48000   0x46a00   0xb3000   6.6381   f7df812e2e64b1514d61a9681fbe71da\n.reloc     0x374c    0xfb000   0xf9a00   0x3800    6.7817   ec335057489badbf6d8142b57175fd91\n\n\nImports\n================================================================================\nADVAPI32.dll\n\t0x1001000 RegSetValueW\n\t0x1001004 RegEnumKeyExW\n\t0x1001008 GetUserNameW\n[SNIP]\n\nResources:\n================================================================================\nId           Name    Size      Lang           Sublang           Type           MD5\n2-143-1031   None    2040 B    LANG_GERMAN    SUBLANG_GERMAN    data           f0e8e299c637633db0a5af11042adb04\n2-145-1031   None    35322 B   LANG_GERMAN    SUBLANG_GERMAN    data           1e5bfaf34503ce750b3cc13058a3f88b\n2-146-1031   None    12826 B   LANG_GERMAN    SUBLANG_GERMAN    data           061daf6ef2047f33947d5655f1c8aaa4\n[SNIP]\n```\n\n```\n$ pecli check playlib.exe\nRunning checks on playlib.exe:\n[+] Abnormal section names: .enigma1 .enigma2\n[+] Suspicious section's entropy: .enigma1 - 7.931\n[+] Known malicious sections\n\t-.enigma1: Enigma Virtual Box protector\n\t-.enigma2: Enigma Virtual Box protector\n[+] 200 extra bytes in the file\n[+] TLS Callback: 0x446bb0\n[+] PE header in sections .enigma2\n[+] Known suspicious import hash: Enigma VirtualBox\n```\n\n## License\n\nThis tool is published under MIT License\n\n## Similar tools\n\n* [Viper](https://viper.li/)\n* [PEScanner](https://github.com/Te-k/analyst-scripts/blob/master/pe/pescanner.py) published by Michael Ligh for the [Malware Analyst's Cookbook](https://www.wiley.com/en-us/Malware+Analyst%27s+Cookbook+and+DVD%3A+Tools+and+Techniques+for+Fighting+Malicious+Code-p-9780470613030) (python2 only)\n* [Manalyze](https://github.com/JusticeRage/Manalyze) by Ivan Kwiatkowski\n* On Windows, [PeStudio](https://www.winitor.com/), [PEView](http://wjradburn.com/software/) and [Resource Hacker](http://www.angusj.com/resourcehacker/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fte-k%2Fpecli","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fte-k%2Fpecli","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fte-k%2Fpecli/lists"}