PE-bear is a multiplatform reversing tool for PE files. Its objective is to deliver fast and flexible “first view” for malware analysts, stable and capable to handle malformed PE files.
Signatures for PE-bear:
- SIG.txt (updated: Oct 17, 2022) - contains signatures from PEid's UserDB - converted by a script provided by crashish
📦 ⚙️ Download the latest release.
Available also via Chocolatey
Available also via Scoop
🧪 Fresh test builds (ahead of the official release) can be downloaded from the AppVeyor build server. They are created on each commit to the main
branch. You can download them by clicking on the build version, then choosing the tab Artifacts
. WARNING: those builds may be unstable.
An archive of old releases is available here: https://github.com/hasherezade/pe-bear-releases
The Linux build requires appropriate version of Qt to be installed.
The Windows build with vs13 suffix(built with Visual Studio 2013) has no external dependencies.
The Windows build with vs19 suffix (built with Visual Studio 2019) requires the redistributable package for Visual Studio 2015 - 2022.
The Windows build with vs10 suffix is built with Qt4 (legacy) - in contrast to the other builds that are with Qt5 (recommended). It is prepared for the purpose of backward compatibility with old versions of Windows (i.e. XP), and may be lacking some of the features.
- git
- cmake
- Qt6 (optional: Qt5, Qt4)
- bearparser (submodule)
- capstone (submodule)
- sig_finder (submodule)
Use recursive clone to get the repo together with submodules:
git clone --recursive https://github.com/hasherezade/pe-bear.git
Use CMake to generate a Visual Studio project. Open in Visual Studio and build.
To build it on Linux or MacOS you can use the given scripts:
- build.sh - default, builds with the latest Qt
- build_qt6.sh - builds with Qt6
- build_qt5.sh - builds with Qt5
- build_qt4.sh - builds with Qt4
To generate the .app
bundle on MacOS you can use:
If you like PE-bear, you can support it by buying the merch 🐻