BlackBerry launches open-source tool to help reverse engineer malware

After being open-sourced on GitHub since last week, BlackBerry made it official yesterday by releasing its new Python-based app to help reverse engineer pesky malware.

Named PE Tree, the app for Linux, Mac, and Windows can reverse-engineer and analyze the internal structure of Portable Executable (PE) files, according to BlackBerry. PE files are popular with malware authors who hide malicious payloads inside them.

“The cybersecurity threat landscape continues to evolve and cyberattacks are getting more sophisticated with potential to cause greater damage,” said Eric Milam, vice-president of research operations, BlackBerry, in a press release.

PE files are parsed using Ero Carrera’s pefile module before being mapped into a tree-view, providing a summary of above headers. Source: BlackBerry

Businesses today have to contend with more diverse malware sprouting like weeds, and it’s not just the Emotets and TrickBots of the world, but Ryuk and Sodinokibi, both of which caused significant disruptions globally in 2019. Meanwhile, malware like SecurityRun, according to a report from Malwarebytes, can achieve high distribution almost “exclusively against business victims.”

That same report also says there was an average of 11 threats per Mac endpoints in 2019, nearly double the average of 5.8 threats per endpoint on Windows.

The open-source tool’s list of features include:

  • Standalone application and IDAPython plugin
  • Supports Windows/Linux/Mac
  • Rainbow PE ratio map:
    • High-level overview of PE structures, size and file location
    • Allows for fast visual comparison of PE samples
  • Displays the following PE headers in a tree view:
    • MZ header
    • DOS stub
    • Rich headers
    • NT/File/Optional headers
    • Data directories
    • Sections
    • Imports
    • Exports
    • Debug information
    • Load config
    • TLS
    • Resources
    • Version information
    • Certificates
    • Overlay
  • Extract and save data from:
    • DOS stub
    • Sections
    • Resources
    • Certificates
    • Overlay
  • Send data to CyberChef
  • VirusTotal search of:
    • File hashes
    • PDB path
    • Timestamps
    • Section hash/name
    • Import hash/name
    • Export name
    • Resource hash
    • Certificate serial
  • Standalone application;
    • Double-click VA/RVA to disassemble with capstone
    • Hex-dump data
  • IDAPython plugin:
    • Easy navigation of PE file structures
    • Double-click VA/RVA to view in IDA-view/hex-view
    • Search IDB for in-memory PE files;
      • Reconstruct imports (IAT + IDT)
      • Dump reconstructed PE files
      • Automatically comment PE file structures in IDB
      • Automatically label IAT offsets in IDB

PE tree isn’t the only tool of its kind: a similar app developed by malware analyst Aleksandra “Hasherezade” Doniec, who also works for Malwarebytes, can be found here.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Alex Coop
Alex Coophttp://www.itwc.ca
Former Editorial Director for IT World Canada and its sister publications.

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now