Didier Stevens

Friday 27 March 2020

Carving PE Files With pecheck.py

Filed under: My Software,Update — Didier Stevens @ 0:00

I added a feature to my tool pecheck.py to help extract embedded PE files from any host file: -l –locate.

pecheck.py expects a PE file as input, but if you use option -l P, it will read any file an look for embedded PE files by searching for a DOS header (MZ) followed by a PE header, that can then be parsed by pefile without errors.

Like in this example, where I created a PNG file with a 32-bit and a 64-bit DLL appended:

One PE file can then be selected for further analysis:

Or for extraction:

Here is a video with more details:

Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.