Didier Stevens

Sunday 6 December 2020

Update: pecheck.py Version 0.7.12

Filed under: My Software,Update — Didier Stevens @ 13:28

This new version of my PE file analysis tool pecheck.py brings more info when locating PE files inside arbitrary files (option -l P).

2 columns are added to the list of located PE files: original filename (version information) and DLL name (export section).

This can be used, for example, to detect Cobalt Strike beacons inside process dumps. Like in the following example, where the DLL name is beacon.dll:

 

pecheck-v0_7_12.zip (https)
MD5: 0AF2A99DD5AF742C9B688466EE3087C5
SHA256: 10B3B6903AB52381F7C8687F8284270CE060983CA001B4FC5DD88174744B705F

Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.