Open Source Tree

Today at BlackHat, we announced the availability of PE Tree – a new open-source tool developed by the BlackBerry Research and Intelligence team for viewing Portable Executable (PE) files in a tree-view using pefile and PyQt5. Aimed at the reverse engineering community, PE Tree also integrates with HexRays’ IDA Pro decompiler to allow for easy navigation of PE structures, as well as dumping in-memory PE files and performing import reconstruction.

Overview

PE Tree is developed in Python and supports the Windows®, Linux® and Mac® operating systems. It can be installed and run as either a standalone application:

Gramps is an example of stand-alone open source genealogy software. Webtrees is an example of a web-based open source genealogy software. Genealogy software is computer software used to record, organize, and publish genealogical data. At a minimum, genealogy software collects the date and place of an individual's birth, marriage,. The source code for EMFTA is released under the BSD license and is openly accessible on the SEI github repository. Tree and Table Representations EMFTA provides several different ways to visualize and represent a fault tree model, including a tree diagram and a table representation that is convenient for editing.

Sourcetree allows you to search for and clone remote repositories within its simple user interface. Sourcetree for Windows Enterprise Install, update, and manage Sourcetree at scale in your managed enterprise environment.

Figure 1. Standalone application

… or an IDAPython plugin:

Figure 2. IDAPython plugin

Open Source Tree

PE files are parsed using Ero Carrera’s pefile module before being mapped into a tree-view, providing a summary of the following headers:

  • MZ header
  • DOS stub
  • Rich headers
  • NT/File/Optional headers
  • Data directories
  • Sections
  • Imports
  • Exports
  • Debug information
  • Load config
  • TLS
  • Resources
  • Version information
  • Certificates
  • Overlay

Figure 3. Overview of rich headers

Hint! –If pefile detects any issues during parsing then hover over the warning icon for more details:

Figure 4. pefile warnings

Any highlighted links can be clicked to perform a search in VirusTotal, including:

  • File hashes
  • PDB path
  • Timestamps
  • Section hash/name
  • Import hash/name
  • Export name
  • Resource hash
  • Certificate serial

Hint! - The IMAGE_DIRECTORY_ENTRY_DEBUG and IMAGE_EXPORT_DESCRIPTOR timestamps are often set by the compiler but not “timestomped” by malware authors, which can prove useful for further pivot searches.

In addition, certain portions of the PE file can be saved or exported to CyberChef for further processing, such as:

  • DOS stub
  • Sections
  • Resources
  • Certificates
  • Overlay

Figure 5. Save or export certificate

The left-hand “rainbow view” offers a high-level overview of the PE file’s structure, as well as conveying the offset/size/ratio of each region. For example, here is a PE containing several resources and a large overlay appended to the file:

Figure 6. Rainbow map

Each region can be clicked to jump to in the tree-view, or right-clicked to save to file or export to CyberChef.

Hint! -The rainbow map can also be a useful visual aid when processing a directory of PE files, as it makes it easy to spot similar file compositions and determine possible relationships between samples.

IDAPython

Open Source Tree

HeyRays’ IDA Pro integration is via an IDAPython plugin, and allows for more advanced functionality, such as the ability to find and dump PE files from an IDA database (IDB) and reconstruct imports:

Figure 7. Search IDA database for PE files

When dumping in-memory PE files, PE Tree will add basic comments on file structures to the IDB, as well as rename offsets to IAT functions, making it easier to explore and analyse injected/unpacked PEs from within a single IDB.

Open Source Treemap

Hint! –PE Tree can also be used to dump PE files and reconstruct imports in a similar manner to OllyDumpEx/ImpRec. For example, unpacking MPRESS:

Figure 8. After performing “Search IDB” the above MPRESS packed PE file was found with an existing IAT (albeit not complete)

Figure 9. After dumping, the unpacked PE file contains a new (and complete) import address table

Sourcetree Open Terminal

If “Rebuild imports” is selected, then PE Tree will search the IDA disassembly for all possible IAT references and construct a new IAT, IDT and hint name table (recommended for unpacked or dynamically loaded PEs). Otherwise, if “Use existing imports” is specified, then PE Tree will attempt to reconstruct imports based on the IAT specified via DIRECTORY_ENTRY_IMPORT (this is the default mode and typically recommended for most PEs and system DLLs).

Looking to the Future

PE Tree remains under active development, so expect to see new features frequently. How many parasite eve games are there. The next major release will focus on rekall support, offering the ability to view and dump processes from either a memory dump or live system:

Figure 10. The future… Dumping active processes using Rekall!

To learn more and to access the PE Tree source code, please visit the BlackBerry GitHub account.

Just as Python is a high-level language, oTree is a high-level framework. You don't need to know all the nitty-gritty details of HTTP, SQL, etc. Jump in and start building fun things right away!

Clear code

oTree Studio is a visual layer on top of an easy-to-understand Python code format.

Players will be automatically split into groups of 2, and the game repeats for 10 rounds.

This page has a time limit of 60 seconds, and is only shown to player 1.

Multiplayer games are super simple. Just add a WaitPage in your game, and it will automatically synchronize players, at which point you can perform calculations.

This page gives the user a choice to finish the current section, or skip to one of your other apps (e.g. questionnaire).

Dynamic templates

Design your user interface with dynamic tags, HTML, and CSS.

Built-in components like a chat box and automatic form layout.

Features for advanced users

OpenOpen Source TreeGenerator

Test your apps with bots, which run in parallel to play multiplayer games against each other. You can program different bot strategies and run multi-agent simulations.

Live pages let players interact within the same page, in real time. Send messages to specific players using their ID, or broadcast to the group using special ID 0.

The above just scratches the surface of what oTree can do. Check out the documentation for more details.