A new security tool released by BlackBerry for Reverse Engineering PE Files

Source: PE TREE Reverse Engineering tool (BlackBerry)

Today, BlackBerry released a new tool for the cyber-security community at the Black Hat USA 2020 Security Conference. BlackBerry named it PE TREE, a new Python-based tool for Linux, Windows and Mac that can be used to reverse-engineer and analyze the internal structure of Portable Executable (PE) files (a common file that malware authors have used to hide malicious payloads). Since last week, This tool has been open-sourced on GitHub, but today marks its official release.

As BlackBerry in a press release today that Reverse Engineering of a malware is an extremely time taken and labor intensive process, which can involve hours of disassembling and sometimes deconstructing a software program. They also said that the BlackBerry Research and Intelligence team initially developed this open source tool for internal use and is now making it available to the malware reverse engineering community.

Benefits of PE TREE

According to BlackBerry, There are multiple benefits of using PE Tree include:

Listing Portable Executables file content in an easy-to-navigate tree view.
Integration with the IDA Pro decompiler (easy navigation of PE structures, performing import reconstruction, dumping in-memory PE files).
VirusTotal search integration.
Can send data to CyberChef.
Can run as either an IDAPython plugin or a standalone application.
Open source license allows community contributions.

This tool is an alternative of PE-bear, a similar tool developed by Aleksandra "Hasherezade" Doniec (Malware Analyst at Malwarebytes).

Cyber-Security vendors embracing the open-source space

The tool PE Tree also marks the release of yet another useful cyber-security tool into the open source space. This is a major change in approach for cyber-security firms, which have historically kept their private internal tools out of the public eye, or under expensive commercial licenses. Over the past two yrs, we have seen:

FireEye release CommandoVM, a Windows-based VM specifically built for malware research, as an alternative to Kali Linux, the community's favorite Operating System.
FireEye release Flashmingo, an application to automatically search for Flash vulnerabilities.
FireEye release Crescendo, a real-time event viewer tool for MacOS.
FireEye release StringSifter, a machine learning utility that automatically ranks strings based on their relevance for malware analysis.
FireEye release SharPersist, a red-team tool for establishing persistence on Windows using different techniques.
FireEye release Capa, a utility that can analyze malware and detect malicious capabilities.
FireEye release SilkETW, a utility for collecting and searching Event Tracing for Windows (ETW) logs.
CERT-Poland release DRAKVUF, an automated hypervisor-level malware analysis sandbox/system.
CyberArk release SkyWrapper, a utility that can scan AWS infrastructure and detect if attackers have abused self-replicating tokens to maintain access to compromised systems.
CyberArk release SkyArk, a tool to detect shadow admin accounts in Azure and AWS environments.
F-Secure release TamaGo, a Go-based firmware for bare metal ARM System-on-Chip components.
F-Secure release Jandroid, a tool to identify potential logic flaw exploit chains on Android.
F-Secure release C3, an open source tool for building custom command-and-control (C3) servers.
SEC Consult release SEC Xtractor, a tool for firmware extraction and hardware exploitation.
NCC Group release Sniffle, the world's first open source sniffer tool for Bluetooth 5.
NCC Group release Phantom Tap (PhanTap), a utility for silently intercepting network traffic.
NCC Group releases WStalker, a proxy to support testing of web API calls.
Google release Tsunami, vulnerability scanner for large-scale enterprise networks.
Google release UKIP, a utility to prevent USB keystroke injection attacks on Linux.
Cloudflare release Flan Scan, a network based vulnerability scanner.
Red Canary release Chain Reactor, a utility for adversary simulations on Linux systems.
SpecterOps release Satellite, a proxy and payload service for red team operations.
Trustwave release SCShell, a utility for fileless lateral movement that relies on Service Manager.
Trustwave release CrackQ, a utility for managing hashcat password-cracking jobs in a queuing system.
France's ANSSI cyber-security agency release DFIR ORC, an open-source tool for forensics dedicated to artifact collection from Windows systems.
Sophos release Sandboxie, a user-friendly application to let users sandbox (isolate) dangerous apps inside their own limited container.
The NSA release Ghidra, a complete software package of reverse-engineering toolkit.
Intel release HBFA, an application to help with firmware security testing.


Previous Post Next Post