How do I dump a running process with PE Tools?

Use the Process Viewer to select a process, then access the PE Dumper for full, partial, or region dumps. Administrative rights are required for SeDebugPrivilege to access memory.

PE Tools vs LordPE: which is better for reverse engineering?

PE Tools offers more integrated features like entropy analysis and a comparator, and is actively updated. LordPE is older and less maintained, but some prefer its interface. PE Tools is a modernized successor with broader tooling.

Can PE Tools edit .NET executables?

Limited; the .NET Directory Viewer is listed as a to-do item, so core .NET metadata editing isn't available. It can edit PE headers but not specific .NET structures like MSIL code.

How to use PE Tools on macOS?

Run the Windows executable via Wine, as tested with versions like 3.4. Download from GitHub releases and use Wine to launch PETools.exe, but performance and compatibility may vary compared to native Windows.

Is PE Tools open source?

No, it's closed-source; the README states source code isn't available. Developers accept feature suggestions via C/C++ snippets in GitHub issues, but no full code access.

What are the file size limits in PE Tools?

Files over 4 GB are unsupported due to no large file support. This is a documented limitation that affects analysis of large modern binaries.

Open-Awesome

PETools

MITv1.9.762

A Windows toolkit for analyzing, editing, and manipulating Portable Executable (PE) files and processes.

Visit Website GitHub

1.2k stars143 forks0 contributors

What is PETools?

PE Tools is a Windows-based toolkit for manipulating Portable Executable (PE) files and processes. It provides utilities to edit PE headers, dump and rebuild executables, compare files, and analyze running processes, primarily used in reverse engineering and security research.

Target Audience

Security researchers, malware analysts, and low-level Windows developers who need to inspect or modify PE file structures and processes.

Value Proposition

It offers a comprehensive, integrated suite of PE manipulation tools with a long-standing reputation in the reverse engineering community, inspired by tools like LordPE.

Overview

PE Tools - Portable executable (PE) manipulation toolkit

Use Cases

Best For

Analyzing and editing PE file headers and sections
Dumping and rebuilding executable files from memory
Comparing two PE files to identify differences
Inspecting and managing running Windows processes
Detecting packers and analyzing PE file signatures
Converting between virtual addresses and file offsets

Not Ideal For

Reverse engineering ARM-based Windows PE files (e.g., for Windows IoT, Mobile, or RT)
Handling PE files larger than 4 GB, such as modern game binaries or large applications
Teams requiring open-source tools for security auditing, customization, or transparency
Projects exclusively focused on 64-bit Windows environments, as the native Win64 version is still in development

Pros & Cons

Pros

Comprehensive PE Editing

Allows direct editing of PE and DOS headers, sections, and key directories like imports, exports, and TLS, providing granular low-level control for reverse engineering.

Integrated Tool Suite

Combines editor, dumper, rebuilder, comparator, and sniffer in one application, streamlining workflows without switching between multiple tools.

Active Modern Updates

Recent version 1.9 added features like entropy analysis, 64-bit disassembler, and high-DPI support, showing ongoing maintenance and relevance.

Broad Compatibility

Supports Windows from XP to 10, and runs on macOS via Wine or ReactOS natively, extending usability beyond traditional Windows setups.

Cons

No Large File Support

Cannot handle PE files over 4 GB due to lack of large file support, limiting analysis of contemporary large binaries like games or complex software.

Closed-Source Nature

Source code is not publicly available, preventing community contributions, security audits, and customization, which is a drawback for transparency-focused users.

Incomplete Architecture Support

Lacks ARM disassembler support and has a pending Win64 version, making it less suitable for modern platforms like Windows on ARM or 64-bit-exclusive environments.

Open Source Alternative To

PETools is an open-source alternative to the following products:

LordPE

LordPE is a Windows executable file editor and analysis tool used for examining and modifying PE (Portable Executable) file structures, commonly employed in reverse engineering and software development.

Frequently Asked Questions

Related Projects

angr

A powerful and user-friendly binary analysis platform!

Stars8,920

Forks1,177

Last commit13 hours ago

RetDec

RetDec is a retargetable machine-code decompiler based on LLVM.

Stars8,564

Forks992

Last commit1 month ago

de4dot

.NET deobfuscator and unpacker.

Stars7,431

Forks2,810

Last commit5 years ago

Capa

The FLARE team's open-source tool to identify capabilities in executable files.

Stars6,077

Forks706

Last commit3 days ago

Community-curated · Updated weekly · 100% open source

Found a gem we're missing?

Open-Awesome is built by the community, for the community. Submit a project, suggest an awesome list, or help improve the catalog on GitHub.

Submit a project Star on GitHub