Changelog

Jardel Weyrich edited this page Jan 18, 2021 · 10 revisions

pev 0.81 (January 11, 2021)

Totally unexpected new release mainly to help package maintainers update their binaries.

New features

  • peldd: new tool to check library dependencies from PE files - 5988ec3
  • peres: be able to extract and restore icons from resources - 465cd8b
  • peres: print both file and product versions - 097aa54
  • readpe: exported function now displays Address and Name - 1c281cc
  • readpe: imported function now displays Hint and Name - 79eb2f4

Improvements

  • Added support for OpenSSL 1.1 - 53eb494, 3fc1d6a
  • peres: New resources directory parser, which has been moved to libpe - 7bbe21e
  • readpe: section output renamed and rearranged according to PE specification - b1225c3

Fixes

  • output/json: properly escape control codes - 7bf8408
  • pehash: multiple security fixes - 6bdd07c, 2554a25, 6b35131, 7d2a3ab
  • fix multiple memory leaks - c5ef893, 339ce93, 36b64dc
  • plugins: fix readdir bug - d1632ef
  • readpe: check if timestamp is valid - 8197055
  • pepack: remove bad packer signatures - 9b12602, c3a184d
  • readpe: fixed ordinal to name resolution in print_exports - 228dcc4
  • output/json: fix invalid JSON output - 9c08465
  • readpe: non-existent and/or non-mapped characteristic names were causing invalid JSON output - aacb2aa
  • readpe: fix output of section size. Large values were printed as negative due to the improper format specifier - 01286d0
  • readpe: properly read section names - e137329
  • packaging: fix ZIP file creation using newer versions of Cygwin - eecc98d
  • fix binary garbage on stderr when open() fails - #111

pev 0.80 (January 7, 2017)

  • Now the -V switch is used by all pev programs to show their version numbers.
  • pehash: Now the hash of the whole file is shown by default (-c option).
  • pestr: --net option removed (we may re-add this in the future). This also removed the PCRE dependency.
  • udis86 updated to version 1.7.2.
  • Basic plugins support.
  • cpload: new tool for CPL file debugging (Windows only).
  • Fixed: pestr: unable to handle too big strings.
  • Fixed: valid XML and HTML output formats (@jseidl).
  • pehash: Import Hash (imphash) support for both Mandiant and pefile's implementation.
  • peres: output the PE File Version with -v option.
  • Support for pev.conf configuration file.
  • readpe can now read virtual import descriptors.

pev 0.70 (December 26, 2013)

  • libpe: rewritten, now using mmap (@jweyrich).
  • pestr: added country domain suffixes.
  • readpe and peres: output enhancements (@jweyrich).
  • pehash: sections and headers hash calculation (@jweyrich).
  • pehash: ssdeep fuzzy hash calculation.
  • pehash: support for new digest hashes like sha512, ripemd160 and more.
  • peres: added new tool to analyze/extract PE resources (@marcelomf).
  • pescan: cpl malware detection.
  • pescan: undocumented anti-disassembly fpu trick detection.
  • pesec: show and extract certificates from digitally signed binaries (@jweyrich).

pev 0.60 (October 31, 2012)

  • pedis: -F/--function option replaced by -r/--rva.
  • added manpages for all tools.
  • pedis: added -m/--mode option to set disassembly mode (16, 32 or 64-bit).
  • pedis: added -n option to limit number of disassembled instructions.
  • pedis: added options to disassemble entrypoint and raw file offset.
  • pedis: disassemble the number of bytes specified by the -n option.
  • pehash: new tool to calculate PE file hashes (@jseidl).
  • pepack: added PEiD signature search (@ipax).
  • pescan: added -f/--format option to format output.
  • pescan: added section, imagebase and timestamp analysis.
  • readpe: added --exports option to show exported functions.
  • pedis: fixed address representation in calls and jump instructions.

pev 0.50 (June 25, 2012)

  • Improved pev tools Makefile (@gabrielnb).
  • MEW packer detection in packid (@rrbranco).
  • pev is now a collection of binaries and a library to work with PE executables.
  • libpe: xmalloc trick and fixes (@rrbranco).
  • Output in monospaced text and csv in most programs.
  • pedis: disassemble functions and sections (Tiago Zaniquelli).
  • pepack: detect fake EP (Wagner Barongello).
  • pescan: new tool to search for suspicious things in PE files including TLS callbacks.
  • pesec: find security features in PE files.
  • readpe can now show imported functions with --imports or -i switch.
  • readpe: show PE headers and sections information (most of obsolete pev binary).
  • Released libpe 1.0 to support our programs.
  • rva2ofs and ofs2rva: convert from rva to raw file offset and vice versa.
  • Fixed erroneous ord numbers in functions imported without name.
  • Fixed two bugs with fake TLS callbacks in petls (thanks to Qualys guys for reporting).

pev 0.40 (August 7, 2011)

  • Compatible with PE/COFF specification v8.2.
  • Date format in COFF header similar to RFC 2822.
  • Improved function to get machine type (Gabriel Duarte).
  • Added "-r" option to show resource items at first level.
  • Added more human-readable fields, like subsystem and section characteristics.
  • Added TLS callback functions detection in every PE section.
  • ASLR and DEP identification.
  • PE32+ support. Now pev can handle 64-bit executables.
  • Variable data directories support (no longer fixed at 16).

pev 0.31 (May 11, 2011)

  • Added characteristics flags in COFF output.
  • Added human-readable machine types in COFF output.
  • Fixed compilation in OS X (@gustavorobertux).
  • Fixed warning on 32-bit Linux boxes when compiling.

pev 0.30 (February 20, 2011)

  • Improved memory usage.
  • Now pev shows the Product Version with option "-p".
  • Added option "-a" to show all information.
  • Added option "-c" to show the COFF header.
  • Added option "-d" to show the DOS header.
  • Added option "-o" to show the Optional (PE) header.
  • Added option "-s" to show executable sections.

pev 0.22 (January 9, 2011)

  • Improved Makefile.
  • Added manpage.

pev 0.2 (December 26, 2011)

The xmas time where I decided to parse the PE structure instead of searching stuff through the whole binary.

  • Improved search algorithm.
  • Fixed bug compiling in MS-Windows platform.

pev 0.1 (December 12, 2010)

Initial release by Eduardo Fernandes, Fernando Mercês, Francivan Bezerra and Thiago Moraes.