At BlackHat USA 2020, BlackBerry announced on Monday that its open-source internal tool PE Tree is now available for all security professionals to use for reverse engineering malware.
This tool allows reverse engineers to view Portable Executable (PE) files in a tree view using pefile and PyQt5. This makes it easier to dump and reconstruct malware from memory while providing an open-source PE viewer code-base. The tool integrates with Hex-Rays’ IDA Pro decompiler to allow for easy navigation of PE structures, as well as dumping in-memory PE files and performing import reconstruction.
SEE: Black Hat 2020: Cybersecurity trends, tools, and threats (free PDF) (TechRepublic)
PE Tree was developed in Python and supports the Windows, Linux, and Mac operating systems. It can be installed and run as a standalone application or an IDAPython plugin, allowing users to examine any executable Windows file and see what its composition is.
Eric Milam, vice president of research operations for BlackBerry, said in a press release, “As cybercriminals up their game, the cybersecurity community needs new tools in their arsenal to defend and protect organizations and people. We’ve created this solution to help the cybersecurity community in this fight, where there are now more than one billion pieces of malware with that number continuing to grow by upwards of 100 million pieces each year.”
SEE: SSL Certificate Best Practices Policy (TechRepublic Premium)
Reverse engineers use several tools to deconstruct malware, including disassemblers, debuggers, PE viewers, and network analyzers.
Later this week at Black Hat USA 2020, Kevin Livelli, BlackBerry’s director of threat intelligence, will be presenting on Decade of the RATs on August 5 at 11-11:40 am PT. BlackBerry will also be presenting a sponsored webinar about its partnership with Intel to stop cryptojacking malware, and this session will drill down into BlackBerry Optics AI-based EDR technology for Linux.