// the find
hasherezade/pe-bear
Portable Executable reversing tool with a friendly GUI
PE-bear is a GUI tool for inspecting and editing Portable Executable files, built on top of hasherezade's own bearparser library. It's aimed at malware analysts who need to quickly triage suspicious binaries — it handles malformed PEs that would crash other tools. Cross-platform via Qt, runs on Windows, Linux, and macOS.
Handles malformed and deliberately broken PE files without crashing, which is the one thing that matters most when analyzing packed malware. The disassembly view (backed by capstone) is integrated directly into the structure browser, so you can jump from an import entry to its code without switching tools. Editing support is real — you can add sections, patch imports, and modify headers directly, not just read them. Available via winget/Chocolatey/Scoop, so it's easy to drop into a Windows forensics environment without a build step.
Building from source requires Qt and cmake with three submodules — fine once you know what you're doing, but the build docs are thin and Qt version mismatches are a common pain point on Linux. The signature database (from PEiD) hasn't been updated since 2022, so detection coverage for newer packers and protectors is stale. No scripting or automation interface — you can't drive it from a Python analysis pipeline or extract structured data without writing your own code against bearparser directly. The diff/compare feature exists but is limited to side-by-side hex; there's no semantic diff that highlights structural changes between two versions of the same binary.