exespy


Name: exespy
Version: 1.0.1
Home page: https://github.com/andyjsmith/Exe-Spy
Summary: Cross-platform PE viewer
Upload time: 2024-07-07 13:46:46
Maintainer: None
Docs URL: None
Author: Andy Smith
Requires Python: >=3.8
License: None
Keywords: pe, forensics, windows forensics, forensics tools
Requirements: No requirements were recorded.
Travis-CI: No Travis.
Coveralls test coverage: No coveralls.
![ExeSpy](exespy/img/wordmark.png)

![](https://img.shields.io/github/v/release/andyjsmith/Exe-Spy)
![](https://img.shields.io/github/downloads/andyjsmith/Exe-Spy/total)

# ExeSpy: Cross-Platform PE File Viewer (EXE/DLL)

ExeSpy is a free, open-source cross-platform Windows PE file viewer. It supports all valid PE formats, including EXE, DLL, COM, OCX, SYS, SCR, CPL, AX, ACM, WINMD, MUI, EFI, TSP, and DRV.

It can view PE information, including:

- General information
- Headers
- Sections
- Libraries
- Imports
- Exports
- Resources
- Manifest

Additional functionality includes:

- Hashes of the file
- Viewing disassembly of x86/x64 PEs
- Hex viewer
- String search
- Identifying packers used to obfuscate the file
- VirusTotal searching
- Entropy analysis

## Requirements

- Python 3.8+
- Windows 10 1809+, macOS, or Linux
  - See [https://doc.qt.io/qt-6/supported-platforms.html](https://doc.qt.io/qt-6/supported-platforms.html)
  - Linux versions older than those listed at the link above may still work

## Installation

Download the latest version from the [releases page](https://github.com/andyjsmith/Exe-Spy/releases). Alternatively, use one of the following methods.

### pip (recommended)

1. `pip install exespy`
2. `exespy`

### Manual

1. `pip install -r requirements.txt`
2. `python setup.py install`
3. `exespy`

### Standalone

1. `pip install -r requirements.txt`
2. `python run.py`

## Usage

To open a PE file, use File->Open or Ctrl+O and select the file. The different tabs will load as they become available. Because ExeSpy is written in Python, larger executables may take a few seconds to load. I wouldn't recommend loading PE files larger than 50MB.

See the [documentation](#documentation) for more information.

## Screenshots

### General

![General](screenshots/general.png)

### Headers

![Headers](screenshots/headers.png)

### Sections

![Sections](screenshots/sections.png)

### Strings

![Strings](screenshots/strings.png)

### Hex Viewer

![Hex Viewer](screenshots/hexview.png)

### Disassembly

![Disassembly](screenshots/disassembly.png)

### Entropy

![Entropy](screenshots/entropy.png)

### VirusTotal

![VirusTotal](screenshots/virustotal.png)

## Building

Dependencies:

- PyInstaller 4.5+

Regular building:
`pyinstaller exespy_install.spec`

Creating a single file:
`pyinstaller exespy_onefile.spec`

## Documentation

The menu bar has various options.

- File
  - Open PE: open a PE file
  - Quit: exit the program
- View
  - Use native style: toggle between native (OS) theme and the Qt fusion theme
- Options
  - Set VirusTotal API Key: set your VirusTotal API key
- Help
  - About: version and license information
  - Third-Party Licenses: licenses for third-party libraries used by ExeSpy

### General

The general tab shows general information about the PE file. If available, it attempts to show the file's icon, though it may pick the wrong icon or a lower-resolution one.

The file information table shows file metadata. This data is not embedded in the PE; it comes from the filesystem.

The image information table shows common information from within the PE. The signature verification row uses the LIEF library to verify the PE's digital signature. It does NOT verify that the PE was signed with a trusted certificate, just that the signature itself is valid. The checksum row calculates a checksum for the PE and compares it to the PE's embedded checksum. Some PEs don't include a checksum (the field is set to 0x0), so this row may show as invalid in that case.
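As an added example of the checksum row's check (my own Python, not ExeSpy's or LIEF's code), the following recomputes the PE checksum with the imagehlp CheckSumMappedFile algorithm, compares it with the embedded OptionalHeader.CheckSum field, and reports the 0x0 case separately. It assumes a 4-byte-aligned e_lfanew; the PE-shaped buffer it checks is constructed inline and is not a real binary.

```python
import struct


def checksum_field_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum.

    The PE header starts at e_lfanew (read from DOS header offset 0x3C), followed by the
    4-byte "PE\\0\\0" signature and the 20-byte COFF file header; CheckSum sits at offset
    0x40 of the optional header for both PE32 and PE32+.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    return e_lfanew + 4 + 20 + 0x40


def compute_pe_checksum(data: bytes) -> int:
    """Recompute the checksum: sum all 32-bit words except the CheckSum field itself
    with end-around carry, fold to 16 bits, then add the file length (imagehlp algorithm).
    Assumes the CheckSum field is 4-byte aligned (true when e_lfanew is 4-byte aligned)."""
    cs_off = checksum_field_offset(data)
    padded = data + b"\0" * (-len(data) % 4)  # zero-pad a trailing partial dword
    checksum = 0
    for off in range(0, len(padded), 4):
        if off == cs_off:
            continue
        checksum += struct.unpack_from("<I", padded, off)[0]
        if checksum >= 2**32:
            checksum = (checksum & 0xFFFFFFFF) + (checksum >> 32)
    checksum = (checksum & 0xFFFF) + (checksum >> 16)
    checksum += checksum >> 16
    checksum &= 0xFFFF
    return (checksum + len(data)) & 0xFFFFFFFF


def verify_pe_checksum(data: bytes) -> str:
    """'valid', 'invalid', or 'absent' (field is 0x0, which the checksum row shows as invalid)."""
    embedded = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    if embedded == 0:
        return "absent"
    return "valid" if compute_pe_checksum(data) == embedded else "invalid"


def build_sample_pe(payload: bytes = b"\xCC" * 200, with_checksum: bool = True) -> bytes:
    """Constructed minimal PE-shaped buffer: DOS header (e_lfanew = 0x40), PE signature,
    COFF header for a 32-bit executable, a zeroed 224-byte PE32 optional header, then payload."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    image = bytearray(bytes(dos) + b"PE\0\0" + coff + bytes(opt) + payload)
    if with_checksum:
        struct.pack_into("<I", image, checksum_field_offset(image), compute_pe_checksum(image))
    return bytes(image)


if __name__ == "__main__":
    for label, pe in (("signed-in checksum", build_sample_pe()),
                      ("no checksum", build_sample_pe(with_checksum=False))):
        print(f"{label}: {verify_pe_checksum(pe)}")
```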

### Headers

The headers tab shows the DOS, file, and optional headers from the PE file. The DOS section includes both the name from the internal PE structure and a description of what it represents, since the given name can be difficult to understand.

The Characteristics and DLLCharacteristics rows show the characteristics that were parsed out from the raw value.

### Sections

The sections tab shows the sections inside the PE file and all of their properties. For thoroughness, this includes deprecated section header fields like PointerToLinenumbers. The characteristics column shows the section characteristics. Of particular interest is MEM_EXECUTE, which marks the section as executable.

### Libraries

The libraries tab shows the libraries that are loaded by the PE file as a result of the import table. It also displays the number of functions that are imported from each library.

### Imports

The imports tab shows the functions the PE file imports through the DLL entries in the import directory table (.idata). It also shows the corresponding DLL name and address of the function.

### Exports

The exports tab shows the functions the PE exports (.edata). This includes the function's name, ordinal value (if used by ordinal importing instead of by name), and the address of the function.

If the PE doesn't export any functions, this tab will be empty.

### Resources

The resources tab shows all of the resources in the PE resource table (.rsrc). This includes the type of the resource, its ID, offset, language, and sublanguage. ExeSpy also uses libmagic to determine the magic (file type) of each resource, which is useful for identifying what the resource contains.

To save an individual resource for further analysis, right-click on it and click Save.

### Manifest

The manifest tab extracts the PE's manifest from its resources if it has one. This includes some metadata and important information about how the file works. For example, the `requestedExecutionLevel` property shows if the file will run with higher privileges and will be set to `highestAvailable` or `requireAdministrator` if so.

If no manifest was found, this tab will be empty.

### Strings

The strings tab searches for strings of ASCII characters inside the PE file, similar to the UNIX `strings` command. It also shows the offset at which each string was found.

You can filter the list by typing in the search box. You can also click on the column headers to change the sort order.

By default, the search is case insensitive. You can change this by clicking the case sensitive checkbox.

To configure how many ASCII characters are needed in a row before it is considered a string, change the minimum length.

### Hex View

The hex view tab is a basic hex viewer for the PE file. The columns are the offset from the start of the file, the hex values, and an ASCII decoding of the hex values.

Since Python and Qt are fairly slow together, this tab may take a while to load.

### Hashes

The hashes tab shows many different hashes of the PE file. These include:

- CRC32
- MD5
- SHA1
- SHA224
- SHA256
- SHA384
- SHA512
- SHA3-224
- SHA3-256
- SHA3-384
- SHA3-512
- BLAKE2s
- BLAKE2b

It also includes other specialized hashes. The imphash is calculated from the import table. The authentihashes are hashes of the authenticode signature. [More info.](https://lief-project.github.io/doc/stable/tutorials/13_pe_authenticode.html#exploring-pkcs-7-signature)

### Disassembly

The disassembly tab uses [iced-x86](https://github.com/icedland/iced) to disassemble the PE file. It shows the address, hex of the full instruction, opcode, and operands.

The Go to Entrypoint button jumps to the entrypoint of the PE file. This is useful since the first lines in the disassembly are the PE headers, which are not code and therefore disassemble to meaningless instructions.

You can jump to a specific address by entering it into the textbox. It determines automatically whether the address you entered includes the image base, so either form works.

You can also specify which assembly syntax you want the disassembly to use. By default, it uses Intel syntax.

### Packers

The packers tab uses Yara to search for packers that may have been used to obfuscate the PE file, as well as other information. The source column shows where each detection came from.

The Yara rules come from PEiD (using a pre-compiled peid2yara.py export) and the following repositories:

- [https://github.com/godaddy/yara-rules](https://github.com/godaddy/yara-rules)
- [https://github.com/Yara-Rules/rules](https://github.com/Yara-Rules/rules)

### Entropy

The entropy tab calculates the entropy of blocks of data in the PE file. You can specify the size of the block to use. The line plot sub-tab shows the entropy of the file as a whole. The heatmap sub-tab shows the entropy as a color from black to white in a 2D grid.

More on entropy:

Entropy is a measure of the randomness in the loaded PE file.

Shannon entropy is scaled between 0 and 8 bits per byte.

- 0 means the data is uniform
- 8 means the data is completely random

Entropy can indicate what kind of data is in the file.

- Higher entropy values may indicate encrypted or compressed data sections
- Plaintext generally has 3.5 to 5 bits of entropy per byte

The block size sets how many bytes are read at a time and scored as one unit. Each block's entropy is calculated and then plotted in the charts.
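To make the block entropy calculation concrete, here is an added Python reimplementation (not ExeSpy's code) of the per-block Shannon entropy described above, with the 0..8 bits/byte scale mapped to the grey levels of the heatmap sub-tab and a helper that flags blocks in the range where compressed or encrypted data lands. The function names are my own and the sample "file" is constructed inline.

```python
import math
from collections import Counter
from typing import List, Tuple


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte block, in bits per byte.

    0.0 means every byte has the same value; 8.0 means all 256 byte values occur
    equally often, which is what random, encrypted or well-compressed data looks like.
    """
    n = len(block)
    if n == 0:
        return 0.0
    return -sum((count / n) * math.log2(count / n) for count in Counter(block).values())


def block_entropy(data: bytes, block_size: int = 256) -> List[float]:
    """Entropy of each consecutive block_size-byte block, in file order.

    This is the series the line plot sub-tab draws; the final block may be shorter.
    """
    if block_size <= 0:
        raise ValueError("block_size must be positive")
    return [shannon_entropy(data[off:off + block_size]) for off in range(0, len(data), block_size)]


def heatmap_grey(entropy: float) -> int:
    """Map 0..8 bits/byte onto a 0..255 grey level: black for uniform data, white for random."""
    return round(max(0.0, min(8.0, entropy)) / 8.0 * 255)


def high_entropy_blocks(data: bytes, block_size: int = 256,
                        threshold: float = 7.0) -> List[Tuple[int, float]]:
    """(offset, entropy) for blocks at or above threshold: the regions that may hold
    packed, compressed or encrypted content and deserve a closer look."""
    return [(i * block_size, e)
            for i, e in enumerate(block_entropy(data, block_size)) if e >= threshold]


# Constructed sample "file": zero padding, a plaintext region, and a region cycling
# through all 256 byte values (the profile of compressed or encrypted data).
PADDING = b"\x00" * 256
PLAINTEXT = (b"the quick brown fox jumps over the lazy dog " * 6)[:256]
RANDOMLIKE = bytes(range(256))
SAMPLE = PADDING + PLAINTEXT + RANDOMLIKE

if __name__ == "__main__":
    for off, e in zip(range(0, len(SAMPLE), 256), block_entropy(SAMPLE)):
        print(f"offset {off:#06x}: {e:.2f} bits/byte (grey level {heatmap_grey(e)})")
    print("high-entropy blocks:", high_entropy_blocks(SAMPLE))
```

Plaintext scores around 4.3 bits/byte here, inside the 3.5 to 5 range quoted above, while the 256-value block scores exactly 8.0.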

### VirusTotal

The VirusTotal tab shows the VirusTotal report for the PE file. This is useful for finding out whether the file has been scanned before, and if it has, it shows the results. To get the results, you need to click on the button; this avoids spending your API key's request quota on lookups you didn't ask for.

If the file hasn't been scanned before, you can click OK to open VirusTotal.com, where you can upload and scan it.

To use this tab, you need to get a free VirusTotal API key. Register for an account and then go to `https://www.virustotal.com/gui/user/YOUR_USERNAME/apikey` to get your API key. In ExeSpy, go to Options->Set VirusTotal API Key and paste it there.

## License

ExeSpy

Copyright (C) 2023 Andy Smith

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
