readpe
Display information about Portable Executable (PE) files
TLDR
Display all information about a PE file:
  readpe --all file
Display all the headers present in a PE file:
  readpe --headers file
Display all the sections present in a PE file:
  readpe --sections file
Display a specific header from a PE file
List all imported functions:
  readpe --imports file
List all exported functions:
  readpe --exports file
SYNOPSIS
readpe [options] file...
PARAMETERS
--headers, -H
Displays the DOS, PE, COFF, and optional headers of the PE file.
--sections, -S
Shows information about the section headers and their characteristics.
--imports, -i
Lists the imported functions and the DLLs they are imported from.
--exports, -e
Displays the functions exported by the module, including their names and addresses.
--resources, -r
Shows information about the resource directory, including embedded icons, strings, and other data.
--debug, -d
Displays the debug directory entries within the PE file.
--relocs, -R
Lists the base relocation entries, which are used for adjusting addresses when the module is loaded at a different base address.
--all, -a
Displays all available information about the PE file. This provides the most comprehensive output.
--version, -V
Shows the version information for the readpe utility.
--help, -h
Displays a help message with available options and their usage.
DESCRIPTION
readpe is a command-line utility used for displaying information about Portable Executable (PE) files. PE files are the standard executable file format for Windows operating systems, used for EXEs, DLLs, SYS files, and other components.
Similar to how readelf is used to analyze ELF (Executable and Linkable Format) files on Linux, readpe provides a detailed breakdown of various structures within a PE file. This includes headers (DOS, PE, COFF, Optional), section tables, import and export directories, resource sections, debug information, and relocation tables.
It's an invaluable tool for reverse engineering, malware analysis, or simply understanding the internal layout of Windows binaries on a Linux system, without needing a Windows environment. By parsing the PE structure, readpe helps developers and security researchers examine dependencies, functions, and data within these binaries.
CAVEATS
readpe is primarily found as part of cross-compilation toolchains like MinGW-w64 on Linux and might not be installed by default on all distributions. It parses PE files without executing them or interacting with Windows APIs. Its output can be quite verbose, especially with the --all option, so piping it to less or redirecting it to a file makes analysis easier.
COMMON USE CASES
Malware Analysis:
Used to quickly identify imported APIs, suspicious sections, or embedded resources in PE files, aiding in threat intelligence and incident response.
Cross-Platform Development:
Helps verify the structure and dependencies of PE binaries compiled on Linux before deploying them to Windows environments.
Reverse Engineering:
Allows security researchers and developers to understand the file layout, entry points, and dependencies of proprietary Windows applications or libraries.
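As an added illustration (not code from readpe or its documentation), the following Python walks the same structures that readpe --headers and --sections display, on a constructed minimal PE32+ image, and applies the kind of section check described under Malware Analysis: which sections are mapped both writable and executable, and which section holds the entry point. Field offsets follow the PE/COFF specification; the sample bytes and the .rwx section name are constructed for the example.

```python
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def build_sample_pe():
    """Constructed minimal PE32+ image (not a real binary) with two sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew at 0x3C -> 0x40
    # Optional header truncated after AddressOfEntryPoint (offset 16).
    opt = struct.pack("<HBBIIII", 0x20B, 14, 0, 0x600, 0x400, 0, 0x1400)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x22)
    text = struct.pack(SECTION_FMT, b".text", 0x500, 0x1000, 0x600, 0x200, 0, 0, 0, 0, 0x60000020)
    rwx = struct.pack(SECTION_FMT, b".rwx", 0x300, 0x2000, 0x400, 0x800, 0, 0, 0, 0, 0xE0000020)
    return dos + b"PE\0\0" + coff + opt + text + rwx

def parse_pe(data):
    """Walk DOS -> PE signature -> COFF -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing DOS (MZ) signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24                      # signature (4) + COFF header (20)
    magic = struct.unpack_from("<H", data, opt_off)[0]
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    sections, off = [], opt_off + opt_size     # section table follows the optional header
    for _ in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, off)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "vaddr": f[2],
                         "raw_size": f[3], "raw_ptr": f[4], "chars": f[9]})
        off += 40
    return {"machine": machine, "magic": magic, "entry": entry,
            "characteristics": chars, "sections": sections}

def section_of_rva(info, rva):
    """Name of the section containing an RVA (e.g. the entry point), or None."""
    for s in info["sections"]:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None

def writable_executable_sections(info):
    """Triage check: sections mapped both writable and executable (W+X)."""
    return [s["name"] for s in info["sections"]
            if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE]
```

An entry point that resolves to no section, or to a W+X section, is the kind of finding readpe --sections makes visible and that deserves a closer look during triage.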
INSTALLATION (EXAMPLES)
readpe is usually part of mingw-w64-tools or mingw-w64-binutils packages.
Debian/Ubuntu:
sudo apt install mingw-w64-tools
Fedora:
sudo dnf install mingw-w64-binutils
Arch Linux:
sudo pacman -S mingw-w64-binutils
HISTORY
readpe is typically distributed as part of the GNU Binutils project or related cross-compilation toolchains like MinGW-w64, which aim to provide a complete development environment for Windows targets on Unix-like systems. Its development closely parallels the need for Linux users to inspect and work with Windows binaries without relying on Windows-native tools, especially crucial in cross-development, security analysis, and reverse engineering contexts.