RogueKillerPE

Post by p4r4n0id » Sun Dec 06, 2015 9:13 am

"RogueKillerPE is a PE parsing tool, able to show internal structure of executable files. It’s able to read either the memory image (process module) or the disk image (filesystem) of a given executable."

http://www.adlice.com/software/roguekillerpe/

p4r4n0id
Keep Low. Move Fast. Kill First. Die Last. One Shot. One Kill. No Luck. Pure Skill.
http://p4r4n0id.com/
p4r4n0id
 
Posts: 126
Joined: Thu Sep 22, 2011 11:36 am
Location: Israel
Reputation point: 30

Re: RogueKillerPE

Post by l0wlevel » Sun Dec 06, 2015 12:07 pm

Nice. But PE parsers are difficult to write, because there are many edge cases where it can fail. I don't think I need to since this guy is very well known, but https://code.google.com/p/corkami/wiki/PE
l0wlevel
 
Posts: 4
Joined: Thu Nov 26, 2015 11:29 am
Reputation point: 0

Re: RogueKillerPE

Post by Microwave89 » Sun Dec 06, 2015 4:05 pm

Thanks for the share!

However, I noticed two minor "bugs", at least in my opinion.
1.) Shouldn't the OriginalEntryPoint of the file be named OEP instead of EOP? I can find more related information on the web when looking up "PE" "OEP" instead of "PE" "EOP".
2.) When I test the tool with an x64 executable, the "Machine" member of the PE header always says Intel x86, and about the "Magic" member at the right side of the window it says "32 bits executable".
The values themselves are correct though.

I'd expect something like "Intel x86-64" and "64 bits executable" when opening a PE32+ file.
The tool was executed on my Windows 10 TH2 machine and there were no differences whether I opened the file or used the process modules option to view the file in memory.


Best regards,

Microwave89
Microwave89
 
Posts: 52
Joined: Sat Dec 01, 2012 11:28 am
Reputation point: 12
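
Added example, not part of the thread and not RogueKillerPE's code: a Python decoder for the Machine and Magic fields discussed in the post above, with the bounds checks that the edge cases mentioned earlier in the thread call for. The function names and the constructed sample headers are assumptions made for illustration; the constants are from the Microsoft PE/COFF specification.

```python
import struct

# Constants from the Microsoft PE/COFF specification.
MACHINES = {0x014C: "Intel x86", 0x8664: "Intel x86-64", 0xAA64: "ARM64"}
MAGICS = {0x010B: "PE32, 32 bits executable", 0x020B: "PE32+, 64 bits executable"}

def describe_pe(data: bytes) -> dict:
    """Decode Machine and Magic; raise ValueError on truncated or malformed input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # e_lfanew comes from the file, so bounds-check it before any read:
    # PE signature (4) + COFF file header (20) + optional-header Magic (2).
    if e_lfanew + 26 > len(data):
        raise ValueError("e_lfanew points outside the image")
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    if opt_size < 2:
        raise ValueError("no optional header, Magic is absent")
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    # Label from the decoded value; unknown values are shown raw, not guessed.
    return {
        "machine": machine,
        "machine_name": MACHINES.get(machine, "unknown (0x%04X)" % machine),
        "magic": magic,
        "magic_name": MAGICS.get(magic, "unknown (0x%04X)" % magic),
    }

def build_sample(machine: int, magic: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed test input: just enough header bytes to be decoded."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xF0, 0x22)
    return dos.ljust(e_lfanew, b"\x00") + b"PE\x00\x00" + coff + struct.pack("<H", magic)

if __name__ == "__main__":
    for m, g in ((0x014C, 0x010B), (0x8664, 0x020B)):
        info = describe_pe(build_sample(m, g))
        print("%(machine_name)s / %(magic_name)s" % info)
```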

Re: RogueKillerPE

Post by Tigzy » Wed Dec 23, 2015 2:11 pm

Hey, thanks for the post, and feedback :)

@l0wlevel Our PE parser isn't new actually (even if RKPE is), we've been improving the engine for 4 years now as part of our SDK.
RKPE sits on top of that mature SDK, so it should be pretty stable (of course we never know, and a new bypass way can show up).

Bugs have been added to our backlog. Thanks.
Tigzy
 
Posts: 383
Joined: Mon Feb 07, 2011 5:03 pm
Reputation point: 26

Re: RogueKillerPE

Post by Tigzy » Wed Mar 15, 2017 3:55 pm

Hello,
Just to notify you, the soft has evolved A LOT.
New download link: http://www.adlice.com/download/roguekillerpe/
Tigzy
 
Posts: 383
Joined: Mon Feb 07, 2011 5:03 pm
Reputation point: 26

Re: RogueKillerPE

Post by Tigzy » Tue Oct 03, 2017 6:54 am

Version 2.0 is online.

V2.0.0 10/02/2017
=========================
- Updated EULA
- NEW! Dump RT_ICON as true image
- NEW! DLL characteristics as checkboxes
- NEW! Sections flags as checkboxes
- NEW! Dos Stub, Rich string
- Refactored dashboard
- NEW! Binary image
- Added VBA symbols table
- Added many new indicators
- Removed NAG screen for FREE users
- Fixed multiple bugs
Tigzy
 
Posts: 383
Joined: Mon Feb 07, 2011 5:03 pm
Reputation point: 26
