A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #27365  by p4r4n0id
 Sun Dec 06, 2015 9:13 am
"RogueKillerPE is a PE parsing tool, able to show internal structure of executable files. It’s able to read either the memory image (process module) or the disk image (filesystem) of a given executable."


 #27369  by Microwave89
 Sun Dec 06, 2015 4:05 pm
Thanks for the share!

However, I noticed two minor "bugs", at least in my opinion.
1.) Shouldn't the OriginalEntryPoint of the file be named OEP instead of EOP? I can find more related information on the web when looking up "PE" "OEP" instead "PE" "EOP".
2.) When I test the tool with an x64 executable the "Machine" member of the PE header says always Intel x86
and about the "Magic" member at the right side of the window it says "32 bits executable".
The values itself are correct though.

I'd expect something like "Intel x86-64" and "64 bits executable when opening a PE32+ file.
The tool was executed on my Windows 10 TH2 machine and there were no differences whether I opened the file or used the process modules option to view the file in memory.

Best regards,

 #27457  by Tigzy
 Wed Dec 23, 2015 2:11 pm
Hey, thanks for the post, and feedback :)

@l0wlevel Our PE parser isn't new actually (even if RKPE is), we've being improving the engine for 4 years now as part of our SDK.
RKPE sits on top of that mature SDK, so it should be pretty stable (of course we never know, and new bypass way can show up).

Bugs have been added to our backlog. Thanks.
 #30883  by Tigzy
 Tue Oct 03, 2017 6:54 am
Version 2.0 is online.
Code: Select all
V2.0.0 10/02/2017
- Updated EULA
- NEW! Dump RT_ICON as true image
- NEW! DLL characteristics as checkboxes
- NEW! Sections flags as checkboxes
- NEW! Dos Stub, Rich string
- Refactored dashboard
- NEW! Binary image
- Added VBA symbols table
- Added many new indicators
- Removed NAG screen for FREE users
- Fixed multiple bugs