RogueKillerPE

#27365 by p4r4n0id
Sun Dec 06, 2015 9:13 am

"RogueKillerPE is a PE parsing tool, able to show internal structure of executable files. It’s able to read either the memory image (process module) or the disk image (filesystem) of a given executable."

http://www.adlice.com/software/roguekillerpe/

p4r4n0id

Keep Low. Move Fast. Kill First. Die Last. One Shot. One Kill. No Luck. Pure Skill.
http://p4r4n0id.com/

Username

p4r4n0id

Posts

126

Joined

Thu Sep 22, 2011 11:36 am

Location

Israel

Contact

Re: RogueKillerPE

#27367 by l0wlevel
Sun Dec 06, 2015 12:07 pm

Nice. But PE parsers are difficult to write, because there are many edge cases where it can fail. I don't think I need to since this guy is very well known, but https://code.google.com/p/corkami/wiki/PE

Username

l0wlevel

Posts

4

Joined

Thu Nov 26, 2015 11:29 am

Re: RogueKillerPE

#27369 by Microwave89
Sun Dec 06, 2015 4:05 pm

Thanks for the share!

However, I noticed two minor "bugs", at least in my opinion.
1.) Shouldn't the OriginalEntryPoint of the file be named OEP instead of EOP? I can find more related information on the web when looking up "PE" "OEP" instead "PE" "EOP".
2.) When I test the tool with an x64 executable the "Machine" member of the PE header says always Intel x86
and about the "Magic" member at the right side of the window it says "32 bits executable".
The values itself are correct though.

I'd expect something like "Intel x86-64" and "64 bits executable when opening a PE32+ file.
The tool was executed on my Windows 10 TH2 machine and there were no differences whether I opened the file or used the process modules option to view the file in memory.

Best regards,

Microeave89

Username

Microwave89

Posts

52

Joined

Sat Dec 01, 2012 11:28 am

Re: RogueKillerPE

#27457 by Tigzy
Wed Dec 23, 2015 2:11 pm

Hey, thanks for the post, and feedback :)

@l0wlevel Our PE parser isn't new actually (even if RKPE is), we've being improving the engine for 4 years now as part of our SDK.
RKPE sits on top of that mature SDK, so it should be pretty stable (of course we never know, and new bypass way can show up).

Bugs have been added to our backlog. Thanks.

http://adlice.com

Username

Tigzy

Posts

384

Joined

Mon Feb 07, 2011 5:03 pm

Re: RogueKillerPE

#30116 by Tigzy
Wed Mar 15, 2017 3:55 pm

Hello,
Just to notify you, the soft has evolved A LOT.
New download link: http://www.adlice.com/download/roguekillerpe/

http://adlice.com

Username

Tigzy

Posts

384

Joined

Mon Feb 07, 2011 5:03 pm

Re: RogueKillerPE

#30883 by Tigzy
Tue Oct 03, 2017 6:54 am

Version 2.0 is online.

Code: Select all

V2.0.0 10/02/2017
=========================
- Updated EULA
- NEW! Dump RT_ICON as true image
- NEW! DLL characteristics as checkboxes
- NEW! Sections flags as checkboxes
- NEW! Dos Stub, Rich string
- Refactored dashboard
- NEW! Binary image
- Added VBA symbols table
- Added many new indicators
- Removed NAG screen for FREE users
- Fixed multiple bugs

http://adlice.com

Username

Tigzy

Posts

384

Joined

Mon Feb 07, 2011 5:03 pm