PE Explorer vs. Competitors: Which PE Tool Wins?

10 Hidden Features in PE Explorer You Should Know

PE Explorer is a powerful Windows Portable Executable (PE) analysis tool that goes well beyond simple header inspection. Many users rely on its basic capabilities (viewing imports/exports and resources), but PE Explorer also includes lesser-known features that can significantly speed reverse engineering, malware analysis, and binary troubleshooting. This article walks through ten hidden or underused features, how to access them, and practical scenarios where each one shines.


1. Built-in Dependency Scanner with Visual Graphs

PE Explorer’s dependency scanner does more than list DLLs — it can draw a visual graph of module dependencies and highlight potentially problematic links (missing or version-mismatched modules). Use this when diagnosing start-up failures or investigating which modules a plugin or driver truly relies on.

How to use:

  • Open the PE file, go to the Dependencies pane, then switch to Graph view.
  • Hover nodes to see version and path details; missing modules show in a different color.

Practical tip: Export the graph as an image to include in bug reports or documentation.


2. Editable Resource Tree with Binary Import/Export

Beyond viewing resources, PE Explorer allows editing and replacement of resources (icons, dialogs, strings) and can import/export resource sections as raw binaries. This is useful for localizing software, customizing installers, or stripping branding from test builds.

How to use:

  • Open the Resources pane, right-click an entry and choose Export Resource or Replace Resource.
  • For raw exports, choose the binary option to preserve section alignment.

Practical tip: When replacing icons, match the original icon sizes and color depths to avoid visual glitches.


3. Structure and Field Editor for Data Directories

PE Explorer exposes data directory structures (Export Table, Import Table, Exception Table, TLS, etc.) and permits manual editing of fields. This feature is invaluable for forensic reconstruction or crafting test binaries with modified directory entries.

How to use:

  • Navigate to the Data Directories view, expand an entry, and use the field editor to adjust offsets, RVAs, and sizes.
  • Save changes to a new file to preserve the original.

Caution: Changing directory fields without adjusting related data can corrupt the binary; keep backups.


4. Disassembler with Cross-Reference Navigation

The internal disassembler is more capable than many expect: it shows assembly, function boundaries, and cross-references (xrefs). You can jump from a function reference to its callers or callees, which accelerates control-flow mapping during reverse engineering.

How to use:

  • Open the Disassembler pane and press Ctrl+F to find addresses or symbols.
  • Use the xref list to jump to all locations that reference the current function or data.

Practical tip: Use the bookmarking feature to mark important functions and create a quick navigation index.


5. Integrated Checksum and Signature Tools

PE Explorer includes tools to compute and verify PE checksums and to examine digital signatures. You can recompute checksums after edits and validate Authenticode signatures to see whether a binary has been tampered with.

How to use:

  • In the Tools menu, choose Checksum or Digital Signatures.
  • For signatures, view certificate chains and timestamp information.

Practical tip: Re-signing requires proper certificates; for testing, use test certs and keep originals intact.
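
To make the checksum step concrete, here is an added example (not PE Explorer's code) of the standard PE checksum calculation: a folded 16-bit sum over the file with the CheckSum field treated as zero, plus the file length. The function names and the 512-byte sample image are constructed for illustration. The checksum is not cryptographic, so a match only rules out accidental corruption; tamper detection is the job of the Authenticode signature.

```python
import struct

def checksum_offset(data):
    """File offset of OptionalHeader.CheckSum (same for PE32 and PE32+)."""
    pe, = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return pe + 4 + 20 + 64   # signature + COFF header + 64 bytes into optional header

def pe_checksum(data):
    """Folded 16-bit sum of the file (CheckSum field zeroed) plus file length."""
    off = checksum_offset(data)
    buf = bytearray(data)
    buf[off:off + 4] = b"\0\0\0\0"        # the field itself is excluded from the sum
    if len(buf) % 2:
        buf.append(0)                     # pad odd-length files to a whole word
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)   # fold the carry back in
    return total + len(data)

def checksum_matches(data):
    """True when the stored CheckSum equals the recomputed value."""
    stored, = struct.unpack_from("<I", data, checksum_offset(data))
    return stored == pe_checksum(data)

def with_fresh_checksum(data):
    """Copy of the image with CheckSum recomputed, as done after an edit."""
    out = bytearray(data)
    struct.pack_into("<I", out, checksum_offset(out), pe_checksum(out))
    return out

def build_minimal_image():
    """Constructed 512-byte buffer: DOS magic, e_lfanew and PE signature only."""
    img = bytearray(0x200)
    img[0:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)
    return img

if __name__ == "__main__":
    fixed = with_fresh_checksum(build_minimal_image())
    print(hex(pe_checksum(fixed)), checksum_matches(fixed))
    fixed[0x100] ^= 0x01                  # simulate an edit made after the checksum was set
    print(checksum_matches(fixed))
```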


6. Section Editor with Alignment and Permissions Control

The Section Editor lets you add, remove, resize, and modify section attributes (characteristics like read/write/execute). This is helpful when packing/unpacking binaries or preparing test modules with custom memory layouts.

How to use:

  • Open the Sections pane, right-click a section, and select Edit Section.
  • Change VirtualSize, RawSize, and Characteristics; alignments are applied automatically when rebuilding.

Caution: Misaligned sections can break loaders — always test in a safe environment.


7. Resource Localization and String Table Tools

PE Explorer’s string table editor and localization helpers let you extract string tables to CSV or import translations back into the binary. This speeds UI translation workflows for legacy applications without source code.

How to use:

  • Open String Tables under Resources, export entries to CSV, translate externally, then import.
  • The tool preserves encoding and character sets (ANSI/Unicode) on import.

Practical tip: Keep a mapping of resource IDs to UI contexts to avoid mistranslations.


8. Malware-Friendly Sandbox Integration

Some PE Explorer builds provide integration hooks with sandboxing tools or a one-click way to dump selected sections for offline dynamic analysis. This is especially useful for safely handling suspicious binaries.

How to use:

  • Use the Export Selected Section feature or the Sandbox menu to submit a binary fragment to a configured sandbox.
  • Combine with the Disassembler to extract suspicious code regions only.

Practical tip: Always analyze unknown binaries in an isolated virtual environment to avoid accidental infection.


9. RVA and File Offset Converter with Bookmarking

Converting between RVA (Relative Virtual Address) and file offset is a frequent task; PE Explorer’s converter supports batch conversions and bookmarking of important addresses for quick recall during long sessions.

How to use:

  • Open the RVA/Offset tool, paste addresses (one per line) and get converted values.
  • Use bookmarks to label addresses like function entry points, resource offsets, or patched bytes.

Practical tip: Export bookmarked lists when handing off analysis to teammates.
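
The conversion itself is a lookup in the section table, and the same table holds the Characteristics flags discussed under the Section Editor. The following added example (not PE Explorer's code; function names and the two-section sample header are constructed) converts RVAs to file offsets, returns None for RVAs that have no bytes on disk, and lists sections that are both writable and executable.

```python
import struct

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_MEM_* bits
SECTION = "<8sIIII12xI"                            # 40-byte IMAGE_SECTION_HEADER

def parse_sections(data):
    """Return (SizeOfHeaders, [section dicts]) read from the section table."""
    pe, = struct.unpack_from("<I", data, 0x3C)               # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    count, = struct.unpack_from("<H", data, pe + 6)           # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)       # SizeOfOptionalHeader
    hdr_size, = struct.unpack_from("<I", data, pe + 24 + 60)  # SizeOfHeaders
    sections = []
    for i in range(count):
        name, vsize, va, rsize, rptr, flags = struct.unpack_from(
            SECTION, data, pe + 24 + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "raw_ptr": rptr, "raw_size": rsize,
                         "flags": flags})
    return hdr_size, sections

def rva_to_offset(hdr_size, sections, rva):
    """File offset for an RVA, or None when no bytes on disk back it."""
    if rva < hdr_size:
        return rva                                   # headers map 1:1
    for s in sections:
        delta = rva - s["va"]
        if 0 <= delta < max(s["vsize"], s["raw_size"]):
            # Inside the section; only the first raw_size bytes exist in the file.
            return s["raw_ptr"] + delta if delta < s["raw_size"] else None
    return None

def writable_and_executable(sections):
    """Names of sections whose Characteristics allow both write and execute."""
    return [s["name"] for s in sections
            if s["flags"] & MEM_EXECUTE and s["flags"] & MEM_WRITE]

def build_sample():
    """Constructed header-only PE32 image with two sections (demo input)."""
    img = bytearray(0x600)
    img[0:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)
    struct.pack_into("<HH", img, 0x84, 0x14C, 2)     # Machine, NumberOfSections
    struct.pack_into("<H", img, 0x94, 0xE0)          # SizeOfOptionalHeader
    struct.pack_into("<I", img, 0xD4, 0x200)         # SizeOfHeaders
    struct.pack_into(SECTION, img, 0x178, b".text", 0x1000, 0x1000, 0x200, 0x200, 0x60000020)
    struct.pack_into(SECTION, img, 0x1A0, b".data", 0x3000, 0x2000, 0x200, 0x400, 0xE0000040)
    return bytes(img)
```

A batch conversion is a loop over `rva_to_offset`; a None result marks an address that lies in a section's virtual range beyond its raw data, or outside every section.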


10. Scriptable Automation & Command-Line Options

For repeatable tasks, PE Explorer supports scripting and command-line operations (depending on the edition). You can automate bulk checks, resource exports, or checksum recalculations across many files.

How to use:

  • Consult the Help → Scripting Guide for supported commands and syntax.
  • Build small scripts to loop through a folder, extract version info, and output CSV reports.

Practical tip: Combine command-line runs with CI pipelines to enforce binary standards for releases.


When to Use These Features

  • Debugging startup crashes: Dependency graphs, section edits, signature checks.
  • Reverse engineering: Disassembler xrefs, RVA bookmarking, structure editor.
  • Localization/customization: Resource editor, string table export/import.
  • Malware analysis: Sandbox integration, section dumping, disassembler.
  • Release engineering: Checksums, section permissions, scripting for automation.

Final notes

Many of these features are powerful and can break binaries if misused. Always work on copies, keep backups, and test changes in controlled environments.
