PEBrowse Professional is a static-analysis tool and disassembler for
Win32/Win64 executables and .NET assemblies produced
according to the Portable Executable specifications published by
With the PEBrowse
disassembler, one can open and examine any executable without the need
to have it loaded as part of an active process with a debugger.
Applications, system DLLs, device drivers and .NET assemblies
are all candidates for offline analysis using PEBrowse. The information
is organized in a convenient treeview index with the major divisions of
the PE file displayed as nodes. In most cases selecting nodes will
enable context-sensitive multiple view menu options, including binary
dump, section detail, disassembly and structure options as well as
displaying sub-items, such as optional header directory entries or
exported functions, that can be found as part of a PE file unit.
Several table displays, hex/ASCII equivalents, window messages and
error codes, as well as a calculator and scratchpads are accessible
from the main menu.
While the binary dump display offers
various display options, e.g., BYTE, WORD, or DWORD alignment, the
greatest value of PEBrowse comes when one disassembles an entry-point.
An entry-point in PEBrowse is defined as:
- Module entry-point
- Exports (if any)
- Debug-symbols (if a valid PDB, i.e., program database file, is present)
- Imported API references
- Relocation addresses
- Internal functions/subroutines
- Any valid address inside of the module
Disassembling any number of these entry-points produces a versatile
display rich in detail, including upper/lowercase display,
C/Pascal/Assembler suffix/prefixing, object code, color-coded
statements, register usage highlighting, and jump/call target preview
popups. Additional information, such as variable and function names,
will also be present if one has access to a valid PDB file. Disassembly
comes in two flavors: linear sweep (sequential disassembly from a
starting address) and recursive traversal, a.k.a. analysis mode
(disassembly of all statements reachable by non-call statements;
extended analysis disassembles all internal call statements as well).
The latter mode also presents local variables with cross-referencing,
highlighting, and renaming options. If one adds or changes variable names
or adds comments to specific lines, these can be displayed in a session
file, which will record and save all currently opened displays.
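
The difference between the two disassembly modes described above, as an added example (not PEBrowse code): a minimal Python decoder for six real x86 opcodes is run over a constructed 12-byte sample in which two data bytes sit between a jump and its target. The function names, the `follow_calls` flag (standing in for extended analysis) and the sample bytes are assumptions made for illustration.

```python
import struct

# Tiny decoder for a handful of real x86 opcodes: opcode -> (mnemonic, length, kind).
OPS = {0x90: ("nop", 1, "seq"), 0xC3: ("ret", 1, "ret"),
       0xB8: ("mov eax, imm32", 5, "seq"), 0xEB: ("jmp short", 2, "jmp"),
       0x74: ("jz short", 2, "jcc"), 0xE8: ("call", 5, "call")}

def decode(code, off):
    """Return (mnemonic, length, kind, branch_target or None) at offset off."""
    name, length, kind = OPS.get(code[off], ("db 0x%02x" % code[off], 1, "seq"))
    if off + length > len(code):           # truncated operand: emit a raw byte
        return "db 0x%02x" % code[off], 1, "seq", None
    target = None
    if kind in ("jmp", "jcc"):             # rel8, relative to the next instruction
        target = off + length + struct.unpack_from("<b", code, off + 1)[0]
    elif kind == "call":                   # rel32, same base
        target = off + length + struct.unpack_from("<i", code, off + 1)[0]
    return name, length, kind, target

def linear_sweep(code, start=0):
    """Decode byte after byte from start, whether or not the bytes are code."""
    out, off = [], start
    while off < len(code):
        name, length, _, _ = decode(code, off)
        out.append((off, name))
        off += length
    return out

def recursive_traversal(code, start=0, follow_calls=False):
    """Decode only what control flow reaches; follow_calls=True also enters callees."""
    seen, work = {}, [start]
    while work:
        off = work.pop()
        if off in seen or not 0 <= off < len(code):
            continue
        name, length, kind, target = decode(code, off)
        seen[off] = name
        if kind in ("seq", "jcc", "call"):   # execution can fall through
            work.append(off + length)
        if kind in ("jmp", "jcc") or (kind == "call" and follow_calls):
            work.append(target)
    return sorted(seen.items())

# Constructed sample: jmp over two data bytes, call a helper, ret; helper is nop, ret.
CODE = bytes.fromhex("eb02" "b800" "e801000000" "c3" "90c3")

if __name__ == "__main__":
    for label, rows in (("linear sweep", linear_sweep(CODE)),
                        ("recursive", recursive_traversal(CODE)),
                        ("extended", recursive_traversal(CODE, follow_calls=True))):
        print(label, rows)
```

Linear sweep decodes the data byte `b8` at offset 2 as a five-byte `mov` and so never shows the `call` at offset 4; recursive traversal finds the call, and only the extended mode also lists the helper at offsets 10 and 11.
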
PEBrowse Professional will decompile type library information either embedded
inside of the binary as the resource "TYPELIB" or inside of individual
type libraries, i.e., .TLB or .OLB files.
It also displays all metadata for .NET assemblies and displays IL
(Intermediate Language) for .NET methods. It seamlessly handles mixed
assemblies, i.e., those that contain both native and managed code.
PEBrowse can be employed as a file browse utility for any type of file
with the restriction that the file must be small enough that it can be