Chapter 1. What is pev?

Table of Contents


Since version 0.50, pev is a multiplatform toolkit to work with PE (Portable Executable) binaries. Its main goal is to provide feature-rich tool for proper analyze binaries, specially suspicious ones.


pev was born back in 2010 from a simple need: a program to find out the version (File Version) of a PE32 file and that could run in Linux. This version number is stored in Resources (.rsrc) section but at the time we've decided to simply search for the string in the whole binary, without any optimization.

Later on we've decided to parse the PE32 file until reach .rsrc section and get the File Version field. In order to do that, we realized we had to parse the entire file and we thought if we could print out all the fields and values we went through as well.

Until version 0.40, pev was an unique program to parse the PE headers and sections (now readpe is responsible for this). In version 0.50 we focused on binary analysis and splitted pev into various programs beyond a library, called libpe. Currently most of pev toolkit programs depends on libpe.