Chapter 7. FAQ (Frequently Asked Questions)

Q: What's imphash?
Q: I use pev in Windows and everytime I run one of the pev tools I see CYGWIN complaining about Windows-style file paths.
Q: How can I get the File Version from PE files like I'm used to do with previous versions of pev?
Q: Can my machine be infected when analyzing malware with pev tools?
Q: Can any pev tool rate a file as malicious?
Q: I can't compile pev from the latest source code on git repository. What can I do?
Q: How do I uninstall the pev version I've installed from source code?
Q: Can I use pev with my project?
Q: I like pev. How do I let you guys know that?
Q: I found a bug. What do I do?
Q: My question is not listed here. How do I get an answer for that?

Q:

What's imphash?

A:

It's an MD5 hash computed over the names of the imported functions, normally used to search for variants of the same file. The idea was introduced by Mandiant and is explained in their blog post Tracking malware with Import Hashing, but keep in mind that some people argue the current algorithm for calculating imphash is broken. See Imphash implementation and Imphash implementation does not follows convention to understand the discussion better. The implementation from pefile is the one used in all software we are aware of, and it's the one we use too.
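As an added illustration (not code from pev or pefile), the following reproduces the pefile imphash convention over a constructed import table: DLL names are lowercased and stripped of their extension, every import becomes a "dll.function" token, the tokens are joined with commas in import-table order, and the result is MD5-hashed. The ordinal lookup table is a hypothetical one-entry stand-in for pefile's much larger table, so ordinal imports that the table does not cover fall back to "ordN", which is exactly why two variants that differ only in name-vs-ordinal imports can produce different hashes.

```python
import hashlib

# Constructed sample input: the import table of a hypothetical PE, as
# (dll name, imported symbol) pairs. A symbol is either a name or an ordinal.
SAMPLE_IMPORTS = [
    ("KERNEL32.DLL", "GetProcAddress"),
    ("KERNEL32.DLL", "LoadLibraryA"),
    ("ws2_32.dll", 23),            # imported by ordinal (23 == socket)
    ("USER32.dll", "MessageBoxA"),
]

# Hypothetical stand-in for pefile's ordinal lookup table; only the entry the
# sample needs is present. Ordinals of DLLs not listed here hash as "ordN".
ORDINAL_NAMES = {
    "ws2_32": {23: "socket"},
}

STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")


def normalize_import(dll, symbol):
    """Return the lowercase 'dll.symbol' token that feeds the hash."""
    dll = dll.lower()
    for ext in STRIPPED_EXTENSIONS:
        if dll.endswith(ext):
            dll = dll[: -len(ext)]
            break
    if isinstance(symbol, int):
        # Ordinal import: resolve to a name when the table knows it.
        symbol = ORDINAL_NAMES.get(dll, {}).get(symbol, "ord%d" % symbol)
    return "%s.%s" % (dll, symbol.lower())


def imphash_string(imports):
    """The comma-joined token string; order of the import table matters."""
    return ",".join(normalize_import(dll, sym) for dll, sym in imports)


def imphash(imports):
    """MD5 hex digest of the normalized import string."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Because the hash is taken over the ordered token string, reordering imports or switching a single import between name and ordinal changes the imphash, which is the limitation the linked issues discuss.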

Q:

I use pev in Windows and everytime I run one of the pev tools I see CYGWIN complaining about Windows-style file paths.

A:

The Windows version of pev depends on CYGWIN libraries that are included in the ZIP package provided for Windows users, so CYGWIN is still there. A workaround is setting the CYGWIN environment variable to disable these warnings:

$ set CYGWIN=nodosfilewarning

You can confirm the variable is set by running the following command in the MS-DOS Prompt or PowerShell:

$ set | findstr CYGWIN

If you want to make it permanent, you'll have to add this variable with this value in System Properties - Advanced - Environment Variables, as the image below shows:

Q:

How can I get the File Version from PE files like I'm used to do with previous versions of pev?

A:

Use the peres tool with the -v switch.

Q:

Can my machine be infected when analyzing malware with pev tools?

A:

Yes. We have the cpload tool, which actually EXECUTES the target on Windows machines. Apart from that, attackers could exploit a vulnerability we don't know about in one of the tools to execute arbitrary code by sending you a specially crafted PE file. So please, consider using the pev tools in a protected/isolated virtual machine for binary file analysis.

Q:

Can any pev tool rate a file as malicious?

A:

No. Some tools can give you a hint, but it's nearly impossible to programmatically claim a piece of code is malicious.

Q:

I can't compile pev from the latest source code on git repository. What can I do?

A:

You can open an issue on GitHub. The repository usually contains code under development, and sometimes things are, indeed, broken.

Q:

How do I uninstall the pev version I've installed from source code?

A:

On Linux and OS X, just change to the pev source code directory and run make uninstall. On Windows, just delete the pev folder.

Q:

Can I use pev with my project?

A:

Yes, as long as you respect the GPLv2 terms for the pev tools and the LGPLv3 terms for libpe.

Q:

I like pev. How do I let you guys know that?

A:

We're glad you like it. Please consider starring it on GitHub or SourceForge (you can also leave a comment), send your feedback to the pev-users list, tell your friends that pev exists, anything. We look forward to hearing from you. Really.

Q:

I found a bug. What do I do?

A:

If you suspect it is a bug, we recommend first discussing it on the pev-users mailing list. If you are sure, please open an issue on the GitHub project page.

Q:

My question is not listed here. How do I get an answer for that?

A:

Send it to the pev-users mailing list or, if you're a developer, to the pev-devel mailing list.