Hello, I'm Didier Stevens. In this video, we are going to look at the new feature of my pecheck tool, namely the locate option, option -l. So let me show you how pecheck works in normal circumstances. You just give it a PE file, so a Windows executable: pecheck, and I'm going to give it my XORSearch tool. It then does the analysis of the PE file containing my XORSearch tool and displays all kinds of information. And you can, for example, use options to say I want an overview of the sections, and then you have all the sections.

Now, if you run this tool on a file that is not a PE file, you will get an error, like on a PNG file here. You get an error, "DOS Header magic not found". That comes from pefile, the module for PE files developed by Ero Carrera that I use here in my pecheck tool to read PE files. So it doesn't recognize the DOS header, that is the MZ header that you have at the beginning of a PE file. And if we check with file, sample, indeed, it is a PNG image.

Now, that new locate option. The locate option will find any PE file in any binary data that you give it. So it will search for the DOS header MZ, then the PE header, and then it will parse that piece of data that is inside the file. And if it can parse it without errors as a PE file, then it will report that it found a PE file. So let's do this on sample. So locate, and uppercase P means that you want an overview of all the PE files that it finds in the file that you give it. Okay, so this is a PNG file that I manipulated. I appended two DLLs at the end, as you can see, a 32-bit and a 64-bit DLL. And that is something that malware authors will do regularly. They take a benign file format like an image or PostScript or a PDF, and then they append their malicious payload, the PE file here, at the end. So with pecheck, you can get an overview of all the PE files found inside that sample. And they receive an index so that you can select them to work on.
Here, this is the first byte, the location of the first byte of the PE file. So the M of the MZ here starts at 2EBB. It's a DLL, a 32-bit DLL. And the DLL without overlay, so the PE file without any overlay, goes until position 16EBA. So that is the last byte of that DLL. And here you have the MD5 hash of that DLL, again without overlay. This here is until the end of file. It's something that I probably will change later on in pecheck, because I've experienced that this is not very useful. So you can forget about this. This is just each time the last byte in the file. So the last byte in the file is at position 270BA.

And then here you have a second file, and you can see it starts at 16EBB. And here you have 16EBA. So that means that the 64-bit DLL that was found is found immediately after that 32-bit DLL. And here you have the end of the PE file without overlay, and you can see that it's 270BA. And that corresponds to this 270BA. So now you know that here the PE file without overlay at the end is the last PE file and also the last sequence of bytes that you find appended to that PNG file. And then again here the MD5 hash without overlay. I also have environment variables that you can set, sorry, if you want something else than the MD5 hash here, for example SHA256.

Now, if I want to analyze one of those embedded files, I just have to say locate the first one, and so the 32-bit DLL. And then pecheck will do the analysis of the file, for example an overview of the sections, like this. And of course I can do the same: locate the second file in the sample, and then it does the analysis. And here you can also, for example, do an overview of resources. Okay, there are no resources. Overview of sections: here are the sections, and indeed there is no resource section, so there are no resources. Now say that you want to extract that file, to do something else with that file.
Not only have pecheck analyze it, but, for example, if it is a PE file that is not known on VirusTotal, maybe you can decide to submit it to VirusTotal. So sample here. So I have this first file that I want to extract. So I'm going to run pecheck, locate the first file, and I'm going to tell it to get something from that file. And what we want to get is the complete file, the complete stripped file, so the PE file without any overlay. So that is s; s stands for stripped. And if you do that on sample here, you will see that you get an ASCII dump. Sorry, that's a wrong command. Let me fix this, like this. And if I say uppercase A, then I will also have an ASCII hex dump, but run-length encoded. And let's pipe this through less. And as you can see here, you have the MZ, the header, the DOS header, the start of the DOS header. Here the PE, and then the sections. So that's an ASCII dump.

You can also do a binary dump, like in most of my tools. Now, the small difference here in pecheck with many of my other tools, like oledump, is that for a binary dump you have to use option d, but uppercase D. And that's because lowercase d has already been, for a long time, assigned to another function, namely a database of PEiD signatures. So that will give you the binary data. And then you can say, for example, redirected to sample.exe.vir. And then you extract that PE file from the PNG file. If I run file here on sample.exe, indeed you can see that the 32-bit DLL has been extracted. If I calculate the hash, I have this here, and let's compare this. And indeed, we have the same hash here.
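The locate logic described in the video (search for MZ, follow e_lfanew to the PE signature, parse the headers, and compute where the image ends without its overlay from the section table) can be reproduced with a few struct reads. The following is an added example written for this page; it is not pecheck's code and does not use pefile, which is what pecheck itself relies on. The PNG stand-in and the two minimal DLL images it scans are constructed in the block (build_minimal_pe and build_sample are helpers of this example, not real files), so the offsets are whatever the builder produces, not the 2EBB/16EBB values shown in the video.

```python
"""Locate PE files embedded in arbitrary binary data and carve them out
without their overlay. Added example; not Didier Stevens' pecheck code."""
import hashlib
import struct

IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x14C: "x86 (32-bit)", 0x8664: "x64 (64-bit)",
                 0x1C0: "ARM", 0xAA64: "ARM64"}


def parse_pe_at(data, mz):
    """Describe the PE image starting at offset mz, or return None when the
    bytes there do not parse as a complete PE file (headers and all section
    raw data must lie inside `data`)."""
    if data[mz:mz + 2] != b"MZ" or mz + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, mz + 0x3C)[0]
    pe = mz + e_lfanew
    if e_lfanew < 0x40 or pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _ts, _symptr, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    if opt_size < 64 or opt + opt_size > len(data):
        return None
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):  # PE32 / PE32+
        return None
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sections = opt + opt_size
    if sections + nsections * 40 > len(data):
        return None
    end = mz + size_of_headers  # the stripped image is at least its headers
    for i in range(nsections):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sections + i * 40 + 16)
        if raw_size:
            end = max(end, mz + raw_ptr + raw_size)
    if end > len(data):
        return None  # section data runs past the end: truncated, not a valid find
    return {"start": mz, "end": end - 1, "size": end - mz,
            "machine": MACHINE_NAMES.get(machine, hex(machine)),
            "dll": bool(characteristics & IMAGE_FILE_DLL),
            "md5": hashlib.md5(data[mz:end]).hexdigest()}


def locate_pe_files(data):
    """Every offset holding 'MZ' that parses as a PE file, in file order.
    The scan resumes one byte on, so a PE nested inside another is also reported."""
    found, pos = [], data.find(b"MZ")
    while pos != -1:
        info = parse_pe_at(data, pos)
        if info:
            found.append(info)
        pos = data.find(b"MZ", pos + 1)
    return found


def extract_stripped(data, index):
    """Bytes of the index-th located PE file (1-based), without overlay."""
    info = locate_pe_files(data)[index - 1]
    return data[info["start"]:info["end"] + 1]


def build_minimal_pe(machine, is_dll, payload):
    """Constructed test data: a tiny, structurally valid PE image with one section."""
    pe32plus = machine == 0x8664
    opt_size = 240 if pe32plus else 224
    headers = 0x40 + 4 + 20 + opt_size + 40
    size_of_headers = (headers + 0x1FF) & ~0x1FF  # FileAlignment 0x200
    raw_size = (len(payload) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)           # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, size_of_headers)  # SizeOfImage, SizeOfHeaders
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000, raw_size,
                      size_of_headers, 0, 0, 0, 0, 0x60000020)
    img = dos + b"PE\0\0" + coff + bytes(opt) + sec
    img += b"\0" * (size_of_headers - len(img))
    return img + payload + b"\0" * (raw_size - len(payload))


def build_sample():
    """Constructed stand-in for the video's sample: PNG-like bytes with a 32-bit
    and a 64-bit DLL appended back to back."""
    png_stub = b"\x89PNG\r\n\x1a\n" + b"\0" * 0x100 + b"IEND\xaeB`\x82"
    dll32 = build_minimal_pe(0x14C, True, b"\xC3" * 17)
    dll64 = build_minimal_pe(0x8664, True, b"\xC3" * 33)
    return png_stub + dll32 + dll64, dll32, dll64


if __name__ == "__main__":
    sample, _, _ = build_sample()
    for i, pe in enumerate(locate_pe_files(sample), 1):
        print(f"{i}: {pe['start']:08X}-{pe['end']:08X} {pe['machine']} "
              f"{'DLL' if pe['dll'] else 'EXE'} md5={pe['md5']}")
```

The end offset without overlay is the largest PointerToRawData + SizeOfRawData over the section table, which is why two appended files can be told apart even though they are contiguous: the first image's computed end is the byte before the second MZ. A real pipeline should feed candidate offsets to pefile as pecheck does, since the hand parser above checks only the fields it needs.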