# PE Files

## Malchive

Perform static analysis of various aspects of malicious code.

**Website**: <https://github.com/MITRECND/malchive>\
**Author**: The MITRE Corporation, <https://github.com/MITRECND/malchive/graphs/contributors>\
**License**: Apache License 2.0: <https://github.com/MITRECND/malchive/blob/main/LICENSE>\
**Notes**: Malchive command-line tools start with the prefix `malutil-`. See [utilities documentation](https://github.com/MITRECND/malchive/wiki/Utilities) for details.\
**State File**: [remnux.python3-packages.malchive](https://github.com/REMnux/salt-states/blob/master/remnux/python3-packages/malchive.sls)

## Speakeasy

Emulate code execution, including shellcode, Windows drivers, and Windows PE files.

**Website**: <https://github.com/mandiant/speakeasy>\
**Author**: Mandiant, Andrew Davis\
**License**: MIT License: <https://github.com/mandiant/speakeasy/blob/master/LICENSE.txt>\
**Notes**: To run the tool, use the `speakeasy`, `emu_exe.py`, and `emu_dll.py` commands.\
**State File**: [remnux.python3-packages.speakeasy](https://github.com/REMnux/salt-states/blob/master/remnux/python3-packages/speakeasy.sls)

## binee (Binary Emulation Environment)

Analyze I/O operations of a suspicious PE file by emulating its execution.

**Website**: <https://github.com/carbonblack/binee>\
**Author**: Carbon Black, Kyle Gwinnup, John Holowczak\
**License**: GNU General Public License (GPL) v2: <https://github.com/carbonblack/binee/blob/master/LICENSE>\
**Notes**: Before using this tool, place the files your sample requires under `/opt/binee-files/win10_32`. For example, the Windows DLLs it needs should go in `/opt/binee-files/win10_32/windows/system32`. If you have a Windows 10 64-bit system, you can get the 32-bit DLLs from `C:\Windows\SysWOW64`. To check which DLLs you might need, examine the import table using the "-i" parameter.\
**State File**: [remnux.packages.binee](https://github.com/REMnux/salt-states/blob/master/remnux/packages/binee.sls)

## mbcscan

Scan a PE file to list the associated Malware Behavior Catalog (MBC) details.

**Website**: <https://github.com/accidentalrebel/mbcscan>\
**Author**: Karlo Licudine: <https://x.com/accidentalrebel>\
**License**: GNU General Public License (GPL) v3.0: <https://github.com/accidentalrebel/mbcscan/blob/master/LICENSE>\
**Notes**: `mbcscan.py`\
**State File**: [remnux.scripts.mbcscan](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/mbcscan.sls)

## capa

Detect suspicious capabilities in PE files.

**Website**: <https://github.com/mandiant/capa>\
**Author**: Mandiant, Willi Ballenthin: <https://x.com/williballenthin>, Moritz Raabe: <https://x.com/m_r_tz>\
**License**: Apache License 2.0: <https://github.com/mandiant/capa/blob/master/LICENSE.txt>\
**State File**: [remnux.tools.capa](https://github.com/REMnux/salt-states/blob/master/remnux/tools/capa.sls)


