A developer upgrades their application to pure 64-bit. Suddenly, calls to RegOpenKeyExW fail. PE Explorer reveals:
No article on PE Explorer is complete without mentioning packers. Malware authors and software protectors use "packers" (like UPX, Themida, or Armadillo) to compress and encrypt executables.
The classic PE Explorer had a heuristic scanner to detect these. The 64-bit Version 2 faces a harder battle: modern packers for 64-bit files are incredibly sophisticated. They utilize virtualization and code mutation.
However, Version 2 fights back with improved Signature Detection. It maintains a database of packer signatures specifically for x64 architectures. It can tell you, "This isn't just a generic EXE; it's packed with UPX 3.0 (64-bit mode)." This saves an analyst hours of manual debugging, instantly telling them that they need to unpack the file before they can even begin to analyze the code inside. pe explorer 64bit version 2
Unlike its 32-bit predecessor, the 64-bit version of PE Explorer is specifically engineered to handle the PE32+ format (the 64-bit extension to the Portable Executable specification). Version 2 brings a modernized UI, faster parsing, and deeper handling of 64-bit-specific structures like IMAGE_THUNK_DATA64 and 64-bit relocation tables.
It is not a debugger and not a decompiler—but it is the best-in-class structure editor and resource tuner.
With excellent free alternatives like CFF Explorer and x64dbg plugins available, you might ask: Why use PE Explorer? A developer upgrades their application to pure 64-bit
The answer lies in its workflow integration. PE Explorer has always been a "Swiss Army Knife." It combines a resource editor, a section viewer, a dependency scanner, and a disassembler (via a plugin) into one cohesive window.
Version 2 retains that "all-in-one" feel. You don’t have to open three different tools just to check the header, modify an icon, and view the imports. For developers needing to troubleshoot a build or analysts quickly triaging a suspicious file, that speed matters.
A suspicious clipsp.sys (Microsoft’s Windows Client License) driver is modified. Using PE Explorer 64bit Version 2: Malware authors and software protectors use "packers" (like
Tip 1: Correlate with Debuggers
Use Version 2 to extract the .pdata (exception table), then load the same binary in x64dbg. Set breakpoints on all RUNTIME_FUNCTION start addresses to trace exception flow.
Tip 2: Unpack 64-bit Themida
PE Explorer’s “Section Editor” allows you to dump the .text section after OEP (Original Entry Point) is reached in a debugger. Then use Version 2’s “Rebuild PE” to fix the Epoch field in the optional header.
Tip 3: Hunt for Hollowed Processes
Compare the ImageBase from PE Explorer (on disk) with the loaded base address in a memory dump. Any mismatch > 0x10000 suggests process hollowing (common in malware).
The built-in dependency scanner visualizes: