Peer deep inside .NET files with PExe

PExe

PExe is a tiny free tool for identifying and disassembling .NET executables.

This could be useful for basic troubleshooting (is this a .NET program?), looking inside an application before you run it, detecting signs of malware, and more.

PExe arrives as a single 540KB executable, no installation required. Just unzip and run.

The interface is basic, with no option to view folders or browse multiple files. Instead you simply click "Import…", choose your target file and click "Check…".

If this is a .NET file then PExe displays the message "NET Assembly", otherwise you’ll see "Native Code".

Click "Disassemble" and PExe extracts and saves the resources of your executable (as .resources files), and disassembles the code to a file called "disassemble.il" in the same folder.

This is mostly highly technical -- even for experts -- but there are some immediately useful features. If you’re looking for malware, for instance, searching for strings like "http" or "www" not only finds matching URLs, but also displays them in context.

As an example, we pointed PExe at Bulk Crap Uninstaller, and found a link to PayPal. It’s a trusted program that’s been around for years, so we were sure there was nothing dubious going on, but could PExe give us any more information? Here’s the relevant part of the file (focus on the underlined parts).

 {
 // Method begins at RVA 0x10540
 // Code size 25 (0x19)
 .maxstack 8
 IL_0000: /* 17 | */ ldc.i4.1
 IL_0001: /* 8D | (01)00007E */ newarr [System/*23000007*/]System.Uri/*0100007E*/
 IL_0006: /* 25 | */ dup
 IL_0007: /* 16 | */ ldc.i4.0
 IL_0008: /* 72 | (70)005D7C */ ldstr “http_://www.paypal.com/cgi-bin/webscr\?cmd=_s-xclic“
 + “k&hosted_button_id=TB9DA2P8KQX52” /* 70005D7C */
 IL_000d: /* 73 | (0A)000205 */ newobj instance void [System/*23000007*/]System.Uri/*0100007E*/::.ctor(string) /* 0A000205 */
 IL_0012: /* A2 | */ stelem.ref
 IL_0013: /* 28 | (06)000282 */ call void BulkCrapUninstaller.Forms.MainWindow/*02000020*/::OpenUrls(class [mscorlib/*23000001*/]System.Collections.Generic.IEnumerable`1/*0100000F*/<class [System/*23000007*/]System.Uri/*0100007E*/>) /* 06000282 */
 IL_0018: /* 2A | */ ret
 } // end of method MainWindow::donateButton_Click

This is disassembled rather than decompiled, so most of this will mean nothing to anyone, but there are just two relevant parts. The PayPal link is attached to a button, and the final line tells us it’s the Click event for the main window’s Donate button. It all looks totally innocent (just as you’d expect from a trusted program that’s been around for years).

PExe worked as advertised for us, but it’s basic, and if you’re after more power then there are some very capable alternatives around.

If you’re just looking to see if an executable is .NET, open it in the excellent PEStudio and check the Signature field. There’s no disassembly, but integrated VirusTotal support and string viewing more than make up for that.

And if you’ve development experience, and would like to look at the code, a decompiler such as dnSpy will tell you more.

Just as a trivial example, here’s what the Button_Click event above looks like when it’s decompiled, rather than disassembled:

‘ BulkCrapUninstaller.Forms.MainWindow
Private Sub donateButton_Click(sender As Object, e As EventArgs)
    MainWindow.OpenUrls(New Uri()() { New Uri(“httpx://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=……………..“) })
End Sub

Much more readable.

Still, PExe is a fraction of the size, far easier to use, and can still provide helpful information about .NET assemblies. If you ever need to check out EXEs, and you don’t have a decompiler already, then it’s a simple way to get started.

PExe is a freeware application for Windows 7 and later.

Comments are closed.

© 1998-2025 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.