PETriage
A fast, cross-platform PE (Portable Executable) surface analysis tool for malware triage, written in Rust. Designed for analysts who need practical PE triage on Linux, macOS, and Windows without relying on a Windows-only workflow.
Formerly readpe (renamed to avoid naming collisions with existing tools).
Concept
- Static-only -- The PE is never loaded or executed. Safe for malware triage.
- CLI-first -- Lightweight default workflow suitable for batch analysis and automation.
- Composable -- JSON/NDJSON output for piping to jq, SIEMs, and scripting pipelines.
- Offline -- No network calls. Suitable for fully air-gapped environments.
Interfaces
| Interface | Build | Description |
|---|---|---|
| CLI | cargo build --release | Default workflow for PE triage, structured output, anomaly detection, and batch automation. |
| TUI | cargo build --release --features tui | Interactive hex viewer with PE region navigation. |
| GUI | cargo build --release --features gui | Tabbed analysis, drag & drop, import/string filters, entropy color-coding, PE header editor. |
Quick Install
Default CLI build:
cargo install petriage
For TUI and GUI builds, build from source with feature flags.
Or build from source:
git clone https://github.com/uky007/petriage.git
cd petriage
cargo build --release
See docs/installation.md for GUI/TUI build dependencies and cross-compilation.
Quick Usage
petriage <file.exe> # Surface analysis (all except strings)
petriage <file.exe> -a # All information including strings
petriage <file.exe> -H # Headers only
petriage <file.exe> -i # Imports only
petriage <file.exe> --hashes # File hashes only
petriage <file.exe> --json # JSON output
petriage --batch <dir> --ndjson # Batch-analyze all PEs in a directory
petriage <file.exe> --fail-on warning # Exit code 3 if anomalies meet the selected threshold
petriage -x <file.exe> # TUI hex viewer
petriage-gui # GUI (file dialog)
petriage-gui <file.exe> # GUI (open file directly)
See docs/usage.md for full CLI options, jq recipes, TUI/GUI details, and example output.
Screenshots
- CLI
- GUI
- Headers (Structure View + Editor)
- Header Editor (Inline Editing)
Exit Codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | Input error (file not found, read failure, invalid PE) |
| 2 | Output error (file write failure) |
| 3 | Anomaly threshold exceeded (--fail-on) |
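The exit codes above are enough to build an intake gate that separates "flagged" from "could not be analyzed". The sketch below is an added example, not part of the PETriage project. It runs one file at a time so each sample gets its own exit code, and it assumes that `--json` and `--fail-on` can be combined and that the JSON report is written to stdout; `PETRIAGE_BIN`, `triage_one` and `triage_dir` are hypothetical names.

```shell
# Added example: bucket samples by petriage's documented exit codes (0/1/2/3).
# Assumptions: --json and --fail-on can be combined and the JSON report goes
# to stdout. PETRIAGE_BIN, triage_one and triage_dir are hypothetical names.
PETRIAGE_BIN="${PETRIAGE_BIN:-petriage}"

# Analyze one file, keep its JSON report in $2, print a one-word verdict.
triage_one() {
    local sample="$1" outdir="$2" report rc=0
    report="$outdir/${sample##*/}.json"
    "$PETRIAGE_BIN" "$sample" --json --fail-on warning >"$report" 2>/dev/null || rc=$?
    case "$rc" in
        0) echo clean ;;
        3) echo flagged ;;            # anomaly threshold met, report kept
        1) rm -f -- "$report"; echo not-analyzed ;;   # not found, unreadable, invalid PE
        2) rm -f -- "$report"; echo output-error ;;
        *) rm -f -- "$report"; echo "unknown-$rc" ;;
    esac
}

# Triage every regular file in $1, write "verdict<TAB>path" lines to
# $2/verdicts.tsv. Returns 3 if any file was flagged, 1 if none was flagged
# but some file could not be analyzed, 0 if every file came back clean.
triage_dir() {
    local indir="$1" outdir="$2" f verdict flagged=0 failed=0
    mkdir -p -- "$outdir" || return 2
    : >"$outdir/verdicts.tsv"
    for f in "$indir"/*; do
        [ -f "$f" ] || continue
        verdict=$(triage_one "$f" "$outdir")
        printf '%s\t%s\n' "$verdict" "$f" >>"$outdir/verdicts.tsv"
        case "$verdict" in
            clean) ;;
            flagged) flagged=$((flagged + 1)) ;;
            *) failed=$((failed + 1)) ;;
        esac
    done
    if [ "$flagged" -gt 0 ]; then return 3; fi
    if [ "$failed" -gt 0 ]; then return 1; fi
    return 0
}
```

Use an output directory that is separate from the sample directory so reports are not picked up as samples on the next run. Treating exit code 1 as its own bucket matters in triage: a file that fails to parse as a PE has not been cleared, only skipped.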
License
MIT OR Apache-2.0