A recovery algorithm for PE files in a multi-core system

Several tools are available for reverse engineering Windows portable executable (PE) files. The first step of reverse engineering is to disassemble the PE file. However, files sometimes do not load or open correctly due an incorrect PE file format. We therefore developed an algorithm that restores the PE file structure of an incorrectly formatted PE file. The program that uses this algorithm loads the file to memory, reconstructs the file format automatically, and then saves the new file. However, processing of many large files can result in performance degradation. We therefore adopted a parallel programming technique that uses open multi-processing (OpenMP) to simultaneously process large files. For parallel programming, we used thread level parallelism and data decomposition. We compared the performance of a sequential implementation of our algorithm and two parallel implementations of the algorithm by evaluating execution time, CPU usage, and concurrency for three different files using Visual Studio´s Profiler and Intel Parallel Studio 2011. Parallel processing reduced execution time by about 75% compared to sequential processing.