PE DIFFER TOOLKIT
Roger's Malware Analysis Toolkit
================================================================================

WHAT'S INCLUDED
---------------
✓ CPEDiffer.cls            - Main differ class with comprehensive comparison
✓ CDiffEntry.cls           - Difference record class
✓ frmPEDiffer.frm          - Full GUI interface with filtering and export
✓ modPEDifferExamples.bas  - Usage examples and patterns
✓ modPEDifferCLI.bas       - Command-line batch operations module
✓ PE_DIFFER_GUIDE.txt      - Complete documentation

QUICK START
-----------
1. Add both .cls files to your VB6 project
2. Add the .frm file for GUI usage (optional)
3. Add example modules for reference (optional)

BASIC USAGE - PROGRAMMATIC
--------------------------
Dim pe1 As New CPEEditor
Dim pe2 As New CPEEditor  
Dim differ As New CPEDiffer

pe1.LoadFile "original.exe"
pe2.LoadFile "modified.exe"

If differ.Compare(pe1, pe2) Then
    Debug.Print differ.GetTextReport
End If

BASIC USAGE - GUI
-----------------
frmPEDiffer.Show

Then:
1. Browse and select two PE files
2. Click "Compare Files"
3. Use category filter to focus on specific changes
4. Export report if needed

BASIC USAGE - COMMAND LINE
--------------------------
' From VB6 Immediate Window:
Call ComparePEFiles("file1.exe", "file2.exe")
Call ComparePEFiles("file1.exe", "file2.exe", "report.txt")
Call BatchCompareFolder("C:\samples\", "*.exe")

WHAT IT COMPARES
----------------
✓ File metadata (machine type, timestamp, .NET info)
✓ Optional header (all fields including security flags)
✓ All data directory entries
✓ Section headers and characteristics  
✓ Import tables (DLLs and functions)
✓ Export tables (functions, addresses, ordinals)
✓ Resources (complete hierarchy)
✓ Relocations (all tables and entries)
✓ Debug directory and PDB paths
✓ Import hash (imphash)

OUTPUT FORMATS
--------------
✓ Formatted text report
✓ ListView grid (with color coding by category)
✓ Collection of CDiffEntry objects for custom processing
✓ CSV export (via CLI module)
✓ Filterable by category

MALWARE ANALYSIS WORKFLOWS
--------------------------
✓ Compare packed vs unpacked samples
✓ Track malware variants
✓ Verify unpacking results
✓ Monitor file modifications
✓ Analyze packer behavior
✓ Compare memory dumps vs disk files
✓ Batch compare sample sets

INTEGRATION
-----------
Works seamlessly with your existing tools:
✓ PDFStreamDumper PE analyzer
✓ IDA Pro automation
✓ x64dbg plugins
✓ scdbg workflows
✓ VB Decompiler analysis

PERFORMANCE
-----------
- Sub-second comparison for typical executables
- Handles files up to 500MB
- Uses efficient dictionary lookups for imports/exports
- Imphash pre-filter for batch operations

EXAMPLE WORKFLOWS
-----------------

1. Quick Comparison:
   ComparePEFiles "file1.exe", "file2.exe"

2. Packer Analysis:
   Compare before/after unpacking
   Look for import additions, section changes, EntryPoint shifts

3. Batch Processing:
   Compare all variants in folder against baseline
   Generate summary reports

4. Monitoring:
   Load baseline, compare periodically
   Alert on EntryPoint, checksum, or critical field changes

5. Forensics:
   Document file state at different times
   Track modification timeline
   Generate evidence reports

For detailed documentation, see PE_DIFFER_GUIDE.txt
For usage examples, see modPEDifferExamples.bas
For CLI automation, see modPEDifferCLI.bas

ROGER'S NOTES
-------------
This differ is built to handle the real-world malware analysis scenarios I deal
with daily. It compares EVERYTHING that matters - not just the obvious stuff.

Key features for malware work:
- Catches subtle packer modifications
- Tracks import table manipulations  
- Identifies resource hiding techniques
- Monitors section characteristic changes
- Fast enough for batch variant analysis
- Integrates with my IDA/x64dbg workflows

Pro tip: Always check imphash first. If it matches, you know imports are
identical and can focus on other differences. If it differs, the import 
comparison will tell you exactly what changed.
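
The imphash-first check from the tip above, as an added Python example that is not part of the toolkit or its VB6 code. It assumes the import tables are already extracted as (dll, function) pairs and follows the common imphash convention (lowercase, module extension stripped, MD5 over the comma-joined list); the function names and sample imports are constructed for illustration.

```python
import hashlib

EXTS = (".dll", ".ocx", ".sys")  # module extensions dropped by the imphash convention

def imphash(imports):
    """MD5 over 'module.function' pairs, lowercased, in import-table order."""
    parts = []
    for dll, func in imports:
        mod = dll.lower()
        for ext in EXTS:
            if mod.endswith(ext):
                mod = mod[: -len(ext)]
                break
        parts.append(f"{mod}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()

def by_dll(imports):
    """Group function names by lowercased DLL name."""
    table = {}
    for dll, func in imports:
        table.setdefault(dll.lower(), set()).add(func)
    return table

def compare(old, new):
    """Return (hashes_match, {dll: (added, removed)})."""
    # Cheap pre-filter: equal hashes mean the per-DLL walk can be skipped.
    if imphash(old) == imphash(new):
        return True, {}
    a, b = by_dll(old), by_dll(new)
    changes = {}
    for dll in sorted(a.keys() | b.keys()):
        added = sorted(b.get(dll, set()) - a.get(dll, set()))
        removed = sorted(a.get(dll, set()) - b.get(dll, set()))
        if added or removed:
            changes[dll] = (added, removed)
    # imphash is order-sensitive: (False, {}) means the same functions per
    # DLL were imported, but the table was reordered or has duplicates.
    return False, changes

# Constructed sample data: a packed stub's imports and the unpacked file's.
PACKED = [("KERNEL32.dll", "LoadLibraryA"), ("KERNEL32.dll", "GetProcAddress")]
UNPACKED = PACKED + [("KERNEL32.dll", "VirtualAlloc"),
                     ("WININET.dll", "InternetOpenA"),
                     ("ADVAPI32.dll", "RegSetValueExA")]

if __name__ == "__main__":
    match, changes = compare(PACKED, UNPACKED)
    print("imphash match:", match)
    for dll, (added, removed) in changes.items():
        print(f"  {dll}: added={added} removed={removed}")
```

A result of `(False, {})` is worth its own flag in a report: the hash changed only because the import table was rebuilt in a different order, which is common after import reconstruction on an unpacked dump.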

Use the category filtering to zero in on what matters for your current analysis.
Packers? Focus on sections and optional header. Capability analysis? Focus on 
imports and exports. Resource packers? You know where to look.

Built for speed and accuracy. No fluff.

================================================================================
Roger's Malware Analysis Toolkit - Because analysis is about the details.
================================================================================
