Exetools (https://forum.exetools.com/index.php)
-   Community Tools (https://forum.exetools.com/forumdisplay.php?f=47)
-   -   PE Anatomist (https://forum.exetools.com/showthread.php?t=19393)

Jupiter 12-02-2019 00:24

PE Anatomist
PE Anatomist - PE files internals

PE Anatomist shows almost all known data structures inside a PE file and makes some analytics.

Author: RamMerLabs
Project Home: rammerlabs.alidml.ru


  • PE32
  • PE32+

  • Intel x86
  • AMD64
  • ARM7
  • ARM7 Thumb
  • ARM8-64
  • Intel IA64
  • CHPE (x86 on ARM8-64)

  • IMAGE_DOS_HEADER (partially), IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER, IMAGE_OPTIONAL_HEADER64 with additional information about some fields
  • Table of COFF symbols
  • Sections table, supporting long section names (via symbols table) and entropy calculating
  • Import table (supports MS-styled names demangling)
  • Bound Import Table
  • Delayed Import Table
  • Export Table with additional info
  • Resource Table with additional info about different resource types and detailed view for all types
  • Base Relocation Table. Target address determination and interpretation are available for all supported architectures. It detects imports, delayed imports, exports, tables from the loadconfig directory, ANSI and UNICODE strings.
  • Brief info about PE Authenticode Signature
  • LoadConfig Directory with SEH, GFID, GIAT, Guard LongJumps, CHPE Metadata, Dynamic Value Reloc Table, Enclave Configuration, Volatile Metadata tables parsing and additional information about some fields
  • Debug Directory. It parses contents of CODEVIEW, POGO, VC FEATURE, REPRO, FPO, EXDLL CHARACTERISTICS, SPGO debug types
  • TLS config and callbacks table with additional information about some fields
  • Exceptions Data Table. x64 (including version 2 with EPILOG unwind codes), arm, arm64 and ia64 architectures are supported, as well as chains of unwind data for x64, language-specific handler data (C Scope, C++ FuncInfo, C++ EH4, C++ DWARF LSDA) and a hexadecimal view of unwind data
  • Partial .NET directory parsing: IMAGE_COR20_HEADER, CORCOMPILE_HEADER, READYTORUN_HEADER with additional information about some fields
  • Decode Rich signature indicating the tool used, the action being taken, the full version of the tool, and the version of VisualStudio to which the tool belongs
  • IAT table contents


0.2.5 (2021-08-25):
  • ListView context menu revision and keyboard accessibility improvements
  • Added support for Cxx20Modules in MSVC ILStore parser (CxxIL)
  • Added settings for the number of remembered recent files and the formatting of text copied to the clipboard
  • Updated some ARM64EC related structures from WDK 22000
  • Significantly speeded up the construction of the ExceptionsData table in OBJ files
  • Fixed several bugs

Version (2019-11-23):
  • Fixed parsing of import table modified by some packers
  • Added forced cleaning of recent files list
  • Added reaction to the ENTER key in FLC text fields
  • New settings:
    - set main window always on top;
    - contrast selection of alternating lists background;
    - number of bytes displayed in the HEX form in the description in the Base Relocations table;
    - restore last opened tab;
    - pasting the list header into the data copied to the clipboard;
    - use the ESC key to exit the program
  • Display of minor instrument version in RICH signature for VS2017 and higher fixed
  • Fixed incorrect behavior when resizing the main window
  • Deleting file associations fixed
  • FLC editboxes are cleared after loading a new file
  • Fixed the error in displaying the section table if some header fields were nullified
  • Added section naming by number if their name is not specified in the header or does not contain printable characters
  • The mechanism for working with sections and calculating the correspondence of RVA to raw offset has been completely redone
  • Several FLC bugs fixed

Version (2019-11-09):
  • IMAGE_DIRECTORY_ENTRY_IAT table parsing available
  • Symbols description added in Dynamic Value Relocations table
  • Data description added in Volatile Metadata table for x86
  • Minor optimizations of the code preparing new GUI
  • FuncInfo4 (ExceptionsData table) parsing error fixed; it appeared when the data layout was optimized
  • FuncInfo4 (ExceptionsData table) with separated code segments parsing error fixed
  • RVA of instructions for appropriate unwind codes added in table for x64

Version (2019-10-31):
  • ExceptionsData table LSDA headers parsing improved
  • LSDA headers parsing implemented for C Builder 10.2 and newer
  • Commandline keys are not required to open a file
  • Minor error in filename processing fixed
  • Recent files menu available now
  • The program settings file layout modified
  • Any size overlays supported
  • GUI handling optimized
  • Hide unused tabs
  • HighDPI support

Version (2019-10-19):
  • x64 ExceptionsData Table parsing bug fixed

Version (2019-10-18):
  • Taskbar file icon display fixed
  • Crash on unsupported files fixed
  • Files load errors display added
  • Internal data size optimization
  • ExceptionsData Table parsing speed optimization

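Added example (not code from the thread or from PE Anatomist) of three items in the feature list and changelog above: parsing IMAGE_SECTION_HEADER entries with numbered names for headers whose name is empty or non-printable, mapping an RVA to a raw file offset while treating the zero-filled tail beyond SizeOfRawData as unmapped, and computing per-section Shannon entropy. The image in build_sample is constructed: only a section table and section data, no DOS/NT headers.

```python
import math
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PtrToRelocs, PtrToLinenums, NumRelocs, NumLinenums, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")


def parse_sections(image, table_offset, count):
    """Read `count` section headers; empty or non-printable names become '#n' (1-based)."""
    sections = []
    for i in range(count):
        f = SECTION_HDR.unpack_from(image, table_offset + i * SECTION_HDR.size)
        raw = f[0].rstrip(b"\0")
        printable = bool(raw) and all(0x20 < b < 0x7F for b in raw)
        sections.append({"name": raw.decode("ascii") if printable else "#%d" % (i + 1),
                         "vsize": f[1], "va": f[2], "rsize": f[3], "rptr": f[4],
                         "flags": f[9]})
    return sections


def rva_to_raw(sections, rva):
    """Map an RVA to a file offset; None when it lies in zero-filled or unmapped space."""
    for s in sections:
        span = s["vsize"] or s["rsize"]      # VirtualSize 0: loader falls back to raw size
        if s["va"] <= rva < s["va"] + span:
            delta = rva - s["va"]
            # bytes past SizeOfRawData exist only in memory (zero-filled by the loader)
            return s["rptr"] + delta if delta < s["rsize"] else None
    return None


def entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def section_bytes(image, s):
    return image[s["rptr"]:s["rptr"] + s["rsize"]]


def build_sample():
    """Constructed image: two headers at offset 0, raw data at 0x200 and 0x400, no PE headers."""
    text = SECTION_HDR.pack(b".text", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    junk = SECTION_HDR.pack(b"\x01\x02\x03", 0x100, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    img = bytearray(0x600)
    img[0:2 * SECTION_HDR.size] = text + junk
    img[0x200:0x400] = bytes([0x90, 0xC3] * 0x100)   # two-symbol pattern: entropy exactly 1.0
    x = 12345
    for i in range(0x400, 0x600):                      # LCG noise standing in for packed data
        x = (1103515245 * x + 12345) & 0xFFFFFFFF
        img[i] = (x >> 16) & 0xFF
    return bytes(img)
```

A high-entropy section with a non-printable name is the pattern a packed or obfuscated image shows in the section table; an RVA that maps to None is one the loader would satisfy with zeros, not file content.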

evlncrn8 12-02-2019 03:00

still wondering why nobody has made a pe util and called it pedofile... ;p

leewm 12-26-2019 08:37

Version: Update at 2019-12-20
PE Anatomist.v.0.1.8.zip

What's new?

Added description for COFF Groups in the debug information table
Updating the interface of the main window using a tree view of the available information
Added parsing IAT table in CHPE for emulated architecture
Added construction of a CFG bitmap and its display in a HEX form
Added parsing of some specific tables for applications created in Visual Basic 5/6
Added file upload log displaying warnings about non-compliance with the PE format (the list of checks will expand)
Implemented multiple selection of rows in lists

bigboss-62 01-01-2020 23:02

Version: Update at 2019-12-27
PE Anatomist.v.0.1.9.zip

What's new?

Optimize some internal data formats
Fixed the way settings are saved; the mechanism now uses the following rules:
- if there are no settings files in the program directory and in %appdata%, then the settings file will be created in the program directory;
- if the program directory doesn't contain the settings file and the directory is not writable, then %appdata% will be used for storing the settings;
- if there is a valid settings file in the program directory, then this is the only way to read the settings, and the settings also will store here, if the file is writable;
- if the settings file is already in %appdata%, then it is always used to read/write settings.
Directories hidden by decreasing "Number Of RVA And Sizes" values are grayed out if available

RamMerLabs 02-05-2020 23:15

I am the developer of PEAnatomist and I'm glad to see my modest tool here.
I will be grateful for any criticism, ideas or suggestions.

Moreover, there is a new version 0.1.11 (2020-01-30): PEAnatomist-0.1.11.zip

Version (2020-01-10)
+Added mapping of redirects to another UNWIND_INFO between managed / unmanaged code in the ExceptionsData table for x64
+Added parsing of tables and metadata of dotNET

Version (2020-01-30)
#Fixed bug when parsing the old version of the delay import table
#Small optimization of a number-to-string converter
+Added parsing of Native Import Sections table (ReadyToRun, NGEN)
+Added parsing of the MethodDef EntryPoints table (ReadyToRun)
#Minor optimization of settings storage structure
#Slight list sorting optimization
#Fixed copying large lists to the clipboard (more than 100,000 lines)
#Fixed loading error after drag-n-drop shortcut of the investigated file to the program file
+Updated program settings dialog
+Added some new settings
#FLC optimization
#The mechanism for parsing .NET metadata tables has been redesigned for quick access to any fields, rows, tables
+Added description of .NET metadata token in some tables

Unfortunately, an error was detected after the release: if integration into the shell context menu was performed on this version, then opening a file through the context menu fails. The cause is a missing quotation mark in the command line parameter.
Upcoming update will fix this.

Abaddon 02-11-2020 00:19

Hi RamMerLabs,
It is a nice PE dumper at the moment.
I like how you handle things like RICH signature (not sure if someone documented it, or it is a product of your own research? Anw, good job) and certificates.

Lots can be done towards improving it, though I'm not sure if it's your purpose to go in this direction:

Make it a PE Editor, rather than a dumper (make fields editable).
Add an embedded hexeditor window, to show things like contents of buffers (or certificates).
etc, etc.

Anw, it's a nice project that at least adds something new (to the tools I was accustomed to). Good job.

RamMerLabs 02-11-2020 01:21

Hi Abaddon!
First, thanks for the feedback, it encourages the further development of the project!

>>not sure if someone documented it, or it is product of your own research?
There is no official documentation, but there are several articles about the content of the signature itself. I just added to and refined the list of tools a bit and linked it to the VS versions (and particular builds), but yes, I had to do some research on a fairly large number of files.
As for the certificates page, it will be totally redone in one of the next versions. For now it uses the crypt32.dll API and lacks flexibility, so I decided to use my own ASN.1 decoder.

>>Lots can be done towards improving it
Exactly! I have a "to do" list consisting of hundreds of ideas. But time is running out, as always. As you can see, the program is written in MASM and it takes a little more time to develop, but brings much more pleasure :)

>>Make it a PE Editor
Oh, I want it myself, but for now this is too big a task.
>>Add an embedded hexeditor window
Hexview (not a hexeditor) is already in the process of implementation, but not ready for public presentation yet. I hope the 0.2.0 version will show a lot of the program's GUI transformations and new features.

>>that at least adds something new
Actually, this is the main purpose of publishing this tool. I am very glad that it became useful.
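
Added example (not part of this thread or of PE Anatomist's own code) of the Rich signature decoding discussed above: it finds the "Rich" marker, reads the XOR key that follows it, walks back to "DanS", lists the (product id, build, count) entries, and recomputes the checksum that produces the key, so a mismatch flags a hand-edited or forged header. The DOS header bytes and the entries in build_sample are constructed values, not taken from a real compiler.

```python
import struct

DANS = 0x536E6144        # "DanS" read as a little-endian DWORD
RICH = b"Rich"


def rol32(value, count):
    """Rotate a 32-bit value left by count bits (count taken mod 32)."""
    count &= 31
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_checksum(image, dans_offset, entries):
    """Recompute the XOR key: DOS header bytes (e_lfanew skipped) plus the entries."""
    csum = dans_offset
    for i in range(dans_offset):
        if 0x3C <= i < 0x40:                   # e_lfanew is excluded from the sum
            continue
        csum += rol32(image[i], i)
    for prod_id, build, count in entries:
        csum += rol32((prod_id << 16) | build, count)
    return csum & 0xFFFFFFFF


def decode_rich(image):
    """Locate and decrypt the Rich block; None if absent. Entries are (prod_id, build, count)."""
    rich_at = image.find(RICH)
    if rich_at < 0 or rich_at + 8 > len(image):
        return None
    key = struct.unpack_from("<I", image, rich_at + 4)[0]
    pos = rich_at - 4                           # walk back DWORD by DWORD to "DanS"
    while pos >= 0 and (struct.unpack_from("<I", image, pos)[0] ^ key) != DANS:
        pos -= 4
    if pos < 0:
        return None
    entries = []
    for p in range(pos + 16, rich_at, 8):       # skip "DanS" and three padding DWORDs
        comp, count = (w ^ key for w in struct.unpack_from("<II", image, p))
        entries.append((comp >> 16, comp & 0xFFFF, count))
    return {"key": key, "offset": pos, "entries": entries,
            "checksum_ok": rich_checksum(image, pos, entries) == key}


def build_sample(entries, tamper=False):
    """Constructed image: a 64-byte DOS header followed by a synthetic Rich block."""
    dos = b"MZ" + b"\x90" * 58 + struct.pack("<I", 0xF0)   # e_lfanew at 0x3C
    key = rich_checksum(dos, len(dos), entries)
    words = [DANS ^ key, key, key, key]                      # "DanS" + 3 zero DWORDs, encrypted
    for prod_id, build, count in entries:
        words += [((prod_id << 16) | build) ^ key, count ^ key]
    if tamper:
        words[-1] ^= 1          # flip one bit of the last count: the key no longer verifies
    return dos + struct.pack("<%dI" % len(words), *words) + RICH + struct.pack("<I", key)
```

Mapping product ids to tool names and Visual Studio builds is the lookup table the author describes researching above; it is deliberately not reproduced here.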

Abaddon 02-13-2020 01:54


The more I play with it, the more I realize the amount of research (either original, or just collecting information on a specific PE feature) this project entails. Just to name some of the most impressive features: decoding of language specific exception handler data, .NET directory info, VB5 & VB6 specific data decoding etc. (Not sure where you decided to stop dealing with the VB or .Net specific data, since you could actually build a full fledged decompiler when you go in sufficient depth.) Thanks for the work put into this project.

One thing I would advise against, though (sorry for being a bit intrusive here), is your language of choice for the development of the application; an application that relies heavily on GUI would benefit greatly from being developed in a RAD-oriented language (I'm pointing towards some of the .net applications here). I do understand the urge to develop something in ASM, due to seeing it as a challenge to master, or being a purist (been through that stage), but in my experience, projects tend to quickly become difficult to manage in ASM. However it is your project, and you should develop it as you see fit.

Again thanks for releasing it, and i do hope to see more of it. :cool:

RamMerLabs 02-13-2020 04:40

>>decoding of language specific exception handler data
Well, this feature still impresses me myself :) Its source code is the largest file in the entire project. But some details are not displayed yet; I just could not find a place for them in the GUI. For example, decoding MS Cpp FuncInfo or the latest MS Cpp EH4 format still does not show the header itself and some of its important fields, and DWARF support is very limited. But the work will continue. In addition, new formats of language specific data will be added soon.

I agree, each task requires suitable tools. But I chose MASM consciously, because first of all this project is designed to satisfy my curiosity and an assembly language only contributes to this. After all, the GUI is separate from the logic and rewriting the GUI in another language is generally not a big problem. But I definitely would not want to mess with interpreted languages.

The new version is planned in a couple of days, but most of the changes in it are aimed at fixing bugs and preparing for the upcoming big changes. So stay tuned, and thank you too especially for making me practice English. :) I really hope that this practice of mine does not make you suffer while reading.

RamMerLabs 02-14-2020 03:55

Version (2020-02-13)

Change Log:
#A context menu integration bug fixed
#The behavior of the program when loading a new file with open resource properties window is fixed
#Fixed error displaying descriptions of some characters in the Dyn.Value Relocations table
#Fixed error parsing ExceptionsData table for ARM Thumb: incorrect information about stored registers in compressed form of UnwindInfo
+Natural sorting added for several more lists
#Fixed error populating the Catch Handlers list for UnwindInfo.EHData.CPP_EH4
#Fixed a bug leading to the slow execution of the "Select All" operation on large lists
+Some lists with a large number of elements are switched to virtual mode
+Added navigation through the associated UNWIND_INFO elements of the ExceptionData list for x64

The ExceptionData list is in virtual mode now, as are several other lists. This significantly increased the list display speed for a large number of entries.

RamMerLabs 04-26-2020 00:47

Version 0.1.13 (2020-04-25):
[#] Fixed error sorting some lists with signed long integers
[#] Fixed error displaying the table ExceptionsData in the presence of incorrect data
[#] Fixed error displaying the name of the section in the RVA description in some cases
[+] Added new description lines for section groups on the POGO page in IMAGE_DEBUG_DIRECTORY
[#] Optimization and refactoring of a significant part of the code
[+] Added new fields to LOAD_CONFIG_DIRECTORY from SDK 19041 - GuardEHContinuations, and undocumented ones - eXtended CFG (xFG)
[+] Added GuardEHContinuations list page
[+] Added new feature flags in the GFID list
[#] Fixed bug with incorrect line ending when copying to clipboard
[#] Fixed error parsing the table of COFF symbols if an incorrect address is specified
[-] The icon of the main program window no longer changes to the icon of the file being processed
[+] Added support for OBJ file and LIB file formats
[+] Added support for non-COFF OBJ files
[+] Added parsing a symbol table for OBJ files
[+] Added page for summary information about import library entries in LIB files
[+] Added parsing of table of sections and relocations of OBJ files
[+] The number of file extensions for integration into the Explorer context menu has been increased
[#] Fixed bug with integration into the shell context menu if the file extension was not previously registered in the system


RamMerLabs 04-28-2020 20:36

Version 0.1.14 (2020-04-28):
[#] Fixed a bug that caused the program to crash when viewing the file header of PE files built by Borland Delphi (0.1.13 regression)
[#] Minor optimization of internal data structures
[+] Added the ability to extract members from LIB files
[+] Added file close menu


RamMerLabs 05-31-2020 06:20

Version 0.1.15 (2020-05-30):
[#] Fixed the error in determining the minor version of VS 2017-2019 when decoding the Rich signature (regression 0.1.13 and 0.1.14)
[#] Fixed decoding of RT_STRING resources in the presence of incorrect data
[+] Added tab with detailed description of PE resource headers
[#] Resource tab redone to list without grouping by resource type
[#] Fixed sorting of the list of resources
[#] The procedure for parsing the resource directory has been changed, new criteria for data correctness have been added
[#] Fixed processing of the settings file during the first launch of the program
[#] Corrected the behavior of the COFF character parser in the presence of incorrect info about long symbol names
[#] Fixed the bug of constructing the context menu for listview in virtual mode
[#] Fixed saving the selected file type filter in the "Open file" dialog
[#] Fixed incorrect recognition of UTF16 lines in rare cases
[+] Added page of detected ANSI and UTF16 lines in PE file
[+] Added CodeView Debug Info parsing for OBJ files
[+] Added CodeView Debug Symbols parsing for OBJ files
[+] Added parsing of CodeView Types for OBJ files
[+] Added parsing of new CodeView Debug Symbol records up to S_REGREL32_INDIR_ENCTMP inclusive
[+] Added parsing of new CodeView Type leafs up to and including LF_INTERFACE2
[+] Added parsing of type information in OBJ files compiled by MSVC with the /GL flag or others in MS ILStore format

CodeView decoding is only available for OBJ files so far; PDB support will probably come in the next version. Symbols and types are processed, and the rest of the data will come with the PDB. New records of symbols and types are available up to the latest from VS16.6 (S_REGREL32_INDIR_ENCTMP - 0x117B and LF_INTERFACE2 - 0x160B, respectively). For the selected records, a description of all the structure fields of these records is available, but so far some records look clumsy enough (LF_FIELDLIST). I hope that soon I will make a more human-readable description, possibly including decoding into C or MASM syntax.

Types from OBJ files compiled by MSVC with the /GL flag are decoded too (i.e. the result of the frontend of the compiler in the form of CIL (C Immediate Language, not Common IL from dotnet!), formatted in ILStore format).

I also want to ask for help with information about ILStore format itself. I have already interpreted some structures, but this is a drop in the ocean. Perhaps there is something to read about this format (C Immediate Language, ILStore)? Thanks!


RamMerLabs 05-31-2020 17:06

>>C Immediate Language
I made a mistake in the text, there really should be a "C Intermediate Language", sorry.

RamMerLabs 06-27-2020 02:13

Version 0.1.16 (2020-06-26):
[#] Slight optimization
[#] Fixed an error in determining register names in the CodeView symbols description in very rare cases
[+] Added the ability to copy entire columns to the clipboard with multiple row selection
[+] Added display settings for the FLC panel and status panel
[#] The error of scaling the size of the statusbar cells is fixed
[+] Splitter controls have been added in most tabs
[+] Added host resolving for ApiSet libraries in import tables
[+] Added selection of an external DLL for determining the ApiSet host in the program settings
[+] A partial search has been added to the ExceptionsData table (experimental function)

