Exetools

Exetools (https://forum.exetools.com/index.php)
-   Community Tools (https://forum.exetools.com/forumdisplay.php?f=47)
-   -   PE Anatomist (https://forum.exetools.com/showthread.php?t=19393)

Jupiter 12-02-2019 00:24

PE Anatomist
 
PE Anatomist - PE files internals

PE Anatomist shows almost all known data structures inside a PE file and makes some analytics.

Author: RamMerLabs
Project Home: rammerlabs.alidml.ru

Overview

FILE FORMATS
  • PE32
  • PE32+

PE IMAGE ARCHITECTURES
  • Intel x86
  • AMD64
  • ARM7
  • ARM7 Thumb
  • ARM8-64
  • Intel IA64
  • CHPE (x86 on ARM8-64)

HEADERS AND DATA STRUCTURES PARSING
  • IMAGE_DOS_HEADER (partially), IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER, IMAGE_OPTIONAL_HEADER64 with additional information about some fields
  • Table of COFF symbols
  • Sections table, supporting long section names (via symbols table) and entropy calculation
  • Import table (supports MS-styled names demangling)
  • Bound Import Table
  • Delayed Import Table
  • Export Table with additional info
  • Resource Table with additional info about different resource types and detailed view for all types
  • Base Relocation Table. Target address determining and interpretation available for all supported architectures. It detects imports, delayed imports, exports, tables from loadconfig directory, ANSI and UNICODE strings.
  • Brief info about PE Authenticode Signature
  • LoadConfig Directory with SEH, GFID, GIAT, Guard LongJumps, CHPE Metadata, Dynamic Value Reloc Table, Enclave Configuration, Volatile Metadata tables parsing and additional information about some fields
  • Debug Directory. It parses contents of CODEVIEW, POGO, VC FEATURE, REPRO, FPO, EXDLL CHARACTERISTICS, SPGO debug types
  • TLS config and callbacks table with additional information about some fields
  • Exceptions Data Table. x64 (including version 2 with EPILOG unwind codes), arm, arm64, ia64 architectures are supported, as well as chains of unwind data for x64, language-specific handler data (C Scope, C++ FuncInfo, C++ EH4, C++ DWARF LSDA) and a hexadecimal view of unwind data
  • Partial .NET directory parsing: IMAGE_COR20_HEADER, CORCOMPILE_HEADER, READYTORUN_HEADER with additional information about some fields
  • Decode Rich signature indicating the tool used, the action being taken, the full version of the tool, and the version of VisualStudio to which the tool belongs
  • IAT table contents

History

0.2.5 (2021-08-25):
  • ListView context menu revision and keyboard accessibility improvements
  • Added support for Cxx20Modules in MSVC ILStore parser (CxxIL)
  • Added settings for the number of remembered recent files and the formatting of text copied to the clipboard
  • Updated some ARM64EC related structures from WDK 22000
  • Significantly sped up the construction of the ExceptionsData table in OBJ files
  • Fixed several bugs
  • DOWNLOAD


0.1.6.260 (2019-11-23)
  • Fixed parsing of import table modified by some packers
  • Added forced cleaning of recent files list
  • Added reaction to the ENTER key in FLC text fields
  • New settings:
    - set main window always on top;
    - contrast selection of alternating lists background;
    - number of bytes displayed in the HEX form in the description in the Base Relocations table;
    - restore last opened tab;
    - pasting the list header into the data copied to the clipboard;
    - use the ESC key to exit the program
  • Display of minor instrument version in RICH signature for VS2017 and higher fixed
  • Fixed incorrect behavior when resizing the main window
  • Deleting file associations fixed
  • FLC editboxes are cleared after loading a new file
  • Fixed the error in displaying the section table if some header fields were nullified
  • Added section naming by number if their name is not specified in the header or does not contain printable characters
  • The mechanism for working with sections and calculating the correspondence of RVA to raw offset has been completely redone
  • Several FLC bugs fixed

0.1.5.46 (2019-11-09)
  • IMAGE_DIRECTORY_ENTRY_IAT table parsing available
  • Symbols description added in Dynamic Value Relocations table
  • Data description added in Volatile Metadata table for x86
  • Minor optimizations of the code preparing the new GUI
  • FuncInfo4 (ExceptionsData table) parsing error fixed, which appeared when the data layout had been optimized
  • FuncInfo4 (ExceptionsData table) parsing error with separated code segments fixed
  • RVA of instructions for appropriate unwind codes added in table for x64

0.1.4.192 (2019-10-31)
  • ExceptionsData table LSDA headers parsing improved
  • LSDA headers parsing implemented for C Builder 10.2 and newer
  • Commandline keys are not required to open a file
  • Minor error in filename processing fixed
  • Recent files menu available now
  • The program settings file layout modified
  • Overlays of any size supported
  • GUI handling optimized
  • Hide unused tabs
  • HighDPI support

0.1.3.2 (2019-10-19)
  • x64 ExceptionsData Table parsing bug fixed

0.1.2.57 (2019-10-18)
  • Taskbar file icon display fixed
  • Crash on unsupported files fixed
  • Files load errors display added
  • Internal data size optimization
  • ExceptionsData Table parsing speed optimization

Download
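The Rich signature decoding listed above (tool ID, build number and use count per entry, with the VS version looked up from those) rests on a small, undocumented format in the DOS stub: a masked 'DanS' block, XOR-masked (CompID, Count) pairs, then a clear 'Rich' marker followed by the XOR key, which is also the checksum over the stub and the entries. The following Python is an added example written for this thread; it is not PE Anatomist's code and the sample DOS stub and the three (ProdId, Build, Count) entries are constructed values, not real tool IDs. It decodes the entries and recomputes the checksum, which is the check a practitioner wants, since a key that no longer matches means the stub or the entries were edited after linking.

```python
"""Rich header decode + checksum check (added example, not PE Anatomist code)."""
import struct

DANS = 0x536E6144   # 'DanS' marker, stored XORed with the key
RICH = 0x68636952   # 'Rich' marker, stored in the clear, followed by the key


def rol32(value: int, count: int) -> int:
    count &= 31
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_checksum(image: bytes, dans_offset: int, entries) -> int:
    """Checksum (== XOR key) as the MS linker computes it: start with the DanS
    offset, add every DOS-stub byte before DanS rotated by its position (the
    e_lfanew field at 0x3C is treated as zero), then add each
    (ProdId<<16 | Build) rotated by its use count."""
    c = dans_offset
    for i in range(dans_offset):
        if 0x3C <= i < 0x40:
            continue
        c = (c + rol32(image[i], i)) & 0xFFFFFFFF
    for prod_id, build, count in entries:
        c = (c + rol32((prod_id << 16) | build, count)) & 0xFFFFFFFF
    return c


def build_rich_header(dos_stub: bytes, entries) -> bytes:
    """Append a Rich header (DanS block, entries, 'Rich', key) to a DOS stub."""
    key = rich_checksum(dos_stub, len(dos_stub), entries)
    out = bytearray(dos_stub)
    out += struct.pack('<4I', DANS ^ key, key, key, key)   # DanS + three masked zero dwords
    for prod_id, build, count in entries:
        out += struct.pack('<II', ((prod_id << 16) | build) ^ key, count ^ key)
    out += struct.pack('<II', RICH, key)
    return bytes(out)


def parse_rich_header(image: bytes):
    """Return (entries, key, checksum_ok) or None when no Rich header exists.
    entries are (prod_id, build, count) tuples in file order."""
    e_lfanew = struct.unpack_from('<I', image, 0x3C)[0]
    rich_pos = image.rfind(b'Rich', 0, min(e_lfanew, len(image)))
    if rich_pos < 0 or rich_pos + 8 > len(image):
        return None
    key = struct.unpack_from('<I', image, rich_pos + 4)[0]
    # Walk back in 8-byte steps until the masked DanS marker appears.
    pos = rich_pos - 8
    while pos >= 0:
        if struct.unpack_from('<I', image, pos)[0] ^ key == DANS:
            break
        pos -= 8
    else:
        return None
    entries = []
    for off in range(pos + 16, rich_pos, 8):
        comp, count = struct.unpack_from('<II', image, off)
        comp ^= key
        entries.append((comp >> 16, comp & 0xFFFF, count ^ key))
    # Key != recomputed checksum: stub or entries were modified after linking,
    # or the whole header was faked.
    return entries, key, rich_checksum(image, pos, entries) == key


# Constructed sample: a zeroed 0x80-byte DOS stub with 'MZ' and three made-up
# (ProdId, Build, Count) entries; the values are illustrative, not real tool IDs.
SAMPLE_ENTRIES = [(0x0001, 0x0000, 0x5D), (0x0104, 0x5D6E, 0x12), (0x0102, 0x5D6E, 0x01)]


def make_sample() -> bytes:
    stub = bytearray(0x80)
    stub[:2] = b'MZ'
    img = bytearray(build_rich_header(bytes(stub), SAMPLE_ENTRIES))
    struct.pack_into('<I', img, 0x3C, len(img))   # e_lfanew -> fake PE signature below
    img += b'PE\0\0'
    return bytes(img)


if __name__ == '__main__':
    entries, key, ok = parse_rich_header(make_sample())
    for prod_id, build, count in entries:
        print(f'ProdId {prod_id:#06x}  Build {build:5d}  Count {count:4d}')
    print(f'key {key:#010x}  checksum_ok {ok}')
```

The search for 'Rich' is bounded by e_lfanew so that a string in a later section cannot be mistaken for the marker, and e_lfanew itself is skipped in the checksum, which is why patching it (as the sample does) does not invalidate the signature. Mapping ProdId values to tool names and VS builds is a lookup table that the tool maintains from its own research and is deliberately left out here.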

evlncrn8 12-02-2019 03:00

still wondering why nobody has made a pe util and called it pedofile... ;p

leewm 12-26-2019 08:37

Version: 0.1.8.234 Update at 2019-12-20
Download:
PE Anatomist.v.0.1.8.zip

What's new?

Added description for COFF Groups in the debug information table
Updating the interface of the main window using a tree view of the available information
New header information pages added: DOS_HEADER, FILE_HEADER, OPTIONAL_HEADER, CHPE_HEADER, VOLATILE_METADATA_HEADER
Added parsing IAT table in CHPE for emulated architecture
Added construction of a CFG bitmap and its display in a HEX form
Added parsing of some specific tables for applications created in Visual Basic 5/6
Added file upload log displaying warnings about non-compliance with the PE format (the list of checks will expand)
Implemented multiple selection of rows in lists

bigboss-62 01-01-2020 23:02

Version: 0.1.9.64 Update at 2019-12-27
Download:
PE Anatomist.v.0.1.9.zip

What's new?

Optimize some internal data formats
Fixed way to save settings, now the mechanism uses next rules:
- if there are no settings files in the program directory and in %appdata%, then the settings file will be created in the program directory;
- if the program directory doesn't contain the settings file and the directory is not writable, then %appdata% will be used for storing the settings;
- if there is a valid settings file in the program directory, then this is the only way to read the settings, and the settings also will store here, if the file is writable;
- if the settings file is already in %appdata%, then it is always used to read/write settings.
Directories hidden by decreasing "Number Of RVA And Sizes" values are grayed out if available

RamMerLabs 02-05-2020 23:15

Hi!
I am the developer of PEAnatomist and I'm glad to see my modest tool here.
I will be grateful for any criticism, ideas or suggestions.

Moreover, there is a new version 0.1.11 (2020-01-30): PEAnatomist-0.1.11.zip

Changes:
Version 0.1.10.97 (2020-01-10)
+Added mapping of redirects to another UNWIND_INFO between managed / unmanaged code in the ExceptionsData table for x64
+Added parsing of tables and metadata of dotNET

Version 0.1.11.155 (2020-01-30)
#Fixed bug when parsing the old version of the delay import table
#Small optimization of a number-to-string converter
+Added parsing of Native Import Sections table (ReadyToRun, NGEN)
+Added parsing of the MethodDef EntryPoints table (ReadyToRun)
#Minor optimization of settings storage structure
#Slight list sorting optimization
#Fixed copying large lists to the clipboard (more than 100,000 lines)
#Fixed loading error after drag-n-drop shortcut of the investigated file to the program file
+Updated program settings dialog
+Added some new settings
#FLC optimization
#The mechanism for parsing .NET metadata tables has been redesigned for quick access to any fields, rows, tables
+Added description of .NET metadata token in some tables

Unfortunately, an error was detected after the release: if integration into the shell context menu was performed on this version, then opening a file through the context menu fails. The cause is a missing quotation mark in the command line parameter.
Upcoming update will fix this.

Abaddon 02-11-2020 00:19

Hi RamMerLabs,
It is a nice PE dumper at the moment.
I like how you handle things like RICH signature (not sure if someone documented it, or it is product of your own research? Anw, good job) and certificates.

Lots can be done towards improving it, though i'm not sure if it's your purpose to go towards this direction:

Make it a PE Editor, rather than a dumper (make fields editable).
Add an embedded hexeditor window, to show things like contents of buffers (or certificates).
etc, etc.

Anw, its a nice project, that at least adds something new (to the tools i was accustomed to). Good job.

RamMerLabs 02-11-2020 01:21

Hi Abaddon!
First, thanks for the feedback, it encourages the further development of the project!

>>not sure if someone documented it, or it is product of your own research?
There is no official documentation, but there are several articles about the content of the signature itself. I just added and refined the list of tools a bit and made a link to the VS versions (and particular builds), but yes, I had to do some research on a fairly large number of files.
What about certificates page - it will be totally redone in one of the next versions. For now it uses crypt32.dll API and lacks flexibility, so I decided to use my own ASN.1 decoder.

>>Lots can be done towards improving it
Exactly! I have a "to do" list, which consists of hundreds of ideas. But time is running out as always. As you can see, the program is written in MASM and it takes a little more time to develop, but brings much more pleasure :)

>>Make it a PE Editor
Oh, I want it myself, but for now this is too big a task.
>>Add an embedded hexeditor window
Hexview (not a hexeditor) is already in the process of implementation, but not ready for public presentation yet. I hope, 0.2.0 version will show a lot of program's GUI transformations and new features.

>>that at least adds something new
Actually, this is the main purpose of publishing this tool. I am very glad that it became useful.

Abaddon 02-13-2020 01:54

RamMerLabs,

The more i play with it, the more i realize the amount of research (either original, or just collecting information on a specific PE feature) this project entails. Just to name some of the most impressive features, decoding of language specific exception handler data, .NET directory info, VB5 & VB6 specific data decoding etc (Not sure where you decided to stop dealing with the VB, or .Net specific data, since you could actually build a full fledged decompiler when you go in sufficient depth). Thanks for the work put into this project.

One thing i would advise against, though (sorry for being a bit intrusive here) is your language of choice for the development of the application; an application that relies heavily on a GUI would benefit greatly from being developed in a RAD-oriented language (i'm pointing towards some of the .net applications here). I do understand the urge to develop something in ASM, due to seeing it as a challenge to master, or being a purist (been through that stage), but in my experience, projects tend to quickly become difficult to manage in ASM. However it is your project, and you should develop it as you see fit.

Again thanks for releasing it, and i do hope to see more of it. :cool:

RamMerLabs 02-13-2020 04:40

Abaddon
>>decoding of language specific exception handler data
Well, this feature still impresses me myself :) Its source code is represented by the largest file from the entire project. But some details are not displayed yet - I just could not find a place for them in the GUI. For example, decoding MS Cpp FuncInfo or the latest MS Cpp EH4 format still does not show the header itself and some of its important fields, DWARF support is very limited. But the work will continue. In addition, new formats of language specific data will be added soon.

I agree, each task requires suitable tools. But I chose MASM consciously, because first of all this project is designed to satisfy my curiosity and an assembly language only contributes to this. After all, the GUI is separate from the logic and rewriting the GUI in another language is generally not a big problem. But I definitely would not want to mess with interpreted languages.

The new version is planned in a couple of days, but most of the changes in it are aimed at fixing bugs and preparing for the upcoming big changes. So stay tuned, and thank you too especially for making me practice English. :) I really hope that this practice of mine does not make you suffer while reading.

RamMerLabs 02-14-2020 03:55

Version 0.1.12.73 (2020-02-13)
PEAnatomist-0.1.12.zip

Change Log:
#A context menu integration bug fixed
#The behavior of the program when loading a new file with open resource properties window is fixed
#Fixed error displaying descriptions of some characters in the Dyn.Value Relocations table
#Fixed error parsing ExceptionsData table for ARM Thumb: incorrect information about stored registers in compressed form of UnwindInfo
+Natural sorting added for several more lists
#Fixed error populating the Catch Handlers list for UnwindInfo.EHData.CPP_EH4
#Fixed a bug leading to the slow execution of the "Select All" operation on large lists
+Some lists with a large number of elements are switched to virtual mode
+Added navigation through the associated UNWIND_INFO elements of the ExceptionData list for x64

ExceptionData list is in virtual mode now as well as several other lists. This significantly increased the list display speed for a large number of entries.

RamMerLabs 04-26-2020 00:47

Version 0.1.13 (2020-04-25):
[#] Fixed error sorting some lists with signed long integers
[#] Fixed error displaying the table ExceptionsData in the presence of incorrect data
[#] Fixed error displaying the name of the section in the RVA description in some cases
[+] Added new description lines for section groups on the POGO page in IMAGE_DEBUG_DIRECTORY
[#] Optimization and refactoring of a significant part of the code
[+] Added new fields to LOAD_CONFIG_DIRECTORY from SDK 19041 - GuardEHContinuations, and undocumented ones - eXtended CFG (xFG)
[+] Added GuardEHContinuations list page
[+] Added new feature flags in the GFID list
[#] Fixed bug with incorrect line ending when copying to clipboard
[#] Fixed error parsing the table of COFF symbols if an incorrect address is specified
[-] The icon of the main program window no longer changes to the icon of the file being processed
[#] Fixed IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT parsing
[+] Added support for OBJ file and LIB file formats
[+] Added support for non-COFF OBJ files
[+] Added parsing a symbol table for OBJ files
[+] Added page for summary information about import library entries in LIB files
[+] Added parsing of table of sections and relocations of OBJ files
[+] The number of file extensions for integration into the Explorer context menu has been increased
[#] Fixed bug with integration into the shell context menu if the file extension was not previously registered in the system


web # PEAnatomist 0.1.13

RamMerLabs 04-28-2020 20:36

Version 0.1.14 (2020-04-28):
[#] Fixed a bug that caused the program to crash when viewing the file header of PE files built by Borland Delphi (0.1.13 regression)
[#] Minor optimization of internal data structures
[+] Added the ability to extract members from LIB files
[+] Added file close menu


web # PEAnatomist 0.1.14

RamMerLabs 05-31-2020 06:20

Version 0.1.15 (2020-05-30):
[#] Fixed the error in determining the minor version of VS 2017-2019 when decoding the Rich signature (regression 0.1.13 and 0.1.14)
[#] Fixed decoding of RT_STRING resources in the presence of incorrect data
[+] Added tab with detailed description of PE resource headers
[#] Resource tab redone to list without grouping by resource type
[#] Fixed sorting of the list of resources
[#] The procedure for parsing the resource directory has been changed, new criteria for data correctness have been added
[#] Fixed processing of the settings file during the first launch of the program
[#] Corrected the behavior of the COFF character parser in the presence of incorrect info about long symbol names
[#] Fixed the bug of constructing the context menu for listview in virtual mode
[#] Fixed saving the selected file type filter in the "Open file" dialog
[#] Fixed incorrect recognition of UTF16 lines in rare cases
[+] Added page of detected ANSI and UTF16 lines in PE file
[+] Added CodeView Debug Info parsing for OBJ files
[+] Added CodeView Debug Symbols parsing for OBJ files
[+] Added parsing of CodeView Types for OBJ files
[+] Added parsing of new CodeView Debug Symbol records up to S_REGREL32_INDIR_ENCTMP inclusive
[+] Added parsing of new CodeView Type leafs up to and including LF_INTERFACE2
[+] Added parsing of type information in OBJ files compiled by MSVC with the /GL flag or others in MS ILStore format

CodeView decoding is only available for OBJ files so far; PDB support is probably on the way in the next version. Symbols and types are processed, the rest of the data will come with the PDB. New records of symbols and types are available up to the latest from VS16.6 (S_REGREL32_INDIR_ENCTMP - 0x117B and LF_INTERFACE2 - 0x160B, respectively). For the selected records, a description of all the structure fields of these records is available, but so far some records look clumsy enough (LF_FIELDLIST). I hope that soon I will make a more human-readable description, possibly including decoding into C or MASM syntax.

Types from OBJ files compiled by MSVC with the /GL flag are decoded too (i.e. the result of the frontend of the compiler in the form of CIL (C Immediate Language, not Common IL from dotnet!), formatted in ILStore format).

I also want to ask for help with information about ILStore format itself. I have already interpreted some structures, but this is a drop in the ocean. Perhaps there is something to read about this format (C Immediate Language, ILStore)? Thanks!

WEB
PEAnatomist-0.1.15

RamMerLabs 05-31-2020 17:06

>>C Immediate Language
I made a mistake in the text, there really should be a "C Intermediate Language", sorry.

RamMerLabs 06-27-2020 02:13

Version 0.1.16 (2020-06-26):
[#] Slight optimization
[#] Fixed an error in determining register names in the CodeView symbols description in very rare cases
[+] Added the ability to copy entire columns to the clipboard with multiple row selection
[+] Added display settings for the FLC panel and status panel
[#] The error of scaling the size of the statusbar cells is fixed
[+] Splitter controls have been added in most of tabs
[+] Added host resolving for ApiSet libraries in import tables
[+] Added selection of an external DLL for determining the ApiSet host in the program settings
[+] A partial search has been added to the ExceptionsData table (experimental function)

WEB # PEAnatomist-0.1.16

RamMerLabs 09-11-2020 03:36

Version 0.1.17 (2020-09-10):
[+] Added recognition of the target from a MSI shortcut
[#] Fixed a bug with displaying some dialogs from the resources
[+] Updated set of CET policy flags and LOAD_CONFIG_DIRECTORY structure from SDK 20201
[+] Added display of xFG-hash value in the GFID list
[+] Added descriptions of several section groups on the "POGO" page in IMAGE_DEBUG_DIRECTORY
[#] Accelerated display of found strings in PE files
[+] Added an optional restriction to start the only instance of the program
[+] Added a menu for launching a copy of the program with the currently open file
[+] Added the ability to open a file from the clipboard
[#] Fixed loss of a symbol in strings detection if a long string was split into several
[+] Added string detection settings: recognition threshold and ignoring of strings without a trailing zero
[+] Added a dialog for selecting a Section object and opening a mapped file
[+] Introduced a limitation of one instance of the resource properties dialog per entry
[#] Optimization and clean up of a part of the code for working with ListView


WEB # PEAnatomist 0.1.17

RamMerLabs 10-22-2020 04:46

Version 0.1.18 (2020-10-21):
[#] Fixed error displaying data from ~GUID in .NET metadata tables
[+] Added description of flags for entries in .NET metadata tables
[#] Fixed bug with positioning child windows on multi-monitor configurations
[+] Added creation of a minidump in case of an unhandled exception
[#] Updated @feat.00 flag description
[#] Changed description text for several IDs in Rich Signature
[#] Rewrote a part of the code to enumerate the 'Section' objects
[+] Added a column to the ExceptionsData X64 table to display the size of the stack allocation
[+] Added a request to start a new copy of the program when the restriction on starting the only instance of the program is enabled and running copy does not respond
[#] ExceptionsData X64 chain table format changed to more verbose
[#] Fixed error in determining the allocation size for UWOP_ALLOC_LARGE (1)
[+] Added a page for xFG hash values for OBJ files
[+] Added ExceptionsData x64, ARM64 and ARM for OBJ files
[#] Fixed a bug with working with sections in OBJ files in the presence of BSS with a certain set of parameters
[#] Fixed a bug with parsing unwind codes for ARM and ARM64 (in PE and OBJ files), which could appear on small files or in presence of a large number of epilogues in a function
[#] Cleaning up and slight optimization of the IA64 unwind codes parser
[+] Added a description of the section and an offset in it to the COFF symbol, which is referenced by the CodeView symbol in the corresponding forms of debug information
[+] Added options to search any value less or greater than the specified
[+] Added setting of the initial search position based on: the last found line, the selected line, or forced from the beginning of the list
[+] Added full-text search in all columns of the list (minimum query length - 2 characters, search is case insensitive only for ANSI characters)
[+] Added the ability to search in any list
[#] Fixed a bug with displaying the type name from TypeDef in the .NET metadata token description in rare cases (only the method name was displayed, without the type name)


WEB # PEAnatomist 0.1.18

mak 11-01-2020 00:45

@RamMerLabs

Could you make a plugin for x64dbg as a separate modification of your PEAnatomist program, that would be very convenient.

RamMerLabs 11-01-2020 05:28

@mak
Nice idea!
I am currently reworking most of the code and this is a good chance to provide the ability to run the application as a plugin. But so far only for x86. I will probably gradually rewrite some parts in C, then it will be possible to talk about x64.

RamMerLabs 01-04-2021 21:10

Release 0.2.0 (2021-01-04):
Minor optimization and cleaning of list sorting code
Background color of resource properties dialog and hexview changed to standard for the used control
Cleaning headers, unifying declared data types, dividing code into independent modules
Fix display error for the symbols CV_COMPILESYM and CV_COMPILESYM3
Update register names and CodeView symbols from VS 16.8 and 16.9Preview
Add display of the COFF symbol referenced by the CLR token in the COFF symbol table
Add display of CLR token in CodeView symbols
Fix error displaying RT_STRING resource as text in rare cases
Fix error in defining COFF-symbol of exception handler in x64 OBJ-files
The used data types from CoreCLR 5 have been updated
Fix a crash when displaying the contents of the metadata tables of some obfuscated or compressed .NET files
Change .NET metadata streams description - stream RVA is displayed now
Fix matching RVA to offset for some alignment and section parameter combinations in PE files compiled by MinGW
Fix displaying a DelayImport table with incorrect content (regression starting 0.1.8)
Fix matching RVA to offset in case of forced loading of PE without sections
Add .NET Vtable Fixups display
Fix a rare error with displaying the name of some Codeview types in the pivot table (an incorrect name could be displayed if in fact it was of zero length)
Add decoding of MSVC ILStore symbol table (.cil$gl) in OBJ files (x86, x64, ARMThumb, ARM64) for VS16.8
Change the appearance of the main window in the absence of a loaded file
Add description for selected symbol in the MSVC ILStore symbol table
Add correction of indexes in the MSVC ILStore table of types in case of using PCH
Add description of types by their index in all supported MSVC ILStore tables
Add description of MSVC ILStore symbols referenced by selected symbol from table .cil$gl
Add parsing of CHPE configuration header and DynamicDataRelocations table for hybrid x64-over-ARM64 images (arm64x) from InsiderPreview 21277
Add x64 ExceptionsData table for hybrid x64-over-ARM64 images (arm64x)
Add parsing of ARM64 unwind codes for SIMD registers
Fix detection of the ARM64 unwind chain
New view of the settings dialog, division of settings into new categories
Add formatting settings for text copied to the clipboard from program tables
Fix error reading CodeView C13 subsections in some cases (most often it appeared on CodeView created by early versions of tools from VS2002 and VS2003)
Add search settings: remembering the last query and saving the selected starting position of the search
Add search options for text: match only from the beginning of a string, inversion of search results (i.e. search for strings where the desired text is absent)
Fix error displaying the "Parent Offset" parameter in the CodeView symbols S_DEFRANGE_REGISTER_REL and S_DEFRANGE_REGISTER_REL_INDIR
Fix error of reading MSVC ILStore type table when there are nested tables
Add support for decoding MSVC ILStore symbol table for all public versions of VisualStudio (7-16.9Preview2)
Add the ability to select all found lines for text search
Prevent unclosed search dialog from being used after destroying its associated ListView
Configuration file format has been changed to text view


WEB (updated) # Direct link to PEAnatomist-0.2.0
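Two of the fixes above (RVA to offset matching for MinGW alignment combinations, and for PE files force-loaded without sections), together with the reworked RVA to raw offset mechanism from 0.1.6, concern one small piece of logic that every PE tool gets subtly wrong at some point. The Python below is an added example for this thread, not the project's code: it parses a constructed IMAGE_SECTION_HEADER table and maps RVAs to file offsets while distinguishing the cases a practitioner has to handle, namely header bytes, an RVA inside a section's aligned span but beyond its raw data (virtual-only bytes such as .bss), a VirtualSize of 0, a raw pointer past the end of the file, and the no-section case where the image is mapped flat. The section values, alignment and header size are constructed for the example; the numbering of nameless sections follows the convention the tool describes in its 0.1.6 notes.

```python
"""RVA -> file offset mapping over a PE section table (added example, not PE Anatomist code)."""
import struct
from typing import List, NamedTuple, Optional, Tuple

SECTION_HEADER_FMT = '<8sIIIIIIHHI'   # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)


class Section(NamedTuple):
    name: str
    virtual_size: int
    virtual_address: int
    size_of_raw_data: int
    pointer_to_raw_data: int


def parse_section_table(table: bytes, count: int) -> List[Section]:
    out = []
    for i in range(count):
        f = struct.unpack_from(SECTION_HEADER_FMT, table, i * SECTION_HEADER_SIZE)
        # Short names are NUL padded; an empty or unprintable name gets a number.
        raw = f[0].rstrip(b'\0')
        name = raw.decode('ascii') if raw and all(0x20 < b < 0x7F for b in raw) else f'#{i + 1}'
        out.append(Section(name, f[1], f[2], f[3], f[4]))
    return out


def align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) // alignment * alignment if alignment else value


def rva_to_offset(sections: List[Section], rva: int, *, section_alignment: int = 0x1000,
                  size_of_headers: int = 0x400, file_size: Optional[int] = None
                  ) -> Tuple[Optional[int], str]:
    """Map an RVA to a raw file offset. Returns (offset, where) or (None, reason)."""
    if not sections:
        # No section table: the loader maps the file flat, so RVA == file offset.
        return rva, 'no sections, flat mapping'
    if rva < size_of_headers:
        return rva, 'headers'
    for s in sections:
        # VirtualSize 0 falls back to the raw size; the mapped span of a section
        # is its virtual size rounded up to SectionAlignment.
        span = align_up(s.virtual_size or s.size_of_raw_data, section_alignment)
        if s.virtual_address <= rva < s.virtual_address + span:
            delta = rva - s.virtual_address
            if delta >= s.size_of_raw_data:
                return None, f'{s.name}: virtual-only bytes, nothing in the file'
            offset = s.pointer_to_raw_data + delta
            if file_size is not None and offset >= file_size:
                return None, f'{s.name}: PointerToRawData points past end of file'
            return offset, s.name
    return None, 'not covered by any section'


def _hdr(name: bytes, vsize: int, va: int, rawsize: int, rawptr: int) -> bytes:
    # Relocation/line-number fields and Characteristics are zero: unused here.
    return struct.pack(SECTION_HEADER_FMT, name.ljust(8, b'\0'), vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0)


# Constructed section table: .text whose raw data is smaller than its aligned span,
# .data with a .bss-like virtual-only tail, and a nameless section with VirtualSize 0.
SAMPLE_TABLE = (_hdr(b'.text', 0x1234, 0x1000, 0x1400, 0x400)
                + _hdr(b'.data', 0x2000, 0x3000, 0x200, 0x1800)
                + _hdr(b'', 0, 0x5000, 0x200, 0x1A00))
SAMPLE_SECTIONS = parse_section_table(SAMPLE_TABLE, 3)

if __name__ == '__main__':
    for rva in (0x10, 0x1010, 0x2500, 0x3100, 0x3300, 0x5010, 0x9000):
        print(f'RVA {rva:#07x} -> {rva_to_offset(SAMPLE_SECTIONS, rva, file_size=0x1C00)}')
```

Passing the real file size is what turns a plausible-looking offset into a caught error for truncated or deliberately malformed files; a lookup that returns a number without that check is the usual source of out-of-bounds reads in PE parsers.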

RamMerLabs 03-05-2021 03:58

Release 0.2.1 (2021-03-04):

110B.009: Significant improvement to the MSVC ILStore (CxxIL) symbols parser and increased compatibility with different VS versions
1111.027: Decoding of local symbols table (.cil$sy) of MSVC ILStore (CxxIL) format in OBJ files
1117.033: Displaying the line number of the beginning of the function in the source file in the description of symbols MSVC ILStore (CxxIL)
1117.034: Fixed display of source file names in MSVC ILStore (CxxIL) symbols descriptions for VS 2002 and 2003 versions (encoding is not UTF8)
1118.035: Fixed decoding of LF_POINTER in CodeView and MSVC ILStore (CxxIL) type tables if the described type is a pointer to a class member
1119.036: Changed the names of some keys in the configuration file for portability in future versions
111B.039: Fixed display of CodeView type description in MSVC ILStore (CxxIL) tables, if debug information is moved to PDB
111C.046: Fixed error displaying the incorrect name in the description of a CodeView type referenced by another type or symbol (in rare cases)
1201.071: Accelerated access to sections and their data in OBJ files
1205.081: Added support for ExtendedObj files (a.k.a. BIGOBJ, obj files with more than 0xFEFF sections)
1207.094: For some types of CodeView debug information, a more detailed description is available (for example, for LF_POINTER, LF_MODIFIER, LF_ARRAY and LF_BITFIELD, the description of the type to which they refer and some properties are displayed)
120C.110: Clarified interpretation of data from Rich signature
121B.116: The program license was changed from MIT to Freeware (the text of the License Agreement is located in the "Readme" file)
1303.122: Fixed a bug with parsing version information from the resources section in some cases
1304.123: Fixed error getting a member name for LIB archives created by BSD-compatible toolkit
1304.124: Support for ARM64EC in OBJ files


website # Direct link to PEAnatomist-0.2.1

RamMerLabs 03-25-2021 05:29

Release 0.2.2 (2021-03-25):

1305.000: Fixed display of the CodeView type name in the description if the type index is not specified
1307.001: Fixed error displaying manifest text from PE resources in rare cases
1307.003: Added support for IA64, MIPS and Hitachi SH4 architectures in the CxxIL parser
1308.006: Fixed CxxIL parsing error for MSVC from VS2008Beta1
1309.007: Fixed infinite parsing of IMAGE_DIRECTORY_ENTRY_BASERELOC table in rare cases
1309.008: Fixed error of IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG display for some files created by linker versions below 6.0
1309.010: Fixed possible erroneous OBJ file recognition (regression of version 0.2.1)
130D.019: Cleaning and optimization of the parser for the ARM Thumb and ARM64 unwind codes
130F.022: Added a textual description of the epilogue execution condition for ARM Thumb unwind codes
130F.023: Fixed error displaying the epilogue execution condition for ARM Thumb unwind codes if the epilogue is specified as the only one (flag E)
130F.028: Added calculation of the epilogue beginning for the ARM Thumb and ARM64 unwind codes, if the epilogue is specified as the only one (flag E)
1311.029: Fixed light error in defining VS2017-2019 minor version in Rich signature (regression of version 0.2.1)
1311.030: Fixed error in displaying values from IMAGE_DELAYLOAD_DESCRIPTOR.UnloadInformationTableRVA in the delayed import table
1312.044: Fixed the mechanism for filling information for the description of RVA in PE, added detection of new information
1312.045: Accelerated display of the GFID table
1313.046: Simplified procedure for loading some files
1315.051: The storage of information for the description of RVA in PE files has been transferred to a hash table, the search time for the description for RVA has been significantly reduced
1318.053: Ctrl+Insert can be used along with Ctrl+C to copy information from the ListView to the clipboard
1318.057: The set of status information from the ListView has been expanded, there are: focused row index, total count of rows, count of selected rows


website # Direct link to PEAnatomist-0.2.2

Abaddon 03-25-2021 18:39

Just a heads up, the links are (temporarily?) unavailable.
Thanks for the new release.

Edit: Apparently it was a temporary situation. Accessible after a few minutes.

RamMerLabs 03-25-2021 18:53

Abaddon
Thank you for your feedback. I can't even guess what the reason is. I checked the server, it works fine. Sometimes, of course, there are interruptions, but today no incidents with either the server or the connection have been logged.

Abaddon 03-25-2021 19:01

Some suggestions/feedback regarding string detection (low priority)

The user should be able to define the alphabet of the searchable characters.

Or

Pre-selected combinations should be available to select from (in the form of a dropdown list).

The current configuration does not allow someone enough flexibility (i.e. excluding special characters); or, to be precise, the 64 characters to choose from are not transparent to the user.

Also, a good feature would be to be able to search unicode characters, characters from different languages (i.e. Russian) etc.

Again, thanks for the nice application.

RamMerLabs 03-25-2021 20:04

>>The user should be able to define the alphabet of the searchable characters.
Undoubtedly, there should be such a choice.
Moreover, I already did some of what you proposed, but the performance dropped noticeably and I had to remove these innovations (temporarily, I hope).
There were options with a choice of detected encodings, code pages, and a filter based on various criteria, but at the moment the implementation does not suit me.

PS: Unfortunately, I could not see the screenshot from the attachment - not enough rights.

Abaddon 03-25-2021 22:28

No problem, it was just a screenshot from the string options dialog.
I have described everything in text, which I assume communicated the message.
I should have foreseen the problem, being myself a plebeian. However, in my case, the title is well deserved, for I have been a very selfish reverse engineer.
You on the other hand, have contributed to the community; therefore, I ask the moderators/admins to promote you.

RamMerLabs 05-09-2021 06:54

Release 0.2.3 (2021-05-09):
1319.000: Fixed the Statusbar value of the focused line for an empty ListView in certain situations
131A.001: Eliminated possible freeze after the search resumed, if the contents of the list have been changed
131B.007: Added definition of the function beginning and its description on the LoadConfig GuardEHContinuations tab for x64
131B.008: Fixed displaying the type index in the CodeView types table in OBJ files if PCH is used (regression of version 0.2.2)
140B.011: Optimized display of status information from ListView for very large lists
140B.014: Added display of additional Function (.bf, .ef) and FunctionSym symbols in the COFF symbol table of OBJ files
140C.015: Fixed erroneous display of INT value in CFG IAT table if import is performed by ordinal (regression of version 0.2.2)
140D.017: Added XFGHASHMAP parsing in LIB files
140F.022: Added collection of information about exception handlers (x64, ARM, ARM Thumb, ARM64, IA64) and COFF symbols for describing RVA in PE files
1410.025: Accelerated display of COFF symbol table in PE files, added display of some additional symbol records
1411.029: A 'Column' drop-down list in a searching dialog is disabled if only fulltext search is available (i.e. only one search option)
1413.031: Added export of GFID bitmap to file
1415.032: Fixed a bug with parsing the resource table in PE files if IMAGE_RESOURCE_DATA_ENTRY is placed at the end of the table
1416.038: Added optional display of full paths in the recent files list, long paths are limited to the file name and the initial part of the path
1416.039: Changed the format of the main window title, the name of the loaded file is displayed first now
1417.045: Eliminated redundant work with the menu when loading files and generating a list of recent files
1418.046: Added OS shell notification about file associations changing
1419.049: Added optional tooltip with description of RVA calculated in FLC (disabled by default)
141A.053: Added definition of the function beginning and its description on the LoadConfig GuardEHContinuations tab for ARM64 (InsiderPreview 21364)
141B.055: Fixed error displaying multiple values of the "Translation" key in RT_VERSION resources
141B.057: Added a column with functions description in the ExceptionsData table for all supported architectures (for x64, ARM Thumb and ARM64, some columns are now hidden by default)
1505.059: Fixed error displaying SEH Scope on the ExceptionsData page for ARM7/ARM LE in some cases
1507.060: Added a separate tab for the ARM64 unwind chain on the ExceptionsData page
1507.072: Added recognition of some types of exception handlers for all supported architectures
1507.073: Added a column with the type of exception handlers in the ExceptionsData table, the column with the handler's RVA is hidden by default
1508.074: Fixed a rare error filling information from the export table for the RVA description


Homepage # PEAnatomist 0.2.3

RamMerLabs 06-09-2021 05:58

Release 0.2.4 (2021-06-08):
150F.001: Added unwinding code for ARM64 Pointer Authentication extension instructions (InsiderPreview 21382)
1511.003: Added a column with the unwind chain depth in the x64 ExceptionsData table (hidden by default)
1511.004: Fixed a bug with enabling ListView columns hidden by default after restarting the program (regression from version 0.2.0)
1516.013: Fixed crash during parsing of corrupted COFF symbol table in PE files
1517.015: Fixed the old error of displaying the "Security" tab for PE files in some cases
1518.016: Fixed error in validation of program window position settings if opposite sides of the window go beyond the desktop (regression from version 0.2.0)
151B.021: Added entropy plotting
151B.025: Added entropy calculation settings for plotting and plot display settings
1601.032: Added a hint about the fileoffset and the corresponding section under the cursor on the entropy plot
1604.033: The last active tab of the settings dialog is restored after reopening
1608.040: Added optional labels for section boundaries on the entropy plot


Homepage # PEAnatomist 0.2.4

RamMerLabs 08-25-2021 19:50

Release 0.2.5 (2021-08-25):
  • ListView context menu revision and keyboard accessibility improvements
  • Added support for Cxx20Modules in MSVC ILStore parser (CxxIL)
  • Added settings for the number of remembered recent files and the formatting of text copied to the clipboard
  • Updated some ARM64EC related structures from WDK 22000
  • Significantly sped up the construction of the ExceptionsData table in OBJ files
  • Fixed several bugs

Homepage # Changelog # PEAnatomist 0.2.5

RamMerLabs 11-09-2021 01:57

Release 0.2.6 (2021-11-08):
  • Fixed a number of errors in the parser of import tables for modified PE
  • Updated information about new Codeview symbols from VS2022
  • Clarified interpretation of some build numbers from Rich signature
  • Expanded dataset for describing CoffGroups in the IMAGE_DEBUG_TYPE_POGO table
  • Numerous minor fixes

Homepage # Changelog # PEAnatomist 0.2.6

Kurapica 11-09-2021 02:31

Excellent work.

Respect+

RamMerLabs 01-04-2022 04:34

Release 0.2.7 (2022-01-03):
  • Entropy calculation with configurable block overlap for entropy graph
  • Ability to save several PE resources or LIB members to a file at once
  • A page describing WoW thunks in hybrid PE (ARM64EC, ARM64X)
  • Fixed error in processing the exception table for emulated architecture code in hybrid PE (ARM64EC)
  • Improved compatibility with certain older versions of MS Visual Studio

Homepage # Changelog # PEAnatomist 0.2.7

RamMerLabs 03-06-2022 04:03

Release 0.2.8 Final (2022-03-05):
  • Added display of information about IMAGE_DEBUG_TYPE_BBT (Basic Block Transformation)
  • Fixed CORCOMPILE_HEADER header parsing error for .NetFramework 4.6 - 4.6.2
  • Added support for IMAGE_FILE_MACHINE_POWERPCBE (Xbox 360, uncompressed PE only)
  • Added support for IMAGE_REL_BASED_HIGHADJ
  • Fixed a number of bugs

Homepage # Changelog # PEAnatomist 0.2.8

Abaddon 03-07-2022 13:35

RamMerLabs, if you are in one of the countries involved in the current conflict, I wish that you and your family are safe and well. Same goes for any other members of this forum.
Sorry to contact you like this in a public forum, but i have no pm privileges, and no other means of reaching you.
Be safe.

DavidXanatos 03-13-2022 22:42

I think the loading of exports for ARM 32-bit is not quite right:
For my Win 11 test machine, \SysArm32\ntdll.dll's LdrLoadDll has, according to PEAnatomist, the RVA 0x2F9F1 and the image base is 0x4B280000; however, when stepping through an arm32 project, LdrLoadDll is in my instance at 0x7723F9F0 with base at 0x77210000, so the RVA seems to be 0x2F9F0, 1 less than what PEAnatomist shows. Also, checking with IDA, it says the address of that function is 0x4B2AF9F0; that minus the base address also gives 0x2F9F0 as the correct RVA.
Now that said, the peview of Process Hacker makes the same mistake :/
It's strange that the values in the file are all off by exactly 1; it's the same for all functions I checked.
Cheap fix: add -1 to the RVA if it's an ARM image, but I would prefer to understand why it's so and have a proper fix.

RamMerLabs 03-13-2022 23:25

The reason is that Windows runs ARM7 in Thumb instruction set mode. And the "1" in every RVA of executable code is an indicator of this: 1 - Thumb, no 1 - no Thumb. There is no mistake, it's native.
ARM7 instructions are 2 or 4 bytes long, so this 1 in the RVA doesn't affect real addresses.
BTW, it's right to apply (AND (NOT 0x1)) instead of subtraction.
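
The Thumb bit discussed in the two posts above, as an added example that is not part of this thread and not PE Anatomist's own code: a minimal export-table parser that walks the PE headers, maps RVAs to file offsets through the section table, and for ARM machine types (IMAGE_FILE_MACHINE_ARM 0x01C0, THUMB 0x01C2, ARMNT 0x01C4) reports the raw export RVA, whether bit 0 is set, and the code address obtained by masking with AND NOT 1 rather than subtracting. The PE image it parses is constructed inline (a single .rdata section, ImageBase 0x4B280000 and the two export names are sample values chosen to mirror the post, not a real ntdll.dll); function and variable names are this example's own.

```python
"""Added example: decode the Thumb bit in ARM PE export RVAs (not PE Anatomist code)."""
import struct

IMAGE_FILE_MACHINE_ARM = 0x01C0
IMAGE_FILE_MACHINE_THUMB = 0x01C2
IMAGE_FILE_MACHINE_ARMNT = 0x01C4
# Only 32-bit ARM images encode the instruction set in bit 0 of a code RVA.
THUMB_MACHINES = {IMAGE_FILE_MACHINE_ARM, IMAGE_FILE_MACHINE_THUMB, IMAGE_FILE_MACHINE_ARMNT}


def _read_cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii")


def parse_exports(image):
    """Return (machine, image_base, [(name, ordinal, raw_rva, is_thumb, code_va), ...])."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, fh)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:                                  # PE32
        image_base, = struct.unpack_from("<I", image, opt + 28)
        datadir = opt + 96
    elif magic == 0x20B:                                # PE32+
        image_base, = struct.unpack_from("<Q", image, opt + 24)
        datadir = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    # Section table: needed to translate RVAs into file offsets.
    sections = []
    for i in range(nsections):
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva2off(rva):
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError("RVA 0x%X is not inside any section" % rva)

    exp_rva, exp_size = struct.unpack_from("<II", image, datadir)  # DataDirectory[0] = exports
    if exp_rva == 0:
        return machine, image_base, []
    (_, _, _, _, _, base, _, nnames,
     funcs_rva, names_rva, ords_rva) = struct.unpack_from("<IIHHIIIIIII", image, rva2off(exp_rva))
    funcs, names, ords = rva2off(funcs_rva), rva2off(names_rva), rva2off(ords_rva)
    out = []
    for i in range(nnames):
        name_ptr, = struct.unpack_from("<I", image, names + 4 * i)
        idx, = struct.unpack_from("<H", image, ords + 2 * i)
        rva, = struct.unpack_from("<I", image, funcs + 4 * idx)
        name = _read_cstr(image, rva2off(name_ptr))
        if exp_rva <= rva < exp_rva + exp_size:          # forwarder string, not code: no Thumb bit
            out.append((name, base + idx, rva, False, None))
            continue
        is_thumb = machine in THUMB_MACHINES and bool(rva & 1)
        code_rva = rva & ~1 if machine in THUMB_MACHINES else rva   # mask, do not subtract
        out.append((name, base + idx, rva, is_thumb, image_base + code_rva))
    return machine, image_base, out


def build_sample_arm_pe():
    """Constructed PE32 ARMNT image with two named exports (sample data, not a real file)."""
    exp_rva, funcs = 0x1000, [0x2F9F1, 0x30101]         # bit 0 set: Thumb entry points
    names = [b"LdrLoadDll", b"LdrUnloadDll"]
    funcs_rva = exp_rva + 40
    names_rva = funcs_rva + 4 * len(funcs)
    ords_rva = names_rva + 4 * len(names)
    str_rva = ords_rva + 2 * len(names)
    strs, name_rvas, cur = b"ntdll.dll\0", [], str_rva + 10
    for n in names:
        name_rvas.append(cur)
        strs += n + b"\0"
        cur += len(n) + 1
    exp = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_rva, 1, len(funcs), len(names),
                      funcs_rva, names_rva, ords_rva)
    exp += b"".join(struct.pack("<I", f) for f in funcs)
    exp += b"".join(struct.pack("<I", r) for r in name_rvas)
    exp += b"".join(struct.pack("<H", i) for i in range(len(names)))
    exp += strs
    section_raw = exp.ljust(0x200, b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_ARMNT, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                 # PE32 magic
    struct.pack_into("<I", opt, 28, 0x4B280000)                           # ImageBase (sample)
    struct.pack_into("<I", opt, 92, 16)                                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, exp_rva, len(exp))                   # export directory entry
    sec = struct.pack("<8sIIII", b".rdata", len(section_raw), exp_rva, len(section_raw), 0x200) + b"\0" * 16
    return (dos + b"PE\0\0" + file_hdr + bytes(opt) + sec).ljust(0x200, b"\0") + section_raw


def describe(image):
    machine, base, exports = parse_exports(image)
    return ["%-13s ord %d  raw RVA 0x%05X  %s  code VA 0x%08X" %
            (n, o, rva, "Thumb" if t else "ARM  ", va) for n, o, rva, t, va in exports]


if __name__ == "__main__":
    print("\n".join(describe(build_sample_arm_pe())))
```

The parser deliberately keeps the raw RVA next to the decoded address: the raw value is what the file, the loader and a debugger's symbol lookup agree on, while the masked value is the one to feed to a disassembler. The same bit-0 check should be applied to every other code pointer in an ARM image (entry point, TLS callbacks, exception handlers), never to data exports or forwarders.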

RamMerLabs 03-16-2022 04:12

Release 0.2.9 Final Fix1 (2022-03-15):
  • Fixed entropy graph drawing error on Windows 7 and newer

Homepage # Changelog # PEAnatomist 0.2.9

RamMerLabs 04-17-2022 02:15

Release 0.2.10 Final Fix2 (2022-04-16):
  • Fixed error displaying data from UnwindInfo CxxFH3 tables for ARM7
  • Fixed CodeView symbols S_DEFRANGE_CONSTVAL_ON_ENTRY and S_DEFRANGE_GLOBALSYM_ON_ENTRY from VS2022 17.2Pre3
  • Fixed leak of GDI objects when using more than one ListView column setup dialog at the same time

Homepage # Changelog # PEAnatomist 0.2.10

RamMerLabs 05-18-2022 05:31

Release 0.2.11 Final Fix3 (2022-05-18):
  • Fixed bug with enumeration of IMAGE_DYNAMIC_RELOCATION_FUNCTION_OVERRIDE symbol in DVRT table
  • Added separate page for IMAGE_DYNAMIC_RELOCATION_FUNCTION_OVERRIDE symbol content in DVRT table (backport from 0.3.10516.1931)

Homepage # Changelog # PEAnatomist 0.2.11

