Thread: PE Anatomist
Old 12-02-2019, 00:24
Jupiter
Lo*eXeTools*rd
 
Join Date: Jan 2005
Location: Moscow, Russia
Posts: 216
PE Anatomist

PE Anatomist - PE files internals

PE Anatomist shows almost all known data structures inside a PE file and makes some analytics.

Author: RamMerLabs
Project Home: rammerlabs.alidml.ru

Overview

FILE FORMATS
  • PE32
  • PE32+

PE IMAGE ARCHITECTURES
  • Intel x86
  • AMD64
  • ARM7
  • ARM7 Thumb
  • ARM8-64
  • Intel IA64
  • CHPE (x86 on ARM8-64)

HEADERS AND DATA STRUCTURES PARSING
  • IMAGE_DOS_HEADER (partially), IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER, IMAGE_OPTIONAL_HEADER64 with additional information about some fields
  • Table of COFF symbols
  • Sections table, supporting long section names (via the symbols table) and entropy calculation
  • Import table (supports MS-styled names demangling)
  • Bound Import Table
  • Delayed Import Table
  • Export Table with additional info
  • Resource Table with additional info about different resource types and detailed view for all types
  • Base Relocation Table. Target address determination and interpretation are available for all supported architectures. It detects imports, delayed imports, exports, tables from the LoadConfig directory, and ANSI and UNICODE strings.
  • Brief info about PE Authenticode Signature
  • LoadConfig Directory with SEH, GFID, GIAT, Guard LongJumps, CHPE Metadata, Dynamic Value Reloc Table, Enclave Configuration, Volatile Metadata tables parsing and additional information about some fields
  • Debug Directory. It parses contents of CODEVIEW, POGO, VC FEATURE, REPRO, FPO, EXDLL CHARACTERISTICS, SPGO debug types
  • TLS config and callbacks table with additional information about some fields
  • Exceptions Data Table. x64 (including version 2 with EPILOG unwind codes), arm, arm64 and ia64 architectures are supported, as well as chained unwind data for x64, language-specific handler data (C Scope, C++ FuncInfo, C++ EH4, C++ DWARF LSDA) and a hexadecimal view of unwind data
  • Partial .NET directory parsing: IMAGE_COR20_HEADER, CORCOMPILE_HEADER, READYTORUN_HEADER with additional information about some fields
  • Rich signature decoding, indicating the tool used, the action being taken, the full version of the tool, and the version of Visual Studio to which the tool belongs
  • IAT table contents

History

0.2.5 (2021-08-25):
  • ListView context menu revision and keyboard accessibility improvements
  • Added support for Cxx20Modules in MSVC ILStore parser (CxxIL)
  • Added settings for the number of remembered recent files and the formatting of text copied to the clipboard
  • Updated some ARM64EC related structures from WDK 22000
  • Significantly sped up the construction of the ExceptionsData table in OBJ files
  • Fixed several bugs


0.1.6.260 (2019-11-23)
  • Fixed parsing of import table modified by some packers
  • Added forced cleaning of recent files list
  • Added reaction to the ENTER key in FLC text fields
  • New settings:
      • set main window always on top;
      • contrast selection of alternating lists background;
      • number of bytes displayed in the HEX form in the description in the Base Relocations table;
      • restore last opened tab;
      • pasting the list header into the data copied to the clipboard;
      • use the ESC key to exit the program
  • Display of minor instrument version in RICH signature for VS2017 and higher fixed
  • Fixed incorrect behavior when resizing the main window
  • Deleting file associations fixed
  • FLC editboxes are cleared after loading a new file
  • Fixed the error in displaying the section table if some header fields were nullified
  • Added section naming by number if their name is not specified in the header or does not contain printable characters
  • The mechanism for working with sections and calculating the correspondence of RVA to raw offset has been completely redone
  • Several FLC bugs fixed

0.1.5.46 (2019-11-09)
  • IMAGE_DIRECTORY_ENTRY_IAT table parsing available
  • Symbols description added in Dynamic Value Relocations table
  • Data description added in Volatile Metadata table for x86
  • Minor optimizations of the code preparing the new GUI
  • FuncInfo4 (ExceptionsData table) parsing error fixed; it appeared when the data layout had been optimized
  • FuncInfo4 (ExceptionsData table) with Separated code segments parsing error fixed
  • RVA of instructions for appropriate unwind codes added in table for x64

0.1.4.192 (2019-10-31)
  • ExceptionsData table LSDA headers parsing improved
  • LSDA headers parsing implemented for C Builder 10.2 and newer
  • Commandline keys are not required to open a file
  • Minor error in filename processing fixed
  • Recent files menu available now
  • The program settings file layout modified
  • Any size overlays supported
  • GUI handling optimized
  • Hide unused tabs
  • HighDPI support

0.1.3.2 (2019-10-19)
  • x64 ExceptionsData Table parsing bug fixed

0.1.2.57 (2019-10-18)
  • Taskbar file icon display fixed
  • Crash on unsupported files fixed
  • File load errors display added
  • Internal data size optimization
  • ExceptionsData Table parsing speed optimization

Download
Attached Files
File Type: 7z PEAnatomist-0.1.6.7z (66.1 KB, 29 views)
__________________
EnJoy!

Last edited by Jupiter; 10-17-2021 at 18:44. Reason: v0.2.5 (2021-08-25)
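Added example, not part of the post and not PE Anatomist's own code: a small Python walker over the structures the feature list names (IMAGE_DOS_HEADER.e_lfanew, IMAGE_FILE_HEADER, the section table) that computes per-section entropy and maps an RVA to a raw file offset, the two calculations the section view and the 0.1.6.260 notes refer to. It also reproduces the fallback of naming a section by its number when the header name is blank or unprintable. The sample image it parses is constructed inline (a synthetic PE32 with three sections, not a real binary); the IMAGE_FILE_MACHINE values in MACHINE_NAMES are the documented constants for the architectures listed above, with CHPE omitted because it is not identified by the Machine field alone.

```python
"""Minimal PE section-table walker: entropy per section and RVA -> raw offset."""
import math
import struct
from collections import Counter

IMAGE_DOS_SIGNATURE = 0x5A4D      # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550   # 'PE\0\0'

# Documented IMAGE_FILE_MACHINE_* values for the architectures named in the feature list
MACHINE_NAMES = {
    0x014C: "Intel x86",
    0x8664: "AMD64",
    0x01C0: "ARM",
    0x01C4: "ARM Thumb-2 (ARMNT)",
    0xAA64: "ARM64",
    0x0200: "Intel IA64",
}


def shannon_entropy(blob):
    """Bits per byte of the raw section contents (0.0 for empty or constant data)."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def parse_sections(data):
    """Walk IMAGE_DOS_HEADER -> IMAGE_FILE_HEADER -> section table.

    Returns (machine, sections); each section is a dict with its (possibly
    synthesised) name, VirtualAddress, VirtualSize, PointerToRawData,
    SizeOfRawData and the entropy of its raw bytes.
    """
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a PE file: MZ signature missing")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("not a PE file: PE signature missing or e_lfanew out of range")
    # IMAGE_FILE_HEADER directly follows the 4-byte signature
    machine, nsec, _ts, _psym, _nsym, opt_size, _flags = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    # The section table starts after the optional header; its length comes from
    # SizeOfOptionalHeader rather than being assumed (PE32 vs PE32+ differ)
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        raw_name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        raw_name = raw_name.rstrip(b"\0")
        if raw_name and all(0x20 <= b < 0x7F for b in raw_name):
            name = raw_name.decode("ascii")
        else:
            name = f"#{i + 1}"   # blank or unprintable name: fall back to the section number
        raw = data[rptr:rptr + rsize]   # slicing clamps claims that run past the end of the file
        sections.append({"name": name, "va": va, "vsize": vsize, "rptr": rptr,
                         "rsize": rsize, "entropy": shannon_entropy(raw)})
    return machine, sections


def rva_to_raw(sections, rva):
    """Map an RVA to a raw file offset through the section table, or None.

    The virtual extent is VirtualSize (SizeOfRawData is used when VirtualSize is
    zero); an RVA past the raw data but inside the virtual extent addresses
    uninitialised data and has no file offset.
    """
    for s in sections:
        span = s["vsize"] or s["rsize"]
        if s["va"] <= rva < s["va"] + span:
            delta = rva - s["va"]
            return s["rptr"] + delta if delta < s["rsize"] else None
    return None


def build_sample_pe():
    """Constructed PE32 image for the demo (not a real binary): .text with
    two-valued filler, .data with a large virtual tail, and a nameless section."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 224, 0x0102)
    opt_hdr = struct.pack("<H", 0x10B) + bytes(222)      # Magic = PE32, rest zeroed (unused here)

    def sec(name, vsize, va, rsize, rptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, rptr, 0, 0, 0, 0, flags)

    table = (sec(b".text", 0x200, 0x1000, 0x200, 0x200, 0x60000020)
             + sec(b".data", 0x1000, 0x2000, 0x200, 0x400, 0xC0000040)
             + sec(b"\0" * 8, 0x100, 0x3000, 0x100, 0x600, 0xC0000040))
    image = bytearray(dos + b"PE\0\0" + file_hdr + opt_hdr + table)
    image += bytes(0x200 - len(image))                   # pad headers to the first raw section
    image += b"\x90" * 0x100 + b"\xCC" * 0x100            # .text: two byte values -> entropy 1.0
    image += bytes(range(256)) * 2                        # .data: uniform bytes -> entropy 8.0
    image += bytes(0x100)                                 # nameless section: constant -> entropy 0.0
    return bytes(image)


if __name__ == "__main__":
    machine, secs = parse_sections(build_sample_pe())
    print("Machine:", MACHINE_NAMES.get(machine, hex(machine)))
    for s in secs:
        print(f"{s['name']:<8} VA={s['va']:#08x} vsize={s['vsize']:#06x} "
              f"raw={s['rptr']:#06x}+{s['rsize']:#06x} entropy={s['entropy']:.3f}")
    for rva in (0x1010, 0x2100, 0x2800):
        print(f"RVA {rva:#x} -> raw offset {rva_to_raw(secs, rva)}")
```

Two details are worth noting when reading real files rather than the constructed one: the loader rounds each section's virtual extent up to SectionAlignment, which this walker does not model, and packers routinely null header fields or claim more raw data than the file holds, which is why the raw slice is clamped to the file and the name fallback exists.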