Thread: PE Anatomist
05-31-2020, 06:20
RamMerLabs
Version 0.1.15 (2020-05-30):
[#] Fixed the error in determining the minor version of VS 2017-2019 when decoding the Rich signature (regression 0.1.13 and 0.1.14)
[#] Fixed decoding of RT_STRING resources in the presence of incorrect data
[+] Added tab with detailed description of PE resource headers
[#] Resource tab redone to list without grouping by resource type
[#] Fixed sorting of the list of resources
[#] The procedure for parsing the resource directory has been changed, new criteria for data correctness have been added
[#] Fixed processing of the settings file during the first launch of the program
[#] Corrected the behavior of the COFF character parser in the presence of incorrect info about long symbol names
[#] Fixed the bug of constructing the context menu for listview in virtual mode
[#] Fixed saving the selected file type filter in the "Open file" dialog
[#] Fixed incorrect recognition of UTF16 lines in rare cases
[+] Added page of detected ANSI and UTF16 lines in PE file
[+] Added CodeView Debug Info parsing for OBJ files
[+] Added CodeView Debug Symbols parsing for OBJ files
[+] Added parsing of CodeView Types for OBJ files
[+] Added parsing of new CodeView Debug Symbol records up to S_REGREL32_INDIR_ENCTMP inclusive
[+] Added parsing of new CodeView Type leafs up to and including LF_INTERFACE2
[+] Added parsing of type information in OBJ files compiled by MSVC with the /GL flag or others in MS ILStore format

CodeView decoding is only available for OBJ files so far; PDB is probably on the way in the next version. Symbols and types are processed; the rest of the data will come with the PDB. New records of symbols and types are available up to the latest from VS16.6 (S_REGREL32_INDIR_ENCTMP - 0x117B and LF_INTERFACE2 - 0x160B, respectively). For the selected records, a description of all the structure fields of these records is available, but so far some records look rather clumsy (LF_FIELDLIST). I hope that soon I will make a more human-readable description, possibly including decoding into C or MASM syntax.

Types from OBJ files compiled by MSVC with the /GL flag are decoded too (i.e. the result of the frontend of the compiler in the form of CIL (C Immediate Language, not Common IL from dotnet!), formatted in ILStore format).

I also want to ask for help with information about the ILStore format itself. I have already interpreted some structures, but this is a drop in the ocean. Perhaps there is something to read about this format (C Immediate Language, ILStore)? Thanks!

WEB
PEAnatomist-0.1.15