PE Anatomist

[Jupiter]

PE Anatomist - PE files internals

PE Anatomist shows almost all known data structures inside a PE file and makes some analytics.

Author: RamMerLabs
Project Home: rammerlabs.alidml.ru

Overview

FILE FORMATS

• PE32
• PE32+

PE IMAGE ARCHITECTURES

• Intel x86
• AMD64
• ARM7
• ARM7 Thumb
• ARM8-64
• Intel IA64
• CHPE (x86 on ARM8-64)

HEADERS AND DATA STRUCTURES PARSING

• IMAGE_DOS_HEADER (partially), IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER, IMAGE_OPTIONAL_HEADER64 with additional information about some fields
• Table of COFF symbols
• Sections table, supporting long section names (via symbols table) and entropy calculating
• Import table (supports MS-styled names demangling)
• Bound Import Table
• Delayed Import Table
• Export Table with additional info
• Resource Table with additional info about different resource types and detailed view for all types
• Base Relocation Table. Target address determining and interpretation available for all supporting architectures. It detects imports, delayed imports, exports, tables from loadconfig directory, ANSI and UNICODE strings.
• Brief info about PE Authenticode Signature
• LoadConfig Directory with SEH, GFID, GIAT, Guard LongJumps, CHPE Metadata, Dynamic Value Reloc Table, Enclave Configuration, Volatile Metadata tables parsing and additional information about some fields
• Debug Directory. It parses contents of CODEVIEW, POGO, VC FEATURE, REPRO, FPO, EXDLL CHARACTERISTICS, SPGO debug types
• TLS config and callbacks table with additional information about some fields
• Exceptions Data Table. x64 (including version 2 with EPILOG unwind codes), arm, arm64, ia64 architectures are support, as well as chain of unwind data for x64, language-specific handler data (C Scope, C++ FuncInfo, C++ EH4, C++ DWARF LSDA) and hexadecimal view of unwind data
• Partial .NET directory pasring: IMAGE_COR20_HEADER, CORCOMPILE_HEADER, READYTORUN_HEADER with additional information about some fields
• Decode Rich signature indicating the tool used, the action being taken, the full version of the tool, and the version of VisualStudio to which the tool belongs
• IAT table contents

History

0.2.5 (2021-08-25):

• ListView context menu revision and keyboard accessibility improvements
• Added support for Cxx20Modules in MSVC ILStore parser (CxxIL)
• Added settings for the number of remembered recent files and the formatting of text copied to the clipboard
• Updated some ARM64EC related structures from WDK 22000
• Significantly speeded up the construction of the ExceptionsData table in OBJ files
• Fixed several bugs
• DOWNLOAD

0.1.6.260 (2019-11-23)

• Fixed parsing of import table modified by some packers
• Added forced cleaning of recent files list
• Added reaction to the ENTER key in FLC text fields
• New settings:
• set main window always on top;
• contrast selection of alternating lists background;
• number of bytes displayed in the HEX form in the description in the Base Relocations table;
• restore last opened tab;
• pasting the list header into the data copied to the clipboard;
• use the ESC key to exit the program
• Display of minor instrument version in RICH signature for VS2017 and higher fixed
• Fixed incorrect behavior when resizing the main window
• Deleting file associations fixed
• FLC editboxes are cleared after loading a new file
• Fixed the error in displaying the section table if some header fields were nullified
• Added section naming by number if their name is not specified in the header or does not contain printable characters
• The mechanism for working with sections and calculating the correspondence of RVA to raw offset has been completely redone
• Several FLC bugs fixed

0.1.5.46 (2019-11-09)

• IMAGE_DIRECTORY_ENTRY_IAT table parsing available
• Symbols description added in Dynamic Value Relocations table
• Data description added in Volatile Metadata table for x86
• Minor optimizations of the code prepearing new GUI
• FuncInfo4 (ExceptionsData table) parsing error fixed, it appears when data layout has optimized
• FuncInfo4 (ExceptionsData table) with Separated code segments parsing error fixed
• RVA of instructions for appropriate unwind codes added in table for x64

0.1.4.192 (2019-10-31)

• ExceptionsData table LSDA headers parsing improved
• LSDA headers parsing implemented for C Builder 10.2 and newer
• Commandline keys are not required to open a file
• Minor error in filename processing fixed
• Recent files menu available now
• The program settings file layout modified
• Any size overlays supported
• GUI handling optimized
• Hide unused tabs
• HighDPI support

0.1.3.2 (2019-10-19)

• x64 ExceptionsData Table parsing bug fixed

0.1.2.57 (2019-10-18)

• Taskbar file icon display fixed
  Crash on unsupported files fixed
  Files load errors display added
  Internal data size optimization
  ExceptionsData Table parsing speed optimization

Download

• PEAnatomist-0.1.6.zip

[evlncrn8]

still wondering why nobody has made a pe util and called it pedofile... ;p

[leewm]

Version: 0.1.8.234 Update at 2019-12-20
Download:
PE Anatomist.v.0.1.8.zip

What's new?

Added description for COFF Groups in the debug information table
Updating the interface of the main window using a tree view of the available information
New header information pages added: DOS_HEADER, FILE_HEADER, OPTIONAL_HEADER, CHPE_HEADER, VOLATILE_METADATA_HEADER
Added parsing IAT table in CHPE for emulated architecture
Added construction of a CFG bitmap and its display in a HEX form
Added parsing of some specific tables for applications created in Visual Basic 5/6
Added file upload log displaying warnings about non-compliance with the PE format (the list of checks will expand)
Implemented multiple selection of rows in lists

[bigboss-62]

Version: 0.1.9.64 Update at 2019-12-27
Download:
PE Anatomist.v.0.1.9.zip

What's new?

Optimize some internal data formats
Fixed way to save settings, now the mechanism uses next rules:
- if there are no settings files in the program directory and in %appdata%, then the settings file will be created in the program directory;
- if the program directory doesn't contain the settings file and the directory is not writable, then %appdata% will be used for storing the settings;
- if there is a valid settings file in the program directory, then this is the only way to read the settings, and the settings also will store here, if the file is writable;
- if the settings file is already in %appdata%, then it is always used to read/write settings.
Directories hidden by decreasing "Number Of RVA And Sizes" values are grayed out if available

[Abaddon]

Hi RamMerLabs,
It is a nice PE dumper at the moment.
I like how you handle things like RICH signature (not sure if someone documented it, or it is product of your own research? Anw, good job) and certificates.

Lots can be done towards improving it, though i'm not sure if it's your purpose to go towards this direction:

Make it a PE Editor, rather than a dumper (make fields editable).
Add an embedded hexeditor window, to show things like contents of buffers (or certificates).
etc, etc.

Anw, its a nice project, that at least adds something new (to the tools i was accustomed to). Good job.

[Abaddon]

RamMerLabs,

The more i play with it, the more i realize the amount of research (either original, or just collecting information on a specific PE feature) this project entails. Just to name some of the most impressive features, decoding of language specific exception handler data, .NET directory info, VB5 & VB6 specific data decoding etc (Not sure where you decided to stop dealing with the VB, or .Net specific data, since you could actually build a full fledged decompiler when you go in sufficient depth). Thanks for the work put into this project.

One think i would advise against, though (sorry for being a bit intrusive here) is your language of choice for the development of the application; an application that lies heavily on GUI, would benefit greatly from being developed in a RAD-oriented language (i'm pointing towards some of the .net applications here). I do understand the urge to develop something in ASM, due to seeing it as a challenge to master, or being a purist (been through that stage), but in my experience, projects tend to quickly become difficult to manage in ASM. However it is your project, and you should develop it as you see fit.

Again thanks for releasing it, and i do hope to see more of it.

[mak]

@RamMerLabs

Could you make a plugin for x64dbg as a separate modification of your PEAnatomist program, that would be very convenient.

[Abaddon]

Just a heads up, the links are (temporarliy?) unavalailable.
Thanks for the new release.

Edit: Apparently it was a temporary situation. Accessible after a few minutes.

[Abaddon]

Some suggestions/feedback regarding string detection (low priority)

The user should be able to define the alphabet of the searchable characters.

Or

Pre-selected combinations should be availale to select from (in the form of a dropdown list).

The current cofiguration does not allow someone enough flexibility (i.e. excluding special characters); or, to be precise, the 64 characters to choose from are not transparent to the user.

Also, a good feature would be to be able to search unicode characters, characters from different languages (i.e. Russian) etc.

Again, thanks for the nice application.

[Abaddon]

No problem, it was just a screenshot from the string options dialog.
I have described everything in text, which I assume communicated the message.
I should have foreseen the problem, being myself a plebeian. However, in my case, the title is well deserved, for I have been a very selfish reverse engineer.
You on the other hand, have contributed to the community; therefore, I ask the moderators/admins to promote you.

[Kurapica]

Excellent work.

Respect+

[Abaddon]

RamMerLabs, if you are in one of the countries involved in the current conflict, I wish that you and your family are safe and well. Same goes for any other members of this forum.
Sorry to contact you like this in a public forum, but i have no pm privileges, and no other means of reaching you.
Be safe.

[DavidXanatos]

I think the loading of exports for arm 32 bit is not quite right:
for my win 11 test machine \SysArm32\ntdll.dll's LdrLoadDll has according tho the PEAnatomist the RVA or 0x2F9F1 and the image base is 0x4B280000, however when stepping through a arm32 project LdrLoadDll is in my instance at 0x7723F9F0 with base at 0x77210000 so the RVA seams to be 0x2F9F0, 1 less than what PEAnatomist shows, also checking with IDA it says the address of that function is 0x4B2AF9F0, that minus the base address gives also 0x2F9F0 as the correct RVA.
Now that Said the peview of process hacker makes the same mistake :/
its strange that the values in the file are all off by exactly 1, its teh same for all functions I checked.
Cheep fix add -1 to the RVA if its an arm image, but I woudl preffer to understand why its so ans have a proper fix.

[TQN]

Check with last version, 0.2.11320.1732
PEAnatomist will crash with DLLs that export API by oridinal when click on Export at tree left
For examples, check with all MFC Dlls: Mfcxxx.dll
And with many other Dlls