#1
PE Anatomist
PE Anatomist - PE files internals
PE Anatomist shows almost all known data structures inside a PE file and makes some analytics.

Author: RamMerLabs
Project Home: rammerlabs.alidml.ru

Overview
FILE FORMATS
PE IMAGE ARCHITECTURES
HEADERS AND DATA STRUCTURES PARSING

History
0.2.5 (2021-08-25):
0.1.6.260 (2019-11-23)
0.1.5.46 (2019-11-09)
0.1.4.192 (2019-10-31)
0.1.3.2 (2019-10-19)
0.1.2.57 (2019-10-18)
Download

EnJoy!

Last edited by Jupiter; 10-17-2021 at 18:44. Reason: v0.2.5 (2021-08-25)
The Following 20 Users Say Thank You to Jupiter For This Useful Post:
#2
still wondering why nobody has made a pe util and called it pedofile... ;p
The Following 4 Users Say Thank You to evlncrn8 For This Useful Post:
#3
Version: 0.1.8.234 Update at 2019-12-20
Download: PE Anatomist.v.0.1.8.zip

What's new?
- Added description for COFF Groups in the debug information table
- Updated the interface of the main window, using a tree view of the available information
- New header information pages added: DOS_HEADER, FILE_HEADER, OPTIONAL_HEADER, CHPE_HEADER, VOLATILE_METADATA_HEADER
- Added parsing of the IAT table in CHPE for the emulated architecture
- Added construction of a CFG bitmap and its display in HEX form
- Added parsing of some specific tables for applications created in Visual Basic 5/6
- Added file upload log displaying warnings about non-compliance with the PE format (the list of checks will expand)
- Implemented multiple selection of rows in lists
The Following User Says Thank You to leewm For This Useful Post:
#4
Version: 0.1.9.64 Update at 2019-12-27
Download: PE Anatomist.v.0.1.9.zip

What's new?
- Optimized some internal data formats
- Fixed the way settings are saved; the mechanism now uses the following rules:
  - if there are no settings files in the program directory and in %appdata%, then the settings file will be created in the program directory;
  - if the program directory doesn't contain the settings file and the directory is not writable, then %appdata% will be used for storing the settings;
  - if there is a valid settings file in the program directory, then this is the only way to read the settings, and the settings will also be stored there, if the file is writable;
  - if the settings file is already in %appdata%, then it is always used to read/write settings.
- Directories hidden by decreasing "Number Of RVA And Sizes" values are grayed out if available
The Following 2 Users Say Thank You to bigboss-62 For This Useful Post:
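The "Number Of RVA And Sizes" item above is a PE parsing edge case worth seeing in code: slots past that count are not data directories as far as the loader is concerned, and a parser that ignores the count either reads section-table bytes as directories or trusts an oversized count as a read length. The following is an added Python example, not PE Anatomist's code; it parses the data directory of a constructed PE32 header and flags the hidden slots the way the tool greys them out.

```python
import struct

DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG",
    "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]

def data_directories(pe):
    """Return (name, rva, size, visible) for the 16 directory slots.

    visible is False for slots at or beyond NumberOfRvaAndSizes: the loader
    ignores them, so whatever a parser reads there is not a directory.
    """
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                           # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                         # PE32+
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    count = struct.unpack_from("<I", pe, count_off)[0]
    visible = min(count, 16)                     # only 16 slots are defined; never trust a larger count
    out = []
    for i, name in enumerate(DIRECTORY_NAMES):
        if dirs_off + 8 * i + 8 > len(pe):       # truncated header: stop rather than read past EOF
            break
        rva, size = struct.unpack_from("<II", pe, dirs_off + 8 * i)
        out.append((name, rva, size, i < visible))
    return out

def sample_pe32(number_of_rva_and_sizes):
    """Constructed minimal PE32 header (not a real binary) used as demo input."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE signature right after the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, number_of_rva_and_sizes)
    for i in range(16):                          # recognisable rva/size per slot
        struct.pack_into("<II", opt, 96 + 8 * i, 0x1000 * (i + 1), 0x10 * (i + 1))
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)
```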
#5
Hi!
I am the developer of PEAnatomist and I'm glad to see my modest tool here. I will be grateful for any criticism, ideas or suggestions.

Moreover, there is a new version 0.1.11 (2020-01-30): PEAnatomist-0.1.11.zip

Changes:

Version 0.1.10.97 (2020-01-10)
+ Added mapping of redirects to another UNWIND_INFO between managed / unmanaged code in the ExceptionsData table for x64
+ Added parsing of tables and metadata of dotNET

Version 0.1.11.155 (2020-01-30)
# Fixed bug when parsing the old version of the delay import table
# Small optimization of a number-to-string converter
+ Added parsing of Native Import Sections table (ReadyToRun, NGEN)
+ Added parsing of the MethodDef EntryPoints table (ReadyToRun)
# Minor optimization of settings storage structure
# Slight list sorting optimization
# Fixed copying large lists to the clipboard (more than 100,000 lines)
# Fixed loading error after drag-n-drop of a shortcut of the investigated file onto the program file
+ Updated program settings dialog
+ Added some new settings
# FLC optimization
# The mechanism for parsing .NET metadata tables has been redesigned for quick access to any fields, rows, tables
+ Added description of .NET metadata token in some tables

Unfortunately, an error was detected after the release: if integration into the shell context menu was performed on this version, then opening a file through the context menu fails. The cause is a missing quotation mark in the command line parameter. The upcoming update will fix this.
The Following 6 Users Gave Reputation+1 to RamMerLabs For This Useful Post:
The Following 15 Users Say Thank You to RamMerLabs For This Useful Post:
#6
Hi RamMerLabs,
It is a nice PE dumper at the moment. I like how you handle things like the RICH signature (not sure if someone documented it, or it is a product of your own research? Anw, good job) and certificates.

Lots can be done towards improving it, though I'm not sure if it's your purpose to go in this direction:
- Make it a PE Editor, rather than a dumper (make fields editable).
- Add an embedded hexeditor window, to show things like contents of buffers (or certificates).
- etc, etc.

Anw, it's a nice project that at least adds something new (to the tools I was accustomed to). Good job.
#7
Hi Abaddon!
First, thanks for the feedback, it encourages the further development of the project!

>> not sure if someone documented it, or it is product of your own research?
There is no official documentation, but there are several articles about the content of the signature itself. I just added to and refined the list of tools a bit and made a link to the VS versions (and particular builds), but yes, I had to do some research on a fairly large number of files. As for the certificates page, it will be totally redone in one of the next versions. For now it uses the crypt32.dll API and lacks flexibility, so I decided to use my own ASN.1 decoder.

>> Lots can be done towards improving it
Exactly! I have a "to do" list which consists of hundreds of ideas. But time is running out, as always. As you can see, the program is written in MASM and it takes a little more time to develop, but brings much more pleasure.

>> Make it a PE Editor
Oh, I want it myself, but for now this is too big a task.

>> Add an embedded hexeditor window
Hexview (not a hexeditor) is already in the process of implementation, but not ready for public presentation yet. I hope the 0.2.0 version will show a lot of GUI transformations and new features.

>> that at least adds something new
Actually, this is the main purpose of publishing this tool. I am very glad that it became useful.
The Following User Gave Reputation+1 to RamMerLabs For This Useful Post:
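Since the Rich signature has no official documentation, here is an added Python example (not PE Anatomist's MASM code) of the decoding the post refers to: locate "Rich", recover the XOR key, walk back to "DanS", split each entry into product id, build and count, and recompute the checksum so that an edited header is detected. The VS-version mapping the author researched is not included, and the sample header is constructed inline rather than taken from a real file.

```python
import struct

def rol32(v, n):                          # 32-bit rotate left
    n %= 32
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF

def rich_checksum(before_dans, entries):
    """DanS offset + rotated DOS bytes (e_lfanew skipped) + rotated compids."""
    cksum = len(before_dans)
    for i, b in enumerate(before_dans):
        if not 0x3C <= i < 0x40:
            cksum += rol32(b, i)
    for compid, count in entries:
        cksum += rol32(compid, count)
    return cksum & 0xFFFFFFFF

def parse_rich(pe):
    """Decode the Rich header; None if absent or malformed."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    rich_off = pe.rfind(b"Rich", 0x40, e_lfanew)
    if rich_off < 0:
        return None
    key = struct.unpack_from("<I", pe, rich_off + 4)[0]
    words, off = [], rich_off - 4
    while off >= 0x40:                    # walk back, XOR-decoding, until 'DanS'
        w = struct.unpack_from("<I", pe, off)[0] ^ key
        if w == 0x536E6144:
            break
        words.append(w)
        off -= 4
    else:
        return None
    pairs = words[::-1][3:]               # drop the three zero padding dwords
    entries = [(pairs[i], pairs[i + 1]) for i in range(0, len(pairs) - 1, 2)]
    decoded = [{"prodid": c >> 16, "build": c & 0xFFFF, "count": n} for c, n in entries]
    # A key that does not match the recomputed checksum means the header was edited.
    ok = rich_checksum(pe[:off], entries) == key
    return {"key": key, "entries": decoded, "checksum_ok": ok}

def build_sample_pe(entries):
    """Constructed DOS header + Rich header + PE signature (demo input, not a real file)."""
    dos = bytearray(b"MZ") + bytearray(0x7E)    # 0x80 bytes; DanS follows
    key = rich_checksum(bytes(dos), entries)    # e_lfanew is excluded, so set it later
    rich = struct.pack("<I", 0x536E6144 ^ key) + struct.pack("<I", key) * 3
    for compid, count in entries:
        rich += struct.pack("<II", compid ^ key, count ^ key)
    rich += b"Rich" + struct.pack("<I", key)
    struct.pack_into("<I", dos, 0x3C, len(dos) + len(rich))   # e_lfanew
    return bytes(dos) + rich + b"PE\0\0"
```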
#8
RamMerLabs,
The more I play with it, the more I realize the amount of research (either original, or just collecting information on a specific PE feature) this project entails. Just to name some of the most impressive features: decoding of language specific exception handler data, .NET directory info, VB5 & VB6 specific data decoding etc. (Not sure where you decided to stop dealing with the VB or .Net specific data, since you could actually build a full fledged decompiler when you go in sufficient depth). Thanks for the work put into this project.

One thing I would advise against, though (sorry for being a bit intrusive here), is your language of choice for the development of the application; an application that relies heavily on a GUI would benefit greatly from being developed in a RAD-oriented language (I'm pointing towards some of the .net applications here). I do understand the urge to develop something in ASM, due to seeing it as a challenge to master, or being a purist (been through that stage), but in my experience, projects tend to quickly become difficult to manage in ASM. However it is your project, and you should develop it as you see fit.

Again thanks for releasing it, and I do hope to see more of it.
The Following User Says Thank You to Abaddon For This Useful Post:
#9
Abaddon
>> decoding of language specific exception handler data
Well, this feature still impresses me myself. Its source code is represented by the largest file from the entire project. But some details are not displayed yet - I just could not find a place for them in the GUI. For example, decoding MS Cpp FuncInfo or the latest MS Cpp EH4 format still does not show the header itself and some of its important fields, and DWARF support is very limited. But the work will continue. In addition, new formats of language specific data will be added soon.

I agree, each task requires suitable tools. But I chose MASM consciously, because first of all this project is designed to satisfy my curiosity and an assembly language only contributes to this. After all, the GUI is separate from the logic and rewriting the GUI in another language is generally not a big problem. But I definitely would not want to mess with interpreted languages.

The new version is planned in a couple of days, but most of the changes in it are aimed at fixing bugs and preparing for the upcoming big changes. So stay tuned, and thank you too, especially for making me practice English. I really hope that this practice of mine does not make you suffer while reading.
#10
Version 0.1.12.73 (2020-02-13)
PEAnatomist-0.1.12.zip

Change Log:
# A context menu integration bug fixed
# The behavior of the program when loading a new file with an open resource properties window is fixed
# Fixed error displaying descriptions of some characters in the Dyn.Value Relocations table
# Fixed error parsing ExceptionsData table for ARM Thumb: incorrect information about stored registers in compressed form of UnwindInfo
+ Natural sorting added for several more lists
# Fixed error populating the Catch Handlers list for UnwindInfo.EHData.CPP_EH4
# Fixed a bug leading to the slow execution of the "Select All" operation on large lists
+ Some lists with a large number of elements are switched to virtual mode
+ Added navigation through the associated UNWIND_INFO elements of the ExceptionData list for x64

The ExceptionData list is in virtual mode now, as well as several other lists. This significantly increased the list display speed for a large number of entries.
The Following 9 Users Say Thank You to RamMerLabs For This Useful Post:
#11
Version 0.1.13 (2020-04-25):
[#] Fixed error sorting some lists with signed long integers
[#] Fixed error displaying the ExceptionsData table in the presence of incorrect data
[#] Fixed error displaying the name of the section in the RVA description in some cases
[+] Added new description lines for section groups on the POGO page in IMAGE_DEBUG_DIRECTORY
[#] Optimization and refactoring of a significant part of the code
[+] Added new fields to LOAD_CONFIG_DIRECTORY from SDK 19041 - GuardEHContinuations, and undocumented ones - eXtended CFG (xFG)
[+] Added GuardEHContinuations list page
[+] Added new feature flags in the GFID list
[#] Fixed bug with incorrect line ending when copying to clipboard
[#] Fixed error parsing the table of COFF symbols if an incorrect address is specified
[-] The icon of the main program window no longer changes to the icon of the file being processed
[#] Fixed IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT parsing
[+] Added support for OBJ file and LIB file formats
[+] Added support for non-COFF OBJ files
[+] Added parsing of a symbol table for OBJ files
[+] Added page for summary information about import library entries in LIB files
[+] Added parsing of the table of sections and relocations of OBJ files
[+] The number of file extensions for integration into the Explorer context menu has been increased
[#] Fixed bug with integration into the shell context menu if the file extension was not previously registered in the system

WEB: PEAnatomist 0.1.13
The Following 5 Users Say Thank You to RamMerLabs For This Useful Post:
#12
Version 0.1.14 (2020-04-28):
[#] Fixed a bug that caused the program to crash when viewing the file header of PE files built by Borland Delphi (0.1.13 regression)
[#] Minor optimization of internal data structures
[+] Added the ability to extract members from LIB files
[+] Added file close menu

WEB: PEAnatomist 0.1.14
The Following User Gave Reputation+1 to RamMerLabs For This Useful Post:
#13
Version 0.1.15 (2020-05-30):
[#] Fixed the error in determining the minor version of VS 2017-2019 when decoding the Rich signature (regression 0.1.13 and 0.1.14)
[#] Fixed decoding of RT_STRING resources in the presence of incorrect data
[+] Added tab with detailed description of PE resource headers
[#] Resource tab redone to list without grouping by resource type
[#] Fixed sorting of the list of resources
[#] The procedure for parsing the resource directory has been changed, new criteria for data correctness have been added
[#] Fixed processing of the settings file during the first launch of the program
[#] Corrected the behavior of the COFF character parser in the presence of incorrect info about long symbol names
[#] Fixed the bug of constructing the context menu for listview in virtual mode
[#] Fixed saving the selected file type filter in the "Open file" dialog
[#] Fixed incorrect recognition of UTF16 lines in rare cases
[+] Added page of detected ANSI and UTF16 lines in PE file
[+] Added CodeView Debug Info parsing for OBJ files
[+] Added CodeView Debug Symbols parsing for OBJ files
[+] Added parsing of CodeView Types for OBJ files
[+] Added parsing of new CodeView Debug Symbol records up to S_REGREL32_INDIR_ENCTMP inclusive
[+] Added parsing of new CodeView Type leafs up to and including LF_INTERFACE2
[+] Added parsing of type information in OBJ files compiled by MSVC with the /GL flag or others in MS ILStore format

CodeView decoding is only available for OBJ files so far; PDB is probably on the way for the next version. Symbols and types are processed, the rest of the data will come with the PDB. New records of symbols and types are available up to the latest from VS 16.6 (S_REGREL32_INDIR_ENCTMP - 0x117B and LF_INTERFACE2 - 0x160B, respectively). For the selected records, a description of all the structure fields of these records is available, but so far some records look clumsy enough (LF_FIELDLIST).

I hope that soon I will make a more human-readable description, possibly including decoding into C or MASM syntax. Types from OBJ files compiled by MSVC with the /GL flag are decoded too (i.e. the result of the frontend of the compiler in the form of CIL (C Immediate Language, not Common IL from dotnet!), formatted in ILStore format).

I also want to ask for help with information about the ILStore format itself. I have already interpreted some structures, but this is a drop in the ocean. Perhaps there is something to read about this format (C Immediate Language, ILStore)? Thanks!

WEB: PEAnatomist-0.1.15
The Following 3 Users Gave Reputation+1 to RamMerLabs For This Useful Post:
The Following 11 Users Say Thank You to RamMerLabs For This Useful Post:
#14
>> C Immediate Language
I made a mistake in the text, there really should be "C Intermediate Language", sorry.
#15
Version 0.1.16 (2020-06-26):
[#] Slight optimization
[#] Fixed an error in determining register names in the CodeView symbols description in very rare cases
[+] Added the ability to copy entire columns to the clipboard with multiple row selection
[+] Added display settings for the FLC panel and status panel
[#] The error of scaling the size of the statusbar cells is fixed
[+] Splitter controls have been added in most of the tabs
[+] Added host resolving for ApiSet libraries in import tables
[+] Added selection of an external DLL for determining the ApiSet host in the program settings
[+] A partial search has been added to the ExceptionsData table (experimental function)

WEB: PEAnatomist-0.1.16
The Following 7 Users Say Thank You to RamMerLabs For This Useful Post: