Exetools  
  #31  
11-09-2021, 01:57
RamMerLabs
Release 0.2.6 (2021-11-08):
  • Fixed a number of errors in the parser of import tables for modified PE
  • Updated information about new Codeview symbols from VS2022
  • Clarified interpretation of some build numbers from Rich signature
  • Expanded dataset for describing CoffGroups in the IMAGE_DEBUG_TYPE_POGO table
  • Numerous minor fixes

Homepage # Changelog # PEAnatomist 0.2.6
  #32  
11-09-2021, 02:31
Kurapica
Excellent work.

Respect+
  #33  
01-04-2022, 04:34
RamMerLabs
Release 0.2.7 (2022-01-03):
  • Entropy calculation with configurable block overlap for entropy graph
  • Ability to save several PE resources or LIB members to a file at once
  • A page describing WoW thunks in hybrid PE (ARM64EC, ARM64X)
  • Fixed error in processing the exception table for emulated architecture code in hybrid PE (ARM64EC)
  • Improved compatibility with certain older versions of MS Visual Studio

Homepage # Changelog # PEAnatomist 0.2.7
  #34  
03-06-2022, 04:03
RamMerLabs
Release 0.2.8 Final (2022-03-05):
  • Added display of information about IMAGE_DEBUG_TYPE_BBT (Basic Block Transformation)
  • Fixed CORCOMPILE_HEADER header parsing error for .NetFramework 4.6 - 4.6.2
  • Added support for IMAGE_FILE_MACHINE_POWERPCBE (Xbox 360, uncompressed PE only)
  • Added support for IMAGE_REL_BASED_HIGHADJ
  • Fixed a number of bugs

Homepage # Changelog # PEAnatomist 0.2.8
  #35  
03-07-2022, 13:35
Abaddon
RamMerLabs, if you are in one of the countries involved in the current conflict, I wish that you and your family are safe and well. The same goes for any other members of this forum.
Sorry to contact you like this in a public forum, but I have no PM privileges and no other means of reaching you.
Be safe.
  #36  
03-13-2022, 22:42
DavidXanatos
I think the loading of exports for ARM 32-bit is not quite right:
For my Win 11 test machine, \SysArm32\ntdll.dll's LdrLoadDll has, according to PEAnatomist, the RVA 0x2F9F1, and the image base is 0x4B280000; however, when stepping through an ARM32 project, LdrLoadDll is in my instance at 0x7723F9F0 with the base at 0x77210000, so the RVA seems to be 0x2F9F0, 1 less than what PEAnatomist shows. Also, checking with IDA, it says the address of that function is 0x4B2AF9F0; that minus the base address also gives 0x2F9F0 as the correct RVA.
Now that said, the peview of Process Hacker makes the same mistake :/
It's strange that the values in the file are all off by exactly 1; it's the same for all functions I checked.
Cheap fix: add -1 to the RVA if it's an ARM image, but I would prefer to understand why it's so and have a proper fix.
  #37  
03-13-2022, 23:25
RamMerLabs
The reason is that Windows runs ARM7 in Thumb instruction set mode, and the "1" in every RVA of executable code is an indicator of this: 1 - Thumb, no 1 - no Thumb. There is no mistake, it's native.
ARM7 has a 2- or 4-byte instruction length, so this 1 in the RVA doesn't affect real addresses.
BTW, it's right to apply (AND (NOT 0x1)) instead of subtraction.

Last edited by RamMerLabs; 03-13-2022 at 23:43.
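Added example in Python (not PEAnatomist's code and not from either poster): the Thumb-bit handling discussed in the two posts above, clearing bit 0 with AND NOT 1 on ARMNT images instead of subtracting 1, checked against the LdrLoadDll values quoted in the thread. The IMAGE_FILE_MACHINE constants are the winnt.h values; the even "data export" RVA is a constructed value, not something from the thread.

```python
# Added example, not PEAnatomist's or the posters' code.
IMAGE_FILE_MACHINE_ARMNT = 0x01C4  # IMAGE_FILE_HEADER.Machine: 32-bit ARM, Thumb-2
IMAGE_FILE_MACHINE_I386 = 0x014C   # for comparison: bit 0 is a real address bit here


def split_thumb_bit(rva, machine):
    """Return (target RVA, is_thumb) for an export/entry RVA.

    On ARMNT images bit 0 of a code RVA is the Thumb interworking flag, not part
    of the address: Thumb instructions are 2 or 4 bytes long, so real code
    addresses are always even. On every other machine the bit is left alone.
    """
    if machine != IMAGE_FILE_MACHINE_ARMNT:
        return rva, False
    return rva & ~1, bool(rva & 1)


def cheap_fix(rva):
    """The '-1' workaround from the question: only right when bit 0 is set."""
    return rva - 1


def rva_from_debugger(runtime_va, runtime_base):
    """RVA as seen in a debugger: runtime address minus the actual load base."""
    return runtime_va - runtime_base


def annotate_exports(exports, machine):
    """exports: iterable of (name, rva) as read from IMAGE_EXPORT_DIRECTORY.
    Returns {name: (target rva, is_thumb)} so a viewer can show both facts."""
    return {name: split_thumb_bit(rva, machine) for name, rva in exports}


if __name__ == "__main__":
    # Values quoted in the thread: SysArm32 ntdll.dll LdrLoadDll has file RVA
    # 0x2F9F1, preferred base 0x4B280000, and was observed at 0x7723F9F0 with
    # the module loaded at 0x77210000.
    file_rva, preferred_base = 0x2F9F1, 0x4B280000
    target, thumb = split_thumb_bit(file_rva, IMAGE_FILE_MACHINE_ARMNT)
    print(hex(target), thumb)                                   # 0x2f9f0 True
    print(hex(rva_from_debugger(0x7723F9F0, 0x77210000)))       # 0x2f9f0
    print(hex(preferred_base + target))                         # 0x4b2af9f0 (IDA)
    # Constructed even RVA (hypothetical data export): masking keeps it intact,
    # the '-1' workaround would corrupt it.
    data_rva = 0x41000
    print(split_thumb_bit(data_rva, IMAGE_FILE_MACHINE_ARMNT), hex(cheap_fix(data_rva)))
```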
  #38  
03-16-2022, 04:12
RamMerLabs
Release 0.2.9 Final Fix1 (2022-03-15):
  • Fixed entropy graph drawing error on Windows 7 and newer

Homepage # Changelog # PEAnatomist 0.2.9
  #39  
04-17-2022, 02:15
RamMerLabs
Release 0.2.10 Final Fix2 (2022-04-16):
  • Fixed error displaying data from UnwindInfo CxxFH3 tables for ARM7
  • Fixed CodeView symbols S_DEFRANGE_CONSTVAL_ON_ENTRY and S_DEFRANGE_GLOBALSYM_ON_ENTRY from VS2022 17.2Pre3
  • Fixed leak of GDI objects when using more than one ListView column setup dialog at the same time

Homepage # Changelog # PEAnatomist 0.2.10
  #40  
05-18-2022, 05:31
RamMerLabs
Release 0.2.11 Final Fix3 (2022-05-18):
  • Fixed bug with enumeration of IMAGE_DYNAMIC_RELOCATION_FUNCTION_OVERRIDE symbol in DVRT table
  • Added separate page for IMAGE_DYNAMIC_RELOCATION_FUNCTION_OVERRIDE symbol content in DVRT table (backport from 0.3.10516.1931)

Homepage # Changelog # PEAnatomist 0.2.11
  #41  
07-13-2022, 02:44
RamMerLabs
Update 0.2.10712.2124 (2022-07-12):
  • Eliminated a rare out-of-bounds read during recognition of the exception handler kind in some PE files
  • Eliminated an out-of-bounds access in some distorted PEs during IMAGE_DIRECTORY_ENTRY_DEBUG parsing and dotnet metadata header handling

Homepage # Changelog # PEAnatomist 0.2
  #42  
09-14-2022, 02:49
RamMerLabs
Update 0.2.10913.2121 (2022-09-13):
  • Updated list of sections and values of Ready2Run header flags from dotnet 7
  • Fixed signature enumeration error in ImportSections table for Ready2Run and NGEN

Homepage # Changelog # PEAnatomist 0.2
  #43  
11-09-2022, 04:59
RamMerLabs
Update 0.2.11108.2330 (2022-11-08):
  • Fixed an error in determining RVA of the PE COFF-symbol table entries made by VS4-6 and some versions of GNU toolsets

Homepage # Changelog # PEAnatomist 0.2
  #44  
01-03-2023, 00:56
RamMerLabs
Update 0.2.11302.1901 (2023-01-02):
  • Added recognition of a number of Cpp exception handlers in the IMAGE_LOAD_CONFIG_DIRECTORY.SEHandlerTable table for x86 and parsing of FuncInfo3 structures
  • Added file offset column to specified structure field for lists displaying some PE headers
  • Added VolatileMetadata tab for OBJ files
  • Added a number of improvements to the ExceptionsTable tab for various architectures
  • Fixed several bugs

Homepage # Changelog # PEAnatomist 0.2
  #45  
01-20-2023, 23:19
RamMerLabs
Update 0.2.11320.1732 (2023-01-20):
  • Expanded support for Dynamic Value Relocations Table
  • Added CORCOMPILE_HEADER header parsing for all published .NET Framework versions
  • Added CORCOMPILE_VERSION_INFO header parsing for all published .NET Framework versions
  • Added parsing of dotNet metadata tables from CORCOMPILE_HEADER and READYTORUN_HEADER headers
  • Fixed several bugs

Homepage # Changelog # PEAnatomist 0.2