Exetools  

  #31  
Old 11-09-2021, 01:57
RamMerLabs
Release 0.2.6 (2021-11-08):
  • Fixed a number of errors in the parser of import tables for modified PE
  • Updated information about new Codeview symbols from VS2022
  • Clarified interpretation of some build numbers from Rich signature
  • Expanded dataset for describing CoffGroups in the IMAGE_DEBUG_TYPE_POGO table
  • Numerous minor fixes

Homepage # Changelog # PEAnatomist 0.2.6
  #32  
Old 11-09-2021, 02:31
Kurapica
Excellent work.

Respect+
  #33  
Old 01-04-2022, 04:34
RamMerLabs
Release 0.2.7 (2022-01-03):
  • Entropy calculation with configurable block overlap for entropy graph
  • Ability to save several PE resources or LIB members to a file at once
  • A page describing WoW thunks in hybrid PE (ARM64EC, ARM64X)
  • Fixed error in processing the exception table for emulated architecture code in hybrid PE (ARM64EC)
  • Improved compatibility with certain older versions of MS Visual Studio

Homepage # Changelog # PEAnatomist 0.2.7
  #34  
Old 03-06-2022, 04:03
RamMerLabs
Release 0.2.8 Final (2022-03-05):
  • Added display of information about IMAGE_DEBUG_TYPE_BBT (Basic Block Transformation)
  • Fixed CORCOMPILE_HEADER header parsing error for .NetFramework 4.6 - 4.6.2
  • Added support for IMAGE_FILE_MACHINE_POWERPCBE (Xbox 360, uncompressed PE only)
  • Added support for IMAGE_REL_BASED_HIGHADJ
  • Fixed a number of bugs

Homepage # Changelog # PEAnatomist 0.2.8
  #35  
Old 03-07-2022, 13:35
Abaddon
RamMerLabs, if you are in one of the countries involved in the current conflict, I wish that you and your family are safe and well. Same goes for any other members of this forum.
Sorry to contact you like this in a public forum, but I have no PM privileges, and no other means of reaching you.
Be safe.
  #36  
Old 03-13-2022, 22:42
DavidXanatos
I think the loading of exports for ARM 32-bit is not quite right:
For my Win 11 test machine, \SysArm32\ntdll.dll's LdrLoadDll has, according to PEAnatomist, the RVA of 0x2F9F1 and the image base is 0x4B280000; however, when stepping through an ARM32 project, LdrLoadDll is in my instance at 0x7723F9F0 with base at 0x77210000, so the RVA seems to be 0x2F9F0, 1 less than what PEAnatomist shows. Also, checking with IDA, it says the address of that function is 0x4B2AF9F0; that minus the base address also gives 0x2F9F0 as the correct RVA.
Now, that said, the peview of Process Hacker makes the same mistake :/
It's strange that the values in the file are all off by exactly 1; it's the same for all functions I checked.
Cheap fix: add -1 to the RVA if it's an ARM image, but I would prefer to understand why it's so and have a proper fix.
  #37  
Old 03-13-2022, 23:25
RamMerLabs
The reason is that Windows runs ARM7 in Thumb instruction set mode. And the "1" in every RVA of executive code is an indicator of this: 1 - Thumb, no 1 - no Thumb. There is no mistake, it's native.
ARM7 has instruction lengths of 2 or 4 bytes, so this 1 in the RVA doesn't affect real addresses.
BTW, it's right to apply (AND (NOT 0x1)) instead of subtraction.

Last edited by RamMerLabs; 03-13-2022 at 23:43.
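The Thumb-bit handling discussed in posts #36 and #37, as an added example that is not part of the thread and not PEAnatomist's code: it reads the COFF Machine field, then splits a code export RVA into the instruction RVA and the Thumb flag by masking, using the addresses quoted in post #36. The header bytes are constructed, the function names are hypothetical, and the use of IMAGE_FILE_MACHINE_ARMNT (0x01C4) as the machine type of such images is an assumption.

```python
import struct

# Assumption: 32-bit Windows-on-ARM images use this COFF machine type (Thumb-2).
IMAGE_FILE_MACHINE_ARMNT = 0x01C4

def pe_machine(data):
    """Return the COFF Machine field of a PE image given its header bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]

def split_code_rva(machine, rva):
    """Split a code export RVA into (instruction RVA, Thumb flag).

    Only meaningful for RVAs that point at code; data exports carry no mode bit.
    """
    if machine != IMAGE_FILE_MACHINE_ARMNT:
        return rva, False
    return rva & ~1, bool(rva & 1)

def code_address(base, machine, rva):
    """Address of the first instruction when the image is loaded at `base`."""
    return base + split_code_rva(machine, rva)[0]

# Constructed minimal header: "MZ", e_lfanew = 0x40 at offset 0x3C, then PE + Machine.
SAMPLE_HEADER = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
                 + b"PE\0\0" + struct.pack("<H", IMAGE_FILE_MACHINE_ARMNT))

if __name__ == "__main__":
    machine = pe_machine(SAMPLE_HEADER)
    raw = 0x2F9F1  # LdrLoadDll export RVA as stored in the file (post #36)
    rva, thumb = split_code_rva(machine, raw)
    print(f"stored {raw:#x} -> code RVA {rva:#x}, thumb={thumb}")
    print(f"file view:    {code_address(0x4B280000, machine, raw):#x}")
    print(f"runtime view: {code_address(0x77210000, machine, raw):#x}")
    # Masking is idempotent; subtracting 1 breaks a value that is already clean.
    print(f"mask twice: {split_code_rva(machine, rva)[0]:#x}, subtract: {rva - 1:#x}")
```

Masking leaves an already-even RVA unchanged, whereas subtracting 1 from it would point one byte before the function.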
  #38  
Old 03-16-2022, 04:12
RamMerLabs
Release 0.2.9 Final Fix1 (2022-03-15):
  • Fixed entropy graph drawing error on Windows 7 and newer

Homepage # Changelog # PEAnatomist 0.2.9
  #39  
Old 04-17-2022, 02:15
RamMerLabs
Release 0.2.10 Final Fix2 (2022-04-16):
  • Fixed error displaying data from UnwindInfo CxxFH3 tables for ARM7
  • Fixed CodeView symbols S_DEFRANGE_CONSTVAL_ON_ENTRY and S_DEFRANGE_GLOBALSYM_ON_ENTRY from VS2022 17.2Pre3
  • Fixed leak of GDI objects when using more than one ListView column setup dialog at the same time

Homepage # Changelog # PEAnatomist 0.2.10
  #40  
Old 05-18-2022, 05:31
RamMerLabs
Release 0.2.11 Final Fix3 (2022-05-18):
  • Fixed bug with enumeration of IMAGE_DYNAMIC_RELOCATION_FUNCTION_OVERRIDE symbol in DVRT table
  • Added separate page for IMAGE_DYNAMIC_RELOCATION_FUNCTION_OVERRIDE symbol content in DVRT table (backport from 0.3.10516.1931)

Homepage # Changelog # PEAnatomist 0.2.11
All times are GMT +8.