12-02-2019, 00:24
Lo*eXeTools*rd
Join Date: Jan 2005
Location: Moscow, Russia
PE Anatomist
PE Anatomist - PE file internals
PE Anatomist shows almost all known data structures inside a PE file and makes some analytics.
Author: RamMerLabs
Project Home: rammerlabs.alidml.ru
Overview
FILE FORMATS
PE IMAGE ARCHITECTURES
- Intel x86
- AMD64
- ARM7
- ARM7 Thumb
- ARM8-64
- Intel IA64
- CHPE (x86 on ARM8-64)
HEADERS AND DATA STRUCTURES PARSING
- IMAGE_DOS_HEADER (partially), IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER, IMAGE_OPTIONAL_HEADER64 with additional information about some fields
- Table of COFF symbols
- Sections table, supporting long section names (via symbols table) and entropy calculation
- Import table (supports MS-styled names demangling)
- Bound Import Table
- Delayed Import Table
- Export Table with additional info
- Resource Table with additional info about different resource types and detailed view for all types
- Base Relocation Table. Target address determining and interpretation available for all supported architectures. It detects imports, delayed imports, exports, tables from loadconfig directory, ANSI and UNICODE strings.
- Brief info about PE Authenticode Signature
- LoadConfig Directory with SEH, GFID, GIAT, Guard LongJumps, CHPE Metadata, Dynamic Value Reloc Table, Enclave Configuration, Volatile Metadata tables parsing and additional information about some fields
- Debug Directory. It parses contents of CODEVIEW, POGO, VC FEATURE, REPRO, FPO, EXDLL CHARACTERISTICS, SPGO debug types
- TLS config and callbacks table with additional information about some fields
- Exceptions Data Table. x64 (including version 2 with EPILOG unwind codes), arm, arm64, ia64 architectures are supported, as well as chain of unwind data for x64, language-specific handler data (C Scope, C++ FuncInfo, C++ EH4, C++ DWARF LSDA) and hexadecimal view of unwind data
- Partial .NET directory parsing: IMAGE_COR20_HEADER, CORCOMPILE_HEADER, READYTORUN_HEADER with additional information about some fields
- Decodes the Rich signature, indicating the tool used, the action being taken, the full version of the tool, and the version of VisualStudio to which the tool belongs
- IAT table contents
History
0.2.5 (2021-08-25)
- ListView context menu revision and keyboard accessibility improvements
- Added support for Cxx20Modules in MSVC ILStore parser (CxxIL)
- Added settings for the number of remembered recent files and the formatting of text copied to the clipboard
- Updated some ARM64EC related structures from WDK 22000
- Significantly sped up the construction of the ExceptionsData table in OBJ files
- Fixed several bugs
0.1.6.260 (2019-11-23)
- Fixed parsing of import table modified by some packers
- Added forced cleaning of recent files list
- Added reaction to the ENTER key in FLC text fields
- New settings:
- set main window always on top;
- contrast selection of alternating lists background;
- number of bytes displayed in the HEX form in the description in the Base Relocations table;
- restore last opened tab;
- pasting the list header into the data copied to the clipboard;
- use the ESC key to exit the program
- Display of minor instrument version in RICH signature for VS2017 and higher fixed
- Fixed incorrect behavior when resizing the main window
- Deleting file associations fixed
- FLC editboxes are cleared after loading a new file
- Fixed the error in displaying the section table if some header fields were nullified
- Added section naming by number if their name is not specified in the header or does not contain printable characters
- The mechanism for working with sections and calculating the correspondence of RVA to raw offset has been completely redone
- Several FLC bugs fixed
0.1.5.46 (2019-11-09)
- IMAGE_DIRECTORY_ENTRY_IAT table parsing available
- Symbols description added in Dynamic Value Relocations table
- Data description added in Volatile Metadata table for x86
- Minor optimizations of the code preparing new GUI
- FuncInfo4 (ExceptionsData table) parsing error fixed, which appeared when the data layout was optimized
- FuncInfo4 (ExceptionsData table) with Separated code segments parsing error fixed
- RVA of instructions for appropriate unwind codes added in table for x64
0.1.4.192 (2019-10-31)
- ExceptionsData table LSDA headers parsing improved
- LSDA headers parsing implemented for C Builder 10.2 and newer
- Commandline keys are not required to open a file
- Minor error in filename processing fixed
- Recent files menu available now
- The program settings file layout modified
- Any size overlays supported
- GUI handling optimized
- Hide unused tabs
- HighDPI support
0.1.3.2 (2019-10-19)
- x64 ExceptionsData Table parsing bug fixed
0.1.2.57 (2019-10-18)
- Taskbar file icon display fixed
- Crash on unsupported files fixed
- Files load errors display added
- Internal data size optimization
- ExceptionsData Table parsing speed optimization
__________________
EnJoy!
Last edited by Jupiter; 10-17-2021 at 18:44.
Reason: v0.2.5 (2021-08-25)
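As an added illustration of the header and section-table parsing that the post lists (example code written here, not PE Anatomist's own code): a small Python parser that follows IMAGE_DOS_HEADER.e_lfanew to IMAGE_FILE_HEADER, walks the section table, computes per-section Shannon entropy (a quick indicator of packed or encrypted sections), and names sections by number when the header name is empty or non-printable. The numbering format `#N` and the sample image are my own construction, not the tool's.

```python
import math
import struct

FILE_HDR = "<HHIIIHH"       # IMAGE_FILE_HEADER (20 bytes)
SEC_HDR = "<8sIIIIIIHHI"    # IMAGE_SECTION_HEADER (40 bytes)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes, 0.0 if empty."""
    n = len(buf)
    if n == 0:
        return 0.0
    counts = [buf.count(b) for b in set(buf)]
    return -sum(c / n * math.log2(c / n) for c in counts)


def parse_sections(data: bytes):
    """Return (Machine, [section dict, ...]) for a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(FILE_HDR, data, e_lfanew + 4)
    off = e_lfanew + 4 + struct.calcsize(FILE_HDR) + opt_size  # first section header
    sections = []
    for idx in range(1, nsec + 1):
        name, _vsize, va, rsize, rptr, *_ = struct.unpack_from(SEC_HDR, data, off)
        name = name.rstrip(b"\0")
        # Empty or non-printable names get a numeric label (my convention, hypothetical)
        label = name.decode("ascii") if name and all(32 <= c < 127 for c in name) else f"#{idx}"
        raw = data[rptr:rptr + rsize]  # a truncated file simply yields a short slice
        sections.append({"name": label, "va": va, "raw_size": rsize,
                         "truncated": len(raw) < rsize, "entropy": shannon_entropy(raw)})
        off += struct.calcsize(SEC_HDR)
    return machine, sections


def build_sample_pe() -> bytes:
    """Constructed minimal AMD64 image with two sections; headers only, not runnable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)   # e_lfanew lives at 0x3C
    nsec = 2
    raw_base = e_lfanew + 4 + struct.calcsize(FILE_HDR) + nsec * struct.calcsize(SEC_HDR)
    text = b"\x90" * 256            # all NOPs: entropy 0.0
    blob = bytes(range(256))        # every byte value once: entropy 8.0
    file_hdr = struct.pack(FILE_HDR, 0x8664, nsec, 0, 0, 0, 0, 0x22)
    sec1 = struct.pack(SEC_HDR, b".text", 256, 0x1000, 256, raw_base, 0, 0, 0, 0, 0x60000020)
    sec2 = struct.pack(SEC_HDR, b"", 256, 0x2000, 256, raw_base + 256, 0, 0, 0, 0, 0xE0000040)
    return dos + b"PE\0\0" + file_hdr + sec1 + sec2 + text + blob
```

Running `parse_sections(build_sample_pe())` reports `.text` with entropy 0.0 and the unnamed second section as `#2` with entropy 8.0; feeding a truncated copy of the image marks the cut section as `truncated` instead of crashing.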