  #16  
Old 09-11-2020, 03:36
RamMerLabs RamMerLabs is offline
Friend
 
Join Date: Feb 2020
Posts: 21
Rept. Given: 0
Rept. Rcvd 23 Times in 10 Posts
Thanks Given: 7
Thanks Rcvd at 113 Times in 20 Posts
RamMerLabs Reputation: 23
Version 0.1.17 (2020-09-10):
[+] Added recognition of the target from a MSI shortcut
[#] Fixed a bug with displaying some dialogs from the resources
[+] Updated set of CET policy flags and LOAD_CONFIG_DIRECTORY structure from SDK 20201
[+] Added display of xFG-hash value in the GFID list
[+] Added descriptions of several section groups on the "POGO" page in IMAGE_DEBUG_DIRECTORY
[#] Accelerated display of found strings in PE files
[+] Added an optional restriction to start the only instance of the program
[+] Added a menu for launching a copy of the program with the currently open file
[+] Added the ability to open a file from the clipboard
[#] Fixed loss of a symbol in strings detection if a long string was split into several
[+] Added string detection settings: recognition threshold and ignoring of strings without a trailing zero
[+] Added a dialog for selecting a Section object and opening a mapped file
[+] Introduced a limitation of one instance of the resource properties dialog per entry
[#] Optimization and clean up of a part of the code for working with ListView


WEB # PEAnatomist 0.1.17
The Following User Gave Reputation+1 to RamMerLabs For This Useful Post:
JeRRy (09-25-2020)
The Following 3 Users Say Thank You to RamMerLabs For This Useful Post:
besoeso (09-11-2020), MarcElBichon (09-11-2020), wilson bibe (09-11-2020)
  #17  
Old 10-22-2020, 04:46
RamMerLabs RamMerLabs is offline
Version 0.1.18 (2020-10-21):
[#] Fixed error displaying data from ~GUID in .NET metadata tables
[+] Added description of flags for entries in .NET metadata tables
[#] Fixed bug with positioning child windows on multi-monitor configurations
[+] Added creation of a minidump in case of an unhandled exception
[#] Updated @feat.00 flag description
[#] Changed description text for several IDs in Rich Signature
[#] Rewrote a part of the code to enumerate the 'Section' objects
[+] Added a column to the ExceptionsData X64 table to display the size of the stack allocation
[+] Added a request to start a new copy of the program when the restriction on starting the only instance of the program is enabled and running copy does not respond
[#] ExceptionsData X64 chain table format changed to more verbose
[#] Fixed error in determining the allocation size for UWOP_ALLOC_LARGE (1)
[+] Added a page for xFG hash values for OBJ files
[+] Added ExceptionsData x64, ARM64 and ARM for OBJ files
[#] Fixed a bug with working with sections in OBJ files in the presence of BSS with a certain set of parameters
[#] Fixed a bug with parsing unwind codes for ARM and ARM64 (in PE and OBJ files), which could appear on small files or in presence of a large number of epilogues in a function
[#] Cleaning up and slight optimization of the IA64 unwind codes parser
[+] Added a description of the section and an offset in it to the COFF symbol, which is referenced by the CodeView symbol in the corresponding forms of debug information
[+] Added options to search any value less or greater than the specified
[+] Added setting of the initial search position based on: the last found line, the selected line, or forced from the beginning of the list
[+] Added full-text search in all columns of the list (minimum query length - 2 characters, search is case insensitive only for ANSI characters)
[+] Added the ability to search in any list
[#] Fixed a bug with displaying the type name from TypeDef in the .NET metadata token description in rare cases (only the method name was displayed, without the type name)


WEB # PEAnatomist 0.1.18

Last edited by RamMerLabs; 10-22-2020 at 04:58.
The Following User Gave Reputation+1 to RamMerLabs For This Useful Post:
MarcElBichon (10-22-2020)
The Following 6 Users Say Thank You to RamMerLabs For This Useful Post:
Abaddon (10-24-2020), besoeso (10-23-2020), niculaita (10-23-2020), wilson bibe (10-22-2020), xobor (10-22-2020), zeuscane (10-22-2020)
  #18  
Old 11-01-2020, 00:45
mak mak is offline
Friend
 
Join Date: Feb 2010
Posts: 33
Rept. Given: 10
Rept. Rcvd 2 Times in 2 Posts
Thanks Given: 33
Thanks Rcvd at 30 Times in 13 Posts
mak Reputation: 2
@RamMerLabs

Could you make a plugin for x64dbg as a separate modification of your PEAnatomist program? That would be very convenient.
The Following User Says Thank You to mak For This Useful Post:
RamMerLabs (11-01-2020)
  #19  
Old 11-01-2020, 05:28
RamMerLabs RamMerLabs is offline
@mak
Nice idea!
I am currently reworking most of the code and this is a good chance to provide the ability to run the application as a plugin. But so far only for x86. I will probably gradually rewrite some parts in C, then it will be possible to talk about x64.
The Following 3 Users Say Thank You to RamMerLabs For This Useful Post:
mak (11-01-2020), MarcElBichon (11-01-2020), phroyt (11-16-2020)
  #20  
Old 01-04-2021, 21:10
RamMerLabs RamMerLabs is offline
Release 0.2.0 (2021-01-04):
Minor optimization and cleaning of list sorting code
Background color of resource properties dialog and hexview changed to standard for the used control
Cleaning headers, unifying declared data types, dividing code into independent modules
Fix display error for the symbols CV_COMPILESYM and CV_COMPILESYM3
Update register names and CodeView symbols from VS 16.8 and 16.9Preview
Add display of the COFF symbol referenced by the CLR token in the COFF symbol table
Add display of CLR token in CodeView symbols
Fix error displaying RT_STRING resource as text in rare cases
Fix error in defining COFF-symbol of exception handler in x64 OBJ-files
The used data types from CoreCLR 5 have been updated
Fix a crash when displaying the contents of the metadata tables of some obfuscated or compressed .NET files
Change .NET metadata streams description - stream RVA is displayed now
Fix matching RVA to offset for some alignment and section parameter combinations in PE files compiled by MinGW
Fix displaying a DelayImport table with incorrect content (regression starting 0.1.8)
Fix matching RVA to offset in case of forced loading of PE without sections
Add .NET Vtable Fixups display
Fix a rare error with displaying the name of some Codeview types in the pivot table (an incorrect name could be displayed if in fact it was of zero length)
Add decoding of MSVC ILStore symbol table (.cil$gl) in OBJ files (x86, x64, ARMThumb, ARM64) for VS16.8
Change the appearance of the main window in the absence of a loaded file
Add description for selected symbol in the MSVC ILStore symbol table
Add correction of indexes in the MSVC ILStore table of types in case of using PCH
Add description of types by their index in all supported MSVC ILStore tables
Add description of MSVC ILStore symbols referenced by selected symbol from table .cil$gl
Add parsing of CHPE configuration header and DynamicDataRelocations table for hybrid x64-over-ARM64 images (arm64x) from InsiderPreview 21277
Add x64 ExceptionsData table for hybrid x64-over-ARM64 images (arm64x)
Add parsing of ARM64 unwind codes for SIMD registers
Fix detection of the ARM64 unwind chain
New view of the settings dialog, division of settings into new categories
Add formatting settings for text copied to the clipboard from program tables
Fix error reading CodeView C13 subsections in some cases (most often it appeared on CodeView created by early versions of tools from VS2002 and VS2003)
Add search settings: remembering the last query and saving the selected starting position of the search
Add search options for text: match only from the beginning of a string, inversion of search results (i.e. search for strings where the desired text is absent)
Fix error displaying the "Parent Offset" parameter in the CodeView symbols S_DEFRANGE_REGISTER_REL and S_DEFRANGE_REGISTER_REL_INDIR
Fix error of reading MSVC ILStore type table when there are nested tables
Add support for decoding MSVC ILStore symbol table for all public versions of VisualStudio (7-16.9Preview2)
Add the ability to select all found lines for text search
Prevent unclosed search dialog from being used after destroying its associated ListView
Configuration file format has been changed to text view


WEB (updated) # Direct link to PEAnatomist-0.2.0

Last edited by RamMerLabs; 01-05-2021 at 18:09. Reason: correcting website link
The Following 3 Users Gave Reputation+1 to RamMerLabs For This Useful Post:
MarcElBichon (01-04-2021), quygia128 (01-06-2021), WRP (01-05-2021)
The Following 7 Users Say Thank You to RamMerLabs For This Useful Post:
Abaddon (01-05-2021), besoeso (01-05-2021), niculaita (01-05-2021), quygia128 (01-06-2021), TQN (01-05-2021), wilson bibe (01-05-2021), WRP (01-05-2021)
  #21  
Old 03-05-2021, 03:58
RamMerLabs RamMerLabs is offline
Release 0.2.1 (2021-03-04):

110B.009: Significant improvement to the MSVC ILStore (CxxIL) symbols parser and increased compatibility with different VS versions
1111.027: Decoding of local symbols table (.cil$sy) of MSVC ILStore (CxxIL) format in OBJ files
1117.033: Displaying the line number of the beginning of the function in the source file in the description of symbols MSVC ILStore (CxxIL)
1117.034: Fixed display of source file names in MSVC ILStore (CxxIL) symbols descriptions for VS 2002 and 2003 versions (encoding is not UTF8)
1118.035: Fixed decoding of LF_POINTER in CodeView and MSVC ILStore (CxxIL) type tables if the described type is a pointer to a class member
1119.036: Changed the names of some keys in the configuration file for portability in future versions
111B.039: Fixed display of CodeView type description in MSVC ILStore (CxxIL) tables, if debug information is moved to PDB
111C.046: Fixed error displaying the incorrect name in the description of a CodeView type referenced by another type or symbol (in rare cases)
1201.071: Accelerated access to sections and their data in OBJ files
1205.081: Added support for ExtendedObj files (a.k.a. BIGOBJ, obj files with more than 0xFEFF sections)
1207.094: For some types of CodeView debug information, a more detailed description is available (for example, for LF_POINTER, LF_MODIFIER, LF_ARRAY and LF_BITFIELD, the description of the type to which they refer and some properties are displayed)
120C.110: Clarified interpretation of data from Rich signature
121B.116: The program license was changed from MIT to Freeware (the text of the License Agreement is located in the "Readme" file)
1303.122: Fixed a bug with parsing version information from the resources section in some cases
1304.123: Fixed error getting a member name for LIB archives created by BSD-compatible toolkit
1304.124: Support for ARM64EC in OBJ files


website # Direct link to PEAnatomist-0.2.1
The Following 2 Users Gave Reputation+1 to RamMerLabs For This Useful Post:
MarcElBichon (03-05-2021), WRP (03-06-2021)
The Following 7 Users Say Thank You to RamMerLabs For This Useful Post:
alekine322 (03-07-2021), besoeso (03-06-2021), darkBLACK (03-09-2021), LaDidi (03-05-2021), mak (03-12-2021), wilson bibe (03-05-2021), WRP (03-06-2021)
  #22  
Old 03-25-2021, 05:29
RamMerLabs RamMerLabs is offline
Release 0.2.2 (2021-03-25):

1305.000: Fixed display of the CodeView type name in the description if the type index is not specified
1307.001: Fixed error displaying manifest text from PE resources in rare cases
1307.003: Added support for IA64, MIPS and Hitachi SH4 architectures in the CxxIL parser
1308.006: Fixed CxxIL parsing error for MSVC from VS2008Beta1
1309.007: Fixed infinite parsing of IMAGE_DIRECTORY_ENTRY_BASERELOC table in rare cases
1309.008: Fixed error of IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG display for some files created by linker versions below 6.0
1309.010: Fixed possible erroneous OBJ file recognition (regression of version 0.2.1)
130D.019: Cleaning and optimization of the parser for the ARM Thumb and ARM64 unwind codes
130F.022: Added a textual description of the epilogue execution condition for ARM Thumb unwind codes
130F.023: Fixed error displaying the epilogue execution condition for ARM Thumb unwind codes if the epilogue is specified as the only one (flag E)
130F.028: Added calculation of the epilogue beginning for the ARM Thumb and ARM64 unwind codes, if the epilogue is specified as the only one (flag E)
1311.029: Fixed light error in defining VS2017-2019 minor version in Rich signature (regression of version 0.2.1)
1311.030: Fixed error in displaying values from IMAGE_DELAYLOAD_DESCRIPTOR.UnloadInformationTableRVA in the delayed import table
1312.044: Fixed the mechanism for filling information for the description of RVA in PE, added detection of new information
1312.045: Accelerated display of the GFID table
1313.046: Simplified procedure for loading some files
1315.051: The storage of information for the description of RVA in PE files has been transferred to a hash table, the search time for the description for RVA has been significantly reduced
1318.053: Ctrl+Insert can be used along with Ctrl+C to copy information from the ListView to the clipboard
1318.057: The set of status information from the ListView has been expanded, there are: focused row index, total count of rows, count of selected rows


website # Direct link to PEAnatomist-0.2.2
The Following 8 Users Say Thank You to RamMerLabs For This Useful Post:
Abaddon (03-25-2021), chessgod101 (03-25-2021), mak (04-03-2021), MarcElBichon (03-25-2021), sh3dow (03-26-2021), tonyweb (03-25-2021), wilson bibe (03-25-2021), WRP (03-25-2021)
  #23  
Old 03-25-2021, 18:39
Abaddon Abaddon is offline
Friend
 
Join Date: May 2016
Posts: 40
Rept. Given: 0
Rept. Rcvd 2 Times in 2 Posts
Thanks Given: 128
Thanks Rcvd at 35 Times in 22 Posts
Abaddon Reputation: 2
Just a heads up, the links are (temporarily?) unavailable.
Thanks for the new release.

Edit: Apparently it was a temporary situation. Accessible after a few minutes.
  #24  
Old 03-25-2021, 18:53
RamMerLabs RamMerLabs is offline
Abaddon
Thank you for your feedback. I can't even guess what the reason is. I checked the server, it works fine. Sometimes, of course, there are interruptions, but today no incidents with either the server or the connection have been logged.
The Following User Says Thank You to RamMerLabs For This Useful Post:
Abaddon (03-25-2021)
  #25  
Old 03-25-2021, 19:01
Abaddon Abaddon is offline
Some suggestions/feedback regarding string detection (low priority)

The user should be able to define the alphabet of the searchable characters.

Or

Pre-selected combinations should be available to select from (in the form of a dropdown list).

The current configuration does not allow someone enough flexibility (i.e. excluding special characters); or, to be precise, the 64 characters to choose from are not transparent to the user.

Also, a good feature would be to be able to search unicode characters, characters from different languages (i.e. Russian) etc.

Again, thanks for the nice application.
Attached Images
File Type: jpg rammer.jpg (27.0 KB, 10 views)
The Following 2 Users Say Thank You to Abaddon For This Useful Post:
mak (04-03-2021), RamMerLabs (03-25-2021)
  #26  
Old 03-25-2021, 20:04
RamMerLabs RamMerLabs is offline
>>The user should be able to define the alphabet of the searchable characters.
Undoubtedly, there should be such a choice.
Moreover, I already did some of what you proposed, but the performance dropped noticeably and I had to remove these innovations (temporarily, I hope).
There were options with a choice of detected encodings, code pages, and a filter based on various criteria, but at the moment the implementation does not suit me.

PS: Unfortunately, I could not see the screenshot from the attachment - not enough rights.
The Following User Says Thank You to RamMerLabs For This Useful Post:
Abaddon (03-25-2021)
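
The string-detection options raised in this exchange and in the 0.1.17 notes (a user-defined alphabet, a recognition threshold, and ignoring strings without a trailing zero) can be sketched as below. This is an added example, not PEAnatomist code; `find_strings`, the preset alphabets and the sample bytes are assumptions constructed for illustration.

```python
import string

# Constructed presets for illustration; not PEAnatomist's own character set.
ALPHABETS = {
    "printable": frozenset(range(0x20, 0x7F)) | {0x09},
    "alnum": frozenset((string.ascii_letters + string.digits + " _.-").encode()),
}

# Constructed sample: a NUL-terminated ANSI name, a UTF-16LE string,
# an unterminated ANSI run, a too-short run and a run with special characters.
SAMPLE = (
    b"\x00\x01kernel32.dll\x00"
    b"\xff\xfe" + "Config".encode("utf-16-le") + b"\x00\x00"
    b"\x90\x90GetProcAddress\xcc"
    b"ab\x00"
    b"key=<v>\x00"
)


def find_strings(data, alphabet, min_len=4, require_nul=False, wide=False):
    """Return sorted (offset, text) pairs for runs of alphabet characters.

    alphabet    -- set of byte values accepted as string characters
    min_len     -- recognition threshold, in characters
    require_nul -- keep only runs followed by a zero terminator
    wide        -- scan UTF-16LE units (alphabet byte followed by 0x00)
    """
    step = 2 if wide else 1
    n = len(data)
    results = []
    # A UTF-16LE string can start at an odd file offset, so try both alignments.
    for start in range(step):
        i = start
        while i + step <= n:
            j = i
            chars = bytearray()
            while (j + step <= n and data[j] in alphabet
                   and (not wide or data[j + 1] == 0)):
                chars.append(data[j])
                j += step
            if len(chars) >= min_len:
                term = data[j:j + step]
                terminated = len(term) == step and not any(term)
                if terminated or not require_nul:
                    results.append((i, chars.decode("latin-1")))
            # Skip past the unit that ended the run (or the non-matching unit).
            i = j + step
    return sorted(results)


if __name__ == "__main__":
    for name, kwargs in [
        ("printable", {}),
        ("printable", {"require_nul": True}),
        ("alnum", {}),
        ("printable", {"wide": True}),
    ]:
        print(name, kwargs, find_strings(SAMPLE, ALPHABETS[name], **kwargs))
```
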
  #27  
Old 03-25-2021, 22:28
Abaddon Abaddon is offline
No problem, it was just a screenshot from the string options dialog.
I have described everything in text, which I assume communicated the message.
I should have foreseen the problem, being myself a plebeian. However, in my case, the title is well deserved, for I have been a very selfish reverse engineer.
You on the other hand, have contributed to the community; therefore, I ask the moderators/admins to promote you.
  #28  
Old 05-09-2021, 06:54
RamMerLabs RamMerLabs is offline
Release 0.2.3 (2021-05-09):
1319.000: Fixed the Statusbar value of the focused line for an empty ListView in certain situations
131A.001: Eliminated possible freeze after the search resumed, if the contents of the list have been changed
131B.007: Added definition of the function beginning and its description on the LoadConfig GuardEHContinuations tab for x64
131B.008: Fixed displaying the type index in the CodeView types table in OBJ files if PCH is used (regression of version 0.2.2)
140B.011: Optimized display of status information from ListView for very large lists
140B.014: Added display of additional Function (.bf, .ef) and FunctionSym symbols in the COFF symbol table of OBJ files
140C.015: Fixed erroneous display of INT value in CFG IAT table if import is performed by ordinal (regression of version 0.2.2)
140D.017: Added XFGHASHMAP parsing in LIB files
140F.022: Added collection of information about exception handlers (x64, ARM, ARM Thumb, ARM64, IA64) and COFF symbols for describing RVA in PE files
1410.025: Accelerated display of COFF symbol table in PE files, added display of some additional symbol records
1411.029: A 'Column' drop-down list in a searching dialog is disabled if only fulltext search is available (i.e. only one search option)
1413.031: Added export of GFID bitmap to file
1415.032: Fixed a bug with parsing the resource table in PE files if IMAGE_RESOURCE_DATA_ENTRY is placed at the end of the table
1416.038: Added optional display of full paths in the recent files list, long paths are limited to the file name and the initial part of the path
1416.039: Changed the format of the main window title, the name of the loaded file is displayed first now
1417.045: Eliminated redundant work with the menu when loading files and generating a list of recent files
1418.046: Added OS shell notification about file associations changing
1419.049: Added optional tooltip with description of RVA calculated in FLC (disabled by default)
141A.053: Added definition of the function beginning and its description on the LoadConfig GuardEHContinuations tab for ARM64 (InsiderPreview 21364)
141B.055: Fixed error displaying multiple values of the "Translation" key in RT_VERSION resources
141B.057: Added a column with functions description in the ExceptionsData table for all supported architectures (for x64, ARM Thumb and ARM64, some columns are now hidden by default)
1505.059: Fixed error displaying SEH Scope on the ExceptionsData page for ARM7/ARM LE in some cases
1507.060: Added a separate tab for the ARM64 unwind chain on the ExceptionsData page
1507.072: Added recognition of some types of exception handlers for all supported architectures
1507.073: Added a column with the type of exception handlers in the ExceptionsData table, the column with the handler's RVA is hidden by default
1508.074: Fixed a rare error filling information from the export table for the RVA description


Homepage # PEAnatomist 0.2.3
The Following 2 Users Gave Reputation+1 to RamMerLabs For This Useful Post:
conan981 (05-09-2021), MarcElBichon (05-09-2021)
The Following 5 Users Say Thank You to RamMerLabs For This Useful Post:
Abaddon (05-10-2021), besoeso (05-09-2021), conan981 (05-09-2021), wilson bibe (05-09-2021), WRP (05-09-2021)
  #29  
Old 06-09-2021, 05:58
RamMerLabs RamMerLabs is offline
Release 0.2.4 (2021-06-08):
150F.001: Added unwinding code for ARM64 Pointer Authentication extension instructions (InsiderPreview 21382)
1511.003: Added a column with the unwind chain depth in the x64 ExceptionsData table (hidden by default)
1511.004: Fixed a bug with enabling ListView columns hidden by default after restarting the program (regression from version 0.2.0)
1516.013: Fixed crash during parsing of corrupted COFF symbol table in PE files
1517.015: Fixed the old error of displaying the "Security" tab for PE files in some cases
1518.016: Fixed error in validation of program window position settings if opposite sides of the window go beyond the desktop (regression from version 0.2.0)
151B.021: Added entropy plotting
151B.025: Added entropy calculation settings for plotting and plot display settings
1601.032: Added a hint about the fileoffset and the corresponding section under the cursor on the entropy plot
1604.033: The last active tab of the settings dialog is restored after reopening
1608.040: Added optional labels for section boundaries on the entropy plot


Homepage # PEAnatomist 0.2.4
The Following 3 Users Gave Reputation+1 to RamMerLabs For This Useful Post:
hors (06-09-2021), MarcElBichon (06-09-2021), sh3dow (06-11-2021)
The Following 12 Users Say Thank You to RamMerLabs For This Useful Post:
2late (06-16-2021), Abaddon (06-12-2021), besoeso (06-12-2021), darkBLACK (06-14-2021), hors (06-09-2021), LordGarfio (06-10-2021), niculaita (06-10-2021), sh3dow (06-11-2021), traf0 (06-09-2021), wild (06-15-2021), wilson bibe (06-09-2021), Zeokat (06-10-2021)
All times are GMT +8. The time now is 22:20.