PE Anatomist - PE files internals

PE Anatomist shows almost all known data structures inside a PE file and makes some analytics.

Author: RamMerLabs
Project Home: rammerlabs.alidml.ru

Overview

FILE FORMATS

  • PE32
  • PE32+

PE IMAGE ARCHITECTURES

  • Intel x86
  • AMD64
  • ARM7
  • ARM7 Thumb
  • ARM8-64
  • Intel IA64
  • CHPE (x86 on ARM8-64)

HEADERS AND DATA STRUCTURES PARSING

  • IMAGE_DOS_HEADER (partially), IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER, IMAGE_OPTIONAL_HEADER64 with additional information about some fields
  • Table of COFF symbols
  • Sections table, supporting long section names (via symbols table) and entropy calculating
  • Import table (supports MS-styled names demangling)
  • Bound Import Table
  • Delayed Import Table
  • Export Table with additional info
  • Resource Table with additional info about different resource types and detailed view for all types
  • Base Relocation Table. Target address determination and interpretation are available for all supported architectures. It detects imports, delayed imports, exports, tables from the LoadConfig directory, and ANSI and UNICODE strings.
  • Brief info about PE Authenticode Signature
  • LoadConfig Directory with SEH, GFID, GIAT, Guard LongJumps, CHPE Metadata, Dynamic Value Reloc Table, Enclave Configuration, Volatile Metadata tables parsing and additional information about some fields
  • Debug Directory. It parses contents of CODEVIEW, POGO, VC FEATURE, REPRO, FPO, EXDLL CHARACTERISTICS, SPGO debug types
  • TLS config and callbacks table with additional information about some fields
  • Exceptions Data Table. The x64 (including version 2 with EPILOG unwind codes), arm, arm64 and ia64 architectures are supported, as well as chained unwind data for x64, language-specific handler data (C Scope, C++ FuncInfo, C++ EH4, C++ DWARF LSDA) and a hexadecimal view of unwind data
  • Partial .NET directory parsing: IMAGE_COR20_HEADER, CORCOMPILE_HEADER, READYTORUN_HEADER with additional information about some fields
  • Rich signature decoding, showing the tool used, the action taken, the full version of the tool, and the version of Visual Studio the tool belongs to
  • IAT table contents
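As an added illustration of the section-table handling listed above (section parsing, entropy calculation, and the RVA-to-raw-offset mapping that target-address determination relies on), the following Python is example code written for this page, not PE Anatomist's own source; the two-section PE32 image it parses is constructed inline as test input.

```python
import math
import struct
from collections import Counter

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER: 40 bytes

def parse_sections(data):
    """Walk DOS header -> PE signature -> IMAGE_FILE_HEADER -> section table; returns (name, VA, VirtualSize, PointerToRawData, SizeOfRawData)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PtrToSymbols, NumSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    off = e_lfanew + 4 + 20 + opt_size  # section headers follow the optional header
    sections = []
    for _ in range(nsect):
        f = struct.unpack_from(SECTION_FMT, data, off)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, f[2], f[1], f[4], f[3]))
        off += struct.calcsize(SECTION_FMT)
    return sections

def rva_to_raw(sections, rva):
    """Map an RVA to a file offset via the section table; None if unmapped or in a section's zero-filled tail (VirtualSize > SizeOfRawData)."""
    for _name, va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            delta = rva - va
            return raw_ptr + delta if delta < raw_size else None
    return None

def entropy(buf):
    """Shannon entropy in bits per byte (0.0..8.0); values near 8 suggest packed or encrypted data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def section_entropies(data, sections):
    return {name: entropy(data[raw:raw + size]) for name, _, _, raw, size in sections}

def build_sample():
    """Constructed two-section PE32 image (headers only, no real code) used as test input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)  # i386, 2 sections, optional header omitted
    text = struct.pack(SECTION_FMT, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    data = struct.pack(SECTION_FMT, b".data", 0x1000, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    hdr = (dos + b"PE\0\0" + file_hdr + text + data).ljust(0x200, b"\0")
    return hdr + bytes(range(256)) * 2 + b"A" * 512  # .text: every byte value; .data: one repeated byte
```

Running `section_entropies(img, parse_sections(img))` on the sample yields 8.0 for `.text` and 0.0 for `.data`, and `rva_to_raw` returns None for an RVA inside `.data`'s virtual-only tail.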

History

0.1.6.260 (2019-11-23)

  • Fixed parsing of import tables modified by some packers
  • Added forced clearing of the recent files list
  • The ENTER key is now handled in FLC text fields
  • New settings:
      • keep the main window always on top;
      • contrasting background for alternating list rows;
      • number of bytes displayed in HEX form in the description column of the Base Relocations table;
      • restore the last opened tab;
      • include the list header in data copied to the clipboard;
      • use the ESC key to exit the program
  • Fixed display of the minor tool version in the Rich signature for VS2017 and higher
  • Fixed incorrect behavior when resizing the main window
  • Fixed deleting file associations
  • FLC edit boxes are cleared after loading a new file
  • Fixed an error in displaying the section table if some header fields were nullified
  • Sections are now named by number if their name is not specified in the header or contains non-printable characters
  • The mechanism for working with sections and mapping RVAs to raw offsets has been completely redone
  • Several FLC bugs fixed

0.1.5.46 (2019-11-09)

  • IMAGE_DIRECTORY_ENTRY_IAT table parsing available
  • Symbol descriptions added to the Dynamic Value Relocations table
  • Data descriptions added to the Volatile Metadata table for x86
  • Minor code optimizations in preparation for the new GUI
  • Fixed a FuncInfo4 (ExceptionsData table) parsing error that appeared when the data layout was optimized
  • Fixed a FuncInfo4 (ExceptionsData table) parsing error for separated code segments
  • RVAs of the instructions for the corresponding unwind codes added to the x64 table

0.1.4.192 (2019-10-31)

  • ExceptionsData table LSDA header parsing improved
  • LSDA header parsing implemented for C++ Builder 10.2 and newer
  • Command-line switches are no longer required to open a file
  • Minor error in filename processing fixed
  • Recent files menu now available
  • The program settings file layout modified
  • Overlays of any size are supported
  • GUI handling optimized
  • Unused tabs are hidden
  • HighDPI support

0.1.3.2 (2019-10-19)

  • x64 ExceptionsData Table parsing bug fixed

0.1.2.57 (2019-10-18)

  • Taskbar file icon display fixed
  • Crash on unsupported files fixed
  • File load errors display added
  • Internal data size optimization
  • ExceptionsData Table parsing speed optimization

Download

  • PEAnatomist-0.1.6.zip