R0 CREW

PEAnatomist

The free PEAnatomist utility supports almost all known and some undocumented structures inside MS Portable Executable files (EXE, DLL, SYS and the like), LIB files and object files in COFF, MSVC CxxIL and ExtendedObj formats, and also performs simple analysis of the parsed data.

File Formats

  • PE32
  • PE32+
  • COFF Object
  • MSVC IntermediateLanguage nonCOFF Object File (MSVC CxxIL)
  • nonCOFF ExtendedObj
  • Objects Library

PE Image Architectures

  • Intel x86
  • AMD64
  • ARM7
  • ARM7 Thumb
  • ARM8-64
  • Intel IA64
  • CHPE (x86 on ARM)
  • ARM64X (x64 on ARM64)

Some of the supported headers and data structures

  • PE: IMAGE_DOS_HEADER, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER, IMAGE_OPTIONAL_HEADER64 and the DataDirectories List with additional information about some fields
  • PE: Table of COFF symbols
  • PE: Sections table, supporting long section names (via the symbol table) and entropy calculation
  • PE: Import table (supports MS-styled names demangling)
  • PE: Bound Import Table
  • PE: Delayed Import Table
  • PE: Export Table with additional info
  • PE: Resource Table with additional info about different resource types and detailed view for all types
  • PE: Base Relocation Table. Target address determination and interpretation are available for all supported architectures. It detects imports, delayed imports, exports, tables from the LoadConfig directory, ANSI and UNICODE strings.
  • PE: Brief info about PE Authenticode Signature
  • PE: LoadConfig Directory with SEH, GFID, decoded CFG bitmap, GIAT, CFG LongJumps, CHPE Metadata, ARM64X Metadata, Dynamic Value Reloc Table, Enclave Configuration, Volatile Metadata, CFG Eh Continuations tables parsing and additional information about some fields
  • PE: Debug Directory. It parses contents of CODEVIEW, POGO, VC FEATURE, REPRO, FPO, EXDLL CHARACTERISTICS, SPGO debug types
  • PE: TLS config and callbacks table with additional information about some fields
  • PE: Exceptions Data Table. x64 (including version 2 with EPILOG unwind codes), arm, arm64, ia64 architectures are supported, as well as the chain of unwind data for x64, language-specific handler data (C Scope, C++ FuncInfo, C++ EH4, C++ DWARF LSDA) and a hexadecimal view of unwind data
  • PE: COM Descriptor directory parsing: headers, tables and metadata info available. Some NGEN and ReadyToRun headers are also included
  • PE: Rich signature decoding, indicating the tool used, the action being taken, the full version of the tool, and the version of Visual Studio to which the tool belongs
  • PE: IAT table contents
  • PE: VB5 and VB6 typical structures: project info, DLLCall-imports, referenced modules, object table
  • PE: Detection of ANSI- and Unicode-encoded strings
  • PE: Entropy plotting
  • OBJ: IMAGE_FILE_HEADER, ANON_OBJECT_HEADER, ANON_OBJECT_HEADER_V2, IMPORT_OBJECT_HEADER
  • OBJ: COFF symbol table with decoding of @comp.id and @feat.00, as well as auxiliary symbols
  • OBJ: Section table and relocations for the selected section
  • OBJ: Exceptions Data Table. x64 (including version 2 with EPILOG unwind codes), arm, arm64, ia64 architectures are supported, as well as the chain of unwind data for x64
  • OBJ: Functions xFG-hash values table
  • OBJ: Table of CodeView Debug Symbols
  • OBJ: Table of CodeView Types
  • OBJ: Table of MSVC CxxIL Types (.cil$db)
  • OBJ: Table of MSVC CxxIL Global Symbols (.cil$gl)
  • OBJ: Table of MSVC CxxIL Local Symbols (.cil$sy)
  • LIB: List of archive members
  • LIB: The first and second (if available) linker members
  • LIB: Summary table of import elements IMPORT_OBJECT_HEADER, if any
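
The section-table walk and per-section entropy calculation listed above, as an added Python example that is not part of PEAnatomist or the original post: it follows IMAGE_DOS_HEADER.e_lfanew to the PE signature, reads SizeOfOptionalHeader so PE32 and PE32+ are handled alike, and flags sections above an assumed 7.0 bits/byte threshold (the usual packed/encrypted-payload heuristic). The input is a constructed PE32+ skeleton with valid headers only, not a loadable image.

```python
import math
import struct
from collections import Counter

IMAGE_DOS_SIGNATURE = 0x5A4D     # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550  # 'PE\0\0'

def entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_sections(image: bytes) -> list:
    """DOS header -> PE signature -> IMAGE_FILE_HEADER -> section table; returns (name, VA, raw size, entropy)."""
    if len(image) < 0x40 or struct.unpack_from('<H', image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError('missing MZ signature')
    e_lfanew = struct.unpack_from('<I', image, 0x3C)[0]            # IMAGE_DOS_HEADER.e_lfanew
    if struct.unpack_from('<I', image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError('missing PE signature')
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature; SizeOfOptionalHeader locates the section table
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from('<HHIIIHH', image, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsec):
        name, _vsize, va, raw_size, raw_ptr = struct.unpack_from('<8sIIII', image, table + i * 40)
        raw = image[raw_ptr:raw_ptr + raw_size]        # a truncated file just yields a short slice
        sections.append((name.rstrip(b'\0').decode('ascii', 'replace'), va, len(raw), entropy(raw)))
    return sections

def high_entropy_sections(image: bytes, threshold: float = 7.0) -> list:
    """Section names above the threshold (assumed 7.0): the packed/encrypted-payload heuristic."""
    return [s[0] for s in parse_sections(image) if s[3] > threshold]

def build_sample_pe() -> bytes:
    """Constructed PE32+ skeleton (valid headers, not loadable): repetitive .text, uniformly-distributed .pack."""
    text = bytes(range(16)) * 32            # 512 bytes, entropy exactly 4.0
    pack = bytes(range(256)) * 2            # 512 bytes, entropy exactly 8.0
    e_lfanew, opt_size = 0x40, 240          # 240 == sizeof(IMAGE_OPTIONAL_HEADER64)
    dos = struct.pack('<H', IMAGE_DOS_SIGNATURE) + b'\0' * 58 + struct.pack('<I', e_lfanew)
    file_hdr = struct.pack('<HHIIIHH', 0x8664, 2, 0, 0, 0, opt_size, 0x22)  # AMD64, 2 sections
    opt = struct.pack('<H', 0x20B) + b'\0' * (opt_size - 2)                # PE32+ magic, rest zero
    data_off = e_lfanew + 4 + 20 + opt_size + 2 * 40       # raw data right after the headers
    sec = '<8sIIIIIIHHI'                                   # IMAGE_SECTION_HEADER, 40 bytes
    s1 = struct.pack(sec, b'.text', len(text), 0x1000, len(text), data_off, 0, 0, 0, 0, 0x60000020)
    s2 = struct.pack(sec, b'.pack', len(pack), 0x2000, len(pack), data_off + len(text), 0, 0, 0, 0, 0xE0000020)
    return dos + struct.pack('<I', IMAGE_NT_SIGNATURE) + file_hdr + opt + s1 + s2 + text + pack
```

Calling parse_sections(build_sample_pe()) yields .text at 4.0 and .pack at 8.0 bits/byte; only .pack is reported by high_entropy_sections.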

Download from:
https://rammerlabs.alidml.ru/index-eng.html
