Locked PEAnatomist v0.2.5

[itsMe]

This is the hidden content, please

• Sign In
• or
• Sign Up

The free PEAnatomist utility supports almost all known and some undocumented structures inside MS PortableExecutable files (EXE, DLL, SYS and the like), LIB files and object files in COFF, MSVC CxxIL and ExtendedObj formats, and also performs simple analysis of the received data.

File Formats

    PE32
    PE32+
    COFF Object
    MSVC IntermediateLanguage nonCOFF Object File (MSVC CxxIL)
    nonCOFF ExtendedObj
    Objects Library

PE Image Architectures

    Intel x86
    AMD64
    ARM7
    ARM7 Thumb
    ARM8-64
    Intel IA64
    CHPE (x86 on ARM)
    ARM64X (x64 on ARM64)

A little of supported headers and data structures

    PE: IMAGE_DOS_HEADER, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER, IMAGE_OPTIONAL_HEADER64 and the DataDirectories List with additional information about some fields
    PE: Table of COFF symbols
    PE: Sections table, supporting long section names (via symbols table) and entropy calculating
    PE: Import table (supports MS-styled names demangling)
    PE: Bound Import Table
    PE: Delayed Import Table
    PE: Export Table with additional info
    PE: Resource Table with additional info about different resource types and detailed view for all types
    PE: Base Relocation Table. Target address determining and interpretation available for all supporting architectures. It detects imports, delayed imports, exports, tables from loadconfig directory, ANSI and UNICODE strings.
    PE: Brief info about PE Authenticode Signature
    PE: LoadConfig Directory with SEH, GFID, decoded CFG bitmap, GIAT, CFG LongJumps, CHPE Metadata, ARM64X Metadata, Dynamic Value Reloc Table, Enclave Configuration, Volatile Metadata, CFG Eh Continuations tables parsing and additional information about some fields
    PE: Debug Directory. It parses contents of CODEVIEW, POGO, VC FEATURE, REPRO, FPO, EXDLL CHARACTERISTICS, SPGO debug types
    PE: TLS config and callbacks table with additional information about some fields
    PE: Exceptions Data Table. x64 (including version 2 with EPILOG unwind codes), arm, arm64, ia64 architectures are support, as well as chain of unwind data for x64, language-specific handler data (C Scope, C++ FuncInfo, C++ EH4, C++ DWARF LSDA) and hexadecimal view of unwind data
    PE: COM Descriptor directory pasring: headers, tables and metadata info available. Some of NGEN and ReadyToRun headers are also included
    PE: Decode Rich signature indicating the tool used, the action being taken, the full version of the tool, and the version of VisualStudio to which the tool belongs
    PE: IAT table contents
    PE: VB5 and VB6 typical structures: project info, DLLCall-imports, referenced modules, object table
    PE: Detecting an ANSI and Unicode encoded strings
    PE: Plotting entropy
    OBJ: IMAGE_FILE_HEADER, ANON_OBJECT_HEADER, ANON_OBJECT_HEADER_V2, IMPORT_OBJECT_HEADER
    OBJ: COFF symbol table with decoding @comp.id and @feat.00, as well as auxiliary symbols
    OBJ: Section table and relocations for the selected section
    OBJ: Exceptions Data Table. x64 (including version 2 with EPILOG unwind codes), arm, arm64, ia64 architectures are support, as well as chain of unwind data for x64
    OBJ: Functions xFG-hash values table
    OBJ: Table of CodeView Debug Symbols
    OBJ: Table of CodeView Types
    OBJ: Table of MSVC CxxIL Types (.cil$db)
    OBJ: Table of MSVC CxxIL Global Symbols (.cil$gl)
    OBJ: Table of MSVC CxxIL Local Symbols (.cil$sy)
    LIB: List of archive members
    LIB: The first and second (if available) linker members
    LIB: Summary table of import elements IMPORT_OBJECT_HEADER, if any

This is the hidden content, please

• Sign In
• or
• Sign Up