吾爱破解 - LCG - LSG |安卓破解|病毒分析|www.52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

查看: 6372|回复: 11
收起左侧

[PEtools] PE Anatomist - PE files internals

  [复制链接]
风吹屁屁凉 发表于 2019-12-2 14:51
PE Anatomist - PE files internals

PE Anatomist shows almost all known data structures inside a PE file and makes some analytics.

Author: RamMerLabs
Project Home: rammerlabs.alidml.ru

Overview

FILE FORMATS
  • PE32
  • PE32+


PE IMAGE ARCHITECTURES
  • Intel x86
  • AMD64
  • ARM7
  • ARM7 Thumb
  • ARM8-64
  • Intel IA64
  • CHPE (x86 on ARM8-64)


HEADERS AND DATA STRUCTURES PARSING
  • IMAGE_DOS_HEADER (partially), IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER, IMAGE_OPTIONAL_HEADER64 with additional information about some fields
  • Table of COFF symbols
  • Sections table, supporting long section names (via symbols table) and entropy calculating
  • Import table (supports MS-styled names demangling)
  • Bound Import Table
  • Delayed Import Table
  • Export Table with additional info
  • Resource Table with additional info about different resource types and detailed view for all types
  • Base Relocation Table. Target address determining and interpretation available for all supporting architectures. It detects imports, delayed imports, exports, tables from loadconfig directory, ANSI and UNICODE strings.
  • Brief info about PE Authenticode Signature
  • LoadConfig Directory with SEH, GFID, GIAT, Guard LongJumps, CHPE Metadata, Dynamic Value Reloc Table, Enclave Configuration, Volatile Metadata tables parsing and additional information about some fields
  • Debug Directory. It parses contents of CODEVIEW, POGO, VC FEATURE, REPRO, FPO, EXDLL CHARACTERISTICS, SPGO debug types
  • TLS config and callbacks table with additional information about some fields
  • Exceptions Data Table. x64 (including version 2 with EPILOG unwind codes), arm, arm64, ia64 architectures are support, as well as chain of unwind data for x64, language-specific handler data (C Scope, C++ FuncInfo, C++ EH4, C++ DWARF LSDA) and hexadecimal view of unwind data
  • Partial .NET directory pasring: IMAGE_COR20_HEADER, CORCOMPILE_HEADER, READYTORUN_HEADER with additional information about some fields
  • Decode Rich signature indicating the tool used, the action being taken, the full version of the tool, and the version of VisualStudio to which the tool belongs
  • IAT table contents


History

0.1.6.260 (2019-11-23)
  • Fixed parsing of import table modified by some packers
  • Added forced cleaning of recent files list
  • Added reaction to the ENTER key in FLC text fields
  • New settings:
  • set main window always on top;
  • contrast selection of alternating lists background;
  • number of bytes displayed in the HEX form in the description in the Base Relocations table;
  • restore last opened tab;
  • pasting the list header into the data copied to the clipboard;
  • use the ESC key to exit the program
  • Display of minor instrument version in RICH signature for VS2017 and higher fixed
  • Fixed incorrect behavior when resizing the main window
  • Deleting file associations fixed
  • FLC editboxes are cleared after loading a new file
  • Fixed the error in displaying the section table if some header fields were nullified
  • Added section naming by number if their name is not specified in the header or does not contain printable characters
  • The mechanism for working with sections and calculating the correspondence of RVA to raw offset has been completely redone
  • Several FLC bugs fixed


0.1.5.46 (2019-11-09)
  • IMAGE_DIRECTORY_ENTRY_IAT table parsing available
  • Symbols description added in Dynamic Value Relocations table
  • Data description added in Volatile Metadata table for x86
  • Minor optimizations of the code prepearing new GUI
  • FuncInfo4 (ExceptionsData table) parsing error fixed, it appears when data layout has optimized
  • FuncInfo4 (ExceptionsData table) with Separated code segments parsing error fixed
  • RVA of instructions for appropriate unwind codes added in table for x64


0.1.4.192 (2019-10-31)
  • ExceptionsData table LSDA headers parsing improved
  • LSDA headers parsing implemented for C Builder 10.2 and newer
  • Commandline keys are not required to open a file
  • Minor error in filename processing fixed
  • Recent files menu available now
  • The program settings file layout modified
  • Any size overlays supported
  • GUI handling optimized
  • Hide unused tabs
  • HighDPI support


0.1.3.2 (2019-10-19)
  • x64 ExceptionsData Table parsing bug fixed


0.1.2.57 (2019-10-18)
  • Taskbar file icon display fixed
    Crash on unsupported files fixed
    Files load errors display added
    Internal data size optimization
    ExceptionsData Table parsing speed optimization


Download

免费评分

参与人数 3吾爱币 +3 热心值 +3 收起 理由
courageous + 1 + 1 鼓励转贴优秀软件安全工具和文档!
darkreg + 1 + 1 鼓励转贴优秀软件安全工具和文档!
秋雨凉心 + 1 + 1 欢迎分析讨论交流,吾爱破解论坛有你更精彩!

查看全部评分

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。

zlm110 发表于 2019-12-2 15:45
这个东西是干什么用的
CarrotMe 发表于 2019-12-2 16:14
龙性 发表于 2019-12-2 17:37
hfxiang 发表于 2019-12-2 20:00
全是英文,没明白,也不知道怎样用
2Burhero 发表于 2019-12-2 23:54
吾爱破解
jiqimaoer 发表于 2019-12-3 01:47
这是静态反汇编工具? 先谢谢分享了
courageous 发表于 2019-12-3 11:31
好东西,谢谢分享!
夏宇痕 发表于 2019-12-3 17:43
终于看到这东西了,
流浪星空 发表于 2019-12-4 15:23

好东西,谢谢分享!
您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则 警告:本版块禁止灌水或回复与主题无关内容,违者重罚!

快速回复 收藏帖子 返回列表 搜索

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2024-3-29 13:25

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表