0.2.7.129 (2022-01-03)

PEAnatomist.exe SHA256: C9BA28BEA386B62E6C406B0DF44C944B02DAED157D849FB7D07BF2781EE255D3

  • 1B16.009: Fixed bug in RVA description for delayed import
  • 1B1A.010: Fixed bug with scaling delta value in IMAGE_DYNAMIC_RELOCATION_ARM64X
  • 1C01.011: Removed handling of irrelevant command line parameter "-pe"
  • 1C01.012: An instance of the program will not start after a message about an unknown file format if it is loaded from the command line
  • 1C01.016: Eliminate starting a new instance of the application in the case of an unknown file format on the command line if the limitation for one instance is enabled
  • 1C04.041: Slightly updated appearance of the entropy graph
  • 1C04.049: Fixed a number of inaccuracies in the drawing of the entropy graph and the tooltip contents
  • 1C04.050: Accelerated search with selection of all found lines in some cases
  • 1C08.066: Added calculation of entropy by "sliding window" with configurable block overlap for the graph
  • 1C08.067: Fixed behavior during TabStop navigation on some tabs of the program settings dialog
  • 1C09.068: Fixed IMAGE_LOAD_CONFIG_DIRECTORY parsing error on some files created by linker from VS2002 pre-release versions
  • 1C0A.073: Fixed RT_VERSION parsing error for resources created by some versions of RC/CVTRES from VS98-2003
  • 1C13.078: Added optional display of the second line on the entropy graph with values calculated without block overlap, if the corresponding mode is enabled
  • 1C15.083: Fixed error in processing the exception table for emulated architecture code in hybrid PE (ARM64EC)
  • 1C15.085: Added collection of information about exception handlers (x64, ARM64) for describing RVA in emulated architecture code in hybrid PE (ARM64EC, ARM64X)
  • 1C15.093: Added a page describing WoW thunks in hybrid PE (ARM64EC, ARM64X)
  • 1C1A.101: All selected lines retain their state after sorting virtual lists, previously only the first of the selected lines was
  • 1C1D.120: Added multiple saving to file for resources from PE and records from LIB
  • 1C1E.125: Fixed a minor error in resolving an Apiset host in very rare cases (if the data for resolving in an external library was corrupted)
  • 2101.128: Fixed error reading .NET metadata in some PE due to incorrect address alignment

0.2.6.126 (2021-11-08)

PEAnatomist.exe SHA256: C31A62F8473A37F5D0B5C0120A19A2E210F0B78D6FBCBF05BC7F6E4589D7C532

  • 181C.002: Fixed a bug with splitting long records from the ListView header into multiple lines when copying to the clipboard with column justify
  • 190B.010: Fixed parsing of delayed import table for some compressed PE files
  • 190B.011: Fixed token description error in .NET VTableFixups table
  • 190F.012: Register names and CodeView symbols (S_HYBRIDRANGE) from VS 16.11 and 17.0Preview4 have been updated
  • 1910.016: Changed display order of Rich-signature records
  • 1910.018: Clarified interpretation of some build numbers from Rich signature (WCE Platform Builder)
  • 1A05.045: Corrected sorting of ExceptionsData tables for ARM Thumb and ARM64 in PE and OBJ, slightly accelerated sorting of other tables
  • 1A0D.060: Expanded dataset for describing CoffGroups in the IMAGE_DEBUG_TYPE_POGO table
  • 1A10.070: Fixed a bug with parsing the import table for some modified PE (Mal: Kelios)
  • 1A11.073: Fixed a bug with detecting invalid resources in compressed PE
  • 1A15.086: Fixed a bug with displaying the name of the FramePointer register in the S_FRAMEPROC CodeView symbols for ARM64 and ARM64EC
  • 1A1D.097: Slightly simplified the procedure for enumerating PE resources
  • 1A1E.102: Fixed OOB reading of .NET VTableFixups table in some cases
  • 1B06.121: Numerous minor fixes and minor optimizations
  • 1B08.125: Updated the CodeView symbol (S_SOURCELINK) from VS 17.1Preview1 and the IMAGE_LOAD_CONFIG_DIRECTORY structure (22478+)

0.2.5.267 (2021-08-25)

PEAnatomist.exe SHA256: F759677D747651D4C6242A3F04EAFE2476FDEAD77A4B62DDBD93DE38971A579F

  • 161B.008: Added display of the full path to records in LIB files, long paths are limited to the file name and the initial part of the path
  • 161B.013: Added parsing of ECSYMBOLS record in LIB files (ARM64EC specific symbols)
  • 161C.015: Fixed bug with saving LIB file entries with invalid characters in the default filename
  • 161C.016: Updated some ARM64EC related structures from WDK 22000
  • 1708.038: Added description of IMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION elements with index 0x7FFFF in the DynamicData Relocationss
  • 170F.069: Slightly sped up ListView sorting
  • 170F.070: Fixed sorting of the READYTORUN_IMPORT_SECTION list (for R2R and NGEN)
  • 1713.088: The number of recent files became customizable
  • 1714.091: Fixed IP2StateMap enumeration error for MSVC __CxxFrameHandler4 (regression in 0.2.3)
  • 1717.100: Added support for Cxx20Modules in MSVC ILStore (CxxIL) parser and display of corresponding global symbols
  • 171B.106: Hiding a sorted column resets the ListView sort
  • 171C.113: Added optional loading of the last opened file, unless otherwise specified when starting the program
  • 171E.116: Added a submenu for copying individual columns to the clipboard if the ListView context menu was called from the keyboard
  • 171F.124: Added list sorting submenu to ListView context menu
  • 171F.127: Fixed a positioning error of the ListView context menu keyboard-called for the non-visible row
  • 1801.128: Fixed calculation of the allocated memory size for copying to the clipboard from ListView in case of adding a list header
  • 1801.129: Fixed line-by-line copying of the contents of the LoadConfig GFID table to the clipboard if the "XFG-hash" column is populated
  • 1803.142: Fixed error validating ListView settings, which could lead to the inability to display a hidden column
  • 1805.157: The error of copying a separate ListView column to the clipboard, leading to program crash due to possible buffer overflow, has been fixed
  • 1806.160: Fixed a bug with displaying the list of COFF symbols in PE and OBJ in the presence of long symbol names (more than 1000 characters)
  • 1808.175: Added a dialog for configuring ListView columns (show/hide, order) instead of the header context menu
  • 1808.182: Added the ListView header context menu for copying an entire column regardless of the selected rows
  • 1808.183: ListView header context menu command processing moved to WM_MENUCOMMAND
  • 1809.193: Added control of the columns order from the keyboard (CTRL + DOWN/UP/HOME/END) and using drag-n-drop in the ListView column settings dialog
  • 180B.198: Fixed error displaying additional COFF symbols for COMDAT sections in OBJ files if there is a second additional symbol
  • 180F.207: Significantly speeded up the construction of the ExceptionsData table in OBJ files
  • 1811.209: Fixed a bug with displaying long section names in the section table of OBJ files
  • 1811.211: Fixed a bug with indexing COMDAT sections with long names in OBJ files (the data in the ExceptionsData table could not be fully enumerated)
  • 1812.215: Added check of Reproducible PE file timestamp for hash value
  • 1813.220: Added the ability to search only in the selected rows of the ListView to search in several iterations by a set of criteria
  • 1813.223: Fixed the error of incomplete copying of rows from the ListView to the clipboard if the content of at least one cell was longer than 1000 characters
  • 1813.230: Small optimization of memory consumption while copying rows from ListView to clipboard with column justify
  • 1817.261: Added configurable splitting of long ListView cells into multiple lines when copying to the clipboard with column justify

0.2.4.42 (2021-06-08)

PEAnatomist.exe SHA256: 92BB453000C526D799F8417C95812831D57DA8E54206C7DFE4F76BFE8F748B49

  • 150F.001: Added unwinding code for ARM64 Pointer Authentication extension instructions (InsiderPreview 21382)
  • 1511.003: Added a column with the unwind chain depth in the x64 ExceptionsData table (hidden by default)
  • 1511.004: Fixed a bug with enabling ListView columns hidden by default after restarting the program (regression from version 0.2.0)
  • 1516.013: Fixed crash during parsing of corrupted COFF symbol table in PE files
  • 1517.015: Fixed the old error of displaying the "Security" tab for PE files in some cases
  • 1518.016: Fixed error in validation of program window position settings if opposite sides of the window go beyond the desktop (regression from version 0.2.0)
  • 151B.021: Added entropy plotting
  • 151B.025: Added entropy calculation settings for plotting and plot display settings
  • 1601.032: Added a hint about the fileoffset and the corresponding section under the cursor on the entropy plot
  • 1604.033: The last active tab of the settings dialog is restored after reopening
  • 1608.040: Added optional labels for section boundaries on the entropy plot

0.2.3.76 (2021-05-09)

PEAnatomist.exe SHA256: 6D7AE0FB725B07E4C264ED79854556A3D270824307F421521BB22FE0A668236C

  • 1319.000: Fixed the Statusbar value of the focused line for an empty ListView in certain situations
  • 131A.001: The possible freeze of the program after the search resumed, if the contents of the list have been changed
  • 131B.007: Added definition of the function beginning and its description on the LoadConfig GuardEHContinuations tab for x64
  • 131B.008: Fixed displaying the type index in the CodeView types table in OBJ files if PCH is used (regression of version 0.2.2)
  • 140B.011: Optimized display of status information from ListView for very large lists
  • 140B.014: Added display of additional Function (.bf, .ef) and FunctionSym symbols in the COFF symbol table of OBJ files
  • 140C.015: Fixed erroneous display of INT value in CFG IAT table if import is performed by ordinal (regression of version 0.2.2)
  • 140D.017: Added XFGHASHMAP parsing in LIB files
  • 140F.022: Added collection of information about exception handlers (x64, ARM, ARM Thumb, ARM64, IA64) and COFF symbols for describing RVA in PE files
  • 1410.025: Accelerated display of COFF symbol table in PE files, added display of some additional symbol records
  • 1411.029: A 'Column' drop-down list in a searching dialog is disabled if only fulltext search is available (i.e. only one search option)
  • 1413.031: Added export of GFID bitmap to file
  • 1415.032: Fixed a bug with parsing the resource table in PE files if IMAGE_RESOURCE_DATA_ENTRY is placed at the end of the table
  • 1416.038: Added optional display of full paths in the recent files list, long paths are limited to the file name and the initial part of the path
  • 1416.039: Changed the format of the main window title, the name of the loaded file is displayed first now
  • 1417.045: Eliminated redundant work with the menu when loading files and generating a list of recent files
  • 1418.046: Added OS shell notification about file associations changing
  • 1419.049: Added optional tooltip with description of RVA calculated in FLC (disabled by default)
  • 141A.053: Added definition of the function beginning and its description on the LoadConfig GuardEHContinuations tab for ARM64 (InsiderPreview 21364)
  • 141B.055: Fixed error displaying multiple values of the "Translation" key in RT_VERSION resources
  • 141B.057: Added a column with functions description in the ExceptionsData table for all supported architectures (for x64, ARM Thumb and ARM64, some columns are now hidden by default)
  • 1505.059: Fixed error displaying SEH Scope on the ExceptionsData page for ARM7/ARM LE in some cases
  • 1507.060: Added a separate tab for the ARM64 unwind chain on the ExceptionsData page
  • 1507.072: Added recognition of some types of exception handlers for all supported architectures
  • 1507.073: Added a column with the type of exception handlers in the ExceptionsData table, the column with the handler's RVA is hidden by default
  • 1508.074: Fixed a rare error filling information from the export table for the RVA description

0.2.2.58 (2021-03-25)

PEAnatomist.exe SHA256: DB32FA0BDB8D056E216FD2D0C6266FC1616068D72C1035CC0B9D0B8FF37E70D8

  • 1305.000: Fixed display of the CodeView type name in the description if the type index is not specified
  • 1307.001: Fixed error displaying manifest text from PE resources in rare cases
  • 1307.003: Added support for IA64, MIPS and Hitachi SH4 architectures in the CxxIL parser
  • 1308.006: Fixed CxxIL parsing error for MSVC from VS2008Beta1
  • 1309.007: Fixed infinite parsing of IMAGE_DIRECTORY_ENTRY_BASERELOC table in rare cases
  • 1309.008: Fixed error of IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG display for some files created by linker versions below 6.0
  • 1309.010: Fixed possible erroneous OBJ file recognition (regression of version 0.2.1)
  • 130D.019: Cleaning and optimization of the parser for the ARM Thumb and ARM64 unwind codes
  • 130F.022: Added a textual description of the epilogue execution condition for ARM Thumb unwind codes
  • 130F.023: Fixed error displaying the epilogue execution condition for ARM Thumb unwind codes if the epilogue is specified as the only one (flag E)
  • 130F.028: Added calculation of the epilogue beginning for the ARM Thumb and ARM64 unwind codes, if the epilogue is specified as the only one (flag E)
  • 1311.029: Fixed light error in defining VS2017-2019 minor version in Rich signature (regression of version 0.2.1)
  • 1311.030: Fixed error displaying values from IMAGE_DELAYLOAD_DESCRIPTOR.UnloadInformationTableRVA in the delayed import table
  • 1312.044: Fixed the mechanism for filling information for the description of RVA in PE, added detection of new information
  • 1312.045: Accelerated display of the GFID table
  • 1313.046: Simplified procedure for loading some files
  • 1315.051: The storage of information for the description of RVA in PE files has been transferred to a hash table, the search time for the description for RVA has been significantly reduced
  • 1318.053: Ctrl+Insert can be used along with Ctrl+C to copy information from the ListView to the clipboard
  • 1318.057: The set of status information from the ListView has been expanded, there are: focused row number, total count of rows, count of selected rows

0.2.1.125 (2021-03-04)

PEAnatomist.exe SHA256: BC52CBE85FD779878F0E06624C2BF8A2A4995EBBBD381A400385AE01620B531A

  • 110B.009: Significant improvement to the MSVC ILStore (CxxIL) symbols parser and increased compatibility with different VS versions
  • 1111.027: Decoding of local symbols table (.cil$sy) of MSVC ILStore (CxxIL) format in OBJ files
  • 1117.033: Displaying the line number of the beginning of the function in the source file in the description of symbols MSVC ILStore (CxxIL)
  • 1117.034: Fixed display of source file names in MSVC ILStore (CxxIL) symbols descriptions for VS 2002 and 2003 versions (encoding is not UTF8)
  • 1118.035: Fixed decoding of LF_POINTER in CodeView and MSVC ILStore (CxxIL) type tables if the described type is a pointer to a class member
  • 1119.036: Changed the names of some keys in the configuration file for portability in future versions
  • 111B.039: Fixed display of CodeView type description in MSVC ILStore (CxxIL) tables, if debug information is moved to PDB
  • 111C.046: Fixed error displaying the incorrect name in the description of a CodeView type referenced by another type or symbol (in rare cases)
  • 1201.071: Accelerated access to sections and their data in OBJ files
  • 1205.081: Added support for ExtendedObj files (a.k.a. BIGOBJ, obj files with more than 0xFEFF sections)
  • 1207.094: For some types of CodeView debug information, a more detailed description is available (for example, for LF_POINTER, LF_MODIFIER, LF_ARRAY and LF_BITFIELD, the description of the type to which they refer and some properties are displayed)
  • 120C.110: Clarified interpretation of data from Rich signature
  • 121B.116: The program license was changed from MIT to Freeware (the text of the License Agreement is located in the "Readme" file)
  • 1303.122: Fixed a bug with parsing version information from the resources section in some cases
  • 1304.123: Fixed error getting a member name for LIB archives created by BSD-compatible toolkit
  • 1304.124: Support for ARM64EC in OBJ files

0.2.0.370 (2021-01-04)

PEAnatomist.exe SHA256: 8E6D8EF4D5691A8FFC22377C45FC00E3CE90FD7F47E1F8D2CDBA914885477BEF

  • Minor optimization and cleaning of list sorting code
  • Background color of resource properties dialog and hexview changed to standard for the used control
  • Cleaning headers, unifying declared data types, dividing code into independent modules
  • Fix display error for the symbols CV_COMPILESYM and CV_COMPILESYM3
  • Update register names and CodeView symbols from VS 16.8 and 16.9Preview
  • Add display of the COFF symbol referenced by the CLR token in the COFF symbol table
  • Add display of CLR token in CodeView symbols
  • Fix error displaying RT_STRING resource as text in rare cases
  • Fix error in defining COFF-symbol of exception handler in x64 OBJ-files
  • The used data types from CoreCLR 5 have been updated
  • Fix a crash when displaying the contents of the metadata tables of some obfuscated or compressed .NET files
  • Change .NET metadata streams description - stream RVA is displayed now
  • Fix matching RVA to offset for some alignment and section parameter combinations in PE files compiled by MinGW
  • Fix displaying a DelayImport table with incorrect content (regression starting 0.1.8)
  • Fix matching RVA to offset in case of forced loading of PE without sections
  • Add .NET Vtable Fixups display
  • Fix a rare error with displaying the name of some Codeview types in the pivot table (an incorrect name could be displayed if in fact it was of zero length)
  • Add decoding of MSVC ILStore symbol table (.cil$gl) in OBJ files (x86, x64, ARMThumb, ARM64) for VS16.8
  • Change the appearance of the main window in the absence of a loaded file
  • Add description for selected symbol in the MSVC ILStore symbol table
  • Add correction of indexes in the MSVC ILStore table of types in case of using PCH
  • Add description of types by their index in all supported MSVC ILStore tables
  • Add description of MSVC ILStore symbols referenced by selected symbol from table .cil$gl
  • Add parsing of CHPE configuration header and DynamicDataRelocations table for hybrid x64-over-ARM64 images (arm64x) from InsiderPreview 21277
  • Add x64 ExceptionsData table for hybrid x64-over-ARM64 images (arm64x)
  • Add parsing of ARM64 unwind codes for SIMD registers
  • Fix detection of the ARM64 unwind chain
  • New view of the settings dialog, division of settings into new categories
  • Add formatting settings for text copied to the clipboard from program tables
  • Fix error reading CodeView C13 subsections in some cases (most often it appeared on CodeView created by early versions of tools from VS2002 and VS2003)
  • Add search settings: remembering the last query and saving the selected starting position of the search
  • Add search options for text: match only from the beginning of a string, inversion of search results (i.e. search for strings where the desired text is absent)
  • Fix error displaying the "Parent Offset" parameter in the CodeView symbols S_DEFRANGE_REGISTER_REL and S_DEFRANGE_REGISTER_REL_INDIR
  • Fix error of reading MSVC ILStore type table when there are nested tables
  • Add support for decoding MSVC ILStore symbol table for all public versions of VisualStudio (7-16.9Preview2)
  • Add the ability to select all found lines for text search
  • Prevent unclosed search dialog from being used after destroying its associated ListView
  • Configuration file format has been changed to text view

Releases list