ATTENTION: If a copy of the program was obtained from another source, make sure that the SHA256 hash of the .exe file matches the value given in the Readme.txt file and on the changelog page. A difference in these values indicates third-party tampering. It is recommended not to launch or use a modified copy of the program.
Download (118 KB)
Version: 0.1.14 (2020-04-28) :: What's new? :: MIT License :: VirusTotal report
Hash values for the ZIP package:
This tool was designed to be used with:
- Windows XP SP3 or higher (both x86 and x64)
- ReactOS 0.4 or higher
- No third-party dependencies are required.
- COFF Object
- Objects Library
PE Image Architectures
- Intel x86
- ARM7 Thumb
- Intel IA64
- CHPE (x86 on ARM8-64)
Headers and data structures parsing
- PE: IMAGE_DOS_HEADER, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER, IMAGE_OPTIONAL_HEADER64 and the DataDirectories List with additional information about some fields
- PE: Table of COFF symbols
- PE: Sections table, supporting long section names (via the symbol table) and entropy calculation
- PE: Import table (supports MS-styled names demangling)
- PE: Bound Import Table
- PE: Delayed Import Table
- PE: Export Table with additional info
- PE: Resource Table with additional info about different resource types and detailed view for all types
- PE: Base Relocation Table. Target address determination and interpretation are available for all supported architectures. It detects imports, delayed imports, exports, tables from the LoadConfig directory, and ANSI and UNICODE strings.
- PE: Brief info about PE Authenticode Signature
- PE: LoadConfig Directory with SEH, GFID, decoded CFG bitmap, GIAT, Guard LongJumps, CHPE Metadata, Dynamic Value Reloc Table, Enclave Configuration, Volatile Metadata tables parsing and additional information about some fields
- PE: Debug Directory. Parses the contents of the CODEVIEW, POGO, VC FEATURE, REPRO, FPO, EX DLL CHARACTERISTICS and SPGO debug types
- PE: TLS config and callbacks table with additional information about some fields
- PE: Exceptions Data Table. The x64 (including version 2 with EPILOG unwind codes), arm, arm64 and ia64 architectures are supported, as well as chained unwind data for x64, language-specific handler data (C Scope, C++ FuncInfo, C++ EH4, C++ DWARF LSDA) and a hexadecimal view of unwind data
- PE: COM Descriptor directory parsing: headers, tables and metadata info are available. Some NGEN and ReadyToRun headers are also included
- PE: Rich signature decoding: the tool used, the action performed, the full version of the tool, and the version of Visual Studio to which the tool belongs
- PE: IAT table contents
- PE: VB5 and VB6 typical structures: project info, DLLCall-imports, referenced modules, object table
- OBJ: IMAGE_FILE_HEADER, ANON_OBJECT_HEADER, ANON_OBJECT_HEADER_V2, IMPORT_OBJECT_HEADER
- OBJ: COFF symbol table with decoding of the @comp.id and @feat.00 symbols, as well as auxiliary symbols
- OBJ: Section table and relocations for the selected section
- LIB: List of archive members
- LIB: The first and second (if available) linker members
- LIB: Summary table of import elements IMPORT_OBJECT_HEADER, if any
Additionally available:
- FLC - file location calculator
- Display settings and sorting by any column of the list
- Localization of the program interface via an external DLL file (Russian and English are currently available)
- Explorer's context menu integration
- Decoding of strings with national (non-Latin) characters (Cyrillic from CP1251 is available now)
Limitations and known bugs
- Hexadecimal View is limited to 4 kilobytes from the starting address
- Dumping RT_GROUP_ICON and RT_GROUP_CURSOR resources saves only the header, without the icon and cursor images
- ANSI and UNICODE string detection is limited to 112 bytes
- Lists are not sorted in natural order
- The timestamp from the file header is not decoded if the PE image is built as Reproducible.
- When determining whether a VA, RVA or file offset belongs to a particular section, the section name is supplemented with its access attributes [R], [W], [X] or a combination of them, as well as the label [VM] if the data at the specified address is not initialized.
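The section lookup described in the last item (address to section name with [R], [W], [X] attributes and the [VM] mark) and the file location calculator, as an added example that is not the tool's own code: a minimal parser of the PE section table that maps an RVA to its section label and file offset. The PE32 header skeleton it runs on is constructed inline and is not a real executable.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics bits that drive the section label
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_sections(data):
    """IMAGE_DOS_HEADER -> 'PE\\0\\0' -> IMAGE_FILE_HEADER -> section headers; returns
    (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData, Characteristics) tuples."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    off = e_lfanew + 24 + opt_size  # first IMAGE_SECTION_HEADER (40 bytes each)
    sections = []
    for _ in range(num_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rawptr, rawsize, chars))
        off += 40
    return sections

def describe_rva(sections, rva):
    """Return (label, file_offset); label is 'name[RWX]' plus '[VM]' when the RVA lies in the
    section's virtual-only part, where no file bytes exist (file_offset is then None)."""
    for name, va, vsize, rawptr, rawsize, chars in sections:
        if not va <= rva < va + max(vsize, rawsize):
            continue
        attrs = "".join(a for bit, a in ((IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W"),
                                         (IMAGE_SCN_MEM_EXECUTE, "X")) if chars & bit)
        label, delta = "%s[%s]" % (name, attrs), rva - va
        if chars & IMAGE_SCN_CNT_UNINITIALIZED_DATA or delta >= rawsize:
            return label + "[VM]", None
        return label, rawptr + delta
    return None, None  # RVA outside every section (headers or unmapped space)

def build_sample_image():
    """Constructed PE32 skeleton (headers only): .text is R/X; .data is R/W with a
    VirtualSize larger than SizeOfRawData, so its tail is zero-filled only at load time."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)  # i386, 2 sections, PE32 opt hdr
    def sec(name, vsize, va, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
    return (bytes(dos) + b"PE\0\0" + file_hdr + bytes(0xE0)
            + sec(b".text", 0x800, 0x1000, 0x1000, 0x400, 0x60000020)
            + sec(b".data", 0x3000, 0x2000, 0x200, 0x1400, 0xC0000040))
```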
Displays the contents of the basic PE headers: IMAGE_DOS_HEADER, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER (IMAGE_OPTIONAL_HEADER64) and the directories list. A description or detailed characteristics are given for some fields.
List of sections of the PE file with entropy calculation and support for long section names from the COFF symbol table.
COFF Symbols Table contents.
The Import Table view contains two lists. The first enumerates libraries and the second shows the imported functions: function name, hint, RVA of the IAT entry, RVA of the INT entry and the contents at the addresses those RVAs point to. MS-style name demangling is also available.
There are two lists: the first shows the Export Table header with additional information about some fields; the second contains the exported symbols. Additionally, the section name, hint and ordinal of each exported symbol are displayed. Library forwarding is supported too.
The Resource Table view shows the PE resources, grouped by resource type. A description of the resource contents is available for several resource types. Resource dump and view are available too.
An example of the RT_VERSION resource view. Hexadecimal view is supported for all resource types.
Bound import Table
Bound Import Table libraries list.
Delay Import Table
The Delay Import Table view contains two lists. The first enumerates libraries and the second shows the imported functions: function name, hint, RVA of the IAT entry, RVA of the INT entry, RVA of the bound import, RVA of the unload entry and the contents at the addresses these RVAs point to.
Base Relocations Table
The Base Relocation Table shows the virtual addresses that must be fixed up when the ImageBase changes. Each target virtual address is analyzed and an interpretation of its contents is proposed.
The following are detected:
- imported functions ("I:")
- imported function thunks ("IT:")
- delay imported functions ("DI:")
- delay imported function thunks ("DIT:")
- delayed import descriptor address ("DID:")
- exported functions ("E:")
- addresses from LoadConfig Directory ("SEH Handler", "CFG Check Function", "CFG Dispatch Function", "RFG Failure Routine", "RFG Verify Stack Function", "Security Cookie", "GFIDs Table")
- global pointer value, if provided by the target architecture ("Global Pointer")
If the interpretation is undefined, a hexadecimal form of 12 bytes is displayed, except in the case of uninitialized data.
Short description of PE Authenticode signature properties
Load Config Directory
The LoadConfig Directory view is a set of separate tabs: one for the header (all header structure versions up to SDK 18362 are supported) with information about some fields, and one for each nested data structure.
List of permitted exception handlers. x86 only.
Set of functions in the application that are valid targets for indirect calls; the additional state flags (Call suppressed, Export suppressed) are supported.
The GFID table is decoded to build the CFG bitmap, which is displayed as a hex view.
Contents of the Guard Address Taken IAT Entry Table with a description of the values.
Set of long jumps that are protected by CFG.
Header for CHPE mode. Display of the IAT for the emulated architecture is available.
Contents of the Dynamic Value Relocation Table, which is required by Retpoline. The lists are the same as for the Base Relocation Table. Only the first version of the data is supported (i.e. no prologue and epilogue configuration).
Configuration data for PE images that can be executed inside memory enclaves (Intel SGX).
Contents of Volatile Metadata Table.
Debug information. All debug types from 0x01 to 0x14 are supported.
COFF group information.
Usage counters of C++ compiler features.
Hash value for Reproducible image build.
Frame Pointer Omission debug information.
Extended values of IMAGE_OPTIONAL_HEADER.DllCharacteristics. Only one value is known: CET Compatible, which indicates support for the Control-flow Enforcement Technology (CET) shadow stack.
Debug information for Sample-based Profile Guided Optimization (undocumented).
TLS config and callbacks
TLS config and callbacks list.
Exceptions Data Table
Architecture-dependent Exceptions Data Table and unwind info. x64, ARM7, ARM7 Thumb, ARM64, IA64 are supported.
Function begin addresses for ARM7 Thumb are shown as is, i.e. incremented by one. The same applies to CoreCLR function begin addresses.
Unwind Codes are decoded for x64, ARM7 Thumb, ARM64 and IA64.
Several kinds of language-specific handler data are also decoded for all architectures: C Scope, C++ FuncInfo (MSVC++), C++ EH4 (MSVC++, optimized version) and C++ DWARF LSDA (GCC-like compilers).
Hexadecimal view of unwind data is available for all architectures, except ARM7.
x64 Unwind Codes; both known versions of the codes are supported. For epilogues a negative offset is displayed to mark an offset from the function end.
ARM Thumb Unwind Codes and Epilogues list.
ARM64 Unwind Codes and Epilogues list.
ARM (non-Thumb mode) exceptions data. Unwind codes are absent.
IA64 Unwind Codes. All record formats are supported, except X1-X4. P4 (spill_mask) format is supported, but not displayed.
Chain of exceptions data for x64.
List of C try/catch blocks.
Info about C++ try/catch blocks. Three lists are filled: the state map, the try/catch block handlers and the unwind map. The FuncInfo header is not displayed.
Info about C++ EH4 (optimized) try/catch blocks. Four lists are filled: the state map, the try/catch states, the try/catch handlers and the unwind map. The FuncInfo4 header is not displayed.
Info about GCC-like try/catch blocks. The first list displays the try/catch blocks, the handler and an additional action mark. The second list shows the unwind action chain and the catch-block type filter.
Hexadecimal View of selected unwind info.
.NET Headers and Metadata
Contents of the .NET headers: IMAGE_COR20_HEADER, CORCOMPILE_HEADER or READYTORUN_HEADER, with additional information about some fields.
Analysis of the metadata tables with interpretation of some fields (the amount of interpreted data will grow).
ReadyToRun compiled exception handling information.
List of slots populated dynamically at program launch or during the runtime of ReadyToRun code (helpers, strings, etc.). Signature decoding is not available yet.
Mapping of a method's RVA in CIL form to its compiled ReadyToRun code.
The Rich Signature is decoded as the @comp.id symbol, tool usage counter, tool name, the action performed, the full version of the tool, and the version of Visual Studio to which the tool belongs.
Contents of the IAT, if it is pointed to by the PE directories table. The imported function's module and name are shown.
Searches for and decodes several basic structures of a VB5/6 application: project information, COM registration data, the Object Table header and object list, and the DLLCall dynamic import list.
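The Rich signature decoding described here and in the feature list above, as an added example that is not the tool's own code: it locates the "Rich" marker, recovers the XOR key stored after it, unmasks the @comp.id/count pairs back to the "DanS" start marker and recomputes the checksum that the key must equal. Product names are not mapped to tool names here, and the DOS header and Rich block it runs on are constructed inline.

```python
import struct

def rol32(v, n):
    n &= 31
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF

def rich_checksum(before_dans, entries):
    """Key/checksum: offset of 'DanS' + rotated DOS header bytes (e_lfanew skipped) + rotated @comp.id values."""
    ck = len(before_dans)
    for i, b in enumerate(before_dans):
        if 0x3C <= i < 0x40:  # e_lfanew is excluded by the linker
            continue
        ck = (ck + rol32(b, i)) & 0xFFFFFFFF
    for compid, count in entries:
        ck = (ck + rol32(compid, count)) & 0xFFFFFFFF
    return ck

def decode_rich(data):
    """Return (entries, checksum_ok) or None; each entry is (prodid, build, count),
    where @comp.id = (prodid << 16) | build."""
    end = data.find(b"Rich")
    if end < 0:
        return None
    key, = struct.unpack_from("<I", data, end + 4)
    words, pos = [], end - 4
    while pos >= 0:  # walk backwards, unmasking, until the 'DanS' marker
        w, = struct.unpack_from("<I", data, pos)
        w ^= key
        if w == 0x536E6144:  # 'DanS' as a little-endian dword
            break
        words.append(w)
        pos -= 4
    else:
        return None
    words.reverse()  # three masked zero dwords, then (compid, count) pairs
    pairs = list(zip(words[3::2], words[4::2]))
    entries = [(c >> 16, c & 0xFFFF, n) for c, n in pairs]
    return entries, rich_checksum(data[:pos], pairs) == key

# Constructed @comp.id/count pairs; the product ids carry no real tool meaning here
SAMPLE_ENTRIES = [(0x00010000, 9), (0x00FF2A3B, 3)]

def build_sample(entries):
    """Constructed 0x80-byte DOS header + stub (zeros except 'MZ' and e_lfanew) followed by a Rich block."""
    head = bytearray(0x80)
    head[:2] = b"MZ"
    struct.pack_into("<I", head, 0x3C, 0x80 + 16 + 8 * len(entries) + 8)  # PE header follows the Rich block
    key = rich_checksum(head, entries)
    body = [0x536E6144 ^ key, key, key, key]  # masked 'DanS' and three masked zero dwords
    for compid, count in entries:
        body += [compid ^ key, count ^ key]
    return bytes(head) + struct.pack("<%dI" % len(body), *body) + b"Rich" + struct.pack("<I", key)
```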
LIB Members list
Library members list.
LIB linker members
First and second linker members of the library.
LIB Import Library Entries
Summary table of import library entries.
OBJ Sections table
Table of sections and relocations of an object file.
OBJ Symbols table
Symbols table of an object file.