PE Anatomist

ATTENTION: If a copy of the program was obtained from another source, please make sure that the SHA256 hash value of the .exe file is the same as the one specified in the Readme.txt file and on the changelog page. A difference in these values indicates third-party interference. It is recommended not to launch or use a modified copy of the program.

Download (154 KB)
Version: 0.1.18 (2020-10-21) :: What's new? :: MIT License :: VirusTotal report
Values of hash functions for ZIP-package:
MD5: E6A17F1B8BC3818F72831E41519F7B4E
SHA1: AD6019C4353107B3FB6E59EAC904519BB0A35F4D
SHA256: DEE738EAEE269D4556F140413C06DD4CFFECADC9F38EC7931537CD5D2549F31D

This tool was designed to be used with:

  • Windows XP SP3 or higher (both x86 and x64)
  • ReactOS 0.4 or higher

Dependencies

  • There are no third-party dependencies.

File Formats

  • PE32
  • PE32+
  • COFF Object
  • Objects Library

PE Image Architectures

  • Intel x86
  • AMD64
  • ARM7
  • ARM7 Thumb
  • ARM8-64
  • Intel IA64
  • CHPE (x86 on ARM8-64)

Headers and data structures parsing

  • PE: IMAGE_DOS_HEADER, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER, IMAGE_OPTIONAL_HEADER64 and the DataDirectories List with additional information about some fields
  • PE: Table of COFF symbols
  • PE: Sections table, supporting long section names (via the symbol table) and entropy calculation
  • PE: Import table (supports demangling of MS-style names)
  • PE: Bound Import Table
  • PE: Delayed Import Table
  • PE: Export Table with additional info
  • PE: Resource Table with additional info about different resource types and detailed view for all types
  • PE: Base Relocation Table. Target address determination and interpretation are available for all supported architectures. It detects imports, delayed imports, exports, tables from the loadconfig directory, ANSI and UNICODE strings.
  • PE: Brief info about the PE Authenticode Signature
  • PE: LoadConfig Directory with SEH, GFID, decoded CFG bitmap, GIAT, Guard LongJumps, CHPE Metadata, Dynamic Value Reloc Table, Enclave Configuration and Volatile Metadata table parsing, plus additional information about some fields
  • PE: Debug Directory. It parses the contents of the CODEVIEW, POGO, VC FEATURE, REPRO, FPO, EXDLL CHARACTERISTICS and SPGO debug types
  • PE: TLS config and callbacks table with additional information about some fields
  • PE: Exceptions Data Table. The x64 (including version 2 with EPILOG unwind codes), arm, arm64 and ia64 architectures are supported, as well as chained unwind data for x64, language-specific handler data (C Scope, C++ FuncInfo, C++ EH4, C++ DWARF LSDA) and a hexadecimal view of unwind data
  • PE: COM Descriptor directory parsing: headers, tables and metadata info are available. Some of the NGEN and ReadyToRun headers are also included
  • PE: Rich signature decoding, indicating the tool used, the action being taken, the full version of the tool, and the version of Visual Studio to which the tool belongs
  • PE: IAT table contents
  • PE: VB5 and VB6 typical structures: project info, DLLCall-imports, referenced modules, object table
  • OBJ: IMAGE_FILE_HEADER, ANON_OBJECT_HEADER, ANON_OBJECT_HEADER_V2, IMPORT_OBJECT_HEADER
  • OBJ: COFF symbol table with decoding of @comp.id and @feat.00, as well as auxiliary symbols
  • OBJ: Section table and relocations for the selected section
  • OBJ: Exceptions Data Table. The x64 (including version 2 with EPILOG unwind codes), arm, arm64 and ia64 architectures are supported, as well as chained unwind data for x64
  • OBJ: Table of function xFG hash values
  • OBJ: Table of CodeView Debug Symbols
  • OBJ: Table of CodeView Types
  • OBJ: Table of MSVC IL Types
  • LIB: List of archive members
  • LIB: The first and second (if available) linker members
  • LIB: Summary table of import elements IMPORT_OBJECT_HEADER, if any

Also available:

  • FLC - file location calculator
  • Display settings and sorting by any column of a list
  • Localization of the program interface via an external DLL file (Russian and English are currently available)
  • Explorer's context menu integration
  • Decoding of strings containing national characters (currently Cyrillic from CP1251)
  • Resolving the host library of ApiSet entries in import tables, using system data or an external ApiSetSchema
  • Loading a file already mapped into a section object, for example from the KnownDlls directory
  • Search in all tables: full-text and by values from separate columns

Limitations and known bugs

  • Hexadecimal View is limited to 4 kilobytes from the starting address
  • RT_GROUP_ICON and RT_GROUP_CURSOR resource types dumping saves header only without icons and cursors
  • Lists are not sorted in natural order

Features

Some properties

  • The timestamp from the file header is not decoded if the PE image is built as Reproducible.
  • When determining whether a VA, RVA or file offset belongs to a particular section, the section name is shown together with its access attributes [R], [W], [X] (or a combination of them), plus the label [VM] if the data at the specified address is not initialized.

Headers

Displays the contents of the basic PE headers: IMAGE_DOS_HEADER, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER (IMAGE_OPTIONAL_HEADER64) and the directories list. A description or detailed characteristics are given for some fields.
Screenshot

Sections

List of sections of the PE file, with entropy calculation and support for long section names taken from the COFF symbol table.
Screenshot
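The headers and section table described in the two sections above can be walked with a few dozen lines of struct unpacking. The following is an added example, not PE Anatomist's code: it parses IMAGE_DOS_HEADER, IMAGE_FILE_HEADER, the PE32/PE32+ optional header and the section table, computes the Shannon entropy of each section's raw data, and locates an RVA with the access-attribute label and [VM] marker mentioned under "Some properties" (the exact label format, e.g. `.text [RX]`, is an assumption). The two-section PE32 image it parses is constructed in memory and is not a loadable program; long section names via the symbol table are not handled.

```python
"""Parse the PE headers and section table and compute per-section entropy.

Added example (not PE Anatomist's code). The PE32 image it parses is
constructed in memory so the script runs offline; it is not a loadable program.
"""
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# IMAGE_FILE_MACHINE_* values for the architectures named on the page
MACHINES = {0x14C: "Intel x86", 0x8664: "AMD64", 0x1C0: "ARM7",
            0x1C4: "ARM7 Thumb", 0xAA64: "ARM8-64", 0x200: "Intel IA64"}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    h = -sum(c / n * math.log2(c / n) for c in counts if c)
    return h if h > 0 else 0.0


def parse_pe(data: bytes) -> dict:
    """Read IMAGE_DOS_HEADER, IMAGE_FILE_HEADER, the optional header and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, nsec, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:    # PE32+: 64-bit ImageBase at +24 (there is no BaseOfData field)
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + i * 40          # section headers follow the optional header
        name, vsize, va, rsize, rptr, _, _, _, _, sc = struct.unpack_from("<8sIIIIIIHHI", data, off)
        raw = data[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rptr": rptr, "rsize": rsize,
                         "characteristics": sc, "entropy": round(shannon_entropy(raw), 4)})
    return {"machine": MACHINES.get(machine, f"{machine:#x}"), "magic": magic,
            "image_base": image_base, "entry_point": entry, "sections": sections}


def access_label(sec: dict) -> str:
    """Section name plus its access attributes, e.g. '.text [RX]' (label format is an assumption)."""
    bits = ((IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W"), (IMAGE_SCN_MEM_EXECUTE, "X"))
    return f"{sec['name']} [{''.join(t for b, t in bits if sec['characteristics'] & b)}]"


def locate_rva(sections: list, rva: int):
    """Find the section containing an RVA; add [VM] when the address lies beyond the raw data."""
    for sec in sections:
        if sec["va"] <= rva < sec["va"] + max(sec["vsize"], sec["rsize"]):
            label = access_label(sec)
            if rva >= sec["va"] + sec["rsize"]:
                label += " [VM]"        # uninitialized: exists in memory only, not in the file
            return label
    return None


def build_sample_pe32() -> bytes:
    """Constructed two-section PE32 image: .text holds every byte value once, .data is all zeros."""
    text, data_ = bytes(range(256)), bytes(0x200)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, len(text), len(data_), 0, 0x1000, 0x1000, 0x2000,
                      0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x3000, 0x200, 0,
                      3, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + bytes(16 * 8)
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".data", 0x1000, 0x2000, len(data_), 0x300, 0, 0, 0, 0, 0xC0000040)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + opt + secs
    return headers.ljust(0x200, b"\0") + text + data_


if __name__ == "__main__":
    info = parse_pe(build_sample_pe32())
    print(info["machine"], hex(info["image_base"]), hex(info["entry_point"]))
    for s in info["sections"]:
        print(f"{access_label(s):14} va={s['va']:#07x} raw={s['rsize']:#06x} entropy={s['entropy']}")
    print(locate_rva(info["sections"], 0x1800))   # .text [RX] [VM]
```

The entropy column is the triage signal: a section whose raw bytes come out near 8.0 is usually packed or encrypted, while a code section from a normal compiler lands well below that. The [VM] marker matters when an address from a relocation or a debugger points into the part of a section that exists only in memory, so there is no file content to show for it.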

COFF Symbols

COFF Symbols Table contents.
Screenshot

Import Table

The Import Table view contains two lists. The first enumerates libraries; the second shows the imported functions with their name, hint, IAT RVA, INT RVA and the contents at the addresses those RVAs point to. MS-style name demangling is also available.
Screenshot

Export Table

There are two lists: the first represents the header of the Export Table with additional information about some fields, the second contains information about the exported symbols. Additionally, the section name, hint and ordinal of each exported symbol are displayed. Library forwarding is supported too.
Screenshot

Resource Directory

The Resource Table shows the PE resources. The list is grouped by resource type. A description of the resource contents is available for several resource types. Resource dump and view are available too.
Screenshot

Detailed information about all structures within the resource section is also available.
Screenshot

An example of the RT_VERSION resource view. Hexadecimal view is supported for all resource types.
Screenshot

Bound import Table

Bound Import Table libraries list.
Screenshot

Delay Import Table

The Delay Import Table view contains two lists. The first enumerates libraries; the second shows the imported functions with their name, hint, IAT RVA, INT RVA, bound import RVA, unload RVA and the contents at the addresses these RVAs point to.
Screenshot

Base Relocations Table

The Base Relocation Table lists the virtual addresses that must be adjusted when the ImageBase changes. Each target virtual address is analyzed and an interpretation of its contents is proposed.
The following are detected:

  • imported functions ("I:")
  • imported function thunks ("IT:")
  • delay imported functions ("DI:")
  • delay imported function thunks ("DIT:")
  • delay import descriptor addresses ("DID:")
  • exported functions ("E:")
  • addresses from the LoadConfig Directory ("SEH Handler", "CFG Check Function", "CFG Dispatch Function", "RFG Failure Routine", "RFG Verify Stack Function", "Security Cookie", "GFIDs Table")
  • the global pointer value, if provided by the target architecture ("Global Pointer")
Detection of ANSI ("A:") and UNICODE (UTF-16) ("U:") strings is supported too. National character recognition is available as well, but it is currently limited to Cyrillic characters from CP1251.
If the interpretation is undefined, 12 bytes are displayed in hexadecimal form, except in the case of uninitialized data.
Screenshot

Target address determination and interpretation are available for the x86, x64, ARM Thumb, ARM64 and IA64 architectures.
Screenshot x64 :: Screenshot ARM :: Screenshot IA64
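The relocation walk and target interpretation described above, as an added example rather than PE Anatomist's own code. It parses IMAGE_BASE_RELOCATION blocks from an image that is already mapped (RVA equals buffer offset, as when a file is loaded from a section object), reads the pointer stored at each HIGHLOW/DIR64 target, converts it back to an RVA and classifies it with the same prefixes the page lists: a symbol map standing in for the export and import tables ("E:", "I:"), an ANSI string ("A:"), a UTF-16 string ("U:"), and otherwise the first 12 bytes in hex. The image, the symbol map and the five fixups are constructed; the image base, the string-length thresholds and the 0x3000-byte layout are assumptions.

```python
"""Walk the base relocation table of a mapped PE image and interpret each target.

Added example (not PE Anatomist's code). It works on an image that is already
mapped (RVA == buffer offset), as when a file is loaded from a section object;
the image, the symbol map and the relocation entries below are constructed.
"""
import struct

IMAGE_REL_BASED_ABSOLUTE = 0    # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3     # 32-bit pointer (x86)
IMAGE_REL_BASED_DIR64 = 10      # 64-bit pointer (x64, ARM64)
REL_NAMES = {0: "ABSOLUTE", 3: "HIGHLOW", 10: "DIR64"}

IMAGE_BASE = 0x400000                         # assumed preferred base of the sample image
RELOC_RVA, RELOC_SIZE = 0x2800, 20            # where the constructed .reloc data lives
# What the export/import tables would contribute in a real parse (constructed here).
SAMPLE_SYMBOLS = {0x1000: "E: main", 0x2000: "I: kernel32.dll!ExitProcess"}


def iter_relocations(image: bytes, reloc_rva: int, reloc_size: int):
    """Yield (type, target RVA) for every entry of every IMAGE_BASE_RELOCATION block."""
    off, end = reloc_rva, reloc_rva + reloc_size
    while off + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", image, off)
        if block_size < 8:
            break                                   # malformed block, stop walking
        for i in range(8, block_size, 2):
            entry = struct.unpack_from("<H", image, off + i)[0]
            rtype, page_off = entry >> 12, entry & 0xFFF   # high 4 bits type, low 12 bits offset
            if rtype != IMAGE_REL_BASED_ABSOLUTE:
                yield rtype, page_rva + page_off
        off += block_size


def read_ansi(image: bytes, rva: int, min_len: int = 4, max_len: int = 64):
    """NUL-terminated printable ASCII string at rva, or None."""
    chunk = image[rva:rva + max_len]
    end = chunk.find(b"\0")
    if end < min_len:                               # also covers "no terminator" (-1)
        return None
    s = chunk[:end]
    return s.decode("ascii") if all(0x20 <= b < 0x7F for b in s) else None


def read_unicode(image: bytes, rva: int, min_len: int = 4, max_len: int = 64):
    """NUL-terminated UTF-16LE string of printable ASCII code points at rva, or None."""
    chars = []
    for i in range(rva, min(rva + 2 * max_len, len(image) - 1), 2):
        code = image[i] | (image[i + 1] << 8)
        if code == 0:
            return "".join(chars) if len(chars) >= min_len else None
        if not 0x20 <= code < 0x7F:
            return None
        chars.append(chr(code))
    return None


def interpret_target(image: bytes, rtype: int, target_rva: int, symbols: dict) -> str:
    """Explain what the pointer stored at target_rva refers to, using the page's prefixes."""
    width = 8 if rtype == IMAGE_REL_BASED_DIR64 else 4
    value = int.from_bytes(image[target_rva:target_rva + width], "little")
    pointee = value - IMAGE_BASE                     # absolute VA back to RVA
    if pointee in symbols:
        return symbols[pointee]
    if not 0 <= pointee < len(image):
        return f"?: {value:#x} points outside the image"
    s = read_ansi(image, pointee)
    if s is not None:
        return f'A: "{s}"'
    s = read_unicode(image, pointee)
    if s is not None:
        return f'U: "{s}"'
    return "HEX: " + image[pointee:pointee + 12].hex()     # undefined: first 12 bytes


def analyze_relocations(image: bytes, reloc_rva: int, reloc_size: int, symbols: dict) -> list:
    return [(REL_NAMES.get(t, str(t)), rva, interpret_target(image, t, rva, symbols))
            for t, rva in iter_relocations(image, reloc_rva, reloc_size)]


def build_sample_image() -> bytearray:
    """Constructed 0x3000-byte mapped image with five HIGHLOW fixups in one .reloc block."""
    img = bytearray(0x3000)
    img[0x2100:0x210D] = b"Hello, world\0"
    img[0x2140:0x2150] = "Unicode".encode("utf-16-le") + b"\0\0"
    img[0x2300:0x230C] = bytes(range(1, 13))                     # opaque binary data
    pointers = [0x1000, 0x2000, 0x2100, 0x2140, 0x2300]          # absolute VAs stored in .data
    struct.pack_into("<5I", img, 0x2200, *(IMAGE_BASE + p for p in pointers))
    entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | (0x200 + 4 * i) for i in range(5)]
    struct.pack_into("<II5HH", img, RELOC_RVA, 0x2000, RELOC_SIZE, *entries, 0)  # 0 = ABSOLUTE pad
    return img


if __name__ == "__main__":
    for rtype, rva, what in analyze_relocations(build_sample_image(), RELOC_RVA, RELOC_SIZE, SAMPLE_SYMBOLS):
        print(f"{rtype:8} {rva:#07x} -> {what}")
```

Reading the pointee rather than just listing fixup offsets is what makes a relocation table useful for analysis: each entry becomes a cross-reference, and a fixup whose pointer lands outside any section or on unreadable bytes is a cheap signal that the image has been tampered with or is only partially unpacked.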

PE Authenticode

Short description of the PE Authenticode signature properties.
Screenshot

Load Config Directory

The LoadConfig Directory view is a set of separate tabs: one for the header (all header structure versions up to SDK 19041 are supported) with information about some fields, and one for each nested data structure.
Screenshot

List of permitted exception handlers (SEH). x86 only.
Screenshot

Set of functions in the application that are valid targets for indirect calls; the additional state flags (Call suppressed, Export suppressed) are supported.
Screenshot

The GFID table is decoded to build the CFG bitmap, which is displayed as a hex view.
Screenshot

Contents of the Guard Address Taken IAT Entry Table with a description of the values.
Screenshot

Set of long jumps that are protected by CFG.
Screenshot

Header for CHPE mode. The IAT for the emulated architecture can be displayed.
Screenshot

Contents of the Dynamic Value Relocation Table, which is required by the Retpoline mitigation. The lists are the same as for the Base Relocations Table. Only the first version of the data is supported (i.e. no prologue and epilogue configuration).
Screenshot

Configuration data for PE images that can execute inside memory enclaves (Intel SGX).
Screenshot

Contents of Volatile Metadata Table.
Screenshot

Debug Directory

Debug information. All debug types from 0x01 to 0x14 are supported.
Screenshot

COFF group information.
Screenshot

Usage counters of C++ compiler features.
Screenshot

Hash value for Reproducible image build.
Screenshot

Frame Pointer Omission debug information.
Screenshot

Extended values of IMAGE_OPTIONAL_HEADER.DllCharacteristics. Only one value is known: CET Compatible, which indicates support for the Control-flow Enforcement Technology (CET) shadow stack.
Screenshot

Debug information for Sample-based Profile Guided Optimization (not documented).
Screenshot

TLS config and callbacks

TLS config and callbacks list.
Screenshot

Exceptions Data Table

Architecture-dependent Exceptions Data Table and unwind info. x64, ARM7, ARM7 Thumb, ARM64 and IA64 are supported.
Function start addresses for ARM7 Thumb are shown as is, i.e. incremented by one. The same applies to CoreCLR function starts.
Unwind codes are decoded for x64, ARM7 Thumb, ARM64 and IA64.
Several language-specific handler data structures are also decoded for all architectures: C Scope, C++ FuncInfo (MSVC++), C++ EH4 (MSVC++, optimized version) and C++ DWARF LSDA (GCC-like compilers).
A hexadecimal view of unwind data is available for all architectures except ARM7.
Screenshot

x64 Unwind Codes; both known versions of the codes are supported. A negative offset value is displayed for epilogues to mark an offset from the function end.
Screenshot

ARM Thumb Unwind Codes and Epilogues list.
Screenshot

ARM64 Unwind Codes and Epilogues list.
Screenshot

ARM (non-Thumb mode) exceptions data. Unwind codes are absent.
Screenshot

IA64 Unwind Codes. All record formats are supported except X1-X4. The P4 (spill_mask) format is supported but not displayed.
Screenshot

Chain of exceptions data for x64.
Screenshot

List of C try/catch blocks.
Screenshot

Info about C++ try/catch blocks. Three lists are filled with the state map, the try/catch block handlers and the unwind map. The FuncInfo header is not displayed.
Screenshot

Info about C++ EH4 (optimized) try/catch blocks. Four lists are filled with the state map, the try/catch states, the try/catch handlers and the unwind map. The FuncInfo4 header is not displayed.
Screenshot

Info about GCC-like try/catch blocks. The first list displays the try/catch blocks, the handler and an additional action mark. The second list shows the unwind action chain and the catch-block type filter.
Screenshot

Hexadecimal View of selected unwind info.
Screenshot

.NET Headers and Metadata

Contents of the .NET headers: IMAGE_COR20_HEADER, CORCOMPILE_HEADER or READYTORUN_HEADER, with additional information about some fields.
Screenshot

Analysis of the metadata tables with interpretation of some fields (the amount of interpreted data will grow).
Screenshot

ReadyToRun compiled exception handling information.
Screenshot

List of slots dynamically populated during the program launch or runtime of ReadyToRun code (helpers, strings, etc.). Signature decoding is not available yet.
Screenshot

Mapping of the RVA of a method in CIL form to its compiled ReadyToRun form.
Screenshot

Rich Signature

The Rich Signature is decoded into the @comp.id symbol, the tool usage counter, the tool name, the action being taken, the full version of the tool, and the version of Visual Studio to which the tool belongs.
Screenshot
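The decoding described above can be reproduced with a short script. The following is an added example, not PE Anatomist's code: it finds the `Rich` marker in the DOS stub, recovers the XOR key stored after it, walks back to the `DanS` start, splits the decoded DWORDs into @comp.id (product id in the high 16 bits, build number in the low 16 bits) and usage-count pairs, and recomputes the checksum that the key is supposed to equal. The DOS header it parses is constructed, and its product ids and builds are arbitrary numbers; mapping a product id to a tool name and Visual Studio version requires a lookup table that is not included here.

```python
"""Decode and verify the Rich signature in a PE DOS stub.

Added example (not PE Anatomist's code). The DOS header below and its entries
are constructed; product ids are arbitrary numbers, and mapping them to tool
names needs a lookup table that is not included here.
"""
import struct

DANS = 0x536E6144          # "DanS" read as a little-endian DWORD
# constructed (prodid, build, count) triples, not real tool ids
SAMPLE_ENTRIES = [(0x00F1, 0x6D9F, 2), (0x00F2, 0x6D9F, 1), (0x0001, 0x0000, 12)]
DOS_STUB = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.\r\r\n$")


def rol32(v: int, n: int) -> int:
    n &= 31
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF


def rich_checksum(data: bytes, start: int, pairs) -> int:
    """XOR key as the format defines it: offset of "DanS", plus every DOS-header byte
    rotated left by its offset (the e_lfanew bytes are skipped), plus every
    @comp.id rotated left by its usage count."""
    cksum = start
    for i in range(start):
        if 0x3C <= i < 0x40:
            continue
        cksum = (cksum + rol32(data[i], i)) & 0xFFFFFFFF
    for compid, count in pairs:
        cksum = (cksum + rol32(compid, count)) & 0xFFFFFFFF
    return cksum


def decode_rich(data: bytes):
    """Locate 'Rich', recover the key, walk back to 'DanS' and decode the @comp.id/count pairs."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich_off = data.rfind(b"Rich", 0, e_lfanew)
    if rich_off < 0:
        return None
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    start = rich_off - 4
    while start >= 0x40 and struct.unpack_from("<I", data, start)[0] ^ key != DANS:
        start -= 4
    if start < 0x40:
        return None
    words = [w ^ key for w in struct.unpack_from("<%dI" % ((rich_off - start) // 4), data, start)]
    # words[0] == "DanS", words[1:4] are zero padding, then (@comp.id, count) pairs
    entries = [{"prodid": words[i] >> 16, "build": words[i] & 0xFFFF, "count": words[i + 1]}
               for i in range(4, len(words) - 1, 2)]
    pairs = [((e["prodid"] << 16) | e["build"], e["count"]) for e in entries]
    return {"offset": start, "key": key, "entries": entries,
            "checksum_ok": rich_checksum(data, start, pairs) == key}


def build_rich_dos_header(entries, rich_start=0x80, e_lfanew=0xC0) -> bytes:
    """Constructed DOS header + stub + encoded Rich signature, ending at the PE signature."""
    dos = bytearray(rich_start)
    dos[:2] = b"MZ"
    dos[0x40:0x40 + len(DOS_STUB)] = DOS_STUB
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    pairs = [((prodid << 16) | build, count) for prodid, build, count in entries]
    key = rich_checksum(dos, rich_start, pairs)
    words = [DANS ^ key, key, key, key]          # "DanS" and three zero DWORDs, XORed with key
    for compid, count in pairs:
        words += [compid ^ key, count ^ key]
    dos += struct.pack("<%dI" % len(words), *words) + b"Rich" + struct.pack("<I", key)
    return bytes(dos.ljust(e_lfanew, b"\0")) + b"PE\0\0"


if __name__ == "__main__":
    result = decode_rich(build_rich_dos_header(SAMPLE_ENTRIES))
    print(f"Rich header at {result['offset']:#x}, key {result['key']:#010x}, "
          f"checksum {'OK' if result['checksum_ok'] else 'MISMATCH'}")
    for e in result["entries"]:
        print(f"  prodid={e['prodid']:#06x} build={e['build']:5d} count={e['count']}")
```

The checksum check is the part worth keeping in a triage script: because the key is derived from every byte of the DOS header and from the entries themselves, a Rich header that was copied from another binary or edited after linking no longer verifies, which is a common indicator of a forged build provenance.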

IAT table

Contents of the IAT, if it is referenced from the PE data directories table. The module and name of each imported function are available.
Screenshot

VB5-6 Structures

Searches for and decodes several basic structures of a VB5/6 application: project information, COM registration data, the Object Table header and object list, and the DLLCall dynamic import list.
Screenshot

LIB Members list

Library members list.
Screenshot

LIB linker members

First and second linker members of the library.
Screenshot

LIB Import Library Entries

Summary table of import library entries.
Screenshot

OBJ Sections table

Table of sections and relocations of an object file.
Screenshot

OBJ Symbols table

Symbols table of an object file.
Screenshot

CodeView Debug Information

Subsections and their placement in the CodeView information file.

CodeView Debug Symbols

List of all symbols in CodeView7 format. Decoded information about the selected record is also available.
Screenshot

CodeView Types

List of all types in CodeView7 format. Decoded information about the selected record is also available.
Screenshot

MSVC Intermediate Language (C IL) Types

List of data types inside OBJ files compiled by MSVC with the /GL flag (whole program optimization), in ILStore format.
Screenshot