Overview : PEAnatomist

File Formats

PE32
PE32+
COFF Object File
MSVC IntermediateLanguage AnonCOFF Object File (MSVC CxxIL)
ExtendedObj (BIGobj)
Objects Library

PE Image Architectures

Intel x86
AMD64
ARM7
ARM7 Thumb
ARM8-64
Intel IA64
Hybrid (CHPE, ARM64X, ARM64EC)

A little of supported headers and data structures

PE: IMAGE_DOS_HEADER, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER, IMAGE_OPTIONAL_HEADER64 and the DataDirectories List with additional information about some fields
PE: Table of COFF symbols
PE: Sections table, supporting long section names (via symbols table) and entropy calculating
PE: Import table (supports MS-styled names demangling)
PE: Bound Import Table
PE: Delayed Import Table
PE: Export Table with additional info
PE: Resource Table with additional info about different resource types and detailed view for all types
PE: Base Relocation Table. Target address determining and interpretation available for all supporting architectures. It detects imports, delayed imports, exports, tables from loadconfig directory, ANSI and UNICODE strings.
PE: Brief info about PE Authenticode Signature
PE: LoadConfig Directory with SEH, GFID, decoded CFG bitmap, GIAT, CFG LongJumps, CHPE Metadata, ARM64X Metadata, Dynamic Value Reloc Table, Enclave Configuration, Volatile Metadata, CFG EH Continuations tables parsing and additional information about some fields
PE: Hybrid PE (ARM64X) Export, Import, DelayImport tables
PE: Debug Directory. It parses contents of CODEVIEW, POGO, BBT, VC FEATURE, REPRO, FPO, EXDLL CHARACTERISTICS, SPGO debug types
PE: TLS config and callbacks table with additional information about some fields
PE: Exceptions Data Table. x64 (including version 2 with EPILOG unwind codes), arm, arm64, ia64 architectures are support, as well as chain of unwind data for x64, language-specific handler data (C Scope, C++ FuncInfo, C++ EH4, C++ DWARF LSDA) and hexadecimal view of unwind data
PE: COM Descriptor directory pasring: headers, tables and metadata info available. Some of NGEN and ReadyToRun headers are also included
PE: Decode Rich signature indicating the tool used, the action being taken, the full version of the tool, and the version of VisualStudio to which the tool belongs
PE: IAT table contents
PE: VB5 and VB6 typical structures: project info, DLLCall-imports, referenced modules, object table
PE: Detecting an ANSI and Unicode encoded strings
PE: Plotting entropy
OBJ: IMAGE_FILE_HEADER, ANON_OBJECT_HEADER, ANON_OBJECT_HEADER_V2, IMPORT_OBJECT_HEADER
OBJ: COFF symbol table with decoding @comp.id and @feat.00, as well as auxiliary symbols
OBJ: Section table and relocations for the selected section
OBJ: Exceptions Data Table. x64 (including version 2 with EPILOG unwind codes), arm, arm64, ia64 architectures are support, as well as chain of unwind data for x64
OBJ: Functions xFG-hash values table
OBJ: Volatile Metadata information decoding
OBJ: Table of CodeView Debug Symbols
OBJ: Table of CodeView Types
OBJ: Table of MSVC CxxIL Types (.cil$db)
OBJ: Table of MSVC CxxIL Global Symbols (.cil$gl)
OBJ: Table of MSVC CxxIL Local Symbols (.cil$sy)
LIB: List of archive members
LIB: The first and second (if available) linker members
LIB: Summary table of import elements IMPORT_OBJECT_HEADER, if any
LIB: /ECSYMBOLS/ and /XFGHASHMAP/ members

Screenshots

TBD

To be developed...

Contacts

Currently, you can write to the author of the program only using forums ru-board.com and forum.exetools.com.
There are no other official ways.

Attention!

Please make sure the SHA256 hash of the .exe file matches the one specified in the Readme file inside of a ZIP and on the changelog page in case the program was obtained from another source. Differences in these values indicate third-party interference. It is recommended to avoid of using a modified copy of the program.

© 2019-2023 RamMerLabs. All rights reserved | Design: HTML5 UP The original work has been modified.