download PE Anatomist 0.2.0

  • by

Author: RamMerLabs
Date: 01/05/2021 11:27 AM
Size: 173 KB
License: Freeware
Requires: 10|8|7|XP
Downloads: 2557 times

PE Anatomist permits you to explore the majority of data structures within a PE file as well as making some analytics.

PE Anatomist is a lightweight software designed to give you a view of all the known structures inside of PE files. The Portable Executable format is utilized for 32 or 64 Bit executables, object code, DLLs, etc. These structures include headers, sections, COFF symbols, imports, exports, resources, bound imports, delayed imports, base relocations, PE Authenticode signatures, debug, load config directory, rich signatures, TLS, exceptions data, and .NET.

Headers and Data Structures Parsing:

  • IMAGE_DOS_HEADER, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER, IMAGE_OPTIONAL_HEADER64 and the DataDirectories List with additional information about some fields
  • Table of COFF symbols
  • Sections table, supporting long section names (via symbols table) and entropy calculating
  • Import table (supports MS-styled names demangling)
  • Bound Import Table
  • Delayed Import Table
  • Export Table with additional info
  • Resource Table with additional info about different resource types and detailed view for all types
  • Base Relocation Table. Target address determining and interpretation available for all supporting architectures. It detects imports, delayed imports, exports, tables from loadconfig directory, ANSI, and UNICODE strings.
  • Brief info about PE Authenticode Signature
  • LoadConfig Directory with SEH, GFID, decoded CFG bitmap, GIAT, Guard LongJumps, CHPE Metadata, Dynamic Value Reloc Table, Enclave Configuration, Volatile Metadata tables parsing, and additional information about some fields
  • Debug Directory. It parses contents of CODEVIEW, POGO, VC FEATURE, REPRO, FPO, EXDLL CHARACTERISTICS, SPGO debug types
  • TLS config and callbacks table with additional information about some fields
  • Exceptions Data Table. x64 (including version 2 with EPILOG unwind codes), arm, arm64, ia64 architectures are supported, as well as the chain of unwind data for x64, language-specific handler data (C Scope, C++ FuncInfo, C++ EH4, C++ DWARF LSDA) and hexadecimal view of unwind data
  • Partial .NET directory parsing: IMAGE_COR20_HEADER, CORCOMPILE_HEADER, READYTORUN_HEADER with additional information about some fields
  • Decode Rich signature indicating the tool used, the action being taken, the full version of the tool, and the version of VisualStudio to which the tool belongs
  • IAT table contents
  • VB5 and VB6 typical structures: project info, DLLCall-imports, referenced modules, and object table
  • FLC – file location calculator
  • Display settings and sorting by any column of the list
  • Localization of the program interface (while Russian and English options are available) via external DLL file
  • Explorer’s context menu integration
  • Decoding strings of national Unicode symbols (Cyrillic form CP1251 is available now)

download PE Anatomist 0.2.0

Leave a Reply

Your email address will not be published. Required fields are marked *