PE Anatomist 0.2.0

Published by

PE Anatomist permits you to explore the majority of data structures within a PE file as well as making some analytics.
PE Anatomist permits you to explore the majority of data structures within a PE file as well as making some analytics.

PE Anatomist is a lightweight software designed to give you a view of all the known structures inside of PE files. The Portable Executable format is utilized for 32 or 64 Bit executables, object code, DLLs, etc. These structures include headers, sections, COFF symbols, imports, exports, resources, bound imports, delayed imports, base relocations, PE Authenticode signatures, debug, load config directory, rich signatures, TLS, exceptions data, and .NET.

Headers and Data Structures Parsing:

IMAGE_DOS_HEADER, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER, IMAGE_OPTIONAL_HEADER64 and the DataDirectories List with additional information about some fields
Table of COFF symbols
Sections table, supporting long section names (via symbols table) and entropy calculating
Import table (supports MS-styled names demangling)
Bound Import Table
Delayed Import Table
Export Table with additional info
Resource Table with additional info about different resource types and detailed view for all types
Base Relocation Table. Target address determining and interpretation available for all supporting architectures. It detects imports, delayed imports, exports, tables from loadconfig directory, ANSI, and UNICODE strings.
Brief info about PE Authenticode Signature
LoadConfig Directory with SEH, GFID, decoded CFG bitmap, GIAT, Guard LongJumps, CHPE Metadata, Dynamic Value Reloc Table, Enclave Configuration, Volatile Metadata tables parsing, and additional information about some fields
Debug Directory. It parses contents of CODEVIEW, POGO, VC FEATURE, REPRO, FPO, EXDLL CHARACTERISTICS, SPGO debug types
TLS config and callbacks table with additional information about some fields
Exceptions Data Table. x64 (including version 2 with EPILOG unwind codes), arm, arm64, ia64 architectures are supported, as well as the chain of unwind data for x64, language-specific handler data (C Scope, C++ FuncInfo, C++ EH4, C++ DWARF LSDA) and hexadecimal view of unwind data
Partial .NET directory parsing: IMAGE_COR20_HEADER, CORCOMPILE_HEADER, READYTORUN_HEADER with additional information about some fields
Decode Rich signature indicating the tool used, the action being taken, the full version of the tool, and the version of VisualStudio to which the tool belongs
IAT table contents
VB5 and VB6 typical structures: project info, DLLCall-imports, referenced modules, and object table

FLC - file location calculator
Display settings and sorting by any column of the list
Localization of the program interface (while Russian and English options are available) via external DLL file
Explorer's context menu integration
Decoding strings of national Unicode symbols (Cyrillic form CP1251 is available now)


  Download