March 13th, 2012
· added support for drag&drop under W7, Vista on 64bit OSes; there is a bug with "x86" in IShellLink::GetPath for a 32bit app running on a 64bit OS
· found some import names with a length greater than 500 chars! See Adobe CS5, the imports from the boost libs
· fixed the buffers to support such situations
· fixed a security issue related to the size of import/export functions' names: "The vulnerability is caused due to a boundary error when parsing the names of functions exported by an analysed portable executable. This can be exploited to cause a stack-based buffer overflow by tricking a user into processing a specially crafted ".dll" or ".exe" file."
· fixed 3 bugs reported by snailz; unhandled situations when no pe file was loaded
· it seems that the TLS dir size is ignored by Windows, so leave Stud_PE buttons enabled on 0 size image data dirs
· bugfix in hexeditor; when exploring large PE sections/data (MB), at the end of the VScroll, the program was stuck in an endless paint
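The length check that the import/export name fix above depends on, as an added example (not Stud_PE's own code). The names copy_pe_name, demo and the NAME_* codes are hypothetical, and the input is constructed: a name is copied only if its terminator lies inside the file and the name fits the destination buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { NAME_OK = 0, NAME_OUT_OF_FILE = -1, NAME_UNTERMINATED = -2, NAME_TOO_LONG = -3 };

/* Copy the NUL-terminated name at offset `off` of the file image
 * file[0..file_size) into dst[0..dst_size). The name is untrusted: it may be
 * longer than dst or run to the end of the file without a terminator.
 * *name_len receives the real length when a terminator was found. */
int copy_pe_name(const uint8_t *file, size_t file_size, size_t off,
                 char *dst, size_t dst_size, size_t *name_len)
{
    *name_len = 0;
    if (dst_size == 0)
        return NAME_TOO_LONG;
    dst[0] = '\0';
    if (off >= file_size)
        return NAME_OUT_OF_FILE;

    /* Look for the terminator inside the file buffer only. */
    const uint8_t *start = file + off;
    const uint8_t *nul = memchr(start, 0, file_size - off);
    if (nul == NULL)
        return NAME_UNTERMINATED;

    *name_len = (size_t)(nul - start);
    if (*name_len >= dst_size)
        return NAME_TOO_LONG;      /* caller can retry with name_len + 1 bytes */

    memcpy(dst, start, *name_len + 1);
    return NAME_OK;
}

/* Constructed input: a 700-byte image of 'A' bytes holding one name of
 * `len` characters at offset `off`; the destination is a 256-byte buffer. */
int demo(size_t off, size_t len)
{
    uint8_t file[700];
    char name[256];
    size_t real_len;

    memset(file, 'A', sizeof file);
    if (off + len < sizeof file)
        file[off + len] = 0;
    return copy_pe_name(file, sizeof file, off, name, sizeof name, &real_len);
}

int main(void) { return demo(50, 600) == NAME_TOO_LONG ? 0 : 1; }
```

A 600-character name, like the long boost imports mentioned above, is reported as too long for the 256-byte buffer instead of being written past its end.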
March 2nd, 2012
· switched the project from VC6 to VC8; just for your information, about 60 errors and 600 warnings after project conversion; take care, those secure CRT fixups drove me crazy, errors may have slipped through :); if so, please report and I'll try to fix them;
· unfortunately VC8 breaks the W95 compatibility (shlwapi.dll appears in the imports due to MFC AddToRecentFileList, which links that dll, not known to the W95 OS; also IsDebuggerPresent is not present in W95 but is linked by VC8 ...and who knows which other functions);
· fixed a gpf reported on program exit;
March 2nd, 2012
· added Basic Headers tree View to the Hexeditor's History; it was causing some problems if not added;
· option to mark more than one block of data inside hexeditor;
· hexeditor now supports editing the ascii column; also selection is reflected in the ascii column; with this another todo job ended :)
March 2nd, 2012
· added some colours to the disassembler window;
· you can jump into calls/jmps in disassembler window (added also a history back-fwd); jmp on double mouse click works only for files loaded into Stud_PE; if you try this on chunks of mem viewed from procs list it won't jmp; also, in this case it will disassemble as 32bit inst since I don't know how Procs list acts under 64bit OS; mostly it won't work since LPVOID of Read/WriteProcmem are 8 bytes on 64bit OS.
· Dump/Edit process memory regions; from Tab Procs you can view memory regions of a certain running process; you can hex/view it and edit it there; Patch Mem will write it directly into the process' memory; this should work on 32bit OS.
March 2nd, 2012
· the small disassembler from hexeditor now works for 64bit (PE+) files too;
· fixed the disappeared options Tab, and a bug with the ImageBase static ctrl :P
· added an option to disable autoscan for file signatures; if you are not interested in this feature why waste some CPU time;
· add new import now works for 64bit (PE+) files too;
· removed the warning with virtual sizes in Sections Tab->Analyze since it doesn't do anything good;
· On Tab Sections, menu Analyze, it will search if any entry from Optional Header Data Directory points to selected section;
· "ExtraDat" shown in Sections will be marked as "Certificate" if OptionalHeaderDataDirectory[4] points to it. If you delete this Certificate Section, be sure to also null the RVA and size in OptionalHeaderDataDirectory[4];
· addImport, add section, TLS viewer now work for 64bit apps;
· Jmp to VA in hexeditor supports up to 8bytes selection if a PE+ file is loaded;
· added some copy&paste menu functionality to edit controls showing header's data;
March 2nd, 2012
· Added support for 64 bit PE files (PE+ format); although it isn't finished you can do with it most of the things which work on 32bit PE files; what do I need to fix for x64? tls, addimports, jmp va, perhaps a small disassembler for the right click menu in hexview to support x64 architecture; and other things which I couldn't test since I'm still on a 32bit machine :)
· Added map file parser for "Virtual to Raw offset convertor"; if you open a PE sample.exe and the sample.map exists in the same dir, you will see the function/var the address points into; it should work for vc6-vc8 linker generated map files;
June 25th, 2008
· Fixed a bug with imported functions name length;
· Added external signature verifier; wrote a note about signatures;
· Fixed RVA2RAW for UPACK which has EP inside PE HEADER; now imports are shown fine;
· Added basic disassembler from hexeditor right click menu;
· Fixed showing which export is in fact a forwarder to other dll; like HeapAlloc in kernel.dll;
· Added process memory dumper/viewer; right click on the process you want to inspect; you can use the disassembler (from the right click menu inside the hexeditor) to see how the code looks at a certain VA; the difference from other dumpers (LordPE, ProcDump, PETools) is that it can dump/view code blocks protected with PAGE_GUARD or NOACCESS flags.