Softpedia >Windows >Programming >Debuggers/Decompilers/Disassemblers >PE Anatomist >  Changelog

PE Anatomist Changelog

What's new in PE Anatomist 0.2.12915.2200

May 16, 2024
  • 12530.0115: Fixed error parsing CxxIL symbols if AddressSanitizer was enabled when building the OBJ file
  • 12530.1706: Fixed an error displaying the value of the S_DEFRANGE_CONSTVAL_ON_ENTRY symbol
  • 12620.1535: Added parsing of tables with CodeView data in PDB: DEBUG_S_FILECHKSMS, DEBUG_S_CROSSSCOPEIMPORTS, DEBUG_S_CROSSSCOPEEXPORTS
  • 12705.2002: The file loading mechanism has been changed: access through projection and direct file reading are combined
  • 12706.1628: Fixed OOB reading of some PE files with IMAGE_LOAD_CONFIG_DIRECTORY smaller than 72 bytes (regress from version 0.2.12223.1950)
  • 12708.1702: Fixed bug in listing ModI streams in PDB if the number of modules exceeds 32767
  • 12708.1754: The ability to work with PDB files of any size (including those exceeding 4 GB) allowed by the MSFv7 format has been implemented (filling tables with CodeView types and symbols is limited to the number of ~32 million records)
  • 12713.1716: Integration with the Windows Explorer context menu has been expanded to display the application icon in the menu
  • 12714.1719: Added support for IMAGE_DYNAMIC_RELOCATION_ARM64_KERNEL_IMPORT_CALL_TRANSFER symbol in the DVRT table
  • 12803.0038: The "Relocations" tab layout for PE files has been changed: all entries are summarized in a common table
  • 12803.1848: Fixed a possible OOB write when decoding fixup signatures from the R2R section READYTORUN_SECTION_IMPORT_SECTIONS
  • 12816.2229: Added limited support for CEE (COM+ Execution Engine) and CEF (Common Executable Format) architectures in OBJ files
  • 12828.1906: Viewing the contents of PE file resources has been moved from a separate dialog to a built-in one
  • 12904.1403: The display of the RT_VERSION resource has been changed to a text view with a block hierarchy
  • 12907.1953: Fixed a number of errors in converting RT_MESSAGETABLE and RT_STRING resources to text form
  • 12908.1325: Fixed an error reading at an invalid address, which could lead to a program crash in rare cases on corrupted data (regress from version 0.2.12503.2200)
  • 12908.2138: Fixed an error displaying the string name of PE resource subdirectories for non-standard data placement inside the resource section

New in PE Anatomist 0.2.12517.1445 (Jan 17, 2024)

  • Fixed an error converting RVA from the OMAP_TO_SRC and OMAP_FROM_SRC tables in DBG files
  • Fixed error in generating method signatures for VisualBasic5/6 if a built-in control is used as a data type
  • Fixed an error displaying S_ENVBLOCK property values

New in PE Anatomist 0.2.12503.2200 (Jan 4, 2024)

  • 12302.1157: Fixed several minor errors in working with PDB in MSF version 2 (JG) format
  • 12303.2001: Added recognition of VisualBasic 5/6 specific headers for DEC Alpha
  • 12308.2010: Added unconditional jump detection (LDAH+LDL+JMP, LDA+SLL+LDAH+LDQ+JMP) in the relocating addresses target description for DEC Alpha and Alpha64
  • 12309.0034: Added ExceptionsData table parsing for DEC Alpha and Alpha64 in PE
  • 12313.1837: Added handling of exception unwinding information for DEC Alpha and Alpha64 in PE
  • 12422.2103: Significantly expanded support for Visual Basic 5/6-specific headers and structures in PE
  • 12423.1536: An optional output of the offset of the structure field relative to its beginning has been added instead of the offset in the file
  • 12429.1725: Added a settings of displaying some data from Visual Basic 5/6 structures

New in PE Anatomist 0.2.12223.1950 (Oct 23, 2023)

  • Removed unnecessary error message about overwriting existing files when extracting resources in PE and archive contents in LIB
  • Fixed an inaccuracy in the description of RVA indicating an unconditional branch if the first instruction of the branch target is preceded by a REX prefix (x64)
  • The detection of an unconditional transition (B and ADRP+LDR+BR) was added in the description of the relocation target address for ARM64
  • The description for RVA is supplemented by information from the unwind tables (dtor and Catch Handler) of SEHScope, CxxFH3, CxxFH4 for X64, ARM, ARM64, IA64, ARM64X, as well as CxxFH3 from IMAGE_LOAD_CONFIG_DIRECTORY.SEHandlerTable for X86
  • The description for RVA is supplemented by addresses of methods and fields from the Dotnet MethodDef and FieldRVA metadata tables, as well as addresses of entry points from IMAGE_OPTIONAL_HEADER and IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR with the COMIMAGE_FLAGS_NATIVE_ENTRYPOINT flag
  • Added decoding of Fixup-signatures in READYTORUN_SECTION_IMPORT_SECTIONS
  • The description for RVA is supplemented by the addresses of import entries from READYTORUN_SECTION_IMPORT_SECTIONS, addresses of methods from READYTORUN_SECTION_METHODDEF_ENTRYPOINTS and exception handlers addresses from READYTORUN_SECTION_EXCEPTION_INFO
  • Added analysis of READYTORUN_SECTION_INSTANCE_METHOD_ENTRYPOINTS
  • The description for RVA is supplemented by addresses of methods from READYTORUN_SECTION_INSTANCE_METHOD_ENTRYPOINTS
  • Fixed the detection of unconditional jumps for the code of different CPU architectures in hybrid PE ARM64X and ARM64EC
  • Reading values from the IAT tables (IMAGE_CHPE_METADATA_X86.CompilerIATPointer и IMAGE_ARM64EC_METADATA.AuxiliaryIAT) of hybrid PE outside the section was eliminated
  • Fixed the error of listing functions in the import table for emulated architecture in hybrid PE-files (ARM64X) in some cases
  • The description for RVA is supplemented by addresses of the IAT cell initializers from the IMAGE_ARM64EC_METADATA.AuxiliaryIAT table of hybrid PE (ARM64X)
  • The size of the block for calculating entropy is aligned to 0x10

New in PE Anatomist 0.2.12104.1940 (Sep 4, 2023)

  • Added support for long section names in PE and OBJ for the case when the size of the COFF string table exceeds 9999999 bytes
  • Fixed possible OOB reading during description preparation for some CodeView symbols in PDB
  • Fixed processor architecture description error in Codeview symbol S_HYBRIDRANGE

New in PE Anatomist 0.2.11931.2211 (Jul 31, 2023)

  • 11912.1510: Fixed flag description error in Ready2Run header
  • 11914.1616: Fixed error loading some PDB files with a very large number of pages
  • 11914.2116: Fixed bug with reading values from the hash table of named streams in PDB stream in some cases
  • 11917.2245: Fixed PDB stream header parsing error for PDBImpvVC98 version
  • 11921.0019: Added support for MS PDB (Program Database) debug information files in MSF version 2 (JG) format
  • 11922.0107: Fixed read-out-of-bounds error during conversion of presized strings in Codeview C7 and C11
  • 11926.2009: Slightly speeded up indexing of Codeview type entries in the IPI table in PDB

New in PE Anatomist 0.2.11909.2000 (Jul 9, 2023)

  • 11602.1736: Fixed loading some PE with overlay
  • 11615.1532: Fixed a minor error for the HEX-form target interpretation of the relocated VA in the relocations table for ARM Thumb
  • 11620.1921: Fixed error counting IMAGE_DYNAMIC_RELOCATION_FUNCTION_OVERRIDE records in the DVRT table
  • 11627.1847: Description of RVA in PE is supplemented with information about method addresses from the dotNet VTableFixups table
  • 11711.1500: Fixed CORCOMPILE_VERSION_INFO header parsing error for dotNet versions 4.52-4.7 for ARM Thumb
  • 11715.1842: Added support for debug information files in DBG format (Stripped Debug information) displaying the following debug information structures: COFF, CODEVIEW, FPO, EXCEPTION, FIXUP, OMAP_TO_SRC, OMAP_FROM_SRC
  • 11715.2101: Added display of debug information IMAGE_DEBUG_TYPE_FIXUP in PE files
  • 11718.1842: Fixed display of COFF symbol section name for indexes of non-existent sections in the COFF symbol table for PE, OBJ and DBG
  • 11804.0216: A significant part of the code responsible for working with the Codeview format has been rewritten
  • 11805.0118: The parsing of debuging information about the symbols and data types in CodeView C11 (and partially C7) (NB09 and NB11) in DBG files has been added
  • 11805.2011: Added parsing of debuging information about symbols and data types in CodeView C11 (and partially C7) in OBJ files, including CxxIL .cil$DB and .cil$pch
  • 11805.2102: The error of determining the section number in the description of CodeView symbols in BIGOBJ has been eliminated
  • 11809.1550: UTF8 coding of names of symbols and data types in CodeView C13 is taken into account
  • 11826.1704: Added support IMAGE_REL_BASED_HIGH3ADJ (DEC Alpha64) and a description for the corresponding target address
  • 11906.0035: Added support for MS PDB (Program Database) debug info files in MSF version 7 (DS) with the most of the internal structures

New in PE Anatomist 0.2.11511.1500 (Mar 12, 2023)

  • 11421.2151: Fixed CORCOMPILE_VERSION_INFO header parsing error for pre-release versions of dotNet 4.5x
  • 11424.2009: Fixed VolatileMetadata parsing in OBJ files for non-ComDat sections
  • 11426.1706: Fixed a minor error in defining the RVA of the EH function in the IMAGE_LOAD_CONFIG_DIRECTORY.SEHandlerTable table
  • 11503.2140: Updated IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS flag values (WinBuild 25309)
  • 11508.2051: Added generation and parsing of export (ported from 0.3.10130.2242), import and lazy import tables for emulated architecture in hybrid PE files (ARM64X)
  • 11509.1914: Fixed error copying to clipboard values from "RVA overriding functions" column in DVRT FunctionOverride table
  • 11510.2023: Added description for RVA of corresponding fields from export (prefix hE), import (prefix hI, hIT) and deferred import (hDI, hDIT) tables for emulated architecture in hybrid PE files (ARM64X)
  • 11511.1343: Exported function redirection information moved to a separate column in the export table

New in PE Anatomist 0.2.11401.000 (Feb 1, 2023)

  • 11327.0029: Fixed bug with listing records in dotNet VTableFixups table
  • 11330.1923: Fixed handling of WM_CANCELMODE in some dialogs
  • 11331.2034: Fixed determining of Cpp EH RVA in IMAGE_LOAD_CONFIG_DIRECTORY.SEHandlerTable table in some cases

New in PE Anatomist 0.2.11322.0120 (Jan 22, 2023)

  • 11322.0056: Fixed a crash when processing the export table header (0.2.11320.1732 regression)

New in PE Anatomist 0.2.11320.1732 (Jan 20, 2023)

  • 11307.1257: Fixed lack of response to ListView search hotkeys in PE resources and UnwindInfo tables for x64 and ARM64
  • 11307.1722: Fixed a possible out-of-bounds read when defining a COMDAT-associated section in OBJ files
  • 11311.1535: Corrected RVA description error in the first version DVRT table for IMAGE_DYNAMIC_RELOCATION_GUARD_RF_PROLOGUE and IMAGE_DYNAMIC_RELOCATION_GUARD_RF_EPILOGUE symbols
  • 11311.1803: Added early DVRT parsing (without RFG, IMAGE_LOAD_CONFIG_DIRECTORY.DynamicValueRelocTable, WinBuild before 14965)
  • 11311.2120: Added analysis of DVRT of the second version
  • 11314.2122: Added CORCOMPILE_HEADER header parsing for the following dotNet NGEN versions that have differences in the specified structure: 1.0, 1.2, 2.0, 2.0Sp2, 4.0, 4.5, 4.52, 4.6, 4.7
  • 11315.2148: Added parsing of the CORCOMPILE_VERSION_INFO header for the following dotNet NGEN versions that have differences in the specified structure: 1.0, 1.1, 1.2, 2.0, 2.0Sp2, 4.0, 4.52
  • 11317.0045: Added parsing of dotNet metadata tables from CORCOMPILE_HEADER and READYTORUN_HEADER headers

New in PE Anatomist 0.2.11303.2054 (Jan 3, 2023)

  • Added the ability to backward search in the ListView.

New in PE Anatomist 0.2.11302.1901 (Jan 2, 2023)

  • 1114.1307: The inaccuracy in the analysis of the Ready2Run header 4.0 and newer is eliminated - the option for NativeAOT was erroneously displayed
  • 11121.2018: Fixed error of reading the contents of the dotNet metadata tables for some distorted PE
  • 11121.2142: Fixed an error in determining the COFF symbol of exception handler for ARM Thumb and ARM64 OBJ-files, if data for more than one function have been grouped in one xdata section
  • 11127.2148: The description of the version numbers of tools from some pre-released VS2002-VS2013 in the Rich signature has been updated and specified
  • 11204.0101: Added recognition of GS-compatible exception handlers for ARM7
  • 11204.0135: Fixed the analysis of unwind data for ARM7 in the case of zero-length functions
  • 11204.0147: Fixed error describing functions in the exceptions table for ARM7
  • 11204.1730: Fixed an error of reading the addresses of the Catch-blocks in the CxxFrameHandler3 handler for ARM7 and IA64
  • 11207.1736: Added a column with a COMDAT-associated section in the OBJ-file section table
  • 11208.1902: Added a column with the section number of the relocated symbol in the section relocations table for OBJ
  • 11208.2042: Added VolatileMetadata tab for OBJ files
  • 11212.2113: Added definition of the name of the corresponding function COFF symbol instead of label (MSVC) or section (Cygwin) COFF symbols in the exceptions table for OBJ
  • 11216.2143: Updated view of the tab with an unwind information of CxxFH3 in PE for x64, ARM7, ARM Thumb, ARM64 and IA64
  • 11217.1647: Added search dialog responsiveness to decimal and hexadecimal (prefixed with 0x) forms of searched non-text values
  • 11220.2111: Added separate list of dotNet metadata streams
  • 11220.2346: Added separate list of Ready2Run header sections
  • 11221.0002: Added file offset column to specified structure field for lists displaying some PE headers
  • 11226.0135: Added recognition of a number of Cpp exception handlers in the IMAGE_LOAD_CONFIG_DIRECTORY.SEHandlerTable for x86
  • 11227.1950: Added parsing of FuncInfo3 structures for matching entries in the IMAGE_LOAD_CONFIG_DIRECTORY.SEHandlerTable
  • 11302.1422: ListView sorting algorithm changed to MergeSort instead of QuickSort

New in PE Anatomist 0.2.11108.2330 (Nov 8, 2022)

  • Fixed an error in determining RVA of the PE COFF-symbol table entries made by VS4-6 and some versions of GNU toolsets

New in PE Anatomist 0.2.170712.2124 (Jul 12, 2022)

  • A rare error of out-of-border reading was eliminated during recognition of the exception handler kind in some PE files
  • The error of out-of-border access in some distorted PE has been eliminated for the IMAGE_DIRECTORY_ENTRY_DEBUG parsing
  • The error of out-of-border access in some distorted PE has been eliminated for the dotnet metadata header handling

New in PE Anatomist 0.2.9.5 Final Build Fix 1 (Apr 2, 2022)

  • 230F.004: Fixed entropy graph drawing error on Windows 7 and newer

New in PE Anatomist 0.2.7.129 (Jan 4, 2022)

  • B16.009: Fixed bug in RVA description for delayed import
  • 1B1A.010: Fixed bug with scaling delta value in IMAGE_DYNAMIC_RELOCATION_ARM64X
  • 1C01.011: Removed handling of irrelevant command line parameter "-pe"
  • 1C01.012: An instance of the program will not start after a message about an unknown file format if it is loaded from the command line
  • 1C01.016: Eliminate starting a new instance of the application in the case of an unknown file format on the command line if the limitation for one instance is enabled
  • 1C04.041: Slightly updated appearance of the entropy graph
  • 1C04.049: Fixed a number of inaccuracies in the drawing of the entropy graph and the tooltip contents
  • 1C04.050: Accelerated search with selection of all found lines in some cases
  • 1C08.066: Added calculation of entropy by "sliding window" with configurable block overlap for the graph
  • 1C08.067: Fixed behavior during TabStop navigation on some tabs of the program settings dialog
  • 1C09.068: Fixed IMAGE_LOAD_CONFIG_DIRECTORY parsing error on some files created by linker from VS2002 pre-release versions
  • 1C0A.073: Fixed RT_VERSION parsing error for resources created by some versions of RC/CVTRES from VS98-2003
  • 1C13.078: Added optional display of the second line on the entropy graph with values calculated without block overlap, if the corresponding mode is enabled
  • 1C15.083: Fixed error in processing the exception table for emulated architecture code in hybrid PE (ARM64EC)
  • 1C15.085: Added collection of information about exception handlers (x64, ARM64) for describing RVA in emulated architecture code in hybrid PE (ARM64EC, ARM64X)
  • 1C15.093: Added a page describing WoW thunks in hybrid PE (ARM64EC, ARM64X)
  • 1C1A.101: All selected lines retain their state after sorting virtual lists, previously only the first of the selected lines was
  • 1C1D.120: Added multiple saving to file for resources from PE and records from LIB
  • 1C1E.125: Fixed a minor error in resolving an Apiset host in very rare cases (if the data for resolving in an external library was corrupted)
  • 2101.128: Fixed error reading .NET metadata in some PE due to incorrect address alignment

New in PE Anatomist 0.2.6.126 (Nov 8, 2021)

  • 181C.002: Fixed a bug with splitting long records from the ListView header into multiple lines when copying to the clipboard with column justify
  • 190B.010: Fixed parsing of delayed import table for some compressed PE files
  • 190B.011: Fixed token description error in .NET VTableFixups table
  • 190F.012: Register names and CodeView symbols (S_HYBRIDRANGE) from VS 16.11 and 17.0Preview4 have been updated
  • 1910.016: Changed display order of Rich-signature records
  • 1910.018: Clarified interpretation of some build numbers from Rich signature (WCE Platform Builder)
  • 1A05.045: Corrected sorting of ExceptionsData tables for ARM Thumb and ARM64 in PE and OBJ, slightly accelerated sorting of other tables
  • 1A0D.060: Expanded dataset for describing CoffGroups in the IMAGE_DEBUG_TYPE_POGO table
  • 1A10.070: Fixed a bug with parsing the import table for some modified PE (Mal: Kelios)
  • 1A11.073: Fixed a bug with detecting invalid resources in compressed PE
  • 1A15.086: Fixed a bug with displaying the name of the FramePointer register in the S_FRAMEPROC CodeView symbols for ARM64 and ARM64EC
  • 1A1D.097: Slightly simplified the procedure for enumerating PE resources
  • 1A1E.102: Fixed OOB reading of .NET VTableFixups table in some cases
  • 1B06.121: Numerous minor fixes and minor optimizations
  • 1B08.125: Updated the CodeView symbol (S_SOURCELINK) from VS 17.1Preview1 and the IMAGE_LOAD_CONFIG_DIRECTORY structure (22478+)

New in PE Anatomist 0.2.5.267 (Aug 25, 2021)

  • 161B.008: Added display of the full path to records in LIB files, long paths are limited to the file name and the initial part of the path
  • 161B.013: Added parsing of ECSYMBOLS record in LIB files (ARM64EC specific symbols)
  • 161C.015: Fixed bug with saving LIB file entries with invalid characters in the default filename
  • 161C.016: Updated some ARM64EC related structures from WDK 22000
  • 1708.038: Added description of IMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION elements with index 0x7FFFF in the DynamicData Relocationss
  • 170F.069: Slightly sped up ListView sorting
  • 170F.070: Fixed sorting of the READYTORUN_IMPORT_SECTION list (for R2R and NGEN)
  • 1713.088: The number of recent files became customizable
  • 1714.091: Fixed IP2StateMap enumeration error for MSVC __CxxFrameHandler4 (regression in 0.2.3)
  • 1717.100: Added support for Cxx20Modules in MSVC ILStore (CxxIL) parser and display of corresponding global symbols
  • 171B.106: Hiding a sorted column resets the ListView sort
  • 171C.113: Added optional loading of the last opened file, unless otherwise specified when starting the program
  • 171E.116: Added a submenu for copying individual columns to the clipboard if the ListView context menu was called from the keyboard
  • 171F.124: Added list sorting submenu to ListView context menu
  • 171F.127: Fixed a positioning error of the ListView context menu keyboard-called for the non-visible row
  • 1801.128: Fixed calculation of the allocated memory size for copying to the clipboard from ListView in case of adding a list header
  • 1801.129: Fixed line-by-line copying of the contents of the LoadConfig GFID table to the clipboard if the "XFG-hash" column is populated
  • 1803.142: Fixed error validating ListView settings, which could lead to the inability to display a hidden column
  • 1805.157: The error of copying a separate ListView column to the clipboard, leading to program crash due to possible buffer overflow, has been fixed
  • 1806.160: Fixed a bug with displaying the list of COFF symbols in PE and OBJ in the presence of long symbol names (more than 1000 characters)
  • 1808.175: Added a dialog for configuring ListView columns (show/hide, order) instead of the header context menu
  • 1808.182: Added the ListView header context menu for copying an entire column regardless of the selected rows
  • 1808.183: ListView header context menu command processing moved to WM_MENUCOMMAND
  • 1809.193: Added control of the columns order from the keyboard (CTRL + DOWN/UP/HOME/END) and using drag-n-drop in the ListView column settings dialog
  • 180B.198: Fixed error displaying additional COFF symbols for COMDAT sections in OBJ files if there is a second additional symbol
  • 180F.207: Significantly speeded up the construction of the ExceptionsData table in OBJ files
  • 1811.209: Fixed a bug with displaying long section names in the section table of OBJ files
  • 1811.211: Fixed a bug with indexing COMDAT sections with long names in OBJ files (the data in the ExceptionsData table could not be fully enumerated)
  • 1812.215: Added check of Reproducible PE file timestamp for hash value
  • 1813.220: Added the ability to search only in the selected rows of the ListView to search in several iterations by a set of criteria
  • 1813.223: Fixed the error of incomplete copying of rows from the ListView to the clipboard if the content of at least one cell was longer than 1000 characters
  • 1813.230: Small optimization of memory consumption while copying rows from ListView to clipboard with column justify
  • 1817.261: Added configurable splitting of long ListView cells into multiple lines when copying to the clipboard with column justify

New in PE Anatomist 0.2.4.76 (Jun 8, 2021)

  • 150F.001: Added unwinding code for ARM64 Pointer Authentication extension instructions (InsiderPreview 21382)
  • 1511.003: Added a column with the unwind chain depth in the x64 ExceptionsData table (hidden by default)
  • 1511.004: Fixed a bug with enabling ListView columns hidden by default after restarting the program (regression from version 0.2.0)
  • 1516.013: Fixed crash during parsing of corrupted COFF symbol table in PE files
  • 1517.015: Fixed the old error of displaying the "Security" tab for PE files in some cases
  • 1518.016: Fixed error in validation of program window position settings if opposite sides of the window go beyond the desktop (regression from version 0.2.0)
  • 151B.021: Added entropy plotting
  • 151B.025: Added entropy calculation settings for plotting and plot display settings
  • 1601.032: Added a hint about the fileoffset and the corresponding section under the cursor on the entropy plot
  • 1604.033: The last active tab of the settings dialog is restored after reopening
  • 1608.040: Added optional labels for section boundaries on the entropy plot

New in PE Anatomist 0.2.3.76 (May 9, 2021)

  • 1319.000: Fixed the Statusbar value of the focused line for an empty ListView in certain situations
  • 131A.001: The possible freeze of the program after the search resumed, if the contents of the list have been changed
  • 131B.007: Added definition of the function beginning and its description on the LoadConfig GuardEHContinuations tab for x64
  • 131B.008: Fixed displaying the type index in the CodeView types table in OBJ files if PCH is used (regression of version 0.2.2)
  • 140B.011: Optimized display of status information from ListView for very large lists
  • 140B.014: Added display of additional Function (.bf, .ef) and FunctionSym symbols in the COFF symbol table of OBJ files
  • 140C.015: Fixed erroneous display of INT value in CFG IAT table if import is performed by ordinal (regression of version 0.2.2)
  • 140D.017: Added XFGHASHMAP parsing in LIB files
  • 140F.022: Added collection of information about exception handlers (x64, ARM, ARM Thumb, ARM64, IA64) and COFF symbols for describing RVA in PE files
  • 1410.025: Accelerated display of COFF symbol table in PE files, added display of some additional symbol records
  • 1411.029: A 'Column' drop-down list in a searching dialog is disabled if only fulltext search is available (i.e. only one search option)
  • 1413.031: Added export of GFID bitmap to file
  • 1415.032: Fixed a bug with parsing the resource table in PE files if IMAGE_RESOURCE_DATA_ENTRY is placed at the end of the table
  • 1416.038: Added optional display of full paths in the recent files list, long paths are limited to the file name and the initial part of the path
  • 1416.039: Changed the format of the main window title, the name of the loaded file is displayed first now
  • 1417.045: Eliminated redundant work with the menu when loading files and generating a list of recent files
  • 1418.046: Added OS shell notification about file associations changing
  • 1419.049: Added optional tooltip with description of RVA calculated in FLC (disabled by default)
  • 141A.053: Added definition of the function beginning and its description on the LoadConfig GuardEHContinuations tab for ARM64 (InsiderPreview 21364)
  • 141B.055: Fixed error displaying multiple values of the "Translation" key in RT_VERSION resources
  • 141B.057: Added a column with functions description in the ExceptionsData table for all supported architectures (for x64, ARM Thumb and ARM64, some columns are now hidden by default)
  • 1505.059: Fixed error displaying SEH Scope on the ExceptionsData page for ARM7/ARM LE in some cases
  • 1507.060: Added a separate tab for the ARM64 unwind chain on the ExceptionsData page
  • 1507.072: Added recognition of some types of exception handlers for all supported architectures
  • 1507.073: Added a column with the type of exception handlers in the ExceptionsData table, the column with the handler's RVA is hidden by default
  • 1508.074: Fixed a rare error filling information from the export table for the RVA description

New in PE Anatomist 0.2.2.58 (Mar 25, 2021)

  • 1305.000: Fixed display of the CodeView type name in the description if the type index is not specified
  • 1307.001: Fixed error displaying manifest text from PE resources in rare cases
  • 1307.003: Added support for IA64, MIPS and Hitachi SH4 architectures in the CxxIL parser
  • 1308.006: Fixed CxxIL parsing error for MSVC from VS2008Beta1
  • 1309.007: Fixed infinite parsing of IMAGE_DIRECTORY_ENTRY_BASERELOC table in rare cases
  • 1309.008: Fixed error of IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG display for some files created by linker versions below 6.0
  • 1309.010: Fixed possible erroneous OBJ file recognition (regression of version 0.2.1)
  • 130D.019: Cleaning and optimization of the parser for the ARM Thumb and ARM64 unwind codes
  • 130F.022: Added a textual description of the epilogue execution condition for ARM Thumb unwind codes
  • 130F.023: Fixed error displaying the epilogue execution condition for ARM Thumb unwind codes if the epilogue is specified as the only one (flag E)
  • 130F.028: Added calculation of the epilogue beginning for the ARM Thumb and ARM64 unwind codes, if the epilogue is specified as the only one (flag E)
  • 1311.029: Fixed light error in defining VS2017-2019 minor version in Rich signature (regression version 0.2.1)
  • 1311.030: Fixed error displaying values from IMAGE_DELAYLOAD_DESCRIPTOR.UnloadInformationTableRVA in the delayed import table
  • 1312.044: Fixed the mechanism for filling information for the description of RVA in PE, added detection of new information
  • 1312.045: Accelerated display of the GFID table
  • 1313.046: Simplified procedure for loading some files
  • 1315.051: The storage of information for the description of RVA in PE files has been transferred to a hash table, the search time for the description for RVA has been significantly reduced
  • 1318.053: Ctrl+Insert can be used along with Ctrl+C to copy information from the ListView to the clipboard
  • 1318.057: The set of status information from the ListView has been expanded, there are: focused row number, total count of rows, count of selected rows

New in PE Anatomist 0.2.1.125 (Mar 5, 2021)

  • 110B.009: Significant improvement to the MSVC ILStore (CxxIL) symbols parser and increased compatibility with different VS versions
  • 1111.027: Decoding of local symbols table (.cil$sy) of MSVC ILStore (CxxIL) format in OBJ files
  • 1117.033: Displaying the line number of the beginning of the function in the source file in the description of symbols MSVC ILStore (CxxIL)
  • 1117.034: Fixed display of source file names in MSVC ILStore (CxxIL) symbols descriptions for VS 2002 and 2003 versions (encoding is not UTF8)
  • 1118.035: Fixed decoding of LF_POINTER in CodeView and MSVC ILStore (CxxIL) type tables if the described type is a pointer to a class member
  • 1119.036: Changed the names of some keys in the configuration file for portability in future versions
  • 111B.039: Fixed display of CodeView type description in MSVC ILStore (CxxIL) tables, if debug information is moved to PDB
  • 111C.046: Fixed error displaying the incorrect name in the description of a CodeView type referenced by another type or symbol (in rare cases)
  • 1201.071: Accelerated access to sections and their data in OBJ files
  • 1205.081: Added support for ExtendedObj files (a.k.a. BIGOBJ, obj files with more than 0xFEFF sections)
  • 1207.094: For some types of CodeView debug information, a more detailed description is available (for example, for LF_POINTER, LF_MODIFIER, LF_ARRAY and LF_BITFIELD, the description of the type to which they refer and some properties are displayed)
  • 120C.110: Clarified interpretation of data from Rich signature
  • 121B.116: The program license was changed from MIT to Freeware (the text of the License Agreement is located in the "Readme" file)
  • 1303.122: Fixed a bug with parsing version information from the resources section in some cases
  • 1304.123: Fixed error getting a member name for LIB archives created by BSD-compatible toolkit
  • 1304.124: Support for ARM64EC in OBJ files

New in PE Anatomist 0.2.0.370 (Jan 4, 2021)

  • Changed configuration file format
  • New search capabilities
  • New settings dialog and settings categories
  • Hybrid PE arm64x support from InsiderPreview 21277
  • Parser of MSVC ILStore symbols (.cil$gl)

New in PE Anatomist 0.1.18.142 (Oct 22, 2020)

  • Fixed error displaying data from ~GUID in .NET metadata tables
  • Added description of flags for entries in .NET metadata tables
  • Fixed bug with positioning child windows on multi-monitor configurations
  • Added creation of a minidump in case of an unhandled exception
  • Updated @feat.00 flag description
  • Changed description text for several IDs in Rich Signature
  • Rewrote a part of the code to enumerate the 'Section' objects
  • Added a column to the ExceptionsData X64 table to display the size of the stack allocation
  • Added a request to start a new copy of the program when the restriction on starting the only instance of the program is enabled and running copy does not respond
  • ExceptionsData X64 chain table format changed to more verbose
  • Fixed error in determining the allocation size for UWOP_ALLOC_LARGE (1)
  • Added a page for xFG hash values for OBJ files
  • Added ExceptionsData x64, ARM64 and ARM for OBJ files
  • Fixed a bug with working with sections in OBJ files in the presence of BSS with a certain set of parameters
  • Fixed a bug with parsing unwind codes for ARM and ARM64 (in PE and OBJ files), which could appear on small files or in presence of a large number of epilogues in a function
  • Cleaning up and slight optimization of the IA64 unwind codes parser
  • Added a description of the section and an offset in it to the COFF symbol, which is referenced by the CodeView symbol in the corresponding forms of debug information
  • Added options to search any value less or greater than the specified
  • Added setting of the initial search position based on: the last found line, the selected line, or forced from the beginning of the list
  • Added full-text search in all columns of the list (minimum query length - 2 characters, search is case insensitive only for ANSI characters)
  • Added the ability to search in any list
  • Fixed a bug with displaying the type name from TypeDef in the .NET metadata token description in rare cases (only the method name was displayed, without the type name)

New in PE Anatomist 0.1.17.83 (Sep 11, 2020)

  • Added recognition of the target from a MSI shortcut
  • Fixed a bug with displaying some dialogs from the resources
  • Updated set of CET policy flags and LOAD_CONFIG_DIRECTORY structure from SDK 20201
  • Added display of xFG-hash value in the GFID list
  • Added descriptions of several section groups on the "POGO" page in IMAGE_DEBUG_DIRECTORY
  • Accelerated display of found strings in PE files
  • Added an optional restriction to start the only instance of the program
  • Added a menu for launching a copy of the program with the currently open file
  • Added the ability to open a file from the clipboard
  • Fixed loss of a character in line recognition if a long line was split into several
  • Added string detection settings: recognition threshold and ignoring of strings without a trailing zero
  • Added a dialog for selecting a Section object and opening a mapped file
  • Introduced a limitation of one instance of the resource properties dialog per entry
  • Optimization and clean up of a part of the code for working with ListView

New in PE Anatomist 0.1.16.205 (Jun 27, 2020)

  • Slight optimization
  • Fixed an error in determining of a register names in the CodeView symbols description in very rare cases
  • Added the ability to copy entire columns to the clipboard with multiple row selection
  • Added display settings for the FLC panel and status panel
  • The error of scaling the size of the cells of the status bar is fixed
  • Splitter controls have been added in most of tabs
  • Added host resolving for ApiSet libraries in import tables
  • Added selection of an external DLL for determining the ApiSet host in the program settings
  • A partial search has been added to the ExceptionsData table (experimental function)

New in PE Anatomist 0.1.15.344 (May 31, 2020)

  • Fixed the error in determining the minor version of VS 2017-2019 when decoding the Rich signature (regression 0.1.13 and 0.1.14)
  • Fixed decoding of RT_STRING resources in the presence of incorrect data
  • Added tab with detailed description of PE resource headers
  • Resource tab redone to list without grouping by resource type
  • Fixed sorting of the list of resources
  • The procedure for parsing the resource directory has been changed, new criteria for data correctness have been added
  • Fixed processing of the settings file during the first launch of the program
  • Corrected the behavior of the COFF character parser in the presence of incorrect info about long symbol names
  • Fixed the bug of constructing the context menu for listview in virtual mode
  • Fixed saving the selected file type filter in the "Open file" dialog
  • Fixed incorrect recognition of UTF16 lines in rare cases
  • Added page of detected ANSI and UTF16 lines in PE file
  • Added CodeView Debug Info parsing for OBJ files
  • Added CodeView Debug Symbols parsing for OBJ files
  • Added parsing of CodeView Types for OBJ files
  • Added parsing of new CodeView Debug Symbol records up to S_REGREL32_INDIR_ENCTMP inclusive
  • Added parsing of new CodeView Type leafs up to and including LF_INTERFACE2
  • Added parsing of type information in OBJ files compiled by MSVC with the /GL flag or others in MS ILStore format

New in PE Anatomist 0.1.14.26 (Apr 28, 2020)

  • Fixed a bug that caused the program to crash when viewing the file header of PE files built by Borland Delphi
  • Minor optimization of internal data structures
  • Added the ability to extract members from LIB files
  • Added file close menu

New in PE Anatomist 0.1.13.332 (Apr 26, 2020)

  • Fixed error sorting some lists with a signed-long integers
  • Fixed error displaying the table ExceptionsData in the presence of incorrect data
  • Fixed error displaying the name of the section in the RVA description in some cases
  • Added new description lines for section groups on the POGO page in IMAGE_DEBUG_DIRECTORY
  • Optimization and refactoring of a significant part of the code
  • Added new fields to LOAD_CONFIG_DIRECTORY from SDK 19041 - GuardEHContinuations, and undocumented ones - eXtended CFG (xFG)
  • Added GuardEHContinuations list page
  • Added new feature flags in the GFID list
  • Fixed bug with incorrect line ending when copying to clipboard
  • Fixed error parsing the table of COFF symbols if an incorrect address is specified
  • The icon of the main program window no longer changes to the icon of the file being processed
  • Fixed IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT parsing
  • Added support for OBJ file and LIB file formats
  • Added support for non-COFF OBJ files
  • Added parsing a symbol table for OBJ files
  • AAdded page for summary information about import library entries in LIB files
  • Added parsing of table of sections and relocations of OBJ files
  • The number of file extensions for integration into the Explorer context menu has been increased
  • Fixed bug with integration into the shell context menu if the file extension was not previously registered in the system

New in PE Anatomist 0.1.12.73 (Apr 26, 2020)

  • A context menu integration bug fixed
  • The behavior of the program when loading a new file with open resource properties window is fixed
  • Fixed error displaying descriptions of some characters in the Dyn.Value Relocations table
  • Fixed error parsing ExceptionsData table for ARM Thumb: incorrect information about stored registers in compressed form of UnwindInfo
  • Natural sorting added for several more lists
  • Fixed error populating the Catch Handlers list for UnwindInfo.EHData.CPP_EH4
  • Fixed a bug leading to the slow execution of the "Select All" operation on large lists
  • Some lists with a large number of elements are switched to virtual mode
  • Added navigation through the associated UNWIND_INFO elements of the ExceptionData list for x64

New in PE Anatomist 0.1.11.155 (Jan 30, 2020)

  • [#] Fixed bug when parsing the old version of the deferred import table
  • [#] Small optimization of a number-to-string converter
  • [+] Added parsing of Native Import Sections table (ReadyToRun, NGEN)
  • [+] Added parsing of the MethodDef EntryPoints table (ReadyToRun)
  • [#] Minor optimization of settings storage structure
  • [#] Slight list sorting optimization
  • [#] Fixed copying large lists to the clipboard (more than 100,000 lines)
  • [#] Fixed loading error after drag-n-drop shortcut of the investigated file to the program file
  • [+] Updated program settings dialog
  • [+] Added some new settings
  • [#] FLC optimization
  • [#] The mechanism for parsing .NET metadata tables has been redesigned for quick access to any fields, rows, tables
  • [+] Added description of .NET metadata token in some tables

New in PE Anatomist 0.1.3.2 (Oct 21, 2019)

  • x64 ExceptionsData Table parsing bug fixed

New in PE Anatomist 0.1.2.57 (Oct 21, 2019)

  • Taskbar file icon display fixed
  • Crash on unsupported files fixed
  • Files load errors display added
  • Internal data size optimization
  • ExceptionsData Table parsing speed optimization