[HN Gopher] PE Anatomist - Explore data structures in portable e...
___________________________________________________________________
PE Anatomist - Explore data structures in portable executable files
Author : URfejk
Score : 67 points
Date : 2021-01-05 15:11 UTC (7 hours ago)
(HTM) web link (rammerlabs.alidml.ru)
(TXT) w3m dump (rammerlabs.alidml.ru)
| elipsey wrote:
| "There are currently no plans to publish the source code either.
| Those who are hungry can use any disassembly tool, there is
| nothing supernatural in the program code."[1]
|
| This seems kind of strange. Does the MIT license permit the
| source code to be withheld?
|
| https://rammerlabs.alidml.ru/faq-eng.html
| jandrese wrote:
| This attitude doesn't encourage me to use the product. It's so
| unnecessarily hostile that I expect they are going to have some
| kind of drama in the future and cause headaches for the users.
|
| I'm guessing if the product is popular they want to have the
| ability to monetize it in the future.
| atVelocet wrote:
| Great! I find such tools useful for analysis and they come in
| handy sometimes.
|
| Sad that this tool also is not open source, but better than
| nothing. So thanks to the author!
| felixr wrote:
| How is it different from, say, https://mzrst.com/ or
| http://www.pe-explorer.com/?
|
| Is being open-source the USP?
| ExcavateGrandMa wrote:
| How about scanning binaries instead of archives? Just sayin'...
|
| Well, it seems a useful tool for Windows enthusiasts.
|
| Russian programmers are generally very accurate on programming ;)
| rectang wrote:
| "PE" in this context stands for "Portable Executable". (For those
| not in the know, such as myself.)
| hordeallergy wrote:
| There's a clue in the title.
| rectang wrote:
| It's possible that I missed that, but I believe the HN poster
| silently updated the title. The word "executable" does not
| appear anywhere in the HTML of the target page.
|
| ( _sigh_ at how acronyms are the source for endless insider
| snark.)
| czbond wrote:
| Thank you - I was wondering what a "Private Equity" file might
| look like...
| sumtechguy wrote:
| I would say an excel spreadsheet :)
|
| The way a PE file is defined is interesting. They managed to
| cram a completely different file format into the DOS 'MZ'
| format. Including the NE and LE formats. I think the NE one
| had a bunch of sub targets (OS/2, win32s, etc).
|
| https://wiki.osdev.org/PE https://wiki.osdev.org/NE
|
| It is quite the nesting doll of executable formats. If I
| remember correctly PE also holds .NET in some way as another
| sub format.
| ape4 wrote:
| What are some cool things that are possible? Extract resources,
| I guess. Is this Russian program trustworthy?
| vngzs wrote:
| I suppose it's probably possible for this thing to download and
| run some malware, but the VirusTotal results are clean[0].
|
| [0]:
| https://www.virustotal.com/gui/url/826fca3edb8d883bb9710cabb...
| rurban wrote:
| There are similar open source programs doing the same or more.
|
| Ghidra is probably the most powerful. The PE structures are
| public; every compiler, binutil or decompiler has it.
| malwrar wrote:
| These sorts of PE info dumping tools are only really useful for
| debugging any code you write that tries to parse and/or write
| PE files. Most reverse engineering use cases already have
| purpose made tools created for them and directly interrogating
| the PE headers isn't typically necessary.
|
| In my experience, messing with PE files is useful in a few
| areas:
|
| - Compiler Development (PE files tell Windows how to load your
| code into memory, what resources they need/provide, and how to
| execute your code, etc)
|
| - Reverse Engineering (Extracting the above info, plus locating
| executable files in memory and dumping them back to disk if
| they're e.g. packed)
|
| - Game Cheating/Malware (You can simulate the PE loading process
| to turn e.g. a DLL into what basically amounts to shellcode,
| allowing you to skip putting your stuff on disk, to make your
| payloads harder to locate in memory, and to write custom
| obfuscation as part of the loading process)
|
| There might be more uses I'm not thinking of, but those are the
| three I have experience with. It's a handy bit of trivia to
| know if you like dicking around w/ systems-level stuff in
| Windows for sure.
|
| Probably doesn't need to be said, but just in case: PE is how
| Windows formats .exe, .dll, .sys, etc. executable files.
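Added example, not code from the original thread or from the PE Anatomist project: a small Python parser that walks the nesting sumtechguy describes (MZ header, e_lfanew, "PE\0\0" signature, COFF header, PE32/PE32+ optional header, section table, and the CLR data directory that marks a .NET image) and maps an RVA to a file offset through the section table, which is the kind of check malwrar mentions for debugging your own PE parsing code. The field offsets are those of the published PE/COFF layout; the sample image is constructed inline from header bytes only (it is not a runnable binary), and the function names are assumptions of this example. Header fields such as NumberOfRvaAndSizes and the section count are treated as untrusted input and bounds-checked before use.

```python
import struct

DOS_HEADER_SIZE = 0x40
PE_SIGNATURE = b"PE\0\0"
MACHINE_NAMES = {0x14C: "i386", 0x8664: "x86-64", 0xAA64: "ARM64"}
DIR_CLR_RUNTIME = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-zero means a .NET image


class PEFormatError(ValueError):
    pass


def build_sample_pe(dotnet=False):
    """Constructed sample: minimal PE32+ headers for x86-64 (headers only, not a runnable binary)."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos = dos.ljust(e_lfanew, b"\0")                          # DOS stub area, zero-filled
    # Optional header, PE32+ layout (240 bytes): magic, linker version, sizes, entry RVA, BaseOfCode
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000)
    opt += struct.pack("<QII", 0x140000000, 0x1000, 0x200)    # ImageBase, SectionAlignment, FileAlignment
    opt += struct.pack("<HHHHHH", 6, 0, 0, 0, 6, 0)           # OS / image / subsystem versions
    opt += struct.pack("<IIII", 0, 0x3000, 0x200, 0)          # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", 3, 0x8160)                      # WINDOWS_CUI; HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT|TS_AWARE
    opt += struct.pack("<QQQQ", 0x100000, 0x1000, 0x100000, 0x1000)  # stack/heap reserve and commit
    opt += struct.pack("<II", 0, 16)                          # LoaderFlags, NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    if dotnet:
        dirs[DIR_CLR_RUNTIME] = (0x2008, 0x48)                # constructed CLR header RVA/size inside .rdata
    opt += b"".join(struct.pack("<II", va, size) for va, size in dirs)
    # COFF file header: x86-64, two sections, EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x22)
    sections = b""
    for name, vsize, va, rsize, raw, chars in (
        (b".text", 0x100, 0x1000, 0x200, 0x200, 0x60000020),   # CODE | EXECUTE | READ
        (b".rdata", 0x100, 0x2000, 0x200, 0x400, 0x40000040),  # INITIALIZED_DATA | READ
    ):
        sections += struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, raw, 0, 0, 0, 0, chars)
    return dos + PE_SIGNATURE + coff + opt + sections


def parse_pe(data):
    """Walk MZ -> e_lfanew -> PE signature -> COFF -> optional header -> section table."""
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        raise PEFormatError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 + 20 > len(data):
        raise PEFormatError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise PEFormatError("no PE signature at e_lfanew (NE/LE or plain DOS image?)")
    coff_off = e_lfanew + 4
    machine, nsections, _ts, _symptr, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    if opt_size < 2 or opt_off + opt_size > len(data):
        raise PEFormatError("optional header truncated")
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic == 0x10B:                      # PE32: 32-bit ImageBase, extra BaseOfData field
        fmt, ib_off, ib_fmt, ndirs_off = "PE32", 28, "<I", 92
    elif magic == 0x20B:                    # PE32+: 64-bit ImageBase and stack/heap sizes
        fmt, ib_off, ib_fmt, ndirs_off = "PE32+", 24, "<Q", 108
    else:
        raise PEFormatError("unknown optional header magic 0x%x" % magic)
    (entry_rva,) = struct.unpack_from("<I", data, opt_off + 16)
    (image_base,) = struct.unpack_from(ib_fmt, data, opt_off + ib_off)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt_off + 68)
    (ndirs,) = struct.unpack_from("<I", data, opt_off + ndirs_off)
    # NumberOfRvaAndSizes comes from the file: clamp it to what the optional header can actually hold
    ndirs = max(0, min(ndirs, 16, (opt_size - (ndirs_off + 4)) // 8))
    dirs_off = opt_off + ndirs_off + 4
    directories = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(ndirs)]
    sec_off = opt_off + opt_size
    if sec_off + 40 * nsections > len(data):
        raise PEFormatError("section table truncated")
    sections = []
    for i in range(nsections):
        name, vsize, va, rsize, raw, *_rest, schars = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_address": va,
                         "virtual_size": vsize, "raw_offset": raw, "raw_size": rsize, "characteristics": schars})
    has_clr = len(directories) > DIR_CLR_RUNTIME and directories[DIR_CLR_RUNTIME] != (0, 0)
    return {"format": fmt, "machine": MACHINE_NAMES.get(machine, hex(machine)), "characteristics": chars,
            "entry_point_rva": entry_rva, "image_base": image_base, "subsystem": subsystem,
            "dll_characteristics": dll_chars, "sections": sections, "is_dotnet": has_clr}


def rva_to_file_offset(sections, rva):
    """Map an RVA to a file offset via the section table; None if the RVA is not backed by raw data."""
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            delta = rva - s["virtual_address"]
            return s["raw_offset"] + delta if delta < s["raw_size"] else None
    return None


if __name__ == "__main__":
    info = parse_pe(build_sample_pe(dotnet=True))
    print(info["format"], info["machine"], "entry RVA 0x%x" % info["entry_point_rva"],
          "at file offset 0x%x" % rva_to_file_offset(info["sections"], info["entry_point_rva"]),
          ".NET" if info["is_dotnet"] else "native")
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `parse_pe`; the parser only touches headers, so it never executes anything from the sample. The clamp on NumberOfRvaAndSizes and the explicit length checks are what keep a deliberately malformed header (oversized directory count, e_lfanew past end of file, truncated section table) from turning into an out-of-bounds read or a crash in the tool doing the inspection.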
| RealityVoid wrote:
| > Probably doesn't need to be said, but just in case PE is
| how Windows formats .exe, .dll, .sys, etc executable files.
|
| It's basically the counterpart of ELF (Executable and
| Linkable Format) files, but on Windows.
| Hickfang wrote:
| > What are some cool things that are possible? - extract
| resources I guess. Is this Russian program trust worthy.
|
| Yes, it's guaranteed to have been backdoored by the NSA.
___________________________________________________________________
(page generated 2021-01-05 23:01 UTC)