2022-09-07 1.75 -security update: debug directory enumeration could crash when processing a malformed input file
2022-06-16 1.74 -added handler to prevent console colors from being left in a colored state upon CTRL-C or CTRL-BREAK
2020-09-12 1.73 -bugfix: crash on XP when decoding timestamps: MSVCRT does not export _gmtime32() as on Win7 and up; we now also check
for gmtime() and _gmtime() exports
2020-08-27 1.72 -bugfix: some 64-bit values would be displayed as "*I64X"; this was due to some of my formatted CRT replacement
routines erroneously calling the insecure and badly broken USER32.wvsprintfA() instead of MSVCRT._vsnprintf()
-we now pad the 32/64-bit load bases for consistency
2020-08-12 1.71 -more IMAGE_DEBUG_TYPE_XXX definitions added from Win10 SDK; the following are now recognized in the Debug Directory output:
IMAGE_DEBUG_TYPE_VC_FEATURE
IMAGE_DEBUG_TYPE_POGO
IMAGE_DEBUG_TYPE_ILTCG
IMAGE_DEBUG_TYPE_MPX
IMAGE_DEBUG_TYPE_REPRO
-Load Config directory output renamed member "Reserved1" to "DependentLoadFlags"
-removed MSVC runtime dependency
2020-02-02 1.70 -bugfix: PE64 section header would display twice if section's PointerToRawData was zero
-rich header: added logic to attempt detection of newer unknown VS2015 and VS2017 builds
-added some [old] section characteristics: MEM_SYSHEAP, LNK_OTHER, TYPE_NO_PAD
-added some new win10 sdk PE flags:
-dll characteristics: HIGH_ENTROPY_VA, APPCONTAINER, GUARD_CF
-subsystems: XBOX_CODE_CATALOG
2019-05-02 1.65 -added load config directory support for Win32 and Win64 binaries (and -f cmdline option)
-added SafeSEH and /GS security checks detection (Win32 only)
2019-04-28 1.61 -added TLS directory support for Win64 binaries
2019-04-27 1.60 -added TLS directory support for Win32 binaries (and -tls cmdline option)
2018-04-18 1.58 -added signatures for VS.NET 7.0 BETA1 (6.15.9030) and BETA2 (7.00.9254)
-added detection for VS.NET BETAs and latest 7.1 to detect MASM tool directly via the MS "Rich" tool ids;
I still need to fill in the the rest of the toolids for other Visual Studio versions
2018-01-04 1.57 -exports dump now emits 2 additional columns: file-offset and section-name
-MS "Rich Header" detection: added some newer MSVC build numbers VS12.0=31101; VS14.0=23026,24218; VS14.1=25019
-minor adjustments to cmdline help string
2017-10-05 1.55 -new resource tree dump option (-c) to display tree and associated data blobs for embedded resources
-WOW64 file redirection disabled on 64-bit versions of Windows; since pelook is a 32-bit app, this
means when you want to analyze a 64-bit module in the SYSTEM32 directory, you won't get an analysis
of the corresponding 32-bit module in the SYSWOW64 directory because windows performed default
redirection behind-the-scenes.
-support for minimal ELF file detection
-import table output now display newline separator when path mode is combined with quiet mode;
import path resolution errors now consistent: red text unless newline separators active (see above)
in which we have room to display error message
-timestamp raw values now display
2017-07-17 1.51 -we now support rare instances in some Borland-built executables where a handful of delay-import
references are pointers instead of RVAs contrary to the PE/COFF spec; this previously prevented
the dump of the affected delay-imports sections.
2017-06-22 1.50 -BUGFIX: pointer->file offset conversion now show result using address color (previously was caption color)
-BUGFIX: edge case bug where it was remotely possible for exports dump to have skipped displaying a name
for a function if there was also no name at another unrelated specific position.
-modified some "Rich" signatures
2017-04-21 1.49 -bugfix: when MS "Rich" header present but no recognized build is found, there was no
linefeed after "detected toolset(s)" caption causing the next field (timestamp) to be on
the same line; we now output "<none>" in this case along with a linefeed.
-change to section memory map (-s) table:
DSIZE column (a.k.a. VirtualSize) moved to be adjacent to MEMORY SIZE instead of FILE SIZE
for consistency with PE specification and uninitialized sections [or uninitialized data at
the end of sections]; I originally displayed DSIZE in the FILE range as it almost always
represented the size of file data *BEFORE* being rounded up to the file alignment (which
is SizeOfRawData). But in cases of uninitialized data sections that take up no space in
the file or uninitialized data piggy-backing at the end of initialized file data (modern
linkers do this to save space rather than creating a separate .BSS sections like they did
in the old days) which also don't take up respective file space, it doesn't represent data
originating from the file. Furthermore, the Windows loader always uses this value as the
starting point (prior to rounding) to determine the final memory size in all cases. This
value can still be used to determine size of data in the PE image file before being
zero-padded, its just now next to the MEMORY SIZE.
2017-04-18 1.48 -added fancy printable-ASCII display of e_lfanew target of up to 4 bytes in DOS-header mode
(if printable and within range of file), just in case an unknown signature is present.
2017-04-07 1.47 -imported modules now display "BOUND" next to module name when import or delay imports tables lists a
(UNRELEASED) module with a nonzero timestamp; this does not affect BOUND-TO column which will always
display whatever data happens to reside in that IAT reside regardless of the timestamp indicator.
-improved plain DOS EXE detection
-now display raw member values and stub/program info in DOS header display (-d)
-DOS header display (-d) is enabled automatically for 16-bit executables and instead of the "16-bit executables
unsupported" message (which is no longer true - at least to the extent of the DOS header), we now display
"END OF 16-BIT DISPLAY"
2017-03-27 1.45 -cmdline option -rh (MS "Rich" Header) now additionally displays detected toolset if not displayed with headers
-removed MS "Rich" "HEADER OK" check for odd entries as the flexible parser (a while back) was changed to
avoid trimming padding in prevention of getting odd DWORD entry count; may add a similar check in the future
to verify "Rich" key matches its unique checksum
-toolset detection for MS "Rich" Header now displays all unique recognized toolset versions with priority
given to immediate linker and compiler(s) versus those used by linked libraries; otherwise interpretation
of what is displayed is left to the user.
-added MS "Rich" detection for Visual Basic 6.0 toolset (and all service packs)
-cmdline parser now equally accepts '/' characters in addition to '-' for options
2017-03-26 1.44 -we now fail gracefully when parsing early-90's era PE32 base relocation tables as they are in a different format
(UNRELEASED) -fixed Matt Pietrek's Borland debug info detection hack to test the first entry against a Borland type; early
Microsoft linked executables were being detected as Borland and thus the entry count was interpreted improperly
-cmdline parser now additionally accepts '/' as a switch character
-lack of a version resource is not displayed a second time anytime concisely displayed as "<none>" along with the
rest of the headers
2017-03-07 1.43 -IAT-DATA column in imports and delay-imports tables changed to BOUND-TO to more clearly indicate bound function address
(UNRELEASED) -BOUND-TO column behavior changed to only display bound function address when it is NOT a copy of the RVA to function's name;
in other words, the column only displays if the function address is indeed bound within the image
-added @feat.00 symbol and corresponding flag decoding for OBJ files
2017-03-02 1.42 -added more Unicode and English codepages to version translation
(UNRELEASED) -now alternately look for reversed lang-codepage version path for older Win32 applications
2017-02-18 1.41 -"Rich" header now displays block summary (offset, size, entry count) and some debugging info added to debug version
(UNRELEASED) -VS 2015 build 23824 added; VC6 SP5 detection now distinguishes between plain and with Processor Pack
-concise header list of sections now delimited by commas instead of frontslashes
2017-02-08 1.40 -Microsoft "Rich" header changes:
# finalized parser and Microsoft toolset detection logic based on empirical evidence
# support for Visual C++ 6.0 detection (plain,SP3,SP4,SP5,SP6) and MASM detection for public 6.13, 6.14.
and 6.15 versions; NOTE: MASM 6.12 could not be detected using MS "Rich" info as previously thought;
future versions of MASM are detected by the Visual C++ toolset release as the build number have been
merged into the same product
# no longer display header values list by default (must use new option -rh)
# header values now displayed in forward order rather than in reverse for consistency with other tools
# zero-padding entries are now eliminated
# when displaying OBJ file headers, we now search for and display the @comp.id value
-Microsoft LINK and Borland TLINK/ILINK linker-type detection added to header display
-Debug Directory now recognizes non-MS debug types, such as Borland and can display minimal information such
as the signature
-new "IAT-DATA" column for 32 and 64-bit import address and delay-load table dumps to show "bound" values
prior to being
normally overridden by loader at runtime
-PE64 support for dumping exception function table (.pdata)
2017-01-17 1.35 -added support for parsing of Microsoft link "Rich" header to extract toolset build number
-added -rh option for verbose display of MS "Rich" header
-added minimal detection for modern versions of MSVC (>=7.0) and MASM (>=6.12) built executables;
detection is based from algorithm in a Detect It Easy 1.01 script (http://www.ntinfo.biz) which
utilizes the MS "Rich" toolset build number, sometimes in combination with the MajorLinkerVersion
-consistent display of detected 16-bit modules (i.e. support colors)
-revert back to display full version resource by default
2017-01-16 1.30 -added (-p option) to resolve and display import module paths with -h and -i display modes, similar to Depends-tool F9 option;
search priority: modulepath, pelook location, current directory, system directory, windows directory, directories in PATH environment
-added (-o and -os options) to show entrypoint code bytes
-added entrypoint disassembly options (-a, -da) for support and detection of disasmdump tool
2017-01-12 1.20 -color support added
-imports dump (-i option) now supports listing of delay-load DLL names and functions
-headers display now always displays concise statuses of the following:
exports section, MS debugging info, CLR info, version resource, base relocations
-headers display now lists corresponding file offsets for code entry point and CLR metadata pointers
-display of full version resource now no longer cmdline default (when no options specified)
-bugfix: exports dump no longer adds base address to "padding functions" (array entries whose address is zero)
-bugfix: now properly display multiple language embedded version resource blocks
2016-12-29 1.15 -exports dump (-e option) now detects and displays DLL "forwarder" names
-fixed minor spacing bug in export table formatting
2016-12-12 1.10 -added -r option to display PE relocations
-cleaned up and added consistent output to imports/exports dumps (such as when there are no entries)
-now correctly display exported functions without ordinal/names
-import table added column to list iat_thunk_slot pointer where loader stores resolved function address at runtime
-minor bugfix with imported functions ordinal base not being added to function array index in instances where function has no ordinal/name
-added -l option to control timestamp output to local time zone versus GMT/unaltered
-added -d option (DOS stub info)
-standardized version and version resource dump output as well as embedded version resource
2016-12-05 1.0 initial public release
