v0.3.8

FEATURE

• New options for shellcode detection ( /shellc ):
  • detect by patterns (previous mode): available with /shellc P
  • detect by stats (new mode): available with /shellc S
  • possibility to mix both modes: options /shellc B (both) or /shellc A (any)
• Detection of obfuscated memory regions ( /obfusc )
• Caching of detected shellcodes (guarantee that the dumped shellcode is the same as detected shellcode - no second read)

See also: HollowsHunter v0.3.8 & MalUnpack v0.9.8 with the latest PE-sieve

v0.3.6

FEATURE

• improved integration with other languages (Python, Golang: #112), improvements in the API
• in ThreadScan: calculate the entropy of the detected area:
  • decreased number of false positives (filtering by entropy)
  • added a new section to the ThreadScanReport: stats
• in dump report: set "is_shellcode" : 1 only if the code pattern was matched (to distinguish cases when i.e. the shellcode was encrypted and detected by thread scan)

BUGFIX

• fixed a bug in libPEconv (buffer boundary check: cabdd46)
• fixed crash if the output filter was set ( #113 - missing check if the dump report was generated )
• fixed backward compatibility with Windows XP ( #42 )
• decreased number of false positives when searching for PE files in non-executable memory

REFACT

• faster search for code signatures: skip padding from the scan

See also: HollowsHunter v0.3.6 & MalUnpack v0.9.7 with the latest PE-sieve

v0.3.5

📖 README.md

FEATURE

• Added API function: PESieve_scan_ex - allowing to retrieve scan and dump JSON reports directly into the supplied memory buffer ( Issue #105 )
• Allow to scan own workingset ( Issue #104 )
• Added one more shellcode pattern ( Issue #108 )
• Added version information to resources

BUGFIX

• Fixed getting stuck on scanning for PE artifacts (in some rare cases)
• Fixed checking mapped modules against the image on disk (fixed issue with the remote module not being copied)
• Fixed false positive - MUI files detected as implanted, when using 32bit scanner on 64bit system (FS redirection issue)
• Other small fixes

See also: HollowsHunter v0.3.5 & MalUnpack v0.9.6 with the latest PE-sieve

v0.3.4

📖 README.md

FEATURE

• In /mignore - removed buffer limit (Details: #99). WARNING: API change)
• New param: /threads, enabling scan of the threads' callstack . This is another layer of shellcode detection, allowing to capture "sleeping beacons", and others, decrypted just before the execution. (Read more here)

See also: HollowsHunter v0.3.4 with the latest PE-sieve

v0.3.3

📖 README.md

BUGFIX

• Fully redesigned IAT scan, providing much better precision (Issues: #98, #92, #77)
• Fixed processing PEs with relocation table containing empty records (hasherezade/libpeconv#30)
• Fixed false positives in some of the code scans

FEATURE

• Added optional caching (Issue #94)
• Improved auto-detection of import reconstruction mode (/imp A) : set R0, R1 modes depending on the sizes of found IATs of particular types
• Do not exclude .NET modules from code scan. Improved filtering of the changes typical for .NET.
• Changed reporting of IAT hooks to the format consistent with inline hooks reports ( more details here )

See also: HollowsHunter v0.3.3 & MalUnpack v0.9.1 with the latest PE-sieve

v0.3.2

📖 README.md

BUGFIX

• Fixed memory leak ( Issue #95 )
• Trim invalid sections while reconstructing the payload ( Issue #96 )
• Fixed overeager imports reconstruction ( Issue #97 )
• Improved auto-detection of import reconstruction mode

FEATURE

• Added new modes of import reconstruction (/imp) : R0-R2 : from restrictive to aggressive ( more info here )
• Report if the process reflection was used in a scan
• Automatically turn on /refl mode if scan of inaccessible data requested ( /data 4, /data 5)

See also HollowsHunter: https://github.com/hasherezade/hollows_hunter/releases/tag/v0.3.2

v0.3.1.3

📖 README.md

BUGFIX

• Fixed invalid condition check on scanning data (Issue #93)
• In imp rec auto mode (/imp 1): do not overwrite import table of .NET modules (it was destroying imports) (Issue #89)
• Improved detection if a PE is in a virtual or raw mode - fixed an issue in dumping of some PEs
• Improvements in code scan (Issue #15)
• Improved reporting of unreachable modules

See also HollowsHunter: https://github.com/hasherezade/hollows_hunter/releases/tag/v0.3.1.3

v0.3.1

FEATURE

• Changes in presenting application parameters. Refactored to use ParamKit library
• Recognize Virtual Table hooks ( Issue #88 )

BUGFIX

• Improve recognizing when to rebuild import table from scratch ( Issue #89 )
• Improve detecting when to realign the payload ( Issue #90 )
• Do not include calls to own exports in the Import Table reconstruction ( Issue #91 )

See also HollowsHunter: https://github.com/hasherezade/hollows_hunter/releases/tag/v0.3.1

v0.3.0

FEATURE

• supported force-read of inaccessible pages (PAGE_NOACCESS) when running in the reflection mode (/refl):
  • automatic if the inaccessible page is within the PE module
  • on-demand if the inaccessible page is somewhere else in the workingset (depending on the selected /data mode)
• added more options for scanning non-executable pages (/data)
• added one more mode of IAT hooks scan (/iat), allowing to filter out hooks that lead to any system DLL
• in hook resolving function: recognize and parse one more jump type
• in shellcode detection: added one more pattern

BUGFIX

• Fixed error in printing JSON reports of some of the scan types (missing headers)

REFACT

• refactoring and optimization of the function resolving hooks
• removed not needed flags for process reflection creation (optimization)

See also HollowsHunter: https://github.com/hasherezade/hollows_hunter/releases/tag/v0.3.0

v0.2.9.8

FEATURE

• added a new pattern for detecting 64-bit shellcodes
• added return codes informing about the result of the run
• removed unused parameter : /mfilter
• in JSON: added an indicator if the replaced module was linked to the PEB

BUGFIX

• Fixed error in dumping some of the PEs (issue caused by the invalid ImageSize calculated: Issue #85)