Releases: hasherezade/pe-sieve
v0.3.9
REFACT
- Refactored to use a new pattern matching engine (SigFinder) for shellcode detection. Improved performance.
FEATURE
- Added new parameter
/pattern <file>
allowing to supply custom signatures to be searched in memory. The format is defined by SigFinder and described in the relevant README. Ifpattern
file was defined, a .tag file for the found patterns will be generated, with the extension.pattern.tag
- New fields in the
scan_report.json
:- Save the PE-sieve version with which the scan was performed (
scanner_version
) - In
workingset_scan
section: addedpatterns
section with information about found patterns:total_matched
(count of all patterns matched, including the hardcoded ones)custom_matched
(count of patterns matched from the set defined by the user inpattern
file)
- Save the PE-sieve version with which the scan was performed (
- New fields in the
dump_report.json
:- If
pattern.tag
file was generated, the name of this file will be added in thepattern_tags_file
field of the relevant module.
- If
See also: HollowsHunter v0.3.9 & MalUnpack v0.9.9 with the latest PE-sieve
v0.3.8
FEATURE
- New options for shellcode detection (
/shellc
):- detect by patterns (previous mode): available with
/shellc P
- detect by stats (new mode): available with
/shellc S
- possibility to mix both modes: options
/shellc B
(both) or/shellc A
(any)
- detect by patterns (previous mode): available with
- Detection of obfuscated memory regions (
/obfusc
) - Caching of detected shellcodes (guarantee that the dumped shellcode is the same as detected shellcode - no second read)
See also: HollowsHunter v0.3.8 & MalUnpack v0.9.8 with the latest PE-sieve
v0.3.6
FEATURE
- improved integration with other languages (Python, Golang: #112), improvements in the API
- in ThreadScan: calculate the entropy of the detected area:
- decreased number of false positives (filtering by entropy)
- added a new section to the ThreadScanReport:
stats
- in dump report: set
"is_shellcode" : 1
only if the code pattern was matched (to distinguish cases when i.e. the shellcode was encrypted and detected by thread scan)
BUGFIX
- fixed a bug in libPEconv (buffer boundary check: cabdd46)
- fixed crash if the output filter was set ( #113 - missing check if the dump report was generated )
- fixed backward compatibility with Windows XP ( #42 )
- decreased number of false positives when searching for PE files in non-executable memory
REFACT
- faster search for code signatures: skip padding from the scan
See also: HollowsHunter v0.3.6 & MalUnpack v0.9.7 with the latest PE-sieve
v0.3.5
FEATURE
- Added API function:
PESieve_scan_ex
- allowing to retrieve scan and dump JSON reports directly into the supplied memory buffer ( Issue #105 ) - Allow to scan own workingset ( Issue #104 )
- Added one more shellcode pattern ( Issue #108 )
- Added version information to resources
BUGFIX
- Fixed getting stuck on scanning for PE artifacts (in some rare cases)
- Fixed checking mapped modules against the image on disk (fixed issue with the remote module not being copied)
- Fixed false positive - MUI files detected as implanted, when using 32bit scanner on 64bit system (FS redirection issue)
- Other small fixes
See also: HollowsHunter v0.3.5 & MalUnpack v0.9.6 with the latest PE-sieve
v0.3.4
FEATURE
- In
/mignore
- removed buffer limit (Details: #99). WARNING: API change) - New param:
/threads
, enabling scan of the threads' callstack . This is another layer of shellcode detection, allowing to capture "sleeping beacons", and others, decrypted just before the execution. (Read more here)
See also: HollowsHunter v0.3.4 with the latest PE-sieve
v0.3.3
BUGFIX
- Fully redesigned IAT scan, providing much better precision (Issues: #98, #92, #77)
- Fixed processing PEs with relocation table containing empty records (hasherezade/libpeconv#30)
- Fixed false positives in some of the code scans
FEATURE
- Added optional caching (Issue #94)
- Improved auto-detection of import reconstruction mode (
/imp A
) : setR0
,R1
modes depending on the sizes of found IATs of particular types - Do not exclude .NET modules from code scan. Improved filtering of the changes typical for .NET.
- Changed reporting of IAT hooks to the format consistent with inline hooks reports ( more details here )
See also: HollowsHunter v0.3.3 & MalUnpack v0.9.1 with the latest PE-sieve
v0.3.2
BUGFIX
- Fixed memory leak ( Issue #95 )
- Trim invalid sections while reconstructing the payload ( Issue #96 )
- Fixed overeager imports reconstruction ( Issue #97 )
- Improved auto-detection of import reconstruction mode
FEATURE
- Added new modes of import reconstruction (
/imp
) :R0
-R2
: from restrictive to aggressive ( more info here ) - Report if the process reflection was used in a scan
- Automatically turn on
/refl
mode if scan of inaccessible data requested (/data 4
,/data 5
)
See also HollowsHunter: https://github.com/hasherezade/hollows_hunter/releases/tag/v0.3.2
v0.3.1.3
BUGFIX
- Fixed invalid condition check on scanning data (Issue #93)
- In imp rec auto mode (
/imp 1
): do not overwrite import table of .NET modules (it was destroying imports) (Issue #89) - Improved detection if a PE is in a virtual or raw mode - fixed an issue in dumping of some PEs
- Improvements in code scan (Issue #15)
- Improved reporting of unreachable modules
See also HollowsHunter: https://github.com/hasherezade/hollows_hunter/releases/tag/v0.3.1.3
v0.3.1
FEATURE
- Changes in presenting application parameters. Refactored to use ParamKit library
- Recognize Virtual Table hooks ( Issue #88 )
BUGFIX
- Improve recognizing when to rebuild import table from scratch ( Issue #89 )
- Improve detecting when to realign the payload ( Issue #90 )
- Do not include calls to own exports in the Import Table reconstruction ( Issue #91 )
See also HollowsHunter: https://github.com/hasherezade/hollows_hunter/releases/tag/v0.3.1
v0.3.0
FEATURE
- supported force-read of inaccessible pages (
PAGE_NOACCESS
) when running in the reflection mode (/refl
):- automatic if the inaccessible page is within the PE module
- on-demand if the inaccessible page is somewhere else in the workingset (depending on the selected
/data
mode)
- added more options for scanning non-executable pages (
/data
) - added one more mode of IAT hooks scan (
/iat
), allowing to filter out hooks that lead to any system DLL - in hook resolving function: recognize and parse one more jump type
- in shellcode detection: added one more pattern
BUGFIX
- Fixed error in printing JSON reports of some of the scan types (missing headers)
REFACT
- refactoring and optimization of the function resolving hooks
- removed not needed flags for process reflection creation (optimization)
See also HollowsHunter: https://github.com/hasherezade/hollows_hunter/releases/tag/v0.3.0