Releases: hasherezade/pe-sieve

v0.1.6

18 Dec 04:36

PE-sieve 0.1.6

FEATURE

  • Identify the hook target: report which module the hook leads to (#23)
  • Add a possibility to set the root directory of the dumps (option /dir)
  • Sections that are fully unpacked in memory are reported differently than patched ones (#22)
  • Inform if an invalid parameter was supplied

BUGFIX

  • fixed crashing on some malformed samples (#21, #24)
  • fixed inaccuracies in import recovery
  • fixed an error in detection of PE artefacts (#25)
  • fixed the information displayed when access to a process was denied (now more relevant)

v0.1.5

05 Nov 04:04

FEATURE

  • various modes of payload dumping (virtual, raw, remapped)
  • automatic detection of a dump mode that is the most suitable for the payload/packer type, enabling more accurate reconstruction of payloads
  • cleaner interface: grouped displayed parameters

BUGFIX

  • fixed JSON report (the number of sections should be displayed as decimal)
  • fixed the non-working output mode 'report only': it was not creating the dump directory and not saving the reports
  • fixed inaccuracies in the detection of section headers (in the artefacts scan)

v0.1.4.3

08 Sep 22:19

BUGFIX

  • fixed missing detection of some of the manually loaded implants

v0.1.4

18 Aug 16:38

Faster & more accurate

REFACTORING & OPTIMIZATION

  • refactored workingset scan to improve performance
  • refactored code scan to improve accuracy of detecting hooks & patches

FEATURE

  • reconstructing payloads with partially corrupt headers
  • recognizing the payload's extension (dll or exe)
  • improved JSON formatting
  • scan all the sections that are executable in memory (even if they are not marked executable in the headers): improved detection and dumping of packed sections
  • improved reporting of Process Doppelgänging

v0.1.2

29 Jul 18:04

BUGFIX

  • Fixed NT path conversion
  • Improved imports recovery

FEATURE

  • Added info on whether the suspicious module is a .NET module
  • Cleaned up the report (hid unused fields)

v0.1

03 May 19:21

BUGFIX

  • fixed JSON report (unescaped backslashes, Issue #13)
  • fixed false positives in mapping scan (when the name of the mapped file does not match the image file)
  • fixed duplicated reporting (code section mistakenly detected as shellcode, Issue #12)

FEATURE

  • improved hook detection: parsing short jumps

v0.0.9.9.9

12 Apr 20:46
Pre-release

BUGFIX

  • fixed a bug in parsing paths in the \\?\[...] format

FEATURES

  • more detailed detection of Process Doppelgänging: checking if the mapped image matches the module image
  • more detailed info about hooks: reporting the name of the hooked function
  • added shellcode detection and dumping (can be enabled by a parameter)
  • added icon and changed theme
  • added backward compatibility with older versions of Windows (including Windows XP 32bit)

v0.0.9.9.8

25 Mar 14:27
Pre-release

BUGFIX

  • fixed the application crashing on an attempt to recover imports of files with a corrupt import table
  • fixed inaccurate parsing of some of the hooks
  • fixed false positives on the scan of mapped memory regions

OPTIMIZATION

  • redesigned the working set scan in order to boost performance and accuracy: it now works about 5-6 times faster than before

FEATURE

  • print the path of the main module in the scan report (JSON)
  • more accurate imports recovery: imports can now be recovered even in cases where the DLL name was completely erased

v0.0.9.9.7

11 Mar 21:33
Pre-release

BUGFIX

  • fixed false positives:
    • headers scan: filtered out .NET modules
    • working set scan: treat as suspicious only manually mapped modules that can be executed

FEATURES

  • improved precision of working set scan, including:
    • detection of implanted PE files not aligned to the beginning of the memory page
  • recognizing basic hooks and fetching their targets (information included in the .tag file)

v0.0.9.9

25 Feb 18:13
Pre-release

BUGFIX

  • fixed a memory leak

FEATURES

  • extended and refactored scanning of the working set
  • extended reporting (more details about suspicious indicators)