Releases: hasherezade/pe-sieve
Releases · hasherezade/pe-sieve
v0.2.6.1
BUGFIX
- Fixed crashes on printing json report (when run with
/jsonparameter ) - Fixed bug in coping input arguments
v0.2.6
FEATURE
- New parameter:
/iatallowing to scan for IAT Hooking (Issue #57) - Report about functions that could not be recovered (in case of import fixing)
BUGFIX
- Silence out (more) logs in the
quietmode - Updated libPeConv with bugfixes
- Do not start scanning if info requested (params:
/versionor/help) - Fixed JSON format in
dump_report.json(removed redundant comma)
v0.2.5
FEATURE
- Added dump reports (
dump_report.json) - Renamed scan report (from
report.jsontoscan_report.json) - Added parameter:
/mignore <modules>- to exclude defined list of modules form the scan
BUGFIX
- Fixed bug in libPeConv causing incomplete import recovery
- Added more patterns to recognize shellcodes
- Fixed false positive in path comparison (expand relative paths before comparing)
- Silence out logs in the
quietmode
Internal refactoring.
v0.2.4
FEATURE
- Detect Module Overloading (Issue #47 )
- Allow for supplying PID in a hexadecimal form (Issue #49)
- In a report: present the allocation type in form of a string (i.e. "MEM_IMAGE") instead of number
BUGFIX
- Added fixing Entry Points of .NET modules (Issue #48 )
- Fixed a bug causing false positives during patches detection (invalid identification of non-executable sections as executable)
- Fixed a bug causing not dumping of some of the detected modules (invalid offset calculation during dump: Issue #45)
- Improved detection of PEs embedded in a shellcode (Issue #44 )
- More precise validation of found PE artefacts
v0.2.3
v0.2.2
FEATURE
- Report about PEs with modified headers separately (do not treat them as replaced). Show details about what part of the PE header was modified.
BUGFIX
- Fixed: imports for remapped modules were not rebuilded.
- Fixed: imports for 64bit shellcodes were not recognized. (The shellcode bitness should be recognized before searching its imports.)
- Improved accuracy of searching beginning of the implanted module
- Fixed: invalid limits for workingset scan (causing the highest pages remaining unscanned)
- Fixed: unneccessery changes in the alignments of the implanted PE (Issue #39)
v0.2.1
BUGFIX
- Fixed a bug in libpeconv causing crashes during import recovery
- Added missing boundary check during searching PE artefacts
- Detect sections that are non-executable in the header, but set executable during execution (Issue #36)
- Do not try to recover Import Table, if the detected PE is in a raw format
FEATURE
- Improved accuracy in rebuilding Import Table (split IAT series that cannot be covered as a whole)
- Scan non-executable memory pages if DEP for the process is disabled. The feature is enabled by paramerer
/data. (Issue #37)
v0.2
FEATURE
- More flexibility in reconstruction of Import Table (added new options to the
/impparameter)- Including: reconstructing Import Table from the scratch (Issue #34)
- Import reconstruction can be applied on all the detected PEs (not only on the implanted ones)
- Reconstructing partially overwritten sections characteristics in the implanted PE
- Dumping PE implants that could not be reconstructed with an extension
.corrupt_dll/corrupt_exe - Added build date to the banner
REFACTORING
- Refactored PE dumping and import recovery
v0.1.8
FEATURE
- Path of each suspicious module added to the JSON report
BUGFIX
