
MBot

Members
  • Posts: 691
  • Joined
  • Last visited: Never
  • Days Won: 1

Everything MBot posted

  1. 📖 README.md
     Using: PE-sieve v0.3.9 https://github.com/hasherezade/pe-sieve/releases/tag/v0.3.9
     FEATURE
     • Added new parameter /pattern <file> allowing to supply custom signatures to be searched in memory. The format is defined by SigFinder and described in the relevant README.
     • If a pattern file was defined, a .tag file for the found patterns will be generated, with the extension .pattern.tag
  2. REFACT
     • Refactored to use a new pattern matching engine (SigFinder) for shellcode detection. Improved performance.
     FEATURE
     • Added new parameter /pattern <file> allowing to supply custom signatures to be searched in memory. The format is defined by SigFinder and described in the relevant README.
     • If a pattern file was defined, a .tag file for the found patterns will be generated, with the extension .pattern.tag
     • New fields in the scan_report.json:
       • Save the PE-sieve version with which the scan was performed (scanner_version)
       • In workingset_scan section: added patterns section with information about found patterns:
         • total_matched (count of all patterns matched, including the hardcoded ones)
         • custom_matched (count of patterns matched from the set defined by the user in the pattern file)
     • New fields in the dump_report.json:
       • If a pattern.tag file was generated, the name of this file will be added in the pattern_tags_file field of the relevant module.
     See also: HollowsHunter v0.3.9 with the latest PE-sieve
  3. This is the first development build after the Windows Package Manager 1.7 build for Windows 10 (1809+) and Windows 11. This build will be released to Windows Insider Dev builds and Windows Package Manager Insiders.
     Experimental features are enabled in this release. Run winget features to see which experimental features are enabled or disabled. Add the following to your settings (winget settings) file to enable the experimental features.
         "experimentalFeatures": {
             "directMSI": true,
             "configuration03": true,
             "resume": true,
         },
     What's Changed
     • Update WinGet Download spec with accurate PS cmdlet help by @ryfu-msft in #4182
     • Add Troubleshooting Step for CDN by @Trenly in #4188
     • CodeCoverage pipeline for submission to onefuzz. by @ryfu-msft in #4177
     • Update fuzzing code coverage pipeline id by @ryfu-msft in #4191
     • Increment version to 1.8 by @ryfu-msft in #4192
     Full Changelog: v1.7.10514...v1.8.532-preview
  4. A hackable malware sandbox for the 21st Century
  5. This release represents our first Windows Package Manager 1.7 release candidate build for Windows 10 (1809+), and Windows 11. Experimental features have been disabled in this release.
     Features
     • The winget repair command is now available and can be used to repair a package that is having issues.
     • Winget can enable Windows Features as a package dependency.
     • Winget now supports rebooting your machine if the installer return code indicates that a reboot is required. You can do this by passing the --allow-reboot flag.
     • WinGet configuration can accept a URL rather than only a local file.
     • Performance improvements to be more network efficient with the CDN along with better flows to handle scenarios with elevation requirements.
     • Support for Entra Id authentication (formerly Azure Active Directory) for private REST sources. Note: The REST source reference implementation still needs to be updated.
     What's Changed
     • Remove Invoke-CommandInDesktopPackage use by @JohnMcPMS in #3658
     • Improve packaged source updating by @JohnMcPMS in #3657
     • Add a bit of randomness to the wait time after source update failure by @JohnMcPMS in #3661
     • Reduce the size of the index by @JohnMcPMS in #3666
     • Log Com invocation startup telemetry and delay auto update time when invoked from explorer by @yao-msft in #3665
     • Enable COM API access to correlate with the tracking database only by @JohnMcPMS in #3670
     • Fix localized strings output by @mdanish-kh in #3673
     • Improve the version header detection and logging by @JohnMcPMS in #3680
     • Revert 3670 by @JohnMcPMS in #3700
     • Enable COM API access to correlate with the tracking database only by @JohnMcPMS in #3703
     • Use correct caller name in Com startup telemetry event by @yao-msft in #3711
     • Platform source should not be blocked by policy check by @yao-msft in #3725
     • Update docs for upgrade command by @KK-Designs in #3639
     • Honor 429 Retry-After by @msftrubengu in #3718
     • Make manifest retrieval choice more dynamic by @JohnMcPMS in #3738
     • Allow --accept-source-agreements with local manifests by @Trenly in #3573
     • Invoke ShellExecute on dism.exe for enabling Windows Features by @ryfu-msft in #3659
     • Allow --include-unknown with install by @Trenly in #3752
     • Broadcast WM_SETTINGCHANGE on change of path by @Trenly in #3751
     • Add resume command and support saving the argument state. by @ryfu-msft in #3508
     • Allow higher versions to satisfy the VCLibs dependency in Repair by @JohnMcPMS in #3763
     • Use package version as potential last update timestamp by @JohnMcPMS in #3759
     • Add missing condition for using toolset v143 when building JsonCppLib for arm by @florelis in #3773
     • Move SQLite base code by @JohnMcPMS in #3790
     • Fix non-test hook code for Windows Feature by @JohnMcPMS in #3789
     • Skip dependency evaluation with --skip-dependencies by @mdanish-kh in #3784
     • Download and install Workflow patches for skip dependencies by @yao-msft in #3794
     • Add experimental feature for initiating reboot for single package installs by @ryfu-msft in #3631
     • Microsoft.WinGet.Client Any CPU by @msftrubengu in #3622
     • Inform user if a module requires elevation by @msftrubengu in #3758
     • Add missing manifest fields by @hackean-msft in #3757
     • Configuration Schema 0.3 by @JohnMcPMS in #3779
     • Extend Configuration COM API for export by @florelis in #3787
     • Fix binskim issues by @ryfu-msft in #3815
     • Performance improvements by @JohnMcPMS in #3808
     • Fix OOP config helper by @JohnMcPMS in #3873
     • Revert manifest schemas to json draft-07 by @ryfu-msft in #3875
     • Allow Microsoft.WinGet.Client to run in any PowerShell session running as system by @msftrubengu in #3816
     • Fix signaling the app shutdown event running as admin by @msftrubengu in #3874
     • Configuration schema property descriptions added by @alexravenna in #3499
     • The initial yaml schema manifest for version 1.7.0 by @Madhusudhan-MSFT in #3876
     • Move to latest cppwinrt package across all projects by @JohnMcPMS in #3868
     • Add suggested dictionaries for spellchecking and remove unneeded words by @florelis in #3885
     • Remove unneeded words from spellchecking by @florelis in #3890
     • Update docs for winget commands by @KK-Designs in #3909
     • Ignore deprecation warning by @JohnMcPMS in #3905
     • Fix pipeline build error by @florelis in #3937
     • Add support for double-clicking on .wingetdev files for applying configuration by @florelis in #3860
     • Add a script to bootstrap running Pester tests by @JohnMcPMS in #3899
     • Add WingetDSC E2E tests by @ryfu-msft in #3939
     • Improve repair by @msftrubengu in #3886
     • Enable cmdlets for Windows PowerShell by @msftrubengu in #3951
     • Register restart for resume by @ryfu-msft in #3858
     • Allow user settings to control logging channels by @JohnMcPMS in #3955
     • Add package id, name, and source to install/update/uninstall result for PowerShell cmdlet by @ryfu-msft in #3954
     • Update Store Certs by @yao-msft in #3968
     • Introduce strong and weak comparisons between installers by @JohnMcPMS in #3956
     • Include framework packages during installed packages enumeration by @yao-msft in #3975
     • Allow winget configure from https location and extend winget configure validate for winget resource units by @yao-msft in #3833
     • Update comment around MotW application by @florelis in #3979
     • Restrict on agreement text only by @yao-msft in #3998
     • Create similarissues.yml by @craigloewen-msft in #4035
     • Update similarIssues.yml to not show 'fail' when no similar issues found by @craigloewen-msft in #4042
     • Similar issues workflow explicit permission by @msftrubengu in #4040
     • Update WinGetUtilInterop project by @msftrubengu in #4045
     • Repair switch support for V1.7 YAML manifest by @Madhusudhan-MSFT in #4041
     • Update dependency on System.Data.SqlClient by @florelis in #4083
     • Use std::variant in ManifestYamlPopulator by @msftrubengu in #4081
     • Show only agreement related info during install by @Trenly in #3999
     • Support group processing of configurations by @JohnMcPMS in #4059
     • Improve progress handling for group processor by @JohnMcPMS in #4121
     • Shadow Manifest by @msftrubengu in #4104
     • Remove debug flags to unblock utils nuget release (#4030) by @msftrubengu in #4127
     • Revert "Remove debug flags to unblock utils nuget release (#4030)" by @msftrubengu in #4128
     • Support Microsoft Entra Id authentication for rest source by @yao-msft in #4123
     • Retarget to netstandard2.1 (#4130) by @msftrubengu in #4132
     • Make windows feature and reboot features stable by @ryfu-msft in #4137
     • Update links in Roadmap by @Trenly in #4142
     • Refactor pinning evaluation by @JohnMcPMS in #4151
     • Winget client rest source parsing for 1.7 manifest by @yao-msft in #4155
     • Add 1.7 manifest fields to WingetUtilsInterop by @yao-msft in #4157
     • Update fuzzer and integrate with OneFuzz by @ryfu-msft in #4135
     • Add additional switches for Inno Setup based installers by @SpecterShell in #3562
     • Create #658 - WinGet Download.md by @RDMacLachlan in #2953
     • Log configuration input hash in configuration summary telemetry by @yao-msft in #4173
     • Implement Export-WinGetPackage powershell cmdlet for winget download by @ryfu-msft in #3977
     • winget repair cli implementation by @Madhusudhan-MSFT in #4168
     • Fix typo in '#658 - WinGet Download.md' Spec File by @og-mrk in #4179
     New Contributors
     • @KK-Designs made their first contribution in #3639
     • @alexravenna made their first contribution in #3499
     • @craigloewen-msft made their first contribution in #4035
     • @og-mrk made their first contribution in #4179
     Full Changelog: v1.6.2631...v1.7.10514
  6. See https://frida.re/news/ for details.
  7. submodules: Bump outdated
  8. Release 0.61.0
  9. • Unreferenced strings are allowed if their identifier starts with _ (#1941)
     • New command-line option --disable-console-logs for disabling the output of the console module (#1915)
     • New command-line option --strict-escape that raises warnings on unknown escape sequences (#1880).
     • Improve performance by avoiding the execution of rule conditions that can't match (#1927)
     • Add callback message CALLBACK_MSG_TOO_SLOW_SCANNING for notifying about slow rules (#1921).
     • Expose function RVA in pe.export_details (#1882).
     • BUGFIX: Fix issues in the computation of imphash in pe module (#1944). Credits to the NSHC ThreatRecon team!
     • BUGFIX: Fix multiple out-of-bound memory reads in dex module (#1949, #1951).
     • BUGFIX: Fix memory alignment issues (#1930).
     • BUGFIX: Some strings with the wide and ascii modifiers not matching as they should (#1933).
     • BUGFIX: Some rules not matching when --fast-scan is used (4de3d57)
     • BUGFIX: Properly list memory regions while scanning processes in Mac OS. (#2033)
     • BUGFIX: RFC5652 countersignatures are now correctly parsed in pe module (#2034)
     • BUGFIX: Fix potential DoS due to crashes in authenticode parser with malformed files (#2034). Credits to Bahaa Naamneh!
     • BUGFIX: Fix SIGSEGV in magic module when libmagic returns null pointer (3342aa0)
     • BUGFIX: Prevent infinite recursion while following symlinks (923368e)
     Thanks to: @mgoffin, @wxsBSD, @cblichmann, @secDre4mer, @vthib, @regeciovad, @kylereedmsft, @TommYDeeee, @humpalum, @metthal
  10. This release fixes a circular import error.
  11. This is the v7.0.0 release of capa which was mainly worked on during the Google Summer of Code (GSoC) 2023. A huge shoutout to our GSoC contributors @colton-gabertan and @yelhamer for their amazing work. Also, a big thanks to the other contributors: @aaronatp, @Aayush-Goel-04, @bkojusner, @doomedraven, @ruppde, @larchchen, @JCoonradt, and @xusheng6.
      New Features
      • add Ghidra backend #1770 #1767 @colton-gabertan @mike-hunhoff
      • add Ghidra UI integration #1734 @colton-gabertan @mike-hunhoff
      • add dynamic analysis via CAPE sandbox reports #48 #1535 @yelhamer
      • add call scope #771 @yelhamer
      • add thread scope #1517 @yelhamer
      • add process scope #1517 @yelhamer
      • rules: change meta.scope to meta.scopes @yelhamer
      • protobuf: add Metadata.flavor @williballenthin
      • binja: add support for forwarded exports #1646 @xusheng6
      • binja: add support for symtab names #1504 @xusheng6
      • add com class/interface features #322 @Aayush-Goel-04
      • dotnet: emit enclosing class information for nested classes #1780 #1913 @bkojusner @mike-hunhoff
      Breaking Changes
      • remove the SCOPE_* constants in favor of the Scope enum #1764 @williballenthin
      • protobuf: deprecate RuleMetadata.scope in favor of RuleMetadata.scopes @williballenthin
      • protobuf: deprecate Metadata.analysis in favor of Metadata.analysis2 that is dynamic analysis aware @williballenthin
      • update freeze format to v3, adding support for dynamic analysis @williballenthin
      • extractor: ignore DLL name for api features #1815 @mr-tz
      • main: introduce wrapping routines within main for working with CLI args #1813 @williballenthin
      • move functions from capa.main to new capa.loader namespace #1821 @williballenthin
      • proto: add package declaration #1960 @larchchen
      New Rules (41)
      • nursery/get-ntoskrnl-base-address @mr-tz
      • host-interaction/network/connectivity/set-tcp-connection-state @johnk3r
      • nursery/capture-process-snapshot-data @mr-tz
      • collection/network/capture-packets-using-sharppcap jakub.jozwiak@mandiant.com
      • nursery/communicate-with-kernel-module-via-netlink-socket-on-linux michael.hunhoff@mandiant.com
      • nursery/get-current-pid-on-linux michael.hunhoff@mandiant.com
      • nursery/get-file-system-information-on-linux michael.hunhoff@mandiant.com
      • nursery/get-password-database-entry-on-linux michael.hunhoff@mandiant.com
      • nursery/mark-thread-detached-on-linux michael.hunhoff@mandiant.com
      • nursery/persist-via-gnome-autostart-on-linux michael.hunhoff@mandiant.com
      • nursery/set-thread-name-on-linux michael.hunhoff@mandiant.com
      • load-code/dotnet/load-windows-common-language-runtime michael.hunhoff@mandiant.com blas.kojusner@mandiant.com jakub.jozwiak@mandiant.com
      • nursery/log-keystrokes-via-input-method-manager @mr-tz
      • nursery/encrypt-data-using-rc4-via-systemfunction032 richard.weiss@mandiant.com
      • nursery/add-value-to-global-atom-table @mr-tz
      • nursery/enumerate-processes-that-use-resource @Ana06
      • host-interaction/process/inject/allocate-or-change-rwx-memory @mr-tz
      • lib/allocate-or-change-rw-memory 0x534a@mailbox.org @mr-tz
      • lib/change-memory-protection @mr-tz
      • anti-analysis/anti-av/patch-antimalware-scan-interface-function jakub.jozwiak@mandiant.com
      • executable/dotnet-singlefile/bundled-with-dotnet-single-file-deployment sara.rincon@mandiant.com
      • internal/limitation/file/internal-dotnet-single-file-deployment-limitation sara.rincon@mandiant.com
      • data-manipulation/encoding/encode-data-using-add-xor-sub-operations jakub.jozwiak@mandiant.com
      • nursery/access-camera-in-dotnet-on-android michael.hunhoff@mandiant.com
      • nursery/capture-microphone-audio-in-dotnet-on-android michael.hunhoff@mandiant.com
      • nursery/capture-screenshot-in-dotnet-on-android michael.hunhoff@mandiant.com
      • nursery/check-for-incoming-call-in-dotnet-on-android michael.hunhoff@mandiant.com
      • nursery/check-for-outgoing-call-in-dotnet-on-android michael.hunhoff@mandiant.com
      • nursery/compiled-with-xamarin michael.hunhoff@mandiant.com
      • nursery/get-os-version-in-dotnet-on-android michael.hunhoff@mandiant.com
      • data-manipulation/compression/create-cabinet-on-windows michael.hunhoff@mandiant.com jakub.jozwiak@mandiant.com
      • data-manipulation/compression/extract-cabinet-on-windows jakub.jozwiak@mandiant.com
      • lib/create-file-decompression-interface-context-on-windows jakub.jozwiak@mandiant.com
      • nursery/enumerate-files-in-dotnet moritz.raabe@mandiant.com anushka.virgaonkar@mandiant.com
      • nursery/get-mac-address-in-dotnet moritz.raabe@mandiant.com michael.hunhoff@mandiant.com echernofsky@google.com
      • nursery/get-current-process-command-line william.ballenthin@mandiant.com
      • nursery/get-current-process-file-path william.ballenthin@mandiant.com
      • nursery/hook-routines-via-dlsym-rtld_next william.ballenthin@mandiant.com
      • nursery/linked-against-hp-socket still@teamt5.org
      • host-interaction/process/inject/process-ghostly-hollowing sara.rincon@mandiant.com
      Bug Fixes
      • ghidra: fix ints_to_bytes performance #1761 @mike-hunhoff
      • binja: improve function call site detection @xusheng6
      • binja: use binaryninja.load to open files @xusheng6
      • binja: bump binja version to 3.5 #1789 @xusheng6
      • elf: better detect ELF OS via GCC .ident directives #1928 @williballenthin
      • elf: better detect ELF OS via Android dependencies #1947 @williballenthin
      • fix setuptools package discovery #1886 @gmacon @mr-tz
      • remove unnecessary scripts/vivisect-py2-vs-py3.sh file #1949 @JCoonradt
      capa explorer IDA Pro plugin
      • various integration updates and minor bug fixes
      Development
      • update ATT&CK/MBC data for linting #1932 @mr-tz
      Developer Notes
      With this new release, many classes and concepts have been split up into static (mostly identical to the prior implementations) and dynamic ones. For example, the legacy FeatureExtractor class has been renamed to StaticFeatureExtractor and the DynamicFeatureExtractor has been added.
      Starting from version 7.0, we have moved the component responsible for feature extraction from main to a new capabilities module. Now, users wishing to utilize capa's feature extraction abilities should use that module instead of importing the relevant logic from the main file.
      For sandbox-based feature extractors, we are using Pydantic models. Contributions of more models for other sandboxes are very welcome!
      With this release we've reorganized the logic found in main() to localize logic and ease readability and ease changes and integrations. The new "main routines" are expected to be used only within main functions, either capa main or related scripts. These functions should not be invoked from library code.
      Beyond copying code around, we've refined the handling of the input file/format/backend. The logic for picking the format and backend is more consistent. We've documented that the input file is not necessarily the sample itself (cape/freeze/etc.) inputs are not actually the sample.
      Raw diffs
      • capa v6.1.0...v7.0.0
      • capa-rules v6.1.0...v7.0.0
  12. What's New · Change History · Installation Guide
      SHA-256: a0bc9450aa3a231096b13a823c66311b9f84cb9cec4624393221cfed40ef6924
  13. Official GNU Binutils 2.42 Release
  14. v7.0.0-beta
      This is the beta release of capa v7.0 which was mainly worked on during the Google Summer of Code (GSoC) 2023. A huge shoutout to @colton-gabertan and @yelhamer for their amazing work. Also a big thanks to the other contributors: @aaronatp, @Aayush-Goel-04, @bkojusner, @doomedraven, @ruppde, and @xusheng6.
      New Features
      • add Ghidra backend #1770 #1767 @colton-gabertan @mike-hunhoff
      • add dynamic analysis via CAPE sandbox reports #48 #1535 @yelhamer
      • add call scope #771 @yelhamer
      • add thread scope #1517 @yelhamer
      • add process scope #1517 @yelhamer
      • rules: change meta.scope to meta.scopes @yelhamer
      • protobuf: add Metadata.flavor @williballenthin
      • binja: add support for forwarded exports #1646 @xusheng6
      • binja: add support for symtab names #1504 @xusheng6
      • add com class/interface features #322 @Aayush-Goel-04
      • dotnet: emit enclosing class information for nested classes #1780 #1913 @bkojusner @mike-hunhoff
      Breaking Changes
      • remove the SCOPE_* constants in favor of the Scope enum #1764 @williballenthin
      • protobuf: deprecate RuleMetadata.scope in favor of RuleMetadata.scopes @williballenthin
      • protobuf: deprecate Metadata.analysis in favor of Metadata.analysis2 that is dynamic analysis aware @williballenthin
      • update freeze format to v3, adding support for dynamic analysis @williballenthin
      • extractor: ignore DLL name for api features #1815 @mr-tz
      New Rules (41)
      • nursery/get-ntoskrnl-base-address @mr-tz
      • host-interaction/network/connectivity/set-tcp-connection-state @johnk3r
      • nursery/capture-process-snapshot-data @mr-tz
      • collection/network/capture-packets-using-sharppcap jakub.jozwiak@mandiant.com
      • nursery/communicate-with-kernel-module-via-netlink-socket-on-linux michael.hunhoff@mandiant.com
      • nursery/get-current-pid-on-linux michael.hunhoff@mandiant.com
      • nursery/get-file-system-information-on-linux michael.hunhoff@mandiant.com
      • nursery/get-password-database-entry-on-linux michael.hunhoff@mandiant.com
      • nursery/mark-thread-detached-on-linux michael.hunhoff@mandiant.com
      • nursery/persist-via-gnome-autostart-on-linux michael.hunhoff@mandiant.com
      • nursery/set-thread-name-on-linux michael.hunhoff@mandiant.com
      • load-code/dotnet/load-windows-common-language-runtime michael.hunhoff@mandiant.com blas.kojusner@mandiant.com jakub.jozwiak@mandiant.com
      • nursery/log-keystrokes-via-input-method-manager @mr-tz
      • nursery/encrypt-data-using-rc4-via-systemfunction032 richard.weiss@mandiant.com
      • nursery/add-value-to-global-atom-table @mr-tz
      • nursery/enumerate-processes-that-use-resource @Ana06
      • host-interaction/process/inject/allocate-or-change-rwx-memory @mr-tz
      • lib/allocate-or-change-rw-memory 0x534a@mailbox.org @mr-tz
      • lib/change-memory-protection @mr-tz
      • anti-analysis/anti-av/patch-antimalware-scan-interface-function jakub.jozwiak@mandiant.com
      • executable/dotnet-singlefile/bundled-with-dotnet-single-file-deployment sara.rincon@mandiant.com
      • internal/limitation/file/internal-dotnet-single-file-deployment-limitation sara.rincon@mandiant.com
      • data-manipulation/encoding/encode-data-using-add-xor-sub-operations jakub.jozwiak@mandiant.com
      • nursery/access-camera-in-dotnet-on-android michael.hunhoff@mandiant.com
      • nursery/capture-microphone-audio-in-dotnet-on-android michael.hunhoff@mandiant.com
      • nursery/capture-screenshot-in-dotnet-on-android michael.hunhoff@mandiant.com
      • nursery/check-for-incoming-call-in-dotnet-on-android michael.hunhoff@mandiant.com
      • nursery/check-for-outgoing-call-in-dotnet-on-android michael.hunhoff@mandiant.com
      • nursery/compiled-with-xamarin michael.hunhoff@mandiant.com
      • nursery/get-os-version-in-dotnet-on-android michael.hunhoff@mandiant.com
      • data-manipulation/compression/create-cabinet-on-windows michael.hunhoff@mandiant.com jakub.jozwiak@mandiant.com
      • data-manipulation/compression/extract-cabinet-on-windows jakub.jozwiak@mandiant.com
      • lib/create-file-decompression-interface-context-on-windows jakub.jozwiak@mandiant.com
      • nursery/enumerate-files-in-dotnet moritz.raabe@mandiant.com anushka.virgaonkar@mandiant.com
      • nursery/get-mac-address-in-dotnet moritz.raabe@mandiant.com michael.hunhoff@mandiant.com echernofsky@google.com
      • nursery/get-current-process-command-line william.ballenthin@mandiant.com
      • nursery/get-current-process-file-path william.ballenthin@mandiant.com
      • nursery/hook-routines-via-dlsym-rtld_next william.ballenthin@mandiant.com
      • nursery/linked-against-hp-socket still@teamt5.org
      • host-interaction/process/inject/process-ghostly-hollowing sara.rincon@mandiant.com
      Bug Fixes
      • ghidra: fix ints_to_bytes performance #1761 @mike-hunhoff
      • binja: improve function call site detection @xusheng6
      • binja: use binaryninja.load to open files @xusheng6
      • binja: bump binja version to 3.5 #1789 @xusheng6
      • elf: better detect ELF OS via GCC .ident directives #1928 @williballenthin
      • fix setuptools package discovery #1886 @gmacon @mr-tz
      Development
      • update ATT&CK/MBC data for linting #1932 @mr-tz
      Developer Notes
      With this new release, many classes and concepts have been split up into static (mostly identical to the prior implementations) and dynamic ones. For example, the legacy FeatureExtractor class has been renamed to StaticFeatureExtractor and the DynamicFeatureExtractor has been added.
      Starting from version 7.0, we have moved the component responsible for feature extraction from main to a new capabilities module. Now, users wishing to utilize capa's feature extraction abilities should use that module instead of importing the relevant logic from the main file.
      For sandbox-based feature extractors, we are using Pydantic models. Contributions of more models for other sandboxes are very welcome!
      Raw diffs
      • capa v6.1.0...v7.0.0-beta
      • capa-rules v6.1.0...v7.0.0-beta
  15. Changelog: 2024.01 - Evergreen Response
      What's Changed in Evergreen Response
      • install curl coverage.yml by @therealdreg in #997
      • gef-remote: Fix issue with remote path having a space by @Grazfather in #998
      • Tiny cleanup by @Grazfather in #994
      • Let GefSetting write hooks see value by @Grazfather in #1000
      • Fix gdb.execute not quoting paths by @Grazfather in #999
      • Do not quote paths when running 'source' by @Grazfather in #1005
      • show basename in source: split line by @bartman in #1017
      • [Installers] Use latest tag, not main by @hugsy in #1007
      • Reorder reset_arch: param forced, elf header, gdb conf by @josx in #1004
      • Run validate CI step with Python 3.11 by @Grazfather in #1022
      • [target-remote] Basic support for the target remote command by @ValekoZ in #1020
      • Coverage workflow should only be triggered by pull_request by @hugsy in #1023
      • Dump memory usage when listing arenas, and add summary option in heap chunks command. by @r12f in #1024
      • Memory map provider by @Grazfather in #1003
      • Fix clear-screen timing when showing context by @r12f in #1026
      • Add min-size and max-size filter to heap chunks command by @r12f in #1025
      • Add c++ symbol support in xinfo. by @r12f in #1028
      • Add config to override libc version. by @r12f in #1027
      • Add option to resolve type when dumping heap summary. by @r12f in #1030
      • Rename _target to debug_target for building test cases. by @r12f in #1031
      • gef.sh: Fix which: command not found by @osalbahr in #1032
      • [docs] document conditional context panes by @Ordoviz in #1035
      • support 64 bit retval for stub by @Angelo942 in #1034
      • Add count option in heap chunks command to limit the number of chunks to process / output. by @r12f in #1029
      • correct parsing in gdb_get_location_from_symbol by @Angelo942 in #1037
      • Migrate tests to RPyC by @hugsy in #1040
      • Remove old context_times script + tuneup by @Grazfather in #1042
      • Update rpyc example in docs/testing.md by @hugsy in #1041
      Contributors (author: number of commits)
      • Angelo942: 2
      • Bart Trojanowski: 1
      • crazy hugsy: 4
      • Dreg: 1
      • Grazfather: 8
      • José Luis Di Biase: 1
      • Lennard Hofmann: 1
      • Osama Albahrani: 1
      • Riff: 8
      • ValekoZ: 1
      New Contributors 🎉
      • @bartman made their first contribution in #1017
      • @josx made their first contribution in #1004
      • @ValekoZ made their first contribution in #1020
      • @r12f made their first contribution in #1024
      • @osalbahr made their first contribution in #1032
      • @Ordoviz made their first contribution in #1035
      • @Angelo942 made their first contribution in #1034
      Closed Issues
      9 issues closed (1036 • 1033 • 1018 • 1016 • 1014 • 1011 • 1010 • 1009 • 1008)
      Closed Pull Requests
      21 PRs closed (1042 • 1041 • 1040 • 1037 • 1035 • 1034 • 1032 • 1031 • 1030 • 1029 • 1028 • 1027 • 1026 • 1025 • 1024 • 1023 • 1022 • 1020 • 1019 • 1017 • 1013)
      Commit details
      28 commits since 2023.08
      Commit log
      • 2023-08-21 d6ce056 • Dreg • Install curl coverage.yml (#997)
      • 2023-08-25 bba5f1c • Grazfather • gef-remote: Fix issue with remote path having a space (#998)
      • 2023-08-26 46fba8b • Grazfather • Tiny cleanup (#994)
      • 2023-08-26 6a6e2a0 • Grazfather • Let GefSetting write hooks see value (#1000)
      • 2023-09-09 1247fe4 • Grazfather • Fix gdb.execute not quoting paths (#999)
      • 2023-09-11 5927df4 • Grazfather • Do not quote paths when running 'source' (#1005)
      • 2023-11-28 788f56b • Bart Trojanowski • show basename in source: split line (#1017)
      • 2023-11-28 0f6255e • crazy hugsy • [Installers] Use latest tag, not main (#1007)
      • 2023-11-29 295cbf7 • José Luis Di Biase • Reorder reset_arch: parameter forced, elf header, gdb conf (#1004)
      • 2023-12-13 15b09cf • Grazfather • Run validate CI step with Python 3.11 (#1022)
      • 2023-12-16 f7a2105 • ValekoZ • [target-remote] Basic support for the target remote command (#1020)
      • 2023-12-16 0eb7f5c • crazy hugsy • Coverage workflow should only be triggered by pull_request (#1023)
      • 2023-12-18 17c496c • Riff • Dump memory usage when listing arenas, and add summary option (#1024)
      • 2023-12-18 4f20983 • Grazfather • Memory map provider (#1003)
      • 2023-12-20 f0d2818 • Riff • Fix clear-screen timing when showing context (#1026)
      • 2023-12-20 fbda021 • Riff • Add min-size and max-size filter to heap chunks command (#1025)
      • 2023-12-20 023b1a9 • Riff • Add c++ symbol support in xinfo. (#1028)
      • 2023-12-22 663d4a2 • Riff • Add config to override libc version. (#1027)
      • 2023-12-22 e629f02 • Riff • Add option to resolve type when dumping heap summary. (#1030)
      • 2023-12-22 53c769c • Riff • Rename _target to debug_target for building test cases. (#1031)
      • 2023-12-26 951872b • Osama Albahrani • [gef.sh] Replaced which with command (#1032)
      • 2023-12-30 5cc4ef2 • Lennard Hofmann • [docs] document conditional context panes (#1035)
      • 2023-12-30 a2704c9 • Angelo942 • Support 64 bit return value for stub (#1034)
      • 2024-01-02 d4b849e • Riff • Add count option in heap chunks command to limit the number of chunks to process / output. (#1029)
      • 2024-01-04 deeab2f • Angelo942 • Set correct parsing to gdb_get_location_from_symbol (#1037)
      • 2024-01-09 bcaabff • crazy hugsy • Migrate tests to RPyC (#1040)
      • 2024-01-10 8395f0b • Grazfather • Remove old context_times script + tuneup (#1042)
      • 2024-01-10 b56bf9d • crazy hugsy • Update rpyc example in docs/testing.md (#1041)
      File diff
      77 files changed, 2888 insertions(+), 1939 deletions(-)
      Full Changelog: 2023.08...2024.01
  16. please refer to the Changelog
      WARNING: The release will be live within an hour!
  17. submodules: Bump outdated
  18. Please see the file CHANGELOG for a detailed list of changes.
      Asset / File: Description / Host OS
      • die_sourcecode_3.09.tar.gz: Source code tarball
      • Detect_It_Easy-3.09-x86_64.AppImage: Portable version for Linux (How to run)
      • die_3.09_Debian_10_amd64.deb: Installer for Debian 10
      • die_3.09_Debian_11_amd64.deb: Installer for Debian 11
      • die_3.09_Debian_12_amd64.deb: Installer for Debian 12
      • die_3.09_Ubuntu_14.04_amd64.deb: Installer for Ubuntu 14.04
      • die_3.09_Ubuntu_16.04_amd64.deb: Installer for Ubuntu 16.04
      • die_3.09_Ubuntu_18.04_amd64.deb: Installer for Ubuntu 18.04
      • die_3.09_Ubuntu_20.04_amd64.deb: Installer for Ubuntu 20.04
      • die_3.09_Ubuntu_22.04_amd64.deb: Installer for Ubuntu 22.04
      • die_3.09_Ubuntu_22.10_amd64.deb: Installer for Ubuntu 22.10
      • die_3.09_Ubuntu_23.04_amd64.deb: Installer for Ubuntu 23.04
      • die_3.09_Ubuntu_23.10_amd64.deb: Installer for Ubuntu 23.10
      • die_3.09_Kali_2023.4_amd64: Installer for Kali 2023.4
      • die_3.09_Parrot_5.3_amd64.deb: Installer for Ubuntu 23.10
      • die_3.09_portable_Ubuntu_20.04_amd64.tar.gz: Portable version for Ubuntu 20.04
      • detect-it-easy-3.09-1-x86_64.pkg.tar.zst: Installer for Arch Linux
      • die_mac_3.09_x86_64.pkg: Installer for macOS
      • die_mac_qt6_3.09_arm64.pkg: Installer for macOS Qt6 M1 processor
      • die_mac_portable_3.09_x86_64.zip: Portable version for macOS
      • die_win32_portable_3.09_x86.zip: Portable version for x86 Win32 (Win7-Win11)
      • die_win64_portable_3.09_x64.zip: Portable version for x64 Win64 (Win7-Win11)
      • die_winxp_portable_3.09_x86.zip: Portable version for Windows XP (WinXP-Win11)
      Experimental versions - There may be bugs in the GUI
      Asset / File: Description / Host OS
      • die_win64_qt6_portable_3.09_x64.zip: Portable version for x64 Win64 Qt6 (Win10-Win11)