MBot

Member: 686 posts, last visit: never, days won: 1
Everything MBot posted

  1. submodules: Bump outdated
  2. capa v6.1.0 is a bug fix release, most notably fixing unhandled exceptions in the capa explorer IDA Pro plugin. @Aayush-Goel-04 put a lot of effort into improving code quality and adding a script for rule authors. The script shows which features are present in a sample but not referenced by any existing rule. You could use this script to find opportunities for new rules. Speaking of new rules, we have eight additions, coming from Ronnie, Jakub, Moritz, Ervin, and still@teamt5.org!

     New Features
       • ELF: implement import and export name extractor #1607 #1608 @Aayush-Goel-04
       • bump pydantic from 1.10.9 to 2.1.1 #1582 @Aayush-Goel-04
       • develop script to highlight features not used during matching #331 @Aayush-Goel-04

     New Rules (8)
       • executable/pe/export/forwarded-export ronnie.salomonsen@mandiant.com
       • host-interaction/bootloader/get-uefi-variable jakub.jozwiak@mandiant.com
       • host-interaction/bootloader/set-uefi-variable jakub.jozwiak@mandiant.com
       • nursery/enumerate-device-drivers-on-linux @mr-tz
       • anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch ervin.ocampo@mandiant.com
       • linking/static/sqlite3/linked-against-cppsqlite3 still@teamt5.org
       • linking/static/sqlite3/linked-against-sqlite3 still@teamt5.org

     Modified rules (9)
       • anti-analysis/anti-forensic/self-deletion/self-delete.yml
       • collection/browser/gather-chrome-based-browser-login-information.yml
       • collection/browser/gather-firefox-profile-information.yml
       • data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml
       • host-interaction/process/inject/free-user-process-memory.yml
       • lib/get-os-version.yml
       • nursery/deserialize-json-in-dotnet.yml
       • nursery/serialize-json-in-dotnet.yml
       • persistence/authentication-process/act-as-credential-manager-dll.yml

     Renamed rules (1)
       • persistence/create-shortcut-via-ishelllink.yml (was nursery/create-shortcut-via-ishelllink.yml)

     Bug Fixes
       • rules: fix forwarded export characteristic #1656 @RonnieSalomonsen
       • Binary Ninja: Fix stack string detection #1473 @xusheng6
       • linter: skip native API check for NtProtectVirtualMemory #1675 @williballenthin
       • OS: detect Android ELF files #1705 @williballenthin
       • ELF: fix parsing of symtab #1704 @williballenthin
       • result document: don't use deprecated pydantic functions #1718 @williballenthin
       • pytest: don't mark IDA tests as pytest tests #1719 @williballenthin

     capa explorer IDA Pro plugin
       • fix unhandled exception when resolving rule path #1693 @mike-hunhoff

     Raw diffs: capa v6.0.0...v6.1.0, capa-rules v6.0.0...v6.1.0
  3. Changelog: 2023.08 - Disguised Wedding

     Important Note: GEF and GEF-Extras have both moved to using the main branch as the default. Therefore if you contribute to the code, make sure your PRs are made against the main branch.

     Highlights of Disguised Wedding
       • Fix typo in docs by @bkrl in #949
       • Remove outdated sentence in docs by @bkrl in #948
       • [docs] Regenerating api/gef.md by @hugsy in #951
       • add nopi command it patchs full instructions by @therealdreg in #959
       • nop: Fix off-by-one in unmap check by @Grazfather in #960
       • Wrap docs by @Grazfather in #962
       • add skipi command by @therealdreg in #964
       • add site/ directory generated by mkdocs to .gitignore by @therealdreg in #968
       • add new nop command features by @therealdreg in #967
       • nop: Add force req when not already --f by @Grazfather in #970
       • Small cleanup - sets by @Grazfather in #972
       • Restore autosave_breakpoints_file behavior by @hugsy in #969
       • Fix hardcoded NOP instructions for ARM/AARCH64 by @hugsy in #971
       • reformat README by @Grazfather in #976
       • Minor additions to the documentation by @hugsy in #975
       • [Docs] Added linting for markdown files by @hugsy in #977
       • fix issue link by @therealdreg in #979
       • under license mit -> under mit license by @therealdreg in #980
       • [CI] Upgrade notification actions by @hugsy in #981
       • Restore main as the default branch by @hugsy in #983
       • Switch dev refs to main by @hugsy in #982
       • Setup pre-commit for GEF by @hugsy in #984
       • add debugging instructions by @therealdreg in #985
       • add forbidden words checks to coverage action by @therealdreg in #991
       • [CI] Use pull_request_target for coverage trigger by @hugsy in #990
       • Fix context regs regression that broke reg order by @Grazfather in #993
       • Added docs to debug using VSCode by @hugsy in #995

     Contributors (author: number of commits)
       • hugsy: 13
       • Dreg: 8
       • Grazfather: 6
       • Alexander Zhang: 2

     New Contributors
       • @bkrl made their first contribution in #949

     Closed Issues: 5 issues closed (986 • 978 • 974 • 973 • 965)

     Closed Pull Requests: 25 PRs closed (995 • 993 • 992 • 991 • 990 • 989 • 988 • 987 • 985 • 984 • 983 • 982 • 981 • 980 • 979 • 977 • 976 • 975 • 972 • 971 • 970 • 969 • 968 • 967 • 966)

     Commit details: 44 commits since 2023.06

     Commit log
       • 2023-04-22 a6f4cc1 • Alexander Zhang • Fix typo in docs (#949)
       • 2023-04-24 ac73217 • crazy hugsy • [ci] coverage use dedicated token
       • 2023-04-25 102288f • Alexander Zhang • Update sentence about Python version in docs (#948)
       • 2023-05-27 91f4d70 • crazy hugsy • [docs] Regenerating api/gef.md (#951)
       • 2023-05-29 0fd751e • crazy hugsy • Update README.md
       • 2023-07-13 74e8626 • Dreg • Update nop command to patch entire instructions (#959)
       • 2023-07-13 ca7418c • Grazfather • nop: Fix off-by-one in unmap check (#960)
       • 2023-07-18 7fd94ab • Grazfather • Wrap docs (#962)
       • 2023-07-19 577ad02 • Dreg • Add skipi command to skip N instructions (#964)
       • 2023-07-21 b2d3edc • crazy hugsy • Update coverage.yml
       • 2023-07-21 b0f4fa9 • Dreg • add site/ directory generated by mkdocs to .gitignore (#968)
       • 2023-07-21 99c59a9 • Dreg • adjust the behavior (and options) for the nop command (#967)
       • 2023-07-21 9170ac0 • Grazfather • nop: Add force req when not already --f (#970)
       • 2023-07-22 81ee52d • Grazfather • Small cleanup - sets (#972)
       • 2023-07-22 e529fbc • crazy hugsy • Restore autosave_breakpoints_file behavior (#969)
       • 2023-07-22 0461d6f • crazy hugsy • Fix hardcoded NOP instructions for ARM/AARCH64 (#971)
       • 2023-07-30 27a29d9 • Grazfather • Reformat README (#976)
       • 2023-07-31 b57e174 • crazy hugsy • Minor additions to the documentation (#975)
       • 2023-08-01 5e23739 • crazy hugsy • [Docs] Added linting for markdown files (#977)
       • 2023-08-02 ea7ed49 • Dreg • Fix link in testing docs (#979)
       • 2023-08-02 51804c8 • Dreg • Fixed phrasing in docs (#980)
       • 2023-08-05 a825c84 • crazy hugsy • [ci] Upgrade notification actions (#981)
       • 2023-08-06 8f0f444 • crazy hugsy • Restore main as the default branch (#983)
       • 2023-08-07 878cbf2 • crazy hugsy • Switch dev refs to main (#982)
       • 2023-08-07 7c170cf • crazy hugsy • Setup pre-commit for GEF (#984)
       • 2023-08-14 d27efd3 • Dreg • Add debugging instructions (#985)
       • 2023-08-16 371f273 • Dreg • [CI] Add forbidden words checks to coverage action (#991)
       • 2023-08-16 67c363d • crazy hugsy • [CI] Use pull_request_target for coverage trigger (#990)
       • 2023-08-16 9f79363 • Grazfather • Fix context regs regression that broke reg order (#993)
       • 2023-08-20 7856b70 • hugsy • Added docs to debug using VSCode
       • 2023-08-20 cc3b0ca • hugsy • Fixed un-ended comment tag in pr_template md file

     File diff: 113 files changed, 25567 insertions(+), 1307 deletions(-)
  4. What's Changed
       • fix(github workflow) depcreated set-output and docker/build-push-action by @LordNoteworthy in #412
       • feat (services) post-processor to include first_seen when it's absent by @LordNoteworthy in #413
       • feat: add loki-stack chart for log aggregation by @LordNoteworthy in #414
       • fix(storage): guarantee sequential write in s3 download by @LordNoteworthy in #415
       • fix: Set the nsq config maxInFlight to the same # of goroutines by @LordNoteworthy in #416
       • fix(services): increase multi-av scan timeout and nsq msg timeout by @LordNoteworthy in #417
       • doc: add documentation how to use compose to develop in the codebase by @LordNoteworthy in #418
       • feat: make pulling image contrainers more generic from private registries by @LordNoteworthy in #419
       • feat: externalize multi-av scan timeout by @LordNoteworthy in #420
       • helm: populate multiav default values for scanTimeout and logLevel by @LordNoteworthy in #421
       • feat: change multiav scan timeout from an int (seconds) to duration (string) by @LordNoteworthy in #427
       • chore(helm): fix _helpers template by @LordNoteworthy in #428
       • chore(helm): default values for new config entries in web apis by @LordNoteworthy in #429
       • fix(services): set the status for task progress by @LordNoteworthy in #431
       • fix(helm): webapis extra cors origins + new UI by @LordNoteworthy in #432
       • fix: update compose to match new UI env vars & bump go to v1.18 by @LordNoteworthy in #433
       • feat: Create a summary of behavior activities in sandbox by @LordNoteworthy in #435
       • chore(deps): bump google.golang.org/grpc from 1.52.0 to 1.53.0 by @dependabot in #437
       • feat(sandbox): append process ID to system events and make events an array instead of an object by @LordNoteworthy in #438
       • feat(sandbox): scanning artifacs with Yara by @LordNoteworthy in #439
       • feat(sandbox): store process tree data by @LordNoteworthy in #441
       • increase gRPC msg size + fix timeout fmt + artifacts length by @LordNoteworthy in #442
       • feat: store big byte* API parameters to object storage by @LordNoteworthy in #443

     Full Changelog: v0.4.0...v0.5.0
  5. This is the second development build after the Windows Package Manager 1.6 build for Windows 10 (1809+) and Windows 11. This build will be released to Windows Insider Dev builds and Windows Package Manager Insiders.

     Experimental features are enabled in this release. The experimental feature for the winget download command is now supported and included in this release. You can now specify the package installer you want to download locally. Run winget features to see which experimental features are enabled or disabled. Add the following to your settings (winget settings) file to enable the experimental features such as WinGet download:

         "experimentalFeatures": {
             "dependencies": true,
             "directMSI": true,
             "configuration": true,
             "windowsFeature": true,
             "download": true
         },

     Windows Package Manager also includes Winget configuration, which automatically handles the setup and configuration requirements for an ideal development environment on your Windows machine. WinGet configuration file helps with installing and managing software packages, applications, programming languages, frameworks, tools, or settings necessary for a project. Check out our session at Microsoft Build to learn how to get your machine to a ready-to-code state.

     A prerelease version of the Microsoft.WinGet.Client PowerShell module has been published to the PowerShell Gallery and will no longer be included as a release asset. To install the latest version of the PowerShell module, run the following command in PowerShell 7+.

         Install-Module -Name Microsoft.WinGet.Client

     The PowerShell module requires App Installer (winget) to be installed. The Repair-WinGetPackageManager cmdlet (work in progress) is designed to install or repair App Installer.

     What's Changed
       • Create SUPPORT.md by @denelon in #3340
       • Update README.md by @denelon in #3341
       • Update README.md by @mdanish-kh in #3342
       • Fix for onboarding to GitOps.ResourceManagement by @Trenly in #3350
       • Onboarding to GitOps.ResourceManagement by @microsoft-github-policy-service in #3347
       • #2874: Fix for error git submodule status: fatal no submodule mapping… by @gigi81 in #3305
       • Move GitOps rules to their own files by @Trenly in #3352
       • Fix Component Governance alerts by @msftrubengu in #3355
       • Add Breaking-Change label to comment triggers by @Trenly in #3357
       • Respect Group Policies for sources by @florelis in #3367
       • Stub upgrade self by @msftrubengu in #3299
       • Refresh process path variable when installing package dependencies by @ryfu-msft in #3296
       • Network troubleshooting by @denelon in #3389
       • Microsoft.WinGet.Configuration samples by @msftrubengu in #3369
       • Support for out of process configuration clients by @JohnMcPMS in #3363
       • Force close sandbox server upon timeout by @yao-msft in #3392
       • Relax InstallationNotes max length by @yao-msft in #3397
       • Fix wingetutil nuget publish pipeline by @yao-msft in #3396
       • Improve packaged test log collection and fix crash by @JohnMcPMS in #3395
       • Do not attempt post install ARP correlation if PackageFamilyName is provided and present for the user by @JohnMcPMS in #3391
       • Support winget installing AppInstaller by @msftrubengu in #3377
       • configure test command "implemented" by @JohnMcPMS in #3414
       • Disable RTTI by @JohnMcPMS in #3422
       • Explicitly close file stream on FileLogger destruction by @yao-msft in #3424
       • Add configuration binaries to binskim scan and fix issues by @yao-msft in #3426
       • Build fixes by @msftrubengu in #3433
       • Fix using expired cert in tests by @msftrubengu in #3435
       • Repair-WinGetPackageManager improvements by @msftrubengu in #3423
       • Download command by @ryfu-msft in #3376
       • Add initial version of yaml manifest 1.6 by @yao-msft in #3449
       • Configure validate command by @JohnMcPMS in #3441
       • Add missing definitions to release builds by @msftrubengu in #3450
       • Populate missing ManifestVersion for manifest from rest source and make PackageFamilyName and installer type manifest validation warning by @yao-msft in #3460
       • Add file logger to the statics object creation by @JohnMcPMS in #3451
       • Skip stub packages for msix installer validation by @yao-msft in #3468
       • Upgrade 1.6 schema to 2020-12 by @Trenly in #3478
       • Allow --include-unknown in list --upgrade-available by @florelis in #3473
       • Simplify creating local index by @msftrubengu in #3445
       • Move functions to cmdlets for Microsoft.WinGet.Client by @msftrubengu in #3469
       • Generate manifest for Winget Download by @ryfu-msft in #3448
       • Implement DownloadCommandProhibited by @yao-msft in #3487
       • Fix Component Governace issue with System.Security.Cryptography.Xml by @yao-msft in #3495
       • Revert "Down sampling (#2950)" by @JohnMcPMS in #3511
       • Move Microsoft.WinGet.Client E2E test to Pester framework by @msftrubengu in #3503
       • Don't copy processor's output binaries by @msftrubengu in #3526
       • Attempt to prevent crash in TelemetryTraceLogger::InitializeInternal() by @florelis in #3527

     New Contributors
       • @microsoft-github-policy-service made their first contribution in #3347
       • @gigi81 made their first contribution in #3305

     Full Changelog: v1.6.1573-preview...v1.6.2291-preview
  6. This release is the third stable release of Windows Package Manager 1.5 for Windows 10 (1809+) and Windows 11. This release contains a minor servicing fix to revert an issue with down sampling telemetry as well as populating the manifest version for rest source manifests. The Microsoft.WinGet.Client PowerShell module has been published to the PowerShell Gallery. Experimental features have been disabled in this release. We will follow this release with another preview release build at GitHub so users can continue with experimental features available.

     What's Changed
       • Revert "Down sampling (#2950)" by @JohnMcPMS in #3511
       • Populate missing ManifestVersion for manifest from rest source and ma… by @yao-msft in #3474

     Full Changelog: release-v1.5.1881...release-v1.5.2201
  7. Please see the file NEWS for a detailed list of changes. Note: all versions are functionally equivalent, i.e. each version can handle all executable formats, so you only need the file that runs on your host OS. Security/VirusTotal links are listed in the pinned issue #437.

     Asset / File (Description / Host OS)
       • upx-4.1.0-amd64_linux.tar.xz (UPX - Linux version)
       • upx-4.1.0-arm64_linux.tar.xz (UPX - Linux version)
       • upx-4.1.0-armeb_linux.tar.xz (UPX - Linux version)
       • upx-4.1.0-arm_linux.tar.xz (UPX - Linux version)
       • upx-4.1.0-dos.zip (UPX - DOS version)
       • upx-4.1.0-i386_linux.tar.xz (UPX - Linux version)
       • upx-4.1.0-mipsel_linux.tar.xz (UPX - Linux version)
       • upx-4.1.0-mips_linux.tar.xz (UPX - Linux version)
       • upx-4.1.0-powerpc64le_linux.tar.xz (UPX - Linux version)
       • upx-4.1.0-powerpc_linux.tar.xz (UPX - Linux version)
       • upx-4.1.0-src.tar.xz (UPX - source code tarball)
       • upx-4.1.0-win32.zip (UPX - X86 Win32 version)
       • upx-4.1.0-win64.zip (UPX - X64 Win64 version)
  8. please refer to the Changelog
  9. ILSpy 8.x is based on .NET 6.0 compared to .NET Framework 4.7.2 for the previous generations of ILSpy. All artifacts except the self-contained distribution are built framework-dependent, which means .NET 6.0.2 must be installed prior to starting ILSpy.

     New Language Features
       • C# 11 checked operators
       • C# 11 unsigned right shift operator
       • C# 11 UTF8 string literals
       • C# 11 numeric IntPtr
       • C# 11 ref fields and scoped
       • mcs 2.6.4 pinned regions
       • Updated pattern-detection for Roslyn 4.6.0

     Contributions
       • Copy clipboard with full syntax-highlighting (#3045 by @ltrzesniewski)
       • Fix sequence-points on expression-bodied members (#3032 by @KirillOsenkov)
       • Fix annotations on nested type references (#3030 by @ltrzesniewski)
       • Add clipboard-related context menu to resources tables (#3024 by @miloush)
       • Fix decompilation of record with missing base type (#3021 by @andrewcrawley)
       • Add support for mcs 2.6.4 pinned regions (#3015 by @ElektroKill)
       • Improvements in CustomDebugInformation metadata table (#2799 by @fowl2)
       • Fix ArgumentOutOfRangeException on unexpected file in GAC (#2960 by @ificator)
       • Support for compound-assignments on pointers (by @ElektroKill)
       • Added a search box for resource tables (by @miloush)

     Enhancements
       • Default update check for dotnet tool ilspycmd (#3035). Use --disable-updatecheck in automation scenarios.
       • VS 2022 extension ships with both x64 and ARM64 binaries (#3009)
       • Added ARM64 binaries and ARM64 installer downloads
       • WholeProjectDecompiler: Improve resources -> resx conversion
       • Improve decompilation of compound-assignments involving local variables
       • Refactor ILReader to support re-imports of basic blocks (#901)

     Bug fixes
       • #2891: Populate framework_dirs with the correct values depending on the current host runtime.
       • And many other fixes; for a full list, click here.
  10. Far too many small improvements across the last 3 years to list! Thanks to all contributors! As with previous releases, unfortunately, the automatically generated .zip and .tar.gz files that GitHub generates don't include sub-modules. So please use the edb-debugger-1.4.0.tgz tarball that I've attached, which should have included all submodules needed for compilation.
  11. Official GNU Binutils 2.41 release
  12. Release 0.60.1
  13. Release 0.60.0
  14. Please see the file CHANGELOG for a detailed list of changes.

     Asset / File (Description / Host OS)
       • die_sourcecode_3.08.tar.gz (Source code tarball)
       • Detect_It_Easy-3.08-x86_64.AppImage (Portable version for Linux)
       • die_3.08_Debian_10_amd64.deb (Installer for Debian 10)
       • die_3.08_Debian_11_amd64.deb (Installer for Debian 11)
       • die_3.08_Debian_12_amd64.deb (Installer for Debian 12)
       • die_3.08_Ubuntu_14.04_amd64.deb (Installer for Ubuntu 14.04)
       • die_3.08_Ubuntu_16.04_amd64.deb (Installer for Ubuntu 16.04)
       • die_3.08_Ubuntu_18.04_amd64.deb (Installer for Ubuntu 18.04)
       • die_3.08_Ubuntu_20.04_amd64.deb (Installer for Ubuntu 20.04)
       • die_3.08_Ubuntu_22.04_amd64.deb (Installer for Ubuntu 22.04)
       • die_3.08_Ubuntu_22.10_amd64.deb (Installer for Ubuntu 22.10)
       • die_3.08_Ubuntu_23.04_amd64.deb (Installer for Ubuntu 23.04)
       • die_3.08_portable_Ubuntu_20.04_amd64.tar.gz (Portable version for Ubuntu 20.04)
       • detect-it-easy-3.08-1-x86_64.pkg.tar.zst (Installer for Arch Linux)
       • die_mac_3.08_x86_64.pkg (Installer for macOS)
       • die_mac_qt6_3.08_arm64.pkg (Installer for macOS Qt6 M1 processor)
       • die_mac_portable_3.08_x86_64.zip (Portable version for macOS)
       • die_win32_portable_3.08_x86.zip (Portable version for x86 Win32 (Win7-Win11))
       • die_win64_portable_3.08_x64.zip (Portable version for x64 Win64 (Win7-Win11))
       • die_winxp_portable_3.08_x86.zip (Portable version for Windows XP (WinXP-Win11))

     Experimental versions - There may be bugs in the GUI
     Asset / File (Description / Host OS)
       • die_win64_qt6_portable_3.08_x64.zip (Portable version for x64 Win64 Qt6 (Win10-Win11))
  15. v6.0.0

     capa v6.0 brings many bug fixes and quality improvements, including 64 rule updates and 26 new rules. We're now publishing to PyPI via Trusted Publishing and have migrated to using a pyproject.toml file. @Aayush-Goel-04 contributed a lot of new code across many files, so please welcome them to the project, along with @anders-v @crowface28 @dkelly2e @RonnieSalomonsen and @ejfocampo as first-time rule contributors! For those that use capa as a library, we've introduced some limited breaking changes that better represent data types (versus less-structured data like dictionaries and strings). With the recent deprecation, we've also dropped support for Python 3.7.

     New Features
       • add script to detect feature overlap between new and existing capa rules #1451 @Aayush-Goel-04
       • extract forwarded exports from PE files #1624 @williballenthin
       • extract function and API names from ELF symtab entries @yelhamer mandiant/capa-rules#736
       • use fancy box drawing characters for default output #1586 @williballenthin

     Breaking Changes
       • use a class to represent Metadata (not dict) #1411 @Aayush-Goel-04 @manasghandat
       • use pathlib.Path to represent file paths #1534 @Aayush-Goel-04
       • Python 3.8 is now the minimum supported Python version #1578 @williballenthin
       • Require a Contributor License Agreement (CLA) for PRs going forward #1642 @williballenthin

     New Rules (26)
       • load-code/shellcode/execute-shellcode-via-windows-callback-function ervin.ocampo@mandiant.com jakub.jozwiak@mandiant.com
       • nursery/execute-shellcode-via-indirect-call ronnie.salomonsen@mandiant.com
       • data-manipulation/encryption/aes/encrypt-data-using-aes-mixcolumns-step @mr-tz
       • linking/static/aplib/linked-against-aplib still@teamt5.org
       • communication/mailslot/read-from-mailslot nick.simonian@mandiant.com
       • nursery/hash-data-using-sha512managed-in-dotnet jonathanlepore@google.com
       • nursery/compiled-with-exescript jonathanlepore@google.com
       • nursery/check-for-sandbox-via-mac-address-ouis-in-dotnet jonathanlepore@google.com
       • host-interaction/hardware/enumerate-devices-by-category @mr-tz
       • host-interaction/service/continue-service @mr-tz
       • host-interaction/service/pause-service @mr-tz
       • persistence/exchange/act-as-exchange-transport-agent jakub.jozwiak@mandiant.com
       • host-interaction/file-system/create-virtual-file-system-in-dotnet jakub.jozwiak@mandiant.com
       • compiler/cx_freeze/compiled-with-cx_freeze @mr-tz jakub.jozwiak@mandiant.com
       • communication/socket/create-vmci-socket jakub.jozwiak@mandiant.com
       • persistence/office/act-as-excel-xll-add-in jakub.jozwiak@mandiant.com
       • persistence/office/act-as-office-com-add-in jakub.jozwiak@mandiant.com
       • persistence/office/act-as-word-wll-add-in jakub.jozwiak@mandiant.com
       • anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger michael.hunhoff@mandiant.com jakub.jozwiak@mandiant.com
       • host-interaction/memory/create-new-application-domain-in-dotnet jakub.jozwiak@mandiant.com
       • host-interaction/gui/switch-active-desktop jakub.jozwiak@mandiant.com
       • host-interaction/service/query-service-configuration @mr-tz
       • anti-analysis/anti-av/patch-event-tracing-for-windows-function jakub.jozwiak@mandiant.com
       • data-manipulation/encoding/xor/covertly-decode-and-write-data-to-windows-directory-using-indirect-calls dan.kelly@mandiant.com
       • linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash jakub.jozwiak@mandiant.com

     Bug Fixes
       • extractor: add a Binary Ninja test that asserts its version #1487 @xusheng6
       • extractor: update Binary Ninja stack string detection after the new constant outlining feature #1473 @xusheng6
       • extractor: update vivisect Arch extraction #1334 @mr-tz
       • extractor: avoid Binary Ninja exception when analyzing certain files #1441 @xusheng6
       • symtab: fix struct.unpack() format for 64-bit ELF files @yelhamer
       • symtab: safeguard against ZeroDivisionError for files containing a symtab with a null entry size @yelhamer
       • improve ELF strtab and needed parsing @mr-tz
       • better handle exceptional cases when parsing ELF files #1458 @Aayush-Goel-04
       • improved testing coverage for Binary Ninja backend #1446 @Aayush-Goel-04
       • add logging and print redirect to tqdm for capa main #749 @Aayush-Goel-04
       • extractor: fix binja installation path detection does not work with Python 3.11
       • tests: refine the IDA test runner script #1513 @williballenthin
       • output: don't leave behind traces of progress bar @williballenthin
       • import-to-ida: fix bug introduced with JSON report changes in v5 #1584 @williballenthin
       • main: don't show spinner when emitting debug messages #1636 @williballenthin

     capa explorer IDA Pro plugin

     Development
       • update ATT&CK/MBC data for linting #1568 @mr-tz
       • log time taken to analyze each function #1290 @williballenthin
       • tests: make fixture available via conftest.py #1592 @williballenthin
       • publish via PyPI trusted publishing #1491 @williballenthin
       • migrate to pyproject.toml #1301 @williballenthin
       • use pre-commit to invoke linters #1579 @williballenthin

     Raw diffs: capa v5.1.0...v6.0.0, capa-rules v5.1.0...v6.0.0
  16. Merge pull request #1651 from mandiant/williballenthin-patch-1 v6.0.0a3
  17. Merge pull request #1650 from mandiant/williballenthin-patch-1 v6.0.0a2
  19. submodules: Bump outdated
  20. What's New · Change History · Installation Guide · SHA-256: a658677a87d0be12ab65bd7962f471875b81a2dd2ea35d69cc3201555ca1bd6f
  21. submodules: Bump outdated
  22. This release is the second stable release of Windows Package Manager 1.5 for Windows 10 (1809+) and Windows 11. This release contains a minor servicing fix to improve the ARP correlation experience as well as increasing the maximum length of the installation notes. The Microsoft.WinGet.Client PowerShell module has been published to the PowerShell Gallery. Experimental features have been disabled in this release. We will follow this release with another preview release build at GitHub so users can continue with experimental features available.

     What's Changed
       • Do not attempt post install ARP correlation if PackageFamilyName is provided and present for the user by @JohnMcPMS in #3391
       • Relax InstallationNotes max length by @yao-msft in #3397

     Full Changelog: release-v1.5.1572...release-v1.5.1881
  23. See https://frida.re/news/ for details.
  24. submodules: Bump outdated