
MBot

Members
  • Posts: 700
  • Joined:
  • Last visited: Never
  • Days won: 1

Everything MBot posted

  1. submodules: Bump outdated
  2. Changelog: 2023.04 - Worst Dependent

     Highlights of Worst Dependent

     The update includes various changes to the installation script, bug fixes, updates to documentation, and improvements to the search-pattern command. Some changes involve updating the GH Action runners, ARM improvement (fixing CPSR and pointer size calculation) and Safe-Linking support (for GLibc >= 2.32 compat). Code stability has been improved with an increased coverage check through tests. Last, more documentation was added, making it more accessible and easily searchable.

     Contributors (author, number of commits)
       • hugsy 85
       • Dreg 6
       • clubby789 4
       • Grazfather 2
       • theguy147 2
       • Ananthu 1
       • Boris-Chengbiao Zhou 1
       • D4nnyLee 1
       • Jonathan Salwan 1
       • lain3d 1
       • liona24 1
       • Roderick 1
       • Tramadol 1
       • Wadim Mueller 1
       • Zhi-Qiang Zhou 1

     Closed Issues
     19 issues closed (943 • 937 • 935 • 930 • 929 • 928 • 927 • 925 • 923 • 922 • 921 • 920 • 919 • 916 • 915 • 913 • 911 • 910 • 909)

     Closed Pull Requests
     11 PRs closed (945 • 942 • 941 • 938 • 936 • 932 • 931 • 918 • 917 • 914 • 912)

     Commit details
     109 commits since 2022.06

     Commit log
       • 2022-06-27 b2458d6 • hugsy • Update gef-extras.sh installation script
       • 2022-06-27 2b72f5d • hugsy • Quick fix on __load_time_ms since Py3.6 doesn't have perf_counter_ns
       • 2022-06-27 885d71a • hugsy • [CI] Added Ubuntu-22.02 to GH Action runners
       • 2022-06-28 290a984 • hugsy • Fix AARCH64 CPSR and pointer size calculation (#855)
       • 2022-06-28 dbcd859 • hugsy • Update PULL_REQUEST_TEMPLATE.md
       • 2022-06-28 091e298 • hugsy • [pattern-search] Make sure pattern is correctly built (#858)
       • 2022-07-02 35c115a • Dreg • --regex support for search-pattern command (#860)
       • 2022-07-02 366237c • Dreg • Slightly improve the code of search-pattern (#862)
       • 2022-07-02 c2f87d9 • hugsy • [CI] Adds utils.find_symbol to cleanly find PIE symbols
       • 2022-07-02 7c0a1ee • hugsy • Merge branch 'dev' of github.com:hugsy/gef into dev
       • 2022-07-02 08c06b8 • Dreg • Add a maximum size for preview to print-format config settings (#863)
       • 2022-07-02 e422530 • hugsy • Move syscall-args and is-syscall to gef-extras (#861)
       • 2022-07-02 f54a622 • Dreg • missed return init SearchPatternCommand (#864)
       • 2022-07-04 17fa7f9 • hugsy • Fixed TinyUrl links to point to main, not master (#868)
       • 2022-07-04 1499023 • hugsy • Added callback to register_external_content_pane to conditionally display pane (#866)
       • 2022-07-05 819917d • Dreg • Set main as the default branch for gef-extras / gef scripts for users (#870)
       • 2022-07-05 c530aa5 • Dreg • Add a proper argument parsing to gef-extras.sh (#872)
       • 2022-07-09 e545378 • hugsy • Use templated YAML files for Github Issues (#875)
       • 2022-07-09 ad1bfaf • hugsy • Glibc* class now rely on ctypes.Structure (#869)
       • 2022-07-09 01da142 • lain3d • Fix ptrsize for ARM to not return 2 ever (#876)
       • 2022-07-09 4d4e801 • Wadim Mueller • Riscv/ble (#874)
       • 2022-07-10 2e0115d • hugsy • Doc update
       • 2022-08-09 2830670 • crazy hugsy • Moved GEF_DEFAULT_BRANCH to the top of the script so the value is know when update_gef is taken
       • 2022-09-05 41d2700 • crazy hugsy • Update bug_report.yaml
       • 2022-09-05 942f6b9 • crazy hugsy • Update bug_report.yaml
       • 2022-09-05 ed070ce • crazy hugsy • Update bug_report.yaml
       • 2022-09-05 bc419e4 • crazy hugsy • Update bug_report.yaml
       • 2022-09-05 4afae16 • crazy hugsy • Update bug_report.yaml
       • 2022-09-12 237760d • Grazfather • Remove deprecated use of checksec() (#888)
       • 2022-09-20 2a4afa7 • D4nnyLee • Fix typo in docs/functions/base.md (#893)
       • 2022-09-20 8406460 • crazy hugsy • Update gef-remote.md
       • 2022-09-29 2b52a43 • Roderick • get pty by tmux command and close pane when gdb exit (#881)
       • 2022-10-02 1f49f8a • crazy hugsy • explicitly forcing args : argparse.Namespace as a result of parse_arguments (#856)
       • 2022-10-10 3f3151c • crazy hugsy • Update utils.py
       • 2022-10-10 6f7b11a • crazy hugsy • Update run-tests.yml
       • 2022-10-11 f2050af • liona24 • Explicitly close the remote session (#896)
       • 2022-10-12 33fe436 • crazy hugsy • print warning messages when using target remote with gef (#899)
       • 2022-10-12 1fd0f34 • crazy hugsy • Remove the Makefile in the root folder (#898)
       • 2022-10-12 b54508a • crazy hugsy • [docs] fixed bad python version for coverage docs
       • 2022-10-12 c3dbbe7 • crazy hugsy • [docs] added install directive for coverage
       • 2022-10-12 dd7f881 • crazy hugsy • [docs] coverage actions: missing packages
       • 2022-10-12 a759262 • crazy hugsy • [docs] adding link to coverage in docs navbar
       • 2022-10-12 3af8221 • crazy hugsy • [ci] Adding a new test to validate new code is tested
       • 2022-10-12 5faeed2 • crazy hugsy • [ci] Adding a new test to validate new code is tested
       • 2022-10-12 ed9c01e • crazy hugsy • [ci] better bash
       • 2022-10-12 26083dd • crazy hugsy • [ci] removing deprecated runner ubuntu-18.04
       • 2022-10-13 e9f3351 • Zhi-Qiang Zhou • Fix Safe-Linking (GLIBC >= 2.32) and malloc_state struct (#878)
       • 2022-10-13 0b17993 • hugsy • [ci] increased coverage result precision
       • 2022-10-21 a36ffbe • clubby789 • Fix filesystem paths for debugging process in containers (#897)
       • 2022-10-21 e48e2f3 • hugsy • [ci] upgrade some actions, removed set-output directives
       • 2022-10-22 be82d55 • crazy hugsy • [ci] dummy typo
       • 2022-10-22 850a45d • crazy hugsy • [CI] Fixed incorrect coverage check
       • 2022-10-25 9edd73e • crazy hugsy • Update index.md
       • 2022-11-07 50e54e0 • crazy hugsy • [ci] restored pytest-forked in requirements for tests, removed old style envvar
       • 2022-11-07 a1b4f00 • crazy hugsy • [ci] added a margin for the coverage reduction test
       • 2022-11-07 65eece7 • Grazfather • reset_architecture: Return after setting arch to a specified arch (#914)
       • 2022-11-07 b52b758 • Ananthu • Added support for GDBHISTFILE env variable (#912)
       • 2022-11-07 c05d62a • Boris-Chengbiao Zhou • Fix test command in documentation (#908)
       • 2022-11-07 ea8273b • Jonathan Salwan • Fix shell-storm new API (#902)
       • 2022-11-07 ec83f44 • crazy hugsy • fixed error from #902
       • 2022-11-07 1bf74a8 • crazy hugsy • [CI] Refusing anything below 70% of coverage
       • 2022-11-11 8713e3f • hugsy • Merge branch 'dev' of github.com:hugsy/gef into dev
       • 2022-11-11 af63b4d • hugsy • rewrite: generate settings documentation
       • 2022-11-12 75c76fe • clubby789 • Add option to disable buffering (#917)
       • 2022-11-17 63ac481 • clubby789 • Determine the actual canary location (#918)
       • 2022-11-17 05b17d0 • crazy hugsy • [ci] add delay to gdbserver_session
       • 2022-11-17 4e89034 • hugsy • [ci] increased delay to appease GHActions gods
       • 2022-11-22 d1833d3 • clubby789 • Fix searching when connected to qemu-system instance (#906)
       • 2023-01-02 174830a • crazy hugsy • Fixed doc wording
       • 2023-03-12 9590305 • crazy hugsy • Don't error out if disassembling previous instructions fails (#931)
       • 2023-03-19 8e3eba8 • theguy147 • fix: make sure that heap_addr is aligned (#936)
       • 2023-03-21 0cf291d • theguy147 • fix: add capability to glibc heap commands for bruteforcing the main_arena (#932)
       • 2023-04-04 0f477e7 • Tramadol • Add backwards memory examination for the dereference command (#942)
       • 2023-04-15 9848239 • crazy hugsy • Minor typo in docs/generate-settings-docs.sh
       • 2023-04-16 b1a1b2a • crazy hugsy • [CI] Make coverage generate pull request comment instead of blocking validation (#938)
       • 2023-04-16 18e2c9c • hugsy • [docs] better formatting for settings page
       • 2023-04-16 5040cbe • hugsy • [scripts] add an explicit error message on failures in new-release

     File diff
       .github/ISSUE_TEMPLATE/bug_report.md | 64 -
       .github/ISSUE_TEMPLATE/bug_report.yaml | 90 +
       .github/ISSUE_TEMPLATE/feature_request.md | 21 -
       .github/ISSUE_TEMPLATE/feature_request.yaml | 50 +
       .github/PULL_REQUEST_TEMPLATE.md | 26 +-
       .github/workflows/coverage.yml | 50 +
       .github/workflows/generate-docs.yml | 10 +-
       .github/workflows/run-tests.yml | 37 +-
       Makefile | 42 -
       README.md | 4 +-
       docs/api/gef.md | 22909 --------------------------
       docs/commands/aliases.md | 2 +-
       docs/commands/aslr.md | 2 +-
       docs/commands/canary.md | 2 +-
       docs/commands/checksec.md | 2 +-
       docs/commands/config.md | 2 +-
       docs/commands/context.md | 2 +-
       docs/commands/dereference.md | 15 +-
       docs/commands/edit-flags.md | 2 +-
       docs/commands/elf-info.md | 2 +-
       docs/commands/entry-break.md | 2 +-
       docs/commands/eval.md | 2 +-
       docs/commands/format-string-helper.md | 2 +-
       docs/commands/functions.md | 2 +-
       docs/commands/gef-remote.md | 2 +-
       docs/commands/gef.md | 2 +-
       docs/commands/got.md | 6 +-
       docs/commands/heap-analysis-helper.md | 2 +-
       docs/commands/heap.md | 24 +-
       docs/commands/help.md | 2 +-
       docs/commands/hexdump.md | 2 +-
       docs/commands/highlight.md | 2 +-
       docs/commands/hijack-fd.md | 2 +-
       docs/commands/is-syscall.md | 18 -
       docs/commands/ksymaddr.md | 2 +-
       docs/commands/memory.md | 2 +-
       docs/commands/name-break.md | 2 +-
       docs/commands/nop.md | 2 +-
       docs/commands/patch.md | 2 +-
       docs/commands/pattern.md | 6 +-
       docs/commands/pcustom.md | 2 +-
       docs/commands/pie.md | 2 +-
       docs/commands/print-format.md | 2 +-
       docs/commands/process-search.md | 2 +-
       docs/commands/process-status.md | 2 +-
       docs/commands/registers.md | 2 +-
       docs/commands/reset-cache.md | 2 +-
       docs/commands/scan.md | 2 +-
       docs/commands/search-pattern.md | 11 +-
       docs/commands/shellcode.md | 2 +-
       docs/commands/stub.md | 2 +-
       docs/commands/syscall-args.md | 49 -
       docs/commands/theme.md | 2 +-
       docs/commands/tmux-setup.md | 2 +-
       docs/commands/trace-run.md | 2 +-
       docs/commands/version.md | 2 +-
       docs/commands/vmmap.md | 2 +-
       docs/commands/xfiles.md | 2 +-
       docs/commands/xinfo.md | 2 +-
       docs/commands/xor-memory.md | 2 +-
       docs/deprecated.md | 2 +
       docs/faq.md | 8 +
       docs/functions/base.md | 2 +-
       docs/index.md | 6 +-
       docs/install.md | 6 +-
       docs/testing.md | 29 +-
       gef.py | 1573 +-
       mkdocs.yml | 3 +-
       scripts/gef-extras.sh | 35 +-
       scripts/generate-coverage-docs.sh | 24 +
       scripts/generate-settings-docs.sh | 40 +
       scripts/new-release.py | 21 +-
       tests/api/gef_disasemble.py | 30 +
       tests/api/gef_session.py | 40 +-
       tests/api/misc.py | 12 +
       tests/binaries/mmap-known-address.c | 50 +
       tests/binaries/set-permission.c | 34 -
       tests/binaries/syscall-args.c | 50 -
       tests/commands/canary.py | 15 +-
       tests/commands/dereference.py | 46 +
       tests/commands/gef.py | 5 +-
       tests/commands/heap.py | 29 +-
       tests/commands/nop.py | 13 +-
       tests/commands/pattern.py | 37 +-
       tests/commands/pie.py | 16 +-
       tests/commands/search_pattern.py | 15 +-
       tests/commands/syscall_args.py | 89 -
       pytest.ini => tests/pytest.ini | 5 +-
       tests/regressions/gdbserver_connection.py | 15 +
       tests/requirements.txt | 2 +
       tests/utils.py | 44 +-
       91 files changed, 1663 insertions(+), 24149 deletions(-)
  3. submodules: Bump outdated
  4. v1.17.11043.0 - WPF NuGet Only
  5. submodules: Bump outdated
  6. capa version 5.1.0 adds a Protocol Buffers (protobuf) format for result documents. Additionally, the Vector35 team contributed a new feature extractor using Binary Ninja. Other new features are a new CLI flag to override the detected operating system, functionality to read and render existing result documents, and an output color format that's easier to read. Over 25 capa rules have been added and improved.

     Thanks for all the support, especially to @xusheng6, @captainGeech42, @ggold7046, @manasghandat, @ooprathamm, @linpeiyu164, @yelhamer, @HongThatCong, @naikordian, @stevemk14ebr, @emtuls, @raymondlleong, @bkojusner, @joren485, and everyone else who submitted bugs and provided feedback!

     New Features
       • add protobuf format for result documents #1219 @williballenthin @mr-tz
       • extractor: add Binary Ninja feature extractor @xusheng6
       • new cli flag --os to override auto-detected operating system for a sample @captainGeech42
       • change colour/highlight to "cyan" instead of "blue" for better readability #1384 @ggold7046
       • add new format to parse output json back to capa #1396 @ooprathamm
       • parse ELF symbols' names to guess OS #1403 @yelhamer

     New Rules (26) (rule, author)
       • persistence/scheduled-tasks/schedule-task-via-at (joren485)
       • data-manipulation/prng/generate-random-numbers-via-rtlgenrandom (william.ballenthin@mandiant.com)
       • communication/ip/convert-ip-address-from-string (@mr-tz)
       • data-manipulation/compression/compress-data-via-zlib-inflate-or-deflate (blas.kojusner@mandiant.com)
       • executable/installer/dotnet/packaged-as-single-file-dotnet-application (michael.hunhoff@mandiant.com)
       • communication/socket/create-raw-socket (blas.kojusner@mandiant.com)
       • communication/http/reference-http-user-agent-string (@mr-tz)
       • communication/http/get-http-content-length (william.ballenthin@mandiant.com)
       • nursery/move-directory (michael.hunhoff@mandiant.com)
       • nursery/get-http-request-uri (william.ballenthin@mandiant.com)
       • nursery/create-zip-archive-in-dotnet (michael.hunhoff@mandiant.com)
       • nursery/extract-zip-archive-in-dotnet (anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com)
       • data-manipulation/encryption/tea/decrypt-data-using-tea (william.ballenthin@mandiant.com, raymond.leong@mandiant.com)
       • data-manipulation/encryption/tea/encrypt-data-using-tea (william.ballenthin@mandiant.com, raymond.leong@mandiant.com)
       • data-manipulation/encryption/xtea/encrypt-data-using-xtea (raymond.leong@mandiant.com)
       • data-manipulation/encryption/xxtea/encrypt-data-using-xxtea (raymond.leong@mandiant.com)
       • nursery/hash-data-using-ripemd128 (raymond.leong@mandiant.com)
       • nursery/hash-data-using-ripemd256 (raymond.leong@mandiant.com)
       • nursery/hash-data-using-ripemd320 (raymond.leong@mandiant.com)
       • nursery/set-web-proxy-in-dotnet (michael.hunhoff@mandiant.com)
       • nursery/check-for-windows-sandbox-via-subdirectory (echernofsky@google.com)
       • nursery/enumerate-pe-sections-in-dotnet (@mr-tz)
       • nursery/destroy-software-breakpoint-capability (echernofsky@google.com)
       • nursery/send-data-to-internet (michael.hunhoff@mandiant.com)
       • nursery/compiled-with-cx_freeze (@mr-tz)
       • nursery/contain-a-thread-local-storage-tls-section-in-dotnet (michael.hunhoff@mandiant.com)

     Bug Fixes
       • extractor: removed '.dynsym' as the library name for ELF imports #1318 @stevemk14ebr
       • extractor: fix vivisect loop detection corner case #1310 @mr-tz
       • match: extend OS characteristic to match OS_ANY to all supported OSes #1324 @mike-hunhoff
       • extractor: fix IDA and vivisect string and bytes features overlap and tests #1327 #1336 @xusheng6

     capa explorer IDA Pro plugin
       • fix exception when plugin loaded in IDA hosted under idat #1341 @mike-hunhoff
       • improve embedded PE detection performance and reduce FP potential #1344 @mike-hunhoff

     Raw diffs
       • capa v5.0.0...v5.1.0
       • capa-rules v5.0.0...v5.1.0
  7. ILSpy 8 is based on .NET 6.0, compared to .NET Framework 4.7.2 for the previous generations of ILSpy. All artifacts except the self-contained distribution are built framework-dependent, which means .NET 6.0.2 must be installed prior to starting ILSpy.

     Contributions
       • More themes: Light/Dark are the original ones, R# & VS Code added (see #2906 and #2931 by @ltrzesniewski)
       • Improve selected text highlighting (see #2938 by @Konctantin)
       • Add support for record structs in CSharpAmbience (see #2911 by @ElektroKill)
       • Add support for Visual Basic Yield Return state machine decompilation (see #2874 by @ElektroKill)
       • Fix ResXResourceWriter support for MemoryStream resource element (see #2895 by @ElektroKill)
       • Use .interfaceimpl type syntax (see #2903 by @ltrzesniewski)
       • Fix empty parameter names in delegate declarations (see #2912 by @ElektroKill)
       • Support disassembling ReadyToRun binaries compiled using composite mode (see #2944 by @cshung)

     Enhancements
       • Move Settings to ILSpyX (see #2869)
       • Move all code related to single instance logic to separate class (see #2871)

     Bug fixes
       • Fix #2933: TwoLetterISOLanguageName is insufficient for loading localized documentation.
       • Fix #2915: inassembly search filter is case sensitive and automatically suggests the wrong term
       • Fix #2922: System.ArgumentOutOfRangeException when decompiling a function

     And many other fixes; for a full list click here.
  8. What's Changed
       • GitHub Actions by @mrexodia @Mattiwatti in #133
       • add Process Monitor to blacklisted processes by @rise-worlds in #142
       • Add compatibility for VMProtect 3.6+ by @heck-gd in #148

     New Contributors
       • @rise-worlds made their first contribution in #142
       • @heck-gd made their first contribution in #148

     Full Changelog: snapshot-2021-08-23_13-27-50...v1.4
  9. please refer to the Changelog

     WARNING: The release will be live within an hour!

     UPDATE!! The official release has been postponed due to a DockerHub issue with GitHub SSH keys. See:
       • https://hub.docker.com/repository/registry-1.docker.io/intelowlproject/intelowl/builds/3273413b-2d06-4156-8123-0099cf28d6c2
       • https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
  10. Fix tests while building with Bazel.
  11. See https://frida.re/news/ for details.
  12. [0.4.0] - 06/03/2023

      Added
        • Upload sandbox memdumps and screenshots thumbnails to obj storage #398.
        • Upload sandbox desktop screenshots to obj storage #397.
        • Sandbox agent health check + basic sysinfo and env data collection #395.
        • Push sandbox payload results to the aggregator #391.
        • MultiAV McAfee enable scan for potentially unwanted program #387.
        • Numerous updates to support different types of messages for the aggregator #383.
        • Add methods for the storage internal pkg to support bucket creation.
        • Generate thumbnails for the sandbox screenshots and add health checks for VMs.
        • Remove cluster-autoscaler from helm chart.
        • Add documentation with the communication format used between services.
        • Agent: collect screenshots and memdumps #380.
        • Guess file extension and include PE signature #379.
        • Curate PE scan results #378.
        • Add inlets-operator and metallb charts #376. inlets-operator has been deleted later, and metallb is installed separately from the chart dependencies.
        • Add kube-prometheus-stack CRDs and experiment with k3s for local dev.
        • Add workflow_dispatch for helm-release and release services job.

      Changed
        • [helm] Remove elastic stack that was used for logging #404.
        • [helm] Do not include kube-prometheus-stack in main chart & remove elastic stack for logging #403.
        • Hosting documentation/blog website in cloudflare #402.
        • Set k8s version to the same as prod k8s version and update default user/password values in minio helm chart #392.
        • Change protobuf message scheme to support uploading object to s3 #383.
        • Bind k8s port forwarding services to 0.0.0.0.
        • Bump wait-for and golang docker images.
        • Bump yara, helm, kubernetes, exiftool, kind, kubens/kubectx and kube-capacity.
        • Bump aws-efs-csi-driver, ingress-nginx, couchbase-operator and minio helm chart dependencies.

      Fixed
        • Use wine + loadlibrary to make windows defender work again, thanks to prsyahmi #386.
        • MultiAV McAfee doesn't report other kinds of malware besides trojan, thanks to prsyahmi #387.
        • Do not set the file extension/format when it is not known #381.
        • MultiAV upgrade Avast to a newer major release.
  13. A hackable malware sandbox for the 21st Century
  14. please refer to the Changelog

      WARNING: The release will be live within an hour!
  15. GDB 13.1 Release.
  16. please refer to the Changelog
  17. See https://frida.re/news/ for details.
  18. please refer to the Changelog
  19. This is the second development build after the Windows Package Manager 1.4 build for Windows 10 (1809+) and Windows 11. This build will be released to Windows Insider Dev builds and Windows Package Manager Insiders.

      Experimental features are enabled in this release. The experimental feature for package pinning is now supported and included in this release. Run winget features to see which experimental features are enabled or disabled. Add the following to your settings (winget settings) file to enable the experimental features including package pinning:

        "experimentalFeatures": {
            "pinning": true,
            "dependencies": true,
            "directMSI": true,
            "uninstallPreviousArgument": true,
        },

      This release includes an early preview of our Microsoft.WinGet.Client PowerShell module. Improvements to the PowerShell module have been made in this release to enhance the output of the cmdlets. Information about getting started and usage can be found here.

      Features
        • Pin a package #476 by @florelis
        • Open log files or provide path as output #2355 by @Trenly
        • Show which admin setting has been enabled/disabled in confirmation string #2846 by @Trenly

      What's Changed
        • Make --Open-Logs Stable by @Trenly in #2841
        • Add --custom argument for passing additional installer arguments by @Trenly in #2832
        • Add database for tracking pins and base implementation for pin commands by @florelis in #2769
        • Show which admin setting has been enabled/disabled in confirmation string by @Trenly in #2846
        • Refactor some code into shared library by @JohnMcPMS in #2844
        • Add rest interface 1.4 to supported list by @yao-msft in #2853
        • Block msix provisioning api calls where known OS bugs exist by @yao-msft in #2855
        • Allow Version Listing through 'Winget Search' by @Trenly in #2847
        • Refactor arg validation by @florelis in #2862
        • Rename privacy.md to PRIVACY.md by @WilliamDavidHarrison in #2907
        • fix: remove extra space by @WilliamDavidHarrison in #2904
        • chore: remove blank line by @WilliamDavidHarrison in #2906
        • feat: update pr template by @WilliamDavidHarrison in #2905
        • feat(template): update title + desc for feature request by @WilliamDavidHarrison in #2915
        • feat(template): update title + desc for docs report by @WilliamDavidHarrison in #2914
        • feat(template): update title + desc for bug report by @WilliamDavidHarrison in #2913
        • Remove use of Invoke-Expression in test script by @florelis in #2921
        • Show Enabled Admin Settings in --info by @Trenly in #2901
        • Update zlib library in Pure project by @ryfu-msft in #2923
        • Fix GetFullNameFromFamilyName for non-elevated context by @yao-msft in #2922
        • Allow multiple apps in a single command by @florelis in #2861
        • Use C# wrapper objects for PowerShell cmdlet output by @ryfu-msft in #2871
        • Fix behavior for user settings scope preference/requirement for portable install by @ryfu-msft in #2918
        • Fix Summary telemetry event by @yao-msft in #2941
        • Implement package pinning by @florelis in #2813
        • Spec for package pinning by @yao-msft in #2611
        • Fix spelling from pinning spec by @yao-msft in #2946
        • Give admin access to temp folder by @yao-msft in #2945
        • Down sampling telemetry events by @yao-msft in #2950
        • Add support for elevation requirement in COM by @ryfu-msft in #2919

      New Contributors
        • @WilliamDavidHarrison made their first contribution in #2907

      Full Changelog: v1.5.101-preview...v1.5.441-preview
  20. submodules: Bump outdated
  21. This capa version comes with major improvements and additions to better handle .NET binaries. To showcase this we've updated and added over 30 .NET rules. Additionally, capa now caches its rule set for better performance. The capa explorer also caches its analysis results, so that multiple IDA Pro or plugin invocations don't need to repeat the same analysis. We have removed the SMDA backend and changed the program return codes to be positive numbers. Other improvements to highlight include better ELF OS detection, various rendering bug fixes, and enhancements to the feature extraction. We've also added support for Python 3.11.

      Thanks for all the support, especially to @jsoref, @bkojusner, @edeca, @richardweiss80, @joren485, @ryantxu1, @mwilliams31, @anushkavirgaonkar, @MalwareMechanic, @Still34, @dzbeck, @johnk3r, and everyone else who submitted bugs and provided feedback!

      New Features
        • verify rule metadata format on load #1160 @mr-tz
        • dotnet: emit property features #1168 @anushkavirgaonkar
        • dotnet: emit API features for objects created via the newobj instruction #1186 @mike-hunhoff
        • dotnet: emit API features for generic methods #1231 @mike-hunhoff
        • Python 3.11 support #1192 @williballenthin
        • dotnet: emit calls to/from MethodDef methods #1236 @mike-hunhoff
        • dotnet: emit namespace/class features for ldvirtftn/ldftn instructions #1241 @mike-hunhoff
        • dotnet: emit namespace/class features for type references #1242 @mike-hunhoff
        • dotnet: extract dotnet and pe format #1187 @mr-tz
        • don't render all library rule matches in vverbose output #1174 @mr-tz
        • cache the rule set across invocations for better performance #1212 @williballenthin
        • update ATT&CK/MBC data for linting #1297 @mr-tz

      Breaking Changes
        • remove SMDA backend #1062 @williballenthin
        • error return codes are now positive numbers #1269 @mr-tz

      New Rules (77) (rule, author)
        • collection/use-dotnet-library-sharpclipboard (@johnk3r)
        • data-manipulation/encryption/aes/use-dotnet-library-encryptdecryptutils (@johnk3r)
        • data-manipulation/json/use-dotnet-library-newtonsoftjson (@johnk3r)
        • data-manipulation/svg/use-dotnet-library-sharpvectors (@johnk3r)
        • executable/resource/embed-dependencies-as-resources-using-fodycostura (@johnk3r, @mr-tz)
        • communication/ftp/send/send-file-using-ftp (michael.hunhof@mandiant.com, anushka.virgaonkar@mandiant.com)
        • nursery/extract-zip-archive (anushka.virgaonkar@mandiant.com)
        • nursery/allocate-unmanaged-memory-in-dotnet (michael.hunhoff@mandiant.com)
        • nursery/check-file-extension-in-dotnet (michael.hunhoff@mandiant.com)
        • nursery/decode-data-using-base64-in-dotnet (michael.hunhoff@mandiant.com)
        • nursery/deserialize-json-in-dotnet (michael.hunhoff@mandiant.com)
        • nursery/find-data-using-regex-in-dotnet (michael.hunhoff@mandiant.com)
        • nursery/generate-random-filename-in-dotnet (michael.hunhoff@mandiant.com)
        • nursery/get-os-version-in-dotnet (michael.hunhoff@mandiant.com)
        • nursery/load-xml-in-dotnet (michael.hunhoff@mandiant.com)
        • nursery/manipulate-unmanaged-memory-in-dotnet (michael.hunhoff@mandiant.com)
        • nursery/save-image-in-dotnet (michael.hunhoff@mandiant.com)
        • nursery/send-email-in-dotnet (michael.hunhoff@mandiant.com)
        • nursery/serialize-json-in-dotnet (michael.hunhoff@mandiant.com)
        • nursery/set-http-user-agent-in-dotnet (michael.hunhoff@mandiant.com)
        • nursery/compile-csharp-in-dotnet (michael.hunhoff@mandiant.com)
        • nursery/compile-visual-basic-in-dotnet (michael.hunhoff@mandiant.com)
        • nursery/compress-data-using-gzip-in-dotnet (michael.hunhoff@mandiant.com)
        • nursery/execute-sqlite-statement-in-dotnet (michael.hunhoff@mandiant.com)
        • nursery/execute-via-asynchronous-task-in-dotnet (michael.hunhoff@mandiant.com)
        • nursery/execute-via-timer-in-dotnet (michael.hunhoff@mandiant.com)
        • nursery/execute-wmi-query-in-dotnet (michael.hunhoff@mandiant.com)
        • nursery/manipulate-network-credentials-in-dotnet (michael.hunhoff@mandiant.com)
        • nursery/encrypt-data-using-aes (william.ballenthin@mandiant.com, Ivan Kwiatkowski (@JusticeRage))
        • host-interaction/uac/bypass/bypass-uac-via-rpc (david.cannings@pwc.com, david@edeca.net)
        • nursery/check-for-vm-using-instruction-vpcext (richard.weiss@mandiant.com)
        • nursery/get-windows-directory-from-kuser_shared_data (david.cannings@pwc.com)
        • nursery/encrypt-data-using-openssl-dsa (Ana06)
        • nursery/encrypt-data-using-openssl-ecdsa (Ana06)
        • nursery/encrypt-data-using-openssl-rsa (Ana06)
        • runtime/dotnet/execute-via-dotnet-startup-hook (william.ballenthin@mandiant.com)
        • host-interaction/console/manipulate-console-buffer (william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com)
        • nursery/access-wmi-data-in-dotnet (michael.hunhoff@mandiant.com)
        • nursery/allocate-unmanaged-memory-via-dotnet (michael.hunhoff@mandiant.com)
        • nursery/generate-random-bytes-in-dotnet (michael.hunhoff@mandiant.com)
        • nursery/manipulate-console-window (michael.hunhoff@mandiant.com)
        • nursery/obfuscated-with-koivm (michael.hunhoff@mandiant.com)
        • nursery/implement-com-dll (moritz.raabe@mandiant.com)
        • nursery/linked-against-libsodium (@mr-tz)
        • compiler/nuitka/compiled-with-nuitka (@williballenthin)
        • nursery/authenticate-data-with-md5-mac (william.ballenthin@mandiant.com)
        • nursery/resolve-function-by-djb2-hash (still@teamt5.org)
        • host-interaction/mutex/create-semaphore-on-linux (@ramen0x3f)
        • host-interaction/mutex/lock-semaphore-on-linux (@ramen0x3f)
        • host-interaction/mutex/unlock-semaphore-on-linux (@ramen0x3f)
        • data-manipulation/hashing/sha384/hash-data-using-sha384 (william.ballenthin@mandiant.com)
        • data-manipulation/hashing/sha512/hash-data-using-sha512 (william.ballenthin@mandiant.com)
        • nursery/decode-data-using-url-encoding (michael.hunhoff@mandiant.com)
        • nursery/manipulate-user-privileges (michael.hunhoff@mandiant.com)
        • lib/get-os-version (@mr-tz)
        • nursery/decrypt-data-using-tea (william.ballenthin@mandiant.com)
        • nursery/encrypt-data-using-tea (william.ballenthin@mandiant.com)
        • nursery/hash-data-using-whirlpool (william.ballenthin@mandiant.com)
        • nursery/reference-base58-string (william.ballenthin@mandiant.com)
        • communication/mailslot/create-mailslot (william.ballenthin@mandiant.com)
        • executable/resource/access-dotnet-resource (@mr-tz)
        • linking/static/linked-against-cpp-standard-library (@mr-tz)
        • data-manipulation/compression/compress-data-using-lzo (david@edeca.net, david.cannings@pwc.com)
        • data-manipulation/compression/decompress-data-using-lzo (david@edeca.net, david.cannings@pwc.com)
        • communication/socket/tcp/create-tcp-socket-via-raw-afd-driver (william.ballenthin@mandiant.com)
        • host-interaction/process/map-section-object (william.ballenthin@mandiant.com)
        • lib/create-or-open-section-object (william.ballenthin@mandiant.com)
        • load-code/dotnet/execute-dotnet-assembly-via-clr-host (blas.kojusner@mandiant.com)
        • load-code/execute-vbscript-javascript-or-jscript-in-memory (blas.kojusner@mandiant.com)
        • host-interaction/file-system/reference-absolute-stream-path-on-windows (blas.kojusner@mandiant.com)
        • nursery/generate-method-via-reflection-in-dotnet (michael.hunhoff@mandiant.com)
        • nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet (michael.hunhoff@mandiant.com)

      Bug Fixes
        • render: convert feature attributes to aliased dictionary for vverbose #1152 @mike-hunhoff
        • decouple Token dependency / extractor and features #1139 @mr-tz
        • update pydantic model to guarantee type coercion #1176 @mike-hunhoff
        • do not overwrite version in version.py during PyInstaller build #1169 @mr-tz
        • render: fix vverbose rendering of offsets #1215 @williballenthin
        • elf: better detect OS via GLIBC ABI version needed and dependencies #1221 @williballenthin
        • dotnet: address unhandled exceptions with improved type checking #1230 @mike-hunhoff
        • fix import-to-ida script formatting #1208 @williballenthin
        • render: fix verbose rendering of scopes #1263 @williballenthin
        • rules: better detect invalid rules #1282 @williballenthin
        • show-features: better render strings with embedded whitespace #1267 @williballenthin
        • handle vivisect bug around strings at instruction level, use min length 4 #1271 @williballenthin @mr-tz
        • extractor: guard against invalid "calls from" features #1177 @mr-tz
        • extractor: add format to global features #1258 @mr-tz
        • extractor: discover all strings with length >= 4 #1280 @mr-tz
        • extractor: don't extract byte features for strings #1293 @mr-tz

      capa explorer IDA Pro plugin
        • fix: display instruction items #1154 @mr-tz
        • fix: accept only plaintext pasted content #1194 @williballenthin
        • fix: UnboundLocalError #1217 @williballenthin
        • extractor: add support for COFF files and extern functions #1223 @mike-hunhoff
        • doc: improve error messaging and documentation related to capa rule set #1249 @mike-hunhoff
        • fix: assume 32-bit displacement for offsets #1250 @mike-hunhoff
        • generator: refactor caching and matching #1251 @mike-hunhoff
        • fix: improve exception handling to prevent IDA from locking up when errors occur #1262 @mike-hunhoff
        • verify rule metadata using Pydantic #1167 @mr-tz
        • extractor: make read consistent with file object behavior #1254 @mr-tz
        • fix: UnboundLocalError x2 #1302 @mike-hunhoff
        • cache capa results across IDA sessions #1279 @mr-tz

      Raw diffs
        • capa v4.0.1...v5.0.0
        • capa-rules v4.0.1...v5.0.0
  22. GP-0 10.2.3 Change History
  23. Please see the file NEWS for a detailed list of changes.

      Note: all versions are functionally equivalent, i.e. each version can handle all executable formats, so you only need the file that runs on your host OS.

      Security/VirusTotal links are listed in the pinned issue #437.

      Asset / File | Description / Host OS
        • upx-4.0.2-amd64_linux.tar.xz | UPX - Linux version
        • upx-4.0.2-arm64_linux.tar.xz | UPX - Linux version
        • upx-4.0.2-armeb_linux.tar.xz | UPX - Linux version
        • upx-4.0.2-arm_linux.tar.xz | UPX - Linux version
        • upx-4.0.2-dos.zip | UPX - DOS version
        • upx-4.0.2-i386_linux.tar.xz | UPX - Linux version
        • upx-4.0.2-mipsel_linux.tar.xz | UPX - Linux version
        • upx-4.0.2-mips_linux.tar.xz | UPX - Linux version
        • upx-4.0.2-powerpc64le_linux.tar.xz | UPX - Linux version
        • upx-4.0.2-powerpc_linux.tar.xz | UPX - Linux version
        • upx-4.0.2-src.tar.xz | UPX - source code tarball
        • upx-4.0.2-win32.zip | UPX - X86 Win32 version
        • upx-4.0.2-win64.zip | UPX - X64 Win64 version
  24. This release of Windows Terminal addresses a crash in self-elevation. Huge thanks to @jboelter for fixing it in 1.17 (#14637).
      Asset Hashes
      Microsoft.WindowsTerminal_Win11_1.16.10262.0_8wekyb3d8bbwe.msixbundle
        SHA256 229ABC77AE04FC47037F1050C6971E967C840B368CFB92468A2E0EAA78245501
      Microsoft.WindowsTerminal_Win11_1.16.10262.0_8wekyb3d8bbwe.msixbundle_Windows10_PreinstallKit.zip
        SHA256 17C03963403EF72244E85AD097022B109D9A8502A73F76C8D034DAEDB9D123C4
      Microsoft.WindowsTerminal_Win10_1.16.10261.0_8wekyb3d8bbwe.msixbundle
        SHA256 BA6FC6854E713094B4009CF2021E8B4887CFF737AB4B9C4F9390462DD2708298
      Microsoft.WindowsTerminal_Win10_1.16.10261.0_8wekyb3d8bbwe.msixbundle_Windows10_PreinstallKit.zip
        SHA256 14A7C5D6743D0FF22397B9CFA43576F7193A29F1727C04C49652CDCBFA168634
      Download
  25. Happy New Year! Unwrap the first Preview build of Terminal in 2023, and find inside . . . a bunch of cool stuff! Our community really proverbially killed it last year, so we're proud to get their work (and ours, of course) out to the world.
      Note
      From this version forward, we are dropping some of the more clutter-y parts of our version number in our git tag and about dialog. For deployment purposes, however, the packages will retain all four version components. The package versions for this release are 1.17.10234.0 and 1.17.10235.0.
      Features
      • You can now customize the order and contents of the New Tab menu (#13763) (thanks @FWest98!) (#14629)
        • Right now, you can only do this with JSON; check out the docs for newTabMenu
        • The first time you save your settings in 1.17, we'll convert your existing menu to the new format. This is lossless.
        • This feature includes support for adding folders, separators, and profiles that meet certain criteria in addition to the standard/built-in default menu layout.
      • You can now set the scroll bar to be "always" displayed (thanks @sotteson1!) (#14047)
        • JSON field $profile.scrollbarState has learned the new enum value always.
      • After a process terminates, you can press Ctrl+D to close its pane or Enter to relaunch it (#14060)
      • Terminal now supports the remaining FinalTerm mark types (command input start, command executed and command finished) (#14341)
      Themes
      • Terminal now supports using Mica as a background material on Windows 11 (#13935) (#14675) (#14567) (#14540) (#14644) (#14708)
        Note
        As a reminder, theme settings are only available via JSON. To use Mica, set up a new theme with the following settings: {"window": {"useMica": true}, "tabRow": {"background": "#00000000"}}
      • You can now configure a color scheme (per profile) to apply in System Light theme and System Dark theme (#14064) (thanks @bennettnicholas!)
        • Set $profile.colorScheme to an object containing the keys light and dark, à la { "light": "Scheme One", "dark": "Scheme Two" }.
        • When first implemented, this may have crashed; it no longer does so! (#14653) (thanks @jboelter!)
      • Likewise, you can do the same thing for the application theme (#14497)
      Changes
      Fundamentals
      • The backing buffer now stores surrogate pairs inline, and measures columns differently (#13626) with bug fixes from @j4james (thanks!) (#14650)
        • Please report any unusual behavior regarding Unicode characters, including selection, copy, paste and display.
      • The contents of the Terminal package are now code-signed, so those of you who deploy it unzipped will no longer get in trouble with your IT folks (#14710)
      UI
      • We have changed how we display our version numbers, opting to hide "bookkeeping" information such as the final digit of the version number. Those numbers will still be noted in the package release notes and are still germane to deployment scenarios. (#14660)
      • You can now configure all of the launch position parameters in the Startup section of the Settings UI (#14569) (#14518) (#14186) (#14190) (#13605) plus community bug fixes (#14522) (thanks @ianjoneill!)
      • We've revamped the color schemes page for ease of understanding and sheer coolness (#14470) (#14706) (#14631) (#14550) (#14704)
      • When configuring a profile's color scheme, you will now see a tiny preview of that color scheme before you select it (#14587) (#14572)
      Usability
      • wt now supports the --pos and --size commandline arguments to control the position and size of the new window (#13730) (thanks @ianjoneill!)
      • When you duplicate a tab, the new tab will open next to the current tab (#14521) (thanks @vamsiikrishnaak!)
      • You can now use exe and dll resources for icon paths, as in C:\Windows\system32\shell32.dll,41 (#14107)
        • However, it looks like we have an off-by-one error (that should be 42 above, but whoops. We'll fix that.)
      • The context menu now has tooltips (#14058)
      VT and Output
      @j4james did approximately a hundred things, so I'm going to summarize them in brief here:
      • ... added support for DEC macro operations (#14402)
      • ... added support for DECARM (Auto Repeat Mode) (#13981)
      • ... added support for IRM (Insert Replace Mode), which will be of particular interest to @vixie (sorry for the delay, Paul!) (#14700)
      • ... added support for private options in DSR queries (#14290)
      • ... added support for selective erase operations (DECSED) (#14046)
      • ... added support for the DECRQM escape sequence (#14444)
      • ... added support for the rectangular area operations (DEC*RA) (#14285)
      • ... merged the legacy and extended attributes (#14036)
      • ... rewrote how we handled text embedded in a stream of VT, which closed like 8 bugs (seriously) (#14640)
      • ... added support for line rendition attributes (DECDHL) over ConPTY (#13933)
      • ... added support for soft fonts over (DECDLD) ConPTY as well (#13965)
      Bug Fixes
      • The Export and Find context menu items work on unfocused tabs (#14673) (#14379) (thanks @ianjoneill!)
      • We've retooled how we launch Terminal elevated when you use an elevate: true profile (or Ctrl+Shift-click a profile in the dropdown menu.) (#14637) (thanks @jboelter!)
      • The about dialog (and other dialogs) will finally block the entire window even if you resize it (#14722)
      • We now attempt to account for transparent tab backgrounds when calculating the text foreground color (#14643)
      • You can now drag/drop more than 16 items directly out of 7-Zip (and some other applications) (#14648) (thanks @jiejasonliu!)
      • Malformed settings objects will no longer cause an "Application error 0x%" settings warning (#14668)
      • Note that "Use Acrylic in Tab Row" no longer requires a relaunch (#14478)
      • Terminal now more reliably handles text selections in very scrolly environments (#14636)
      • Split pane borders no longer display in the wrong theme color (#14486)
      • We've updated the JSON schema to contain theme objects (#14672) (#14666)
      • In separate titlebar mode, Terminal will now default to a dark title bar when you are using a dark theme (#14536)
      Reliability
      • Voice Access will no longer crash Terminal (#14534)
      • We've removed a leading cause of crashes closing panes and tabs while screen reading was active (#14714)
      • Input will no longer (rarely) trigger a crash when a screen reader is enabled (#14694)
      • wpf: stop dereferencing null pointers already! come on, it's 2023! (#14678)
      Performance
      • We've reworked how the locking around each terminal pane works (#13746)
      • We have removed our dependency on Microsoft.Toolkit.Win32.UI.XamlApplication.dll (#14520)
      Accessibility
      • The "Add Appearance" button will now be read out properly by screen readers (#14564)
        • ... so will the search box (#14519)
      • Our internal management window will no longer appear as an empty pane to screen readers (#14541)
      Compatibility
      • We will now properly track console handle inheritance so that cmd /c start /b cmd (et al) can properly reattach to the existing session (#14544)
      VT
      • Wide characters will no longer cause weird cursor leavings (#14661) (thanks @j4james!)
      • VT reports once again work when DECARM is disabled (#14216) (thanks @j4james!)
      conhost
      Note
      These changes will be released to the vintage console in a future version of Windows.
      • When the alternate buffer is in use, the scroll bar will no longer overlap the content (#14329) (thanks @j4james!)
      With additional documentation, code health, grammar, spelling, workflow security and maintenance help from @AtariDreams, @musvaage, @sashashura, @grammar-police, @Dan-Albrecht, @d-caldasCaridad and @ianjoneill, @jsoref. Thanks so much!
      Asset Hashes
      Microsoft.WindowsTerminalPreview_Win10_1.17.10234.0_8wekyb3d8bbwe.msixbundle
        SHA256 8829BF4A1ECFFA384F2DBED1496C39DD291DB44D0D0FB3F81845AE76EB174484
      Microsoft.WindowsTerminalPreview_Win11_1.17.10235.0_8wekyb3d8bbwe.msixbundle
        SHA256 4E5C4E1BBE226B02817B7DED321F09CFCE582803800CCDB224236C98682ED643
      Download