
Releases: hasherezade/pe-sieve

v0.2

12 Jun 12:42

FEATURE

  • More flexibility in reconstruction of the Import Table (added new options to the /imp parameter)
    • Including: reconstructing the Import Table from scratch (Issue #34)
    • Import reconstruction can be applied to all the detected PEs (not only to the implanted ones)
  • Reconstructing partially overwritten sections characteristics in the implanted PE
  • Dumping PE implants that could not be reconstructed with an extension .corrupt_dll/corrupt_exe
  • Added build date to the banner

REFACTORING

  • Refactored PE dumping and import recovery

v0.1.8

23 May 18:24

FEATURE

  • Path of each suspicious module added to the JSON report

BUGFIX

  • Fixed an error in searching for a partially erased Import Table (#35)
  • Reduced false positives in searching for patches (filtered out the patch at GuardCFCheckFunctionPointer: #27)
  • Fixed a bug that caused some of the implants not to be dumped (error in calculating the size of the implanted PE)

v0.1.7

15 Mar 00:06

FEATURE

  • Search IAT and import table by artefacts (save RVAs in the Data Directory) (Issue #31)
  • Improved payload recovery: shift the headers of implanted payload if needed (Issue #32)
  • Improved payload recovery: improved validating and fixing corrupt PE header (Issue #33)

BUGFIX

  • Fixed crashes during scans of payloads with malformed headers (#29, #28)
  • Fixed reading memory areas with inaccessible pages in between
  • Validate every implanted payload before dumping it
  • Exit with an error only if both the module scan and the working set scan failed (#30)

v0.1.6

18 Dec 04:36

PE-sieve 0.1.6

FEATURE

  • Identify the hook target: report which module the hook leads to (#23)
  • Added the possibility to set the root directory for the dumps (option /dir)
  • Sections that are fully unpacked in memory are reported differently than patched ones (#22)
  • Inform if an invalid parameter was supplied

BUGFIX

  • fixed crashing on some malformed samples (#21, #24)
  • fixed inaccuracies in import recovery
  • fixed an error in detection of PE artefacts (#25)
  • fixed the information displayed when access to a process was denied (more relevant information)

v0.1.5

05 Nov 04:04

FEATURE

  • various modes of payload dumping (virtual, raw, remapped)
  • automatic detection of a dump mode that is the most suitable for the payload/packer type, enabling more accurate reconstruction of payloads
  • cleaner interface: grouped displayed parameters

BUGFIX

  • fixed JSON report (the number of sections should be displayed as decimal)
  • fixed the non-working 'report only' output mode: it was not creating the dump directory and not saving the reports
  • fixed inaccuracies in the detection of sections' headers (in the artefacts scan)

v0.1.4.3

08 Sep 22:19

BUGFIX

  • fixed missing detection of some of the manually loaded implants

v0.1.4

18 Aug 16:38

Faster & more accurate

REFACTORING & OPTIMIZATION

  • refactored workingset scan to improve performance
  • refactored code scan to improve accuracy of detecting hooks & patches

FEATURE

  • reconstructing payloads with partially corrupt headers
  • recognizing the payload's extension (dll or exe)
  • improved JSON formatting
  • scan all sections that are executable in memory (even if they are not marked executable in the headers); this improves detection and dumping of packed sections
  • improved reporting of Process Doppelgänging

v0.1.2

29 Jul 18:04

BUGFIX

  • Fixed NT path conversion
  • Improved import recovery

FEATURE

  • Added info on whether the suspicious module is a .NET module
  • Cleaned up the report (hid unused fields)

v0.1

03 May 19:21

BUGFIX

  • fixed JSON report (unescaped backslashes, Issue #13)
  • fixed false positives in the mapping scan (when the name of the mapped file does not match the image file)
  • fixed duplicated reporting (code section mistakenly detected as shellcode, Issue #12)

FEATURE

  • improved hook detection: parsing short jumps

v0.0.9.9.9

12 Apr 20:46
Pre-release

BUGFIX

  • fixed a bug in parsing paths in the \\?\[...] format

FEATURES

  • more detailed detection of Process Doppelganging: checking whether the mapped image matches the module image
  • more detailed info about hooks: reporting the name of the hooked function
  • added shellcode detection and dumping (can be enabled by a parameter)
  • added an icon and changed the theme
  • added backward compatibility with older versions of Windows (including Windows XP 32-bit)