BUGFIX

• Fixed dumping reflectively loaded PEs (automatically find suitable base) - Issue #134
• Protected against DLL hijacking
• Fixed building resources with MinGW
• Other small fixes

See also: HollowsHunter v0.4.1.1 with the latest PE-sieve & MalUnpack v1.0 with the latest PE-sieve

BUGFIX

• In Thread Scan (/threads): fixed incompatibility with Windows 11 >= 23H2 which caused many threads to be flagged unnecessarily
• Overall reduction of false positives during threads scan
• Other small fixes

FEATURE

• Added detailed report about the indications found in each detected thread (complete call-stack with symbols, etc)

See also: HollowsHunter v0.4.1 with the latest PE-sieve

BUGFIX

• Fixed error in Import Table reconstruction (Issue #131)

See also: HollowsHunter v0.4.0.2 with the latest PE-sieve

FEATURE

• Improved thread scan. Rewritten scanning callstack for anomalies.
• New parameter: /rebase - allows to rebase the dumped module to its original base (or to the default one, if the original is not known)
• New parameter: /report - allowing to define what type of results from the scan should result in filing a report (possibility to obtain a detailed report about all the scans that were performed, not only which of them detected suspicious indicators)
• More details about the detected patches: identify breakpoints, padding, etc.
• Updated Python bindings

REFACT

• Dumping optimization: dump the same memory region only once, even if it was detected by multiple scanning filters
• Other improvements, and bugfixes

See also: HollowsHunter v0.4.0 with the latest PE-sieve

REFACT

• Refactored to use a new pattern matching engine (SigFinder) for shellcode detection. Improved performance.

FEATURE

• Added new parameter /pattern <file> allowing to supply custom signatures to be searched in memory. The format is defined by SigFinder and described in the relevant README. If pattern file was defined, a .tag file for the found patterns will be generated, with the extension .pattern.tag
• New fields in the scan_report.json:
  • Save the PE-sieve version with which the scan was performed (scanner_version)
  • In workingset_scan section: added patterns section with information about found patterns:
    • total_matched (count of all patterns matched, including the hardcoded ones)
    • custom_matched (count of patterns matched from the set defined by the user in pattern file)
• New fields in the dump_report.json:
  • If pattern.tag file was generated, the name of this file will be added in the pattern_tags_file field of the relevant module.

See also: HollowsHunter v0.3.9 & MalUnpack v0.9.9 with the latest PE-sieve

FEATURE

• New options for shellcode detection ( /shellc ):
  • detect by patterns (previous mode): available with /shellc P
  • detect by stats (new mode): available with /shellc S
  • possibility to mix both modes: options /shellc B (both) or /shellc A (any)
• Detection of obfuscated memory regions ( /obfusc )
• Caching of detected shellcodes (guarantee that the dumped shellcode is the same as detected shellcode - no second read)

See also: HollowsHunter v0.3.8 & MalUnpack v0.9.8 with the latest PE-sieve

FEATURE

• improved integration with other languages (Python, Golang: #112), improvements in the API
• in ThreadScan: calculate the entropy of the detected area:
  • decreased number of false positives (filtering by entropy)
  • added a new section to the ThreadScanReport: stats
• in dump report: set "is_shellcode" : 1 only if the code pattern was matched (to distinguish cases when i.e. the shellcode was encrypted and detected by thread scan)

BUGFIX

• fixed a bug in libPEconv (buffer boundary check: cabdd46)
• fixed crash if the output filter was set ( #113 - missing check if the dump report was generated )
• fixed backward compatibility with Windows XP ( #42 )
• decreased number of false positives when searching for PE files in non-executable memory

REFACT

• faster search for code signatures: skip padding from the scan

See also: HollowsHunter v0.3.6 & MalUnpack v0.9.7 with the latest PE-sieve

📖 README.md

FEATURE

• Added API function: PESieve_scan_ex - allowing to retrieve scan and dump JSON reports directly into the supplied memory buffer ( Issue #105 )
• Allow to scan own workingset ( Issue #104 )
• Added one more shellcode pattern ( Issue #108 )
• Added version information to resources

BUGFIX

• Fixed getting stuck on scanning for PE artifacts (in some rare cases)
• Fixed checking mapped modules against the image on disk (fixed issue with the remote module not being copied)
• Fixed false positive - MUI files detected as implanted, when using 32bit scanner on 64bit system (FS redirection issue)
• Other small fixes

See also: HollowsHunter v0.3.5 & MalUnpack v0.9.6 with the latest PE-sieve

📖 README.md

FEATURE

• In /mignore - removed buffer limit (Details: #99). WARNING: API change)
• New param: /threads, enabling scan of the threads' callstack . This is another layer of shellcode detection, allowing to capture "sleeping beacons", and others, decrypted just before the execution. (Read more here)

See also: HollowsHunter v0.3.4 with the latest PE-sieve

📖 README.md

BUGFIX

• Fully redesigned IAT scan, providing much better precision (Issues: #98, #92, #77)
• Fixed processing PEs with relocation table containing empty records (hasherezade/libpeconv#30)
• Fixed false positives in some of the code scans

FEATURE

• Added optional caching (Issue #94)
• Improved auto-detection of import reconstruction mode (/imp A) : set R0, R1 modes depending on the sizes of found IATs of particular types
• Do not exclude .NET modules from code scan. Improved filtering of the changes typical for .NET.
• Changed reporting of IAT hooks to the format consistent with inline hooks reports ( more details here )

See also: HollowsHunter v0.3.3 & MalUnpack v0.9.1 with the latest PE-sieve