Tag: News

The new version is out. 🙂 Here’s a recap of the latest improvements:

– increased python integration and exposed more parts of the SDK
– added SDK documentation to the docs directory
– added Python command line
– added global and individual file notes
– improved filters and added range parameters
– introduced fullscreen modality in workspace (F11)

This has been mostly a transition release and what took most of the time were structural changes in how the SDK is exposed to Python so that future releases will benefit from it. The main advantage for the user may be the addition of range parameters in the filters and the introduction of file notes, which is a small feature, but very useful in the context of analysis.

The next release will bring some new file formats and interesting improvements.

While we talked about some of the news of this version, there are some more which are worth mentioning.

– introduced new multi-file report and project technology with compression and encryption
– introduced new UI for workspace mode
– added Windows Lnk support
– added file extensions scan option
– added directory scan to command line
– added PNG CRC validation
– added new filters: misc/replace and dev/array
– several UI improvements
– hex editor improvements
– increased memory limit

New workspace UI

The workspace features a new dock-based UI. It is easy to get used to the new UI as it is completely intuitive.

Now our users can completely costumize their analysis workspace.

PNG CRC validation

This feature was requested by one of our customers and it can come handy during forensic analysis. The CRC of each PNG chunk is verified and those which don’t match are signaled in the format view (highlighted in red).

New filters: misc/replace and dev/array

Two new filters have been added. misc/replace is self explanatory: it replaces bytes and strings. While dev/array is a small addition which can come handy all those times we need to copy some bytes to an array in a programming language. We can specify the language, the radix and the number of columns and we get something like:

unsigned char data[64] =
{
    0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00,
    0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,
    0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xF8, 0x00, 0x00, 0x00
};

We hope you enjoy this new version.

Since there are many improvements and additions, here’s a list with the most important ones:

– finished support for Portable Executable directories (.NET excluded): Delay Import, Bound Import, Exception (x64, IA64), Security
– improved detection of files in MSI archives
– replaced the native scan table with the custom table control: now it’s fast and efficient
– added threat highlighting and jump in scan table and hierarchy view
– increased the UI responsiveness during batch scans
– introduced option to disable intrinsic risk factors
– added search functionality to every control which lacked it
– added support for PNG and APNG files
– added support for GIF files
– improved PE Debug directory view
– added language switch in text view
– improved file format choose dialog
– improved initialization performance by delay-loading some modules
– updated OpenSSL

This version prepares the ground for the next .6 version, which as I expect will be very interesting. However, even in 0.8.5 there are many useful new things, so in this post I’ll just do a tour of those which might need an explanation.

Threat highlighting

This means that files with a risk factor > 0 are now highlighted with different gradients of orange (low risk) and red (high risk). This is true for the new file system scan results table, which by the way is now blazingly fast.

But also for the file hierarchy itself.

It’s possible to jump to files with risk factor > _customizable_threshold_limit_ with F2 (next) and Shift+F2 (previous).

Disable intrinsic risk factors

It’s pretty clear that an executable can contain native code, right? It’s expected to, just as a font file is expected to contain its specific bytecode. These characteristics are intrinsic to these file formats and as users we might not desire to be alarmed by that.

By enabling this new handy option, these factors will no longer contribute to calculate the risk of a file.

PE directories

Apart from .NET, all Portable Executable directories are now supported. Specifically, support for the following directories has been added: Delay Import, Bound Import, Exception (x64, IA64) and Security.

This month we will post about some new interesting features and the PE analysis series will be continued. 🙂