File: changes.log
Project: pestudio
Email: info@winitor.com
Web: www.winitor.com
Twitter: @ochsenmeier

Warning: This software is provided 'as-is', without any expressed or implied warranty. In no event will the author be held liable for any damage arising from the use of this software.

A summary of the features of pestudio and pestudio-pro is available at the following URL:
www.winitor.com/tools/pestudio/current/pestudio-features.pdf

Some features are available only in the professional version of pestudio (aka. pestudio-pro).
The free version of pestudio may not be used in a professional environment.

When retrieving the scores from Virustotal, pestudio NEVER submits the sample itself! pestudio only submits the hash (MD5) of the sample being analyzed.

Several XML files are provided with pestudio. Usage of these XML files outside of the context of pestudio (e.g. in a third-party application, tool chain, etc.) must be explicitly authorized by the author.

Copyright (C) 2009-2024, Marc Ochsenmeier

Version 9.58
 . Fix an issue when fetching the Virustotal report
 . Fix a bug when detecting libraries
 . Extend indicators

Version 9.57
 . Fix bug in XML report
 . Fix bug in libraries detection
 . Fix bug in Resources string-tables handling
 . Fix an infinite loop happening with some resources
 . Add toggling of language flag
 . Extend Certificate detection
 . Extend detection of message-tables

Version 9.56
 . Toggle DLL <> EXE (file-header)
 . Assign new entry-point (optional-header)
 . Extend certificate detection
 . Extend footprints detection
 . Extend dialog settings
 . Dump sections
 . Fix bugs

Version 9.51 to 9.55
 . Add groups collection
 . Extend dialog settings
 . Reduce CPU consumption
 . Extend embedded file detection
 . Extend footprints collection
 . Extend internal | external jumps
 . Fix bug when handling export table
 . Fix bug when handling the checksum of the image
 . Fix potential DLL side-loading of libraries used by pestudio
 . Fix bug when handling .NET resources
 . Fix internal jumps
 . Extend dump of section items
 . Add detection of callback functions
 . Add footprints view
 . Extend strings detection
 . Extend resources detection
 . Extend Image view with file-names
 . Extend Certificate detection
 . Fix bugs

Version 9.46 to 9.50
 . Show tail of Certificate
 . Extend summary of Image stamps
 . Extend Mitre detection
 . Extend data collection of Certificate
 . Extend data collection of debug
 . Add switch to toggle VT
 . Fix a crash when handling the relocations table
 . Fix bug when handling imports table
 . Add support for customer virustotal key
 . Extend detection of Certificate anomaly
 . Extend detection of library groups
 . Extend detection of .NET Resources
 . Extend detection of debug streams
 . Extend exports view
 . Extend sections view
 . Fix issue with virustotal report
 . Fix bug when showing directories
 . Fix bug in detection of overlay
 . Extend indicators
 . Extend detection of debug stream types
 . Extend context menus
 . Group libraries
 . Clean Mitre report
 . Detect spoofed libraries
 . Detect invalid Import Address Table (IAT) entries
 . Extend Sections view
 . Fix bug in the detection of delay-loaded libraries
 . Fix bugs

Version 9.41 to 9.45
 . Detect spoofed & hooked imports
 . Detect missing Import Name Table (INT)
 . Detect duplicated libraries
 . Extend .NET detection
 . Extend indicators
 . Fix directory validity check
 . Extend imports view with First-Thunk-Original (aka. INT), First-Thunk (aka. IAT) and hint
 . Show discrepancy between INT and IAT tables
 . Fix detection of bound libraries
 . Extend indicators
 . Extend debug streams detection
 . Extend links to google search
 . Add detection of /CETCOMPACT
 . Extend .NET detection
 . Extend indicators
 . Map .NET namespaces into groups and Mitre indicators
 . Handle missing import directory
 . Fix bugs

Version 9.36 to 9.40
 . Synchronize XML mitre output report with front-end
 . Extend rich-header view
 . Fix bug when handling Import Address Table
 . Fix bug when handling Delay-loaded Import Table
 . Link views to one another
 . Fix bug when handling Exceptions table
 . Fix bug when handling .NET stream names
 . Extend sections view
 . Clean context menus
 . Redesign Mitre View with more details
 . Fix and extend exports
 . Rename "blacklist" items into "flag"
 . Map os-version into a friendly name
 . Fix bug when showing image name in caption
 . Consolidate Indicators
 . Fix bugs

Version 9.31 to 9.35
 . Extend indicators
 . Extend detection of .NET Resources
 . Extend detection of Tooling
 . Extend .NET items detection
 . Extend file-header view
 . Extend exports view
 . Allow modification from DLL to Executable
 . Allow modification of the entry-point
 . Extend indicators
 . Extend .NET tables detection
 . Extend optional-header detection
 . Add toggling of optional-header characteristics
 . Extend .NET tables detection
 . Compute MD5 of .NET streams
 . Dump .NET streams
 . Fix a bug when collecting short Unicode strings
 . Fix a bug when retrieving the typelibid of the .NET header
 . Fix a bug when computing the imphash
 . Show .NET Functions Namespaces as separate items
 . Extend .NET streams detection
 . Fix minimum string length bug

Version 9.26 to 9.30
 . Handle .NET ascii strings (#Strings) Stream
 . Extend detection of embedded files (e.g. MS-Compress)
 . Extend indicators
 . Simplify indicators
 . Handle .NET unicode user-strings (#US) Stream
 . Differentiate between n/a and empty Export Table
 . Remove duplicates in indicators
 . Show file-ratio of .NET Streams size
 . Show threshold of .NET Streams size
 . Blacklist .NET functions that belong to a blacklisted Namespace
 . Split Namespaces into system and custom Namespaces
 . Fix a bug with the delay-load imports
 . Compile pestudio package to 64bit
 . Add .NET Field table
 . Fix bugs

Version 9.21 to 9.25
 . Better detection of file signature
 . Add mapping of rich-header to tooling
 . Show all time-stamps always and only in UTC
 . Add blacklisting of .NET namespace
 . Add namespace collection
 . Add detection of .NET Module name
 . Extend detection of .NET tables
 . Handle .NET namespaces
 . Fix bugs

Version 9.16 to 9.20
 . Extend detection of .NET functions and libraries
 . Handle more .NET metadata
 . Extend .NET relevant indicators
 . Fix an issue with the detection of duplicate exports
 . Handle more .NET metadata
 . Handle .NET tables
 . Fix issue when handling a very large amount of exports
 . Start handling .NET streams
 . Fix bugs

Version 9.11 to 9.15
 . Fix a bug when computing the offset of string items
 . Add Resource context menu to change the severity of signature
 . Add Libraries context menu to toggle blacklist flag
 . Fix bugs when modifying indicator's severity level
 . Add Resources context menu to toggle language blacklist flag
 . Extend File-header detection
 . Extend Optional-header detection
 . Add File-Header characteristics
 . Add Optional-Header characteristics
 . Add Ordinal name mapping for delay-loaded libraries
 . Add details to Certificate
 . Extend detection of string hints
 . Extend collection of DateTime stamp indicators
 . Extend context menus
 . Extend Mitre detection
 . Extend detection of embedded files
 . Extend libraries, imports and exports views
 . Map strings to imports as hint
 . Fix a bug when a library is missing

Version 9.06 to 9.10
 . Extend Libraries and Imports reports
 . Add fields to the Libraries view
 . Add fields to the Imports view
 . Add handling of Rich-header
 . Extend context menus
 . Extend detection of embedded files
 . Add Sections > Characteristics field
 . Show Relocations
 . Show Exceptions
 . Extend support of MUI files
 . Fix bug when retrieving executable hidden in data section
 . Fix bug in About > Check update
 . Fix bug in GUID of pdb
 . Fix bug in the exported XML file
 . Fix bug in detection of exports
 . Fix bug when handling malformed debug entry
 . Fix a bug when handling malformed relocations table
 . Extend User-Interface to handle XML-based settings
 . Add setting filters for online-score, indicators, mitre, etc.
 . Show duplicated exports for 64bit executable
 . Fix bug when computing minimum string length
 . Fix bug when computing file-offset of resources

Version 9.01 to 9.05
 . Add settings dialog to handle settings.xml file
 . Fix bugs
 . Add switch upper-case|lower-case Hash values
 . Fix Virustotal Imphash query
 . Add short/long Mitre View switch
 . Add search Virustotal for strings
 . Extend indicators

Version 8.96 to 9.00
 . Detect when compiler time stamp is outside of certificate time stamp range
 . Add Mitre Tactics detection
 . Add Mitre View
 . Add Mitre Techniques detection
 . Extend indicators with function(s) group(s)
 . Change syntax of pestudio.exe parameters
 . Extend indicators
 . Fix bugs

Version 8.90 to 8.95
 . Fix a bug when handling sections
 . Indicate virtualized sections
 . Handle (very) long strings
 . Extend indicators
 . Extend detection of anomalies
 . Fix a bug when handling exports by ordinals
 . Fix a bug when handling entry-point outside the first section
 . Indicate when entry-point is located at the beginning of the file (aka. MZ-instructions cancellation)
 . Fix a bug when handling the original file name of 64bit files
 . Fix a bug when handling the manifest of 64bit files
 . Fix a bug when showing the entropy in the XML report file
 . Add detection of auto-elevation based on the manifest
 . Extend indicators
 . Fix a bug when handling very long unicode strings

Version 8.86 to 8.90
 . Detect more anomalies
 . Show first-bytes-text of resources
 . Add some missing items in the XML report file
 . Fix bugs
 . Synchronize the content of the XML report with the GUI
 . Fix a bug when handling export of the XML file from the CLI
 . Extend overview of time-date stamps
 . Handle more malformations of sections and show indicators appropriately
 . Add name of the analysed sample in the caption of pestudio GUI
 . Fix bugs
 . Detect TLS Callback functions for 64bit executable
 . Extend sections view with "self-modifying" tag
 . Extend msdn search on imports
 . Extend google search on exports
 . Extend google search on strings
 . Show hashes of Certificates to ease hunting
 . Fix bugs
 . Add search Google and Virustotal for resources

Version 8.81 to 8.85
 . Fix bugs
 . Clean API classification
 . Extend several context menus
 . Show time date stamp of directories
 . Add google search to sections hash
 . Compute hashes of Version blob
 . Add google search using hashes of Version blob
 . Show file hashes with and without overlay
 . Fix a bug when handling embedded files
 . Fix a crash on Win10
 . Fix a bug when dumping sections
 . Extend google search to imphash to ease hunting
 . Extend google search to hashes of image, pdb, dos-stub, overlay to ease hunting
 . Add underlining of items to indicate google search URL link
 . Add search google for strings view
 . Show details of virustotal report

Version 8.76 to 8.80
 . Fix bugs
 . Handle characteristics specific to EFI executable files
 . Extend detection of embedded executable to all sections
 . Fix a bug when detecting resources types
 . Compute SHA1 and SHA256 for dos-stub
 . Compute SHA1 and SHA256 for debugger
 . Extend the detection of embedded file(s) in overlay
 . Fix sorting of Virustotal scores
 . Extend context Menu of Virustotal view
 . Add support of "favorite-engine" for Virustotal

Version 8.71 to 8.75
 . Fix flickering of the views
 . Extend strings detection by indicating presence of API and Libraries strings in the Import Table
 . Fix a bug with the creation of the XML report file
 . Add functions groups to the strings View
 . Extend functions groups to the delay-loaded functions
 . Show functions that are delay-loaded
 . Fix a bug when handling deprecated functions
 . Extend context menu for imports to cope with functions.xml file
 . Extend groups of imports

Version 8.66 to 8.70
 . Expose the indicators id number in the output XML file
 . Extend grouping of utilities
 . Extend grouping of imports by types and colors
 . Add grouping of imports by types and colors
 . Extend strings "hint" detection and mapping
 . Extend signatures detection
 . Extend strings "hint" detection and mapping
 . Extend detection of strings "hint"
 . Fix a bug when computing the position of the entry-point when located at the very beginning of a section
 . Add detection of strings "hint" (e.g. GUID, RTTI, ..)

Version 8.61 to 8.65
 . Compute the Sha256 of the image and the overlay
 . Extend and consolidate the Indicators
 . Fix a bug when handling a debug type
 . Fix bug when showing exports of 64bit file
 . Fix bug when showing the offset of the Security Directory
 . Extend Indicators
 . Add detection of whitelist (well-known) strings
 . Add detection of deprecated functions
 . Add detection of undocumented functions
 . Consolidate indicators
 . Extend the resource type detection
 . Extend handling of malformed manifest
 . Extend handling of the file signature
 . Detect "unusual" dos-stub messages
 . Increase performance when loading executable with large collection of exports
 . Consolidate switches in settings.xml
 . Consolidate API classification
 . Fix a bug when handling the Thread-Local Storage (TLS)
 . Fix a bug of the Manifest View
 . Fix a bug when detecting 64-bit managed files
 . Add online check of update in the "About" dialog
 . Add support for ARM detection
 . Indicate missing library
 . Extend features of standard version

Version 8.56 to 8.60
 . Add detection of Control Flow Guard (CFG)
 . Add details for Virustotal view
 . Show first bytes (hex) of resources
 . Show first bytes (hex and text) of file
 . Handle empty entry-point
 . Extend Indicators
 . Fix a crash with some 64bit executables
 . Add detection of missing libraries
 . Extend status-bar
 . Extend translations
 . Extend Exports handling
 . Extend Imports handling
 . Extend signatures
 . Clean and Extend indicators
 . Show first bytes of entrypoint
 . Show first bytes of overlay
 . Show dos-stub message
 . Compute file-ratio for resources, sections, overlay and dos-stub
 . Extend file summary
 . Extend file signature detection
 . Fix bugs

Version 8.51 to 8.55
 . Extend Indicators
 . Dump PKCS7 Certificate
 . Fix bug with libraries
 . Show overlay strings numbers
 . Detect duplicated exported symbols
 . Enhance unicode strings detection
 . Show strings location map with colors
 . Differentiate URLs referenced in the certificate
 . Differentiate between standard and professional (pro) versions of pestudio
 . Add deletion of overlay
 . Add computation of entropy
 . Add detection of TLS Callback functions
 . Show more details about sections
 . Fix bugs and crash
 . Rename pestudioprompt.exe into pestudiox.exe
 . Add virustotal scoring of hardcoded URL
 . Add detection of pipes
 . Add Network Watchdog to update Virustotal score automatically
 . Add XML switches to define the colors of the front-end
 . Fix ordinal functions mapping for 64bit images
 . Fix a crash when handling overlay
 . Fix a bug when retrieving the Description of the delay-loaded libraries

Version 8.00 to 8.50
 . Fix a bug when handling exported functions of 64bit executables
 . Add detection of Windows builtin services
 . Fix a bug when handling strings
 . Extend Thresholds
 . Extend Indicators
 . Show virustotal score for Overlay (when available)
 . Fix an issue in the Debug detection
 . Fix an issue in imported symbols by ordinal for 64bit files
 . Add computation of Imports Hash (imphash)
 . Add detection of strings embedded in non-PE files
 . Fix a crash with malformed files
 . Correct duplicates during collection of functions statistics
 . Add Virustotal aging and submission date
 . Extend Languages detection and mapping
 . Add PeID Signature detection
 . Add XML-based detection of OIDs
 . Add XML-based detection of useragent
 . Add detection of references to Firefox API
 . Add MD5 Blacklist for a file and its Resources
 . Extend detection of Overlay
 . Extend validation of Sections
 . Add Blacklist of MD5 dedicated to the Overlay
 . Extend detection of files embedded in Resources
 . Add detection of Regular Expressions and Threshold
 . Fix a bug when handling the imports of some images
 . Add Functions Groups classification
 . Resources with unknown Signature and containing only text are now tagged as Text
 . Fix a bug when handling the Characteristics of the FileHeader
 . Add MD5, SHA1 and Virustotal Score for Overlay
 . Fix bugs

Version 6.00 to 7.00
 . Add Dump of Indicators
 . Add Dump of Manifest
 . Add Context menu for Certificates
 . Add Dump of Certificates
 . Raw discovery of fundamental characteristics of the Certificate(s) embedded in the Image
 . Handle non-printable characters in XML report
 . Add more Indicators specific to the location of the Entry Point
 . Add more details (offset and size) for each file Cave detected
 . Show the name of the section BaseOfCode is located in
 . Fix reporting of the Libraries in the XML report
 . Add Indicators specific for First and Last Sections
 . Take virtual Section into account when pointing to the overlay
 . Fix detection of MPRESS under 64bit

Version 5.00 to 6.00
 . Fix a bug when reading Symbols
 . Correct missing Dependencies for some types of images
 . Rename *.XML files to PeStudio*.XML
 . Interfaces to PeParser (PeParser.h and PeParser.lib) are now part of the Package
 . Add Indexing of Strings
 . Add Detection of duplicated Section Names
 . Allow Strings length choice for filtering at the UI
 . Show Strings at the UI
 . Add Strings count in output XML
 . Detect Section-less images and add them to Indicators.XML
 . Correct Address Offset of reported Strings

Version 1.0 to 5.00
 . Strings contained in the analysed file can now be exported to the output XML file
 . Add validation Check of AddressOfEntryPoint field
 . Custom Resources are shown in orange colour
 . Correct handling of Certificate Directory
 . Correct colouring of Indicators
 . When handling a resources-only image, some validity checks are different
 . Enhance detection of device driver images
 . Rename parameters for command prompt (see Prompt support description above)
 . Add detection of CAB, PDF, RIFF, GIF, PNG files
 . Add detection of "requireAdministrator" Execution Level from the Manifest
 . Add Command Prompt support (see Prompt support description above)
 . Add "The image exports XY Symbols" as new Indicator
 . Add more obsolete functions in the WindowsFunctionsDeprecated.xml file (delivered with this project)
 . Support 64bit Images on 32bit Platform
 . Show Resources Languages
 . Show Type of Debug information (NB09, NB10, NB11, RSDS)
 . Show imported Functions of missing libraries
 . Show total number of Bytes available in Caves
 . Show Gaps in Exported Symbols collection
 . Show Section Name the Base of Data belongs to
 . Add OptionalHeader to XML report
 . Add detection of duplicated Sections names
 . Add detection of Code-less images
 . Add detection of Section containing the Entry point
 . Correct filtering of Obsolete Imported Functions
 . Correct Imported Symbols for 64bit images
 . Correct Page-able Section Flag
 . Correct detection of msstyles "Resources Only" Images
 . Correct a crash that takes place when switching between Tree and List View in Resources Tab
 . Add Detection of Image Obfuscation (encryption, compression) as Evidence
 . Un-decorate function names
 . Support Manifest dependentAssembly
 . Support Side-by-Side libraries
 . Support Forwarded Functions
 . Filter Obsolete Functions
 . Enumerate Implicit dependencies and other general information