pev - the PE file analysis toolkit - ChangeLog

Legend:
  + Added feature
  * Improved/changed feature
  - Bug fixed
  ! Known issue / missing feature

pev 0.80 - ?

  ! Missing documentation for libpe.
  ! peres does not reconstruct icons and cursors extracted from the resources section.
  * The -V switch is now used by all pev programs to show their version numbers.
  * pehash: the hash of the whole file is now shown by default (-c option).
  * pestr: --net option removed (we may re-add it in the future).
  * udis86 updated to version 1.7.2.
  + Basic plugin support.
  + cpload: new tool for CPL file debugging (Windows only).
  + pehash: Import Hash (imphash) support for both Mandiant's and pefile's implementation.
  + peres: output the PE file version with the -v option.
  + Support for the pev.conf configuration file.
  - pestr: unable to handle very long strings.
  - Valid XML and HTML output formats (Jan Seidl).
  - readpe can now read virtual import descriptors.

pev 0.70 - December 26, 2013

  ! Missing full/English documentation.
  ! Missing valid XML and HTML output formats.
  ! pestr: no support for the --net option when parsing Unicode strings.
  ! pestr: unable to handle very long strings.
  * libpe: rewritten, now using mmap (Jardel Weyrich).
  * pestr: added country domain suffixes.
  * readpe and peres: output enhancements (Jardel Weyrich).
  + pehash: section and header hash calculation (Jardel Weyrich).
  + pehash: ssdeep fuzzy hash calculation.
  + pehash: support for new digest hashes such as sha512, ripemd160 and more.
  + peres: new tool to analyze/extract PE resources (Marcelo Fleury).
  + pescan: CPL malware detection.
  + pescan: detection of the undocumented anti-disassembly FPU trick.
  + pesec: show and extract certificates from digitally signed binaries (Jardel Weyrich).
  - readpe: functions exported by ID only are now shown.
  - readpe: fixed subsystem types (Dmitry Mostovenko).

pev 0.60 - October 31, 2012

  ! Missing full/English documentation.
  ! Missing valid XML and HTML output formats.
  ! pestr: no support for the --net option with Unicode strings.
  ! readpe can't show functions exported by ID only.
  * pedis: -F/--function option replaced by -r/--rva.
  + Added manpages for all tools.
  + pedis: added -m/--mode option to set the disassembly mode (16, 32 or 64-bit).
  + pedis: added -n option to limit the number of disassembled instructions.
  + pedis: added options to disassemble from the entry point or from a raw file offset.
  + pedis: disassemble the number of bytes specified by the -n option.
  + pehash: new tool to calculate PE file hashes (Jan Seidl).
  + pepack: added PEiD signature search (Rodrigo Escobar).
  + pescan: added -f/--format option to format the output.
  + pescan: added section, imagebase and timestamp analysis.
  + readpe: added --exports option to show exported functions.
  - pedis: fixed address representation in call and jump instructions.

pev 0.50 - June 25, 2012

  ! Missing documentation.
  ! Missing valid XML and HTML output formats.
  ! pedis shows the arguments of jumps and calls as relative positions.
  * Improved pev tools Makefile (Gabriel Barbosa).
  * MEW packer detection in packid (Rodrigo Rubira).
  * pev is now a collection of binaries and a library to work with PE executables.
  + libpe: xmalloc trick and fixes (Rodrigo Rubira).
  + Output in monospaced text and CSV in most programs.
  + pedis: disassemble functions and sections (Tiago Zaniquelli).
  + pepack: detect fake EP (Wagner Barongello).
  + pescan: new tool to search for suspicious things in PE files, including TLS callbacks.
  + pesec: find security features in PE files.
  + readpe can now show imported functions with the --imports or -i switch.
  + readpe: show PE headers and section information (most of the obsolete pev binary).
  + Released libpe 1.0 to support our programs.
  + rva2ofs and ofs2rva: convert from RVA to raw file offset and vice-versa.
  - Fixed erroneous ordinal numbers for functions imported without a name.
  - Fixed two bugs with fake TLS callbacks in petls (thanks to the Qualys guys for reporting).
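Added illustration, not code from pev or libpe: the two mappings that rva2ofs/ofs2rva (0.50) perform through the section table, and the pefile-style import hash that pehash gained in 0.80. The section table and import list are constructed inline; the header-region rule (bytes before the first section's raw pointer map 1:1) and the omission of pefile's ordinal-to-name lookup tables are simplifying assumptions of this example, and the names parse_sections, rva2ofs, ofs2rva, imphash_string and imphash are this example's own.

```python
# Added example (not pev/libpe code): RVA <-> raw file offset via the section
# table, and a pefile-style import hash (imphash) over an import list.
import hashlib
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def parse_sections(table):
    """Parse a raw section table (N * 40 bytes) into a list of dicts."""
    sections = []
    for off in range(0, len(table) // SECTION_HEADER.size * SECTION_HEADER.size,
                     SECTION_HEADER.size):
        f = SECTION_HEADER.unpack_from(table, off)
        sections.append({
            "name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "vsize": f[1], "va": f[2], "rawsize": f[3], "raw": f[4], "chars": f[9],
        })
    return sections


def _header_end(sections):
    # Assumption: the first raw data pointer marks the end of the header bytes.
    return min((s["raw"] for s in sections if s["rawsize"]), default=0)


def rva2ofs(rva, sections):
    """RVA -> file offset, or None when no file bytes back the RVA
    (zero-filled tail of a section, .bss, or the gap after the headers)."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            delta = rva - s["va"]
            return s["raw"] + delta if delta < s["rawsize"] else None
    return rva if rva < _header_end(sections) else None


def ofs2rva(ofs, sections):
    """File offset -> RVA, or None for bytes that are not mapped into memory."""
    for s in sections:
        if s["rawsize"] and s["raw"] <= ofs < s["raw"] + s["rawsize"]:
            return s["va"] + (ofs - s["raw"])
    return ofs if ofs < _header_end(sections) else None


def imphash_string(imports):
    """Normalised 'dll.func' list as pefile builds it: .dll/.ocx/.sys dropped,
    everything lower-cased, ordinal imports written as ordN, joined by commas.
    pefile also maps known ws2_32/oleaut32 ordinals to names; omitted here."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[:-len(ext)]
                break
        func = ("ord%d" % func) if isinstance(func, int) else func.lower()
        parts.append(dll + "." + func)
    return ",".join(parts)


def imphash(imports):
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed sample: .text fully backed by file data, .data mostly zero-filled
# in memory (vsize 0x2000 vs rawsize 0x200), .bss with no file bytes at all.
SAMPLE_TABLE = b"".join([
    SECTION_HEADER.pack(b".text", 0x0F00, 0x1000, 0x1000, 0x0400, 0, 0, 0, 0, 0x60000020),
    SECTION_HEADER.pack(b".data", 0x2000, 0x2000, 0x0200, 0x1400, 0, 0, 0, 0, 0xC0000040),
    SECTION_HEADER.pack(b".bss",  0x1000, 0x4000, 0x0000, 0x0000, 0, 0, 0, 0, 0xC0000080),
])
SAMPLE_SECTIONS = parse_sections(SAMPLE_TABLE)
# Constructed import list: (dll, name or ordinal) pairs.
SAMPLE_IMPORTS = [("KERNEL32.dll", "GetProcAddress"),
                  ("KERNEL32.dll", "VirtualAlloc"),
                  ("WS2_32.dll", 23)]

if __name__ == "__main__":
    for rva in (0x100, 0x800, 0x1010, 0x2100, 0x2300, 0x4000):
        print("rva %#06x -> ofs %s" % (rva, rva2ofs(rva, SAMPLE_SECTIONS)))
    for ofs in (0x100, 0x410, 0x1500, 0x1700):
        print("ofs %#06x -> rva %s" % (ofs, ofs2rva(ofs, SAMPLE_SECTIONS)))
    print(imphash_string(SAMPLE_IMPORTS))
    print("imphash:", imphash(SAMPLE_IMPORTS))
```

The None results are the cases worth noticing when triaging a sample: an RVA that points into a section's virtual tail (0x2300 here) or into .bss has no raw bytes to read from disk, so a tool that blindly computes `raw + (rva - va)` would read unrelated file content. The imphash normalisation is what makes the hash stable across case differences in the import table, which is why comparing it across samples is meaningful.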
pev 0.40 - August 7, 2011

  * Compatible with PE/COFF specification v8.2.
  * Date format in the COFF header similar to RFC 2822.
  * Improved function to get the machine type (Gabriel Duarte).
  + Added "-r" option to show resource items at the first level.
  + Added more human-readable fields, like subsystem and section characteristics.
  + Added TLS callback function detection in every PE section.
  + ASLR and DEP identification.
  + PE32+ support. pev can now handle 64-bit executables.
  + Variable number of data directories (no longer fixed at 16).

pev 0.31 - May 11, 2011

  + Added characteristics flags to the COFF output.
  + Added human-readable machine types to the COFF output.
  - Fixed compilation on OS X (Gustavo Roberto).
  - Fixed a compiler warning on 32-bit Linux boxes.

pev 0.30 - February 20, 2011

  * Improved memory use.
  * pev now shows the Product Version with option "-p".
  + Added option "-a" to show all information.
  + Added option "-c" to show the COFF header.
  + Added option "-d" to show the DOS header.
  + Added option "-o" to show the Optional (PE) header.
  + Added option "-s" to show executable sections.

pev 0.22 - January 9, 2011

  ! Does not support PE32+ files.
  ! Plans to read more PE information.
  * Improved Makefile.
  + Added manpage.

pev 0.2 - December 26, 2010

  * Improved search algorithm.
  - Fixed a compilation bug on the MS-Windows platform.

pev 0.1 - December 12, 2010

  Initial release (Eduardo Fernandes, Fernando Mercês, Francivan Bezerra and Thiago Moraes).