2015-12-28 18:26:18 +03:00

v056

- Added new checks
    - IsNativeVhdBoot #46
    - OS uptime check #45
- Added a DNS request trace for each detection #43 (like the file traces, so a detection can be followed from the sandbox's own logs)
- Disabled check_hook_DeleteFileW_m1 because it causes false positives on Windows 8

2015-10-08 20:32:01 +03:00

v055

- Added new checks
    - Neutrino bot Bochs detection #40
    - QEMU detection based on the CPU brand string
    - Bochs detection based on the CPU brand string
    - VMware detection based on the network adapter name
    - Minor refactor of the userland hook detection; added 2 more functions to check
- Added CPU functions to query the Processor Brand String
- Some refactoring, especially in main.c, to make it easier to add new checks

2015-07-12 18:26:26 +03:00

v054

- Added new checks (Hacking Team anti-VM)
    - VirtualBox device identifiers using WMI
    - VMware serial number using WMI
    - Hacking Team's Cuckoo evasion turned into a detection
      (TLS_HOOK_INFO_RETADDR_SPACE address allocation check)
- Fixes
    - Fix #37: warning when building with MinGW on Linux
- Contributors to this release
    - serializingme

2015-06-02 20:42:31 +03:00

v053

- Added new checks
    - Systems with less than 1 GB of memory
    - Wine registry key HKCU\SOFTWARE\Wine
    - VMware pseudo-devices
    - VMware MAC addresses
- Fixes
    - Handle filesystem redirection on x86_64 systems (a 32-bit build on 64-bit Windows is otherwise redirected from System32 to SysWOW64 and misses the 64-bit driver files)
    - Handle registry redirection on x86_64 systems (the same build otherwise reads the Wow6432Node view of HKLM\SOFTWARE)
    - A proper fix for Linux compilation
- Contributors to this release
    - serializingme

2015-05-10 19:50:49 +03:00

v052

- Minor release to add two different NumberOfProcessors-based detections used by the new Dyre malware version:
    - gensandbox_one_cpu()
    - gensandbox_one_cpu_GetSystemInfo()
- Fixes #25 (compilation error on Linux)

2015-04-08 20:37:07 +03:00

v051

- Minor release to add a new detection based on CPU information: checking the difference between CPU timestamp counter (rdtsc) readings taken around an instruction that forces a VM exit
- Build with gcc -O0, because the optimizations broke the low-level functions
- Minor coding style changes

2015-03-20 20:22:03 +03:00

v05

- Added a new set of detections based on CPU information
    - rdtsc timing detection
    - cpuid vendor string
    - cpuid hypervisor bit
- Added a new generic sandbox detection for sample.exe and malware.exe in the root of the drives
- Added a new VirtualBox detection based on SystemBiosDate
- Added more Scsi ports to the VMware check
- Greatly reduced icon size
- Bugfixes
    - Restore CLI colors when finishing
- Code style
    - CFLAGS now includes -Wall -Wextra
    - cppcheck scan
    - With this, lots of code style changes and minor fixes have been done
- Contributors to this release
    - Inaki Rodriguez
    - mlw.re
    - Sanchit Karve
    - Mikael Keri

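The CPU-information checks listed here and in the v051 and v055 entries (cpuid vendor string, cpuid hypervisor bit, Processor Brand String, and rdtsc timing across an instruction that forces a VM exit) share one mechanism, shown below as an added example written for this page. It is not pafish's own cpu.c: the register decoders work on constructed values so they can be run on any host, the live cpuid/rdtsc probes use GCC/Clang inline assembly and <cpuid.h> and compile to stubs on non-x86 builds, the hypervisor signature list and the "QEMU Virtual CPU" substring are the strings those vendors publish, and the 1000-cycle cut-off is a heuristic of mine rather than a pafish constant.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>      /* __cpuid macro (GCC/Clang) */
#define HAVE_X86 1
#else
#define HAVE_X86 0      /* decoders still work; live probes become stubs */
#endif

/* Register image of one cpuid leaf. The decode_* functions only touch this struct,
   so they can be exercised with constructed values on any host. */
typedef struct { uint32_t eax, ebx, ecx, edx; } cpuid_regs;

/* Execute cpuid for a leaf (subleaf 0). Returns 0 with zeroed registers off x86. */
static int cpuid_leaf(uint32_t leaf, cpuid_regs *r) {
    memset(r, 0, sizeof *r);
#if HAVE_X86
    unsigned a, b, c, d;
    __cpuid(leaf, a, b, c, d);
    r->eax = a; r->ebx = b; r->ecx = c; r->edx = d;
    return 1;
#else
    (void)leaf;
    return 0;
#endif
}

/* Pack four ASCII bytes into a little-endian register value (fixture helper). */
static uint32_t pack4(const char s[4]) {
    return (uint32_t)(unsigned char)s[0] | (uint32_t)(unsigned char)s[1] << 8 |
           (uint32_t)(unsigned char)s[2] << 16 | (uint32_t)(unsigned char)s[3] << 24;
}

/* Leaf 0: the 12-byte CPU vendor id is EBX, EDX, ECX in that order. */
static void decode_vendor_id(const cpuid_regs *r, char out[13]) {
    memcpy(out, &r->ebx, 4); memcpy(out + 4, &r->edx, 4); memcpy(out + 8, &r->ecx, 4);
    out[12] = '\0';
}

/* Leaf 0x40000000: the hypervisor vendor id is EBX, ECX, EDX (note the different order). */
static void decode_hv_vendor(const cpuid_regs *r, char out[13]) {
    memcpy(out, &r->ebx, 4); memcpy(out + 4, &r->ecx, 4); memcpy(out + 8, &r->edx, 4);
    out[12] = '\0';
}

/* Leaf 1: ECX bit 31 is the hypervisor-present bit; physical CPUs return 0 there. */
static int decode_hv_bit(const cpuid_regs *leaf1) { return (leaf1->ecx >> 31) & 1u; }

/* Leaves 0x80000002..4: the 48-byte Processor Brand String, EAX..EDX of each leaf. */
static void decode_brand(const cpuid_regs leaf[3], char out[49]) {
    for (int i = 0; i < 3; i++) {
        memcpy(out + 16 * i,     &leaf[i].eax, 4); memcpy(out + 16 * i + 4,  &leaf[i].ebx, 4);
        memcpy(out + 16 * i + 8, &leaf[i].ecx, 4); memcpy(out + 16 * i + 12, &leaf[i].edx, 4);
    }
    out[48] = '\0';
}

/* Hypervisor vendor signatures as published by each vendor. */
static int vendor_is_hypervisor(const char *v) {
    static const char *const known[] = { "VMwareVMware", "KVMKVMKVM", "Microsoft Hv",
                                         "XenVMMXenVMM", "VBoxVBoxVBox" };
    for (size_t i = 0; i < sizeof known / sizeof *known; i++)
        if (strcmp(v, known[i]) == 0) return 1;
    return 0;
}

/* QEMU's default brand string; the Bochs strings are left out of this example. */
static int brand_looks_emulated(const char *brand) {
    return strstr(brand, "QEMU Virtual CPU") != NULL;
}

#if HAVE_X86
/* Volatile asm so the compiler cannot move the reads across the cpuid in between. */
static uint64_t rdtsc_now(void) {
    uint32_t lo, hi;
    __asm__ __volatile__ ("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}
#endif

/* Mean rdtsc delta around cpuid. cpuid is an unconditional VM exit under VT-x/AMD-V,
   so the delta is typically an order of magnitude larger in a guest. Returns 0 off x86. */
static uint64_t rdtsc_cpuid_avg(int samples) {
#if HAVE_X86
    uint64_t total = 0;
    for (int i = 0; i < samples; i++) {
        unsigned a, b, c, d;
        uint64_t t0 = rdtsc_now();
        __cpuid(0, a, b, c, d);
        total += rdtsc_now() - t0;
        (void)a; (void)b; (void)c; (void)d;
    }
    return samples > 0 ? total / (uint64_t)samples : 0;
#else
    (void)samples;
    return 0;
#endif
}

int main(void) {
    cpuid_regs r, brand_regs[3];
    char vendor[13], hv[13], brand[49];
    cpuid_leaf(0, &r);           decode_vendor_id(&r, vendor);
    cpuid_leaf(1, &r);           int hv_bit = decode_hv_bit(&r);
    cpuid_leaf(0x40000000u, &r); decode_hv_vendor(&r, hv);
    for (uint32_t i = 0; i < 3; i++) cpuid_leaf(0x80000002u + i, &brand_regs[i]);
    decode_brand(brand_regs, brand);
    uint64_t cycles = rdtsc_cpuid_avg(1000);   /* 1000-cycle cut-off below is a heuristic */
    printf("vendor=%s hv_bit=%d hv_vendor=\"%s\" brand=\"%s\"\n", vendor, hv_bit, hv, brand);
    printf("rdtsc around cpuid: %llu cycles -> %s\n", (unsigned long long)cycles,
           cycles > 1000 ? "hypervisor likely" : "bare metal likely");
    return hv_bit || vendor_is_hypervisor(hv) || brand_looks_emulated(brand);
}
```

Build with `gcc -O0` as the v051 entry recommends; at higher optimization levels the compiler may hoist work around the timing loop and the rdtsc numbers stop meaning anything. Run a few hundred samples and compare against a bare-metal baseline for the same CPU before settling on a threshold, since the leaf-0x40000000 and hypervisor-bit checks are trivially masked by a hypervisor that wants to hide, while the timing check is much harder to fake.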
2015-01-01 20:27:39 +03:00

v04

- Added new VirtualBox detections and system traces
    - HKLM\HARDWARE\ACPI\DSDT\VBOX__
    - HKLM\HARDWARE\ACPI\FADT\VBOX__
    - HKLM\HARDWARE\ACPI\RSDT\VBOX__
    - HKLM\SYSTEM\ControlSet001\Services\VBox*
    - C:\WINDOWS\system32\drivers\VBox*
    - C:\WINDOWS\system32\vbox*
    - C:\program files\oracle\virtualbox guest additions\
    - MAC address starting with 08:00:27
    - Pseudo-devices (VBoxMiniRdrDN, VBoxTrayIPC)
    - VBoxTray windows
    - VBox network share
    - VBox processes (vboxservice.exe, vboxtray.exe)
- Added GetTickCount() sleep patching detection
- Added a new way to get the disk size (GetDiskFreeSpaceExA)

Developers:
- Build system migrated to pure MinGW (make + gcc) + windres for resources
- utils.c now contains the repetitive functions
- TRUE and FALSE types defined in types.h, no more confusion when returning

Contributions:
- Thanks to Thorsten Sick (https://github.com/Thorsten-Sick) for his valuable contributions; most of this release is thanks to him.

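An added example (my code, not pafish's) that turns the VirtualBox MAC prefix in the list above and the VMware MAC check from v053 into a testable OUI classifier and, under _WIN32, sweeps the adapters with GetAdaptersInfo and probes a few of the VBox* files and registry keys with WOW64 redirection handled the way the v053 fixes describe. The VMware OUIs are the ones VMware publishes for guest adapters; the specific file and key names are my examples of the VBox* globs above, and the sample address in main() is constructed.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <iphlpapi.h>   /* GetAdaptersInfo; link with -liphlpapi */
#endif

/* Virtual-NIC OUIs: 08:00:27 is VirtualBox's; the rest are VMware's guest-adapter OUIs. */
typedef struct { uint8_t oui[3]; const char *vendor; } oui_entry;
static const oui_entry known_ouis[] = {
    { { 0x08, 0x00, 0x27 }, "VirtualBox" },
    { { 0x00, 0x05, 0x69 }, "VMware" }, { { 0x00, 0x0C, 0x29 }, "VMware" },
    { { 0x00, 0x1C, 0x14 }, "VMware" }, { { 0x00, 0x50, 0x56 }, "VMware" },
};

/* Vendor for a MAC whose first three bytes are in the table, or NULL if unknown. */
static const char *mac_vendor_hint(const uint8_t mac[6]) {
    for (size_t i = 0; i < sizeof known_ouis / sizeof *known_ouis; i++)
        if (memcmp(mac, known_ouis[i].oui, 3) == 0) return known_ouis[i].vendor;
    return NULL;
}

/* Parse "08:00:27:1a:2b:3c" or "08-00-27-1A-2B-3C" into 6 bytes. Returns 1 on success. */
static int parse_mac(const char *s, uint8_t mac[6]) {
    for (int i = 0; i < 6; i++) {
        if (!isxdigit((unsigned char)s[0]) || !isxdigit((unsigned char)s[1])) return 0;
        char hex[3] = { s[0], s[1], '\0' };
        mac[i] = (uint8_t)strtoul(hex, NULL, 16);
        s += 2;
        if (i < 5) {
            if (*s != ':' && *s != '-') return 0;
            s++;
        }
    }
    return *s == '\0';   /* reject trailing garbage such as a seventh octet */
}

#ifdef _WIN32
/* A 32-bit build on 64-bit Windows is redirected from System32 to SysWOW64, so the
   64-bit VBox* drivers are invisible unless redirection is switched off around the probe. */
static int file_exists_no_redirect(const char *path) {
    PVOID old = NULL;
    BOOL disabled = Wow64DisableWow64FsRedirection(&old);   /* fails harmlessly off WOW64 */
    DWORD attr = GetFileAttributesA(path);
    if (disabled) Wow64RevertWow64FsRedirection(old);
    return attr != INVALID_FILE_ATTRIBUTES;
}

/* KEY_WOW64_64KEY reads the native registry view instead of the Wow6432Node one. */
static int regkey_exists_64(const char *sub) {
    HKEY h;
    if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, sub, 0, KEY_READ | KEY_WOW64_64KEY, &h) != ERROR_SUCCESS)
        return 0;
    RegCloseKey(h);
    return 1;
}

/* Live sweep: adapter OUIs plus concrete instances of the VBox* globs. Returns hit count. */
static int sweep_vbox(void) {
    static const char *const files[] = { "C:\\Windows\\System32\\drivers\\VBoxGuest.sys",
                                         "C:\\Windows\\System32\\drivers\\VBoxMouse.sys" };
    static const char *const keys[]  = { "HARDWARE\\ACPI\\DSDT\\VBOX__",
                                         "SYSTEM\\ControlSet001\\Services\\VBoxGuest" };
    int hits = 0;
    ULONG len = 0;
    if (GetAdaptersInfo(NULL, &len) == ERROR_BUFFER_OVERFLOW) {
        IP_ADAPTER_INFO *info = malloc(len);
        if (info && GetAdaptersInfo(info, &len) == NO_ERROR)
            for (IP_ADAPTER_INFO *a = info; a; a = a->Next) {
                const char *v = a->AddressLength == 6 ? mac_vendor_hint(a->Address) : NULL;
                if (v) { printf("adapter \"%s\": %s OUI\n", a->Description, v); hits++; }
            }
        free(info);
    }
    for (size_t i = 0; i < 2; i++) {
        if (file_exists_no_redirect(files[i])) { printf("file: %s\n", files[i]); hits++; }
        if (regkey_exists_64(keys[i]))         { printf("key:  HKLM\\%s\n", keys[i]); hits++; }
    }
    return hits;
}
#endif

int main(void) {
    const char *sample = "08:00:27:1a:2b:3c";   /* constructed, not captured from a host */
    uint8_t mac[6];
    if (parse_mac(sample, mac)) {
        const char *v = mac_vendor_hint(mac);
        printf("%s -> %s\n", sample, v ? v : "no known VM OUI");
    }
#ifdef _WIN32
    printf("live VirtualBox artifacts: %d\n", sweep_vbox());
#endif
    return 0;
}
```

Two practical notes: the OUI table is only a hint, because the MAC of a VirtualBox or VMware NIC can be changed from the VM settings, and a sandbox that patches the prefix will pass this check while still failing the file and registry probes; and if the binary is a 32-bit build, the WOW64 handling is what makes the file and registry probes see the same artifacts a 64-bit build would.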
2014-01-01 17:00:09 +04:00

v03

- Added disk size < 50 GB detection trick
- Added ring3 hooks detection trick
- Files created when detections match are more accurate now
- Sleep time in the lack-of-mouse-activity detection increased to 1750 ms

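The ring3 (userland) hook detection introduced here, refactored in v055 and tuned for a false positive in v056, comes down to reading the first bytes of an exported API and matching them against the trampoline prologues hook engines write. Below is an added example that is my code, not pafish's hooks.c: the prologue table is mine, the Windows part (GetModuleHandleA/GetProcAddress over kernel32) only compiles under _WIN32, and the rest runs on constructed byte strings.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Trampoline prologues that userland hook engines write over an API's first bytes.
   This table is mine, not pafish's; extend it for the engine you are hunting. */
static const char *classify_prologue(const uint8_t *p, size_t n) {
    if (n >= 5  && p[0] == 0xE9)                                 return "jmp rel32";
    if (n >= 2  && p[0] == 0xEB)                                 return "jmp rel8 (hot-patch slot)";
    if (n >= 6  && p[0] == 0xFF && p[1] == 0x25)                 return "jmp [mem]";
    if (n >= 6  && p[0] == 0x68 && p[5] == 0xC3)                 return "push imm32; ret";
    if (n >= 7  && p[0] == 0xB8 && p[5] == 0xFF && p[6] == 0xE0) return "mov eax, imm32; jmp eax";
    if (n >= 12 && p[0] == 0x48 && p[1] == 0xB8 && p[10] == 0xFF && p[11] == 0xE0)
        return "mov rax, imm64; jmp rax";
    return NULL;   /* nothing recognised, e.g. the stock 8B FF 55 8B EC x86 prologue */
}

#ifdef _WIN32
/* Read the first 16 bytes of a live export and classify them. The caveat behind the v056
   entry: on Windows 8 and later many kernel32 exports are thin stubs that jump into
   KernelBase.dll, so a leading jmp alone is not proof of a hook; confirm against a clean
   copy of the DLL mapped from disk before acting on it. */
static const char *check_export(const char *module, const char *name) {
    HMODULE m = GetModuleHandleA(module);
    FARPROC f = m ? GetProcAddress(m, name) : NULL;
    uint8_t buf[16];
    if (!f) return "unresolved";
    memcpy(buf, (const void *)f, sizeof buf);
    const char *hit = classify_prologue(buf, sizeof buf);
    return hit ? hit : "clean";
}
#endif

int main(void) {
    /* Constructed prologues, not bytes read from a real DLL. */
    const uint8_t clean_x86[]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };                  /* mov edi,edi; push ebp; mov ebp,esp */
    const uint8_t hooked_x64[] = { 0x48, 0xB8, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0xE0 }; /* mov rax,imm64; jmp rax */
    const char *r1 = classify_prologue(clean_x86, sizeof clean_x86);
    const char *r2 = classify_prologue(hooked_x64, sizeof hooked_x64);
    printf("clean_x86:  %s\nhooked_x64: %s\n", r1 ? r1 : "clean", r2 ? r2 : "clean");
#ifdef _WIN32
    const char *names[] = { "DeleteFileW", "CreateProcessW", "Sleep" };
    for (size_t i = 0; i < sizeof names / sizeof *names; i++)
        printf("kernel32!%s: %s\n", names[i], check_export("kernel32.dll", names[i]));
#endif
    return 0;
}
```

The short-jump case exists because Windows hot-patching overwrites the `mov edi, edi` slot with `EB F9` and places the real `jmp rel32` in the padding before the function, so a scanner that only looks for `E9` at the export address misses that style of hook. The flip side is the false-positive problem the v056 entry records: a `jmp` at an export can be a legitimate forwarder, which is why comparing against a pristine on-disk copy is the safer confirmation step.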
2013-06-09 22:21:01 +04:00

v025

- New color scheme
- Added file creation traces on detection, so detections can be followed
- Added one new detection for VirtualBox

2013-02-24 01:18:28 +04:00

v024

- From now on, official pafish executables will be signed; see the readme for more information

2013-02-10 23:19:04 +04:00

v023

- Added two new detections for generic sandboxes (username, file path)
- Added one new detection for VMware (driver file)
- Added one new detection for QEMU (registry key)

2012-12-06 17:01:02 +04:00

v022

- Added one new detection for QEMU

2012-10-28 21:41:38 +04:00

v02

- pafish now writes a log file (pafish.log) to easily track detections
- Deleted one dummy detection for Sandboxie
- Added two new detections for VirtualBox
- Added one new detection for Wine
- Added three new detections for VMware
- Added one new detection for generic sandboxes
- Some coding style improvements
- gcc optimization flag in compilation: -O1

v01

- First version