All notable changes to this project will be documented in this file.
3.14.0 - 2024-05-29
- Added `secret` and `key_derivation` fields to `EncryptionKey` metadata for storing KDF information.
- `construct` utility:
  - Added `RegexSearch` and `RegexMatch` helpers.
  - Added ability to embed constructs using `*` unpacking.
- All pefileutils functions that are meant to return lists now return empty lists when empty instead of `None`.
- The temporary directory created by `FileObject.temp_path()` will not be deleted if `keep` is set to True or the `--keep-tmp` command line flag is used. The last directory created will be symbolically linked to `mwcp_current`.
- Relaxed `construct` version requirement to support 2.9 or 2.10.
- Dropped support for Python 3.8.
3.13.1 - 2023-11-29
- Catch OSError from DateTime related constructs and raise as ConstructError.
- `FileObject` objects now also accept bytearrays for the `file_data` field.
- Fixed bug causing files to be unprocessed when using yara recursion with a dispatched file with a modified parent. (#40)
3.13.0 - 2023-07-17
- Added `cwd` to `Command` metadata object.
- Added `ScheduledTask` metadata object. (#38)
- Added `--cov` flag to `mwcp test` command for enabling code coverage for parsers. (see documentation)
- Improved handling of STIX results for `Network` objects.
- The `dc3:ISO` parser has been updated to handle ISO 9660 `UDF`, `Joliet`, and `Rock Ridge` extensions.
  - Consequently, the `isoparser` dependency has been replaced with `pycdlib`.
3.12.0 - 2023-04-20
- Updated schema:
  - `URL2` and `Socket2` objects replace `URL` and `Socket` objects.
  - New `Network` object contains `URL2`, `Socket2` and `Credential`.
  - `URL2` objects no longer contain `socket` or `credential` fields. This behavior is deprecated and is meant for the `Network` object.
  - `Socket2` objects no longer contain a `c2` field. Instead, `c2` must be added as a tag to the `Socket2` or `URL2`.
  - `C2SocketAddress`, `C2Address`, and `C2URL` automatically add the `c2` tag to the relevant `Socket2` or `URL2`.
- Improved STIX output for modified objects.
- Fixed issue with web server not providing a proper json response when STIX output is enabled.
- Fixed report display when a nested element contains a tag.
3.11.0 - 2023-02-21
- Added ability to provide external knowledge_base information. (see documentation)
- Configuration will now be validated on startup.
- Added better failure message when running a recursive test case without a YARA repo setup.
- `Dispatcher.knowledge_base` has been moved to `Report.knowledge_base`. The original location is deprecated and will eventually be removed.
- `Report.as_stix()` no longer requires a writer and will now return serialized JSON results.
  - Please use `Report.write_stix()` for original functionality.
- `mwcp config` CLI command will now still work even if the config file is invalid.
- `--yara-repo` flag will now properly be read when running a test.
- Fixed memory leak issues due to lingering report references.
3.10.1 - 2023-02-03
- `packaging` dependency.
- Use `packaging.version` for version comparison with test results.
3.10.0 - 2023-01-25
- Added `.with_encoding()` function on `EncryptionKey` metadata elements for telling MWCP how to display encryption keys in the text report.
- Improved handling of displaying decodable encryption keys.
- YaraRunner will now skip compiling rule files without 'mwcp' meta defined.
- Parser test cases can now be added or updated with recursive YARA matching by adding the `--recursive` flag to the `mwcp test` command.
- Fixed IDA project file not being output for 64-bit samples.
- Fixed issue with duplicate residual files when using recursive YARA matching.
- Fixed memory leak that occurs when processing multiple runs subsequently in the same process.
3.9.0 - 2022-11-22
- Added `FileObject.ext` property for getting and setting the file's extension.
- Added builtin parsers.
- Added YARA matching capability to automatically determine which parser(s) to run. (see documentation)
- Improved aliasing in parser configuration file.
  - Aliases can now be used for pointing to individual parser components. (e.g. `PDF: .Document`) This helps to avoid the need to create parser groups just for pointing to a single parser component.
  - External pointers are no longer limited to just inside parser groups. Aliases can now also point to external parsers. (e.g. `DecoyDOC: dc3:Decoy.DOC`)
- Removed legacy `mwcp.Reporter` object.
- Removed `cleanup_temp_files` option from `mwcp.Runner` object.
- Removed `temp_directory` option from `mwcp.Runner` object.
- Removed deprecated components from `mwcp.Runner` (these components should be pulled from the generated Report object instead):
  - `.managed_tempdir`
  - `.add_metadata()`
  - `.input_file`
  - `.metadata`
  - `.output_file()`
  - `.errors`
  - `.run_parser()`
  - `.print_report()`
  - `.get_output_text()`
  - `.fields`
- Removed deprecated `.managed_tempdir` from `mwcp.Report` object.
- Removed `--cleanup` CLI flag.
3.8.0 - 2022-09-14
- Added `Report.strings()` convenience function for obtaining reported decoded strings.
- Added option to produce external string reports for decoded strings instead of being included in the main report.
  - Reports will be added as supplemental files with original name suffixed with `_strings.json` and `_strings.txt`.
  - Use the `--string-report` flag to enable this in the CLI tool.
  - Use the `external_strings` field to enable this in the server.
- `DecodedString` metadata is now included in legacy report output.
- Fixed issue with `Path2.from_segments()` ignoring previous segments when another segment starts with a slash.
- Fixed issue with throwing of `UnableToParse` sometimes causing the residual file not to be reported.
- Files for which a parser throws an `UnableToParse` and end up not getting identified by any other parsers will now appropriately be identified as "Unidentified file". (NOTE: This change may cause previous test cases to fail.)
- Fixed bug with `Report.get()` and `Report.iter()` returning elements that don't match requested type.
- Fixed bug in STIX output when a parser added a tag to a piece of metadata that translated to an observed-string.
3.7.0 - 2022-06-28
- STIX 2.1 output format that includes three SCO extensions and one property extension. This generates a STIX package containing the results of the full analysis.
  - SCO Extensions
    - observed-string
    - crypto-currency-address
    - symmetric-encryption
  - Property Extensions
    - extension-definition--b84c95f5-d48d-4e4a-b723-7d209a02deb9 -- RSA Private key extension for x509-certificate
- Added `Path2` metadata element which simplifies fields from `Path` and better supports non-Windows paths.
  - `name` and `directory_path` are removed in favor of just having a `path` element.
  - Added `posix` field to indicate if path is Posix or Windows based.
  - Added `.from_segments()` and `.from_pathlib_path()` constructors.
- Added `derivation` field to `FileObject` object and `File` metadata element.
- Added `FileObject.disassembly()` function for obtaining Dragodis disassembler.
- AttributeError that can occur during testing if a Registry without a path was reported.
- Disables skipping recursive files to avoid a breaking bug with greedy parsers.
  - This is temporary until a proper fix can be implemented.
- Fixed issue with process stalling when integer is provided in a bytes metadata field.
- `Path` is deprecated in favor of `Path2`.
  - NOTE: Once deprecations are removed, `Path2` will be renamed back to `Path`.
3.6.2 - 2022-04-04
- config.load now accepts file_path as a string or pathlib.Path (@rhartig-ct)
  - In 3.6.1 config.load was updated to take pathlib.Path, but mwcp.tools.server still used string.
3.6.1 - 2022-03-28
- AttributeError that can occur during testing if a Registry without a path was reported.
- Disables skipping recursive files to avoid a breaking bug with greedy parsers.
  - This is temporary until a proper fix can be implemented.
3.6.0 - 2022-03-23
- `Command` metadata element.
- `CryptoAddress` metadata element.
- `Report.add_tag()` which allows adding tags to the report itself.
- Added ability to include `TAGS` attribute in `Parser` classes.
- Added ability to include direct aliases in parser config by simply providing the name. (e.g. `FooAlias: Foo`)
- Added `.from_PEM()`, `.from_DER()`, `.from_BLOB()`, and `.from_XML()` construction methods for `RSAPublicKey` and `RSAPrivateKey` metadata elements.
- Added `Registry2` metadata element which includes the following changes from `Registry`:
  - `path` attribute has been removed.
  - `key` attribute has been renamed to `subkey` and no longer includes the root hive key.
  - `hive` attribute has been added which is cast to a `metadata.RegistryHive` enum type.
    - `hive` will automatically be extracted if not provided but included in `subkey`.
  - `data_type` attribute has been added, which is a `metadata.RegistryDataType` enum type.
    - `data_type` will automatically be inferred from the data type of `data` if not provided.
  - Added a `.from_path()` constructor to generate an entry from a full path.
- Added `mwcp download` CLI command to download sample files from the malware repo.
  - Includes `--last-failed` flag to download samples from previously failed tests.
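The hive/subkey split and data-type inference that the `Registry2` entry above describes, as an added example that is not part of this changelog or of the mwcp package: a stand-alone Python re-implementation so the rules can be exercised without mwcp installed. `RegistryHive`, `RegistryDataType`, `Registry2`, `split_hive`, `infer_data_type` and the sample key are assumptions modelled on the wording above, not the real `mwcp.metadata` API; it goes slightly beyond the text by accepting both the long (`HKEY_LOCAL_MACHINE`) and short (`HKLM`) hive spellings and forward slashes as separators.

```python
# Added example, not code from the MWCP changelog or the mwcp package: a
# stand-alone re-implementation of the normalisation described for the
# Registry2 element (root hive split off the subkey, data_type inferred from
# data). Every name below is an assumption modelled on the changelog text.
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Union


class RegistryHive(Enum):
    """Root hives, keyed by their long name (assumed subset)."""
    HKLM = "HKEY_LOCAL_MACHINE"
    HKCU = "HKEY_CURRENT_USER"
    HKCR = "HKEY_CLASSES_ROOT"
    HKU = "HKEY_USERS"
    HKCC = "HKEY_CURRENT_CONFIG"


# Accept both the long ("HKEY_LOCAL_MACHINE") and short ("HKLM") spellings.
_HIVE_ALIASES = {h.value: h for h in RegistryHive}
_HIVE_ALIASES.update({h.name: h for h in RegistryHive})


class RegistryDataType(Enum):
    """Windows value types that can be inferred from a Python object (assumed subset)."""
    REG_SZ = "REG_SZ"
    REG_BINARY = "REG_BINARY"
    REG_DWORD = "REG_DWORD"


def split_hive(key: str):
    """Return (hive, subkey): strip a leading root hive if one is present.

    Backslash and forward slash are both accepted as separators; a key with
    no recognised root hive is returned unchanged with hive=None.
    """
    key = key.replace("/", "\\").strip("\\")
    root, _, rest = key.partition("\\")
    hive = _HIVE_ALIASES.get(root.upper())
    if hive is None:
        return None, key
    return hive, rest or None


def infer_data_type(data) -> RegistryDataType:
    """Map the Python type of `data` onto a registry value type."""
    if isinstance(data, bool):
        raise TypeError("booleans are ambiguous; pass an int or str instead")
    if isinstance(data, int):
        return RegistryDataType.REG_DWORD
    if isinstance(data, bytes):
        return RegistryDataType.REG_BINARY
    if isinstance(data, str):
        return RegistryDataType.REG_SZ
    raise TypeError(f"cannot infer registry data type for {type(data).__name__}")


@dataclass
class Registry2:
    """Registry value as the changelog describes it: hive + subkey + value + data."""
    subkey: Optional[str] = None
    value: Optional[str] = None
    data: Union[str, bytes, int, None] = None
    hive: Optional[RegistryHive] = None
    data_type: Optional[RegistryDataType] = None

    def __post_init__(self):
        # hive is extracted automatically when it was left inside subkey.
        if self.hive is None and self.subkey:
            self.hive, self.subkey = split_hive(self.subkey)
        # data_type is inferred from data when not given explicitly.
        if self.data_type is None and self.data is not None:
            self.data_type = infer_data_type(self.data)

    @classmethod
    def from_path(cls, path: str, value=None, data=None) -> "Registry2":
        """Build an entry from a full key path such as 'HKLM\\Software\\...'."""
        hive, subkey = split_hive(path)
        return cls(subkey=subkey, value=value, data=data, hive=hive)

    def full_key(self) -> str:
        """Re-join hive and subkey for display, e.g. in a report table."""
        parts = [self.hive.value] if self.hive else []
        if self.subkey:
            parts.append(self.subkey)
        return "\\".join(parts)


if __name__ == "__main__":
    # Constructed sample: a Run key as a config parser might report it.
    entry = Registry2.from_path(
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
        value="Updater", data=r"C:\Users\Public\updater.exe",
    )
    print(entry.hive, entry.subkey, entry.data_type, entry.full_key())
```

Passing `data_type` explicitly wins over inference, and passing `hive` explicitly wins over extraction, so a parser that already knows the type (for example a `REG_BINARY` value that happens to decode as text) is not second-guessed.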
- Enable construct Adapters for `EpochTime`, `SystemTime`, and `FileTime` to accept a timezone, and add default helpers for UTC. (@ddash-ct)
- Renamed `Dispatcher.add_to_queue()` to `Dispatcher.add()`.
- Added full parameters to `C2URL` metadata function to match `URL`.
- Updated `mwcp test` CLI command:
  - Condensed diff and removed extraneous information for failed test reports.
  - Added `--full-diff` flag to get the full diff.
  - Added `--last-failed` flag to rerun only previously failed test cases.
    - Can also be combined with `--update` flag to update only previously failed tests.
- Fixed issue with `Version` table in text report stripping off 0's.
- Added detection of recursive loop parsing the same file.
  - Duplicate files will automatically be tagged with `duplicate` and not be parsed.
  - If a parser dispatches the file it is currently processing, it will now be ignored.
- `Dispatcher.add_to_queue()` is deprecated in favor of `Dispatcher.add()`.
- `Registry` is deprecated in favor of `Registry2`.
  - NOTE: Once deprecations are removed, `Registry2` will be renamed back to `Registry`.
3.5.0 - 2022-01-11
- Added `--command` flag to `mwcp test`. This flag will provide the user with a printout of the pytest command that would be run given the other options provided in the command line.
- The `--no-legacy` flag is now set by default for `mwcp parse` and `mwcp test` commands.
  - If you still need to use legacy testing or parse results, you must now explicitly include the `--legacy` flag.
  - This does not affect the web service tool. For now, legacy mode is still set as default.
- Updated the `Other` metadata element to accept string, bytes, integers, or booleans as values.
  - Also, added new field `value_format` to show the data type of the value. This helps to avoid any ambiguities in json results.
- The "Tags" column in the generated report won't be shown if there are no tags in the table.
- Fixed UnicodeDecodeError that can occur when printing a report with nested metadata elements. (#31)
- Include missing "Mode" column from EncryptionKey report tables.
- Fixed rendering for values with line breaks in the HTML report output.
- Removed obfuscated powershell examples from poshdeob causing a VT hit. (#32)
3.4.0 - 2021-10-06
- Added a formal schema for (non-legacy) JSON report output which can be found in schema.json.
- Added `mwcp schema` CLI command to generate the current schema.
- Added documentation on how to create your own custom reportable metadata element.
- Updated server dependencies.
- The `input_file` and `residual_file` metadata types are now both referred to as `file`.
- Legacy versions of `uuid` and `interval` metadata types are now typed as `uuid_legacy` and `interval_legacy` respectively. This was done to ensure a proper schema can be generated.
- Updated testing utility to ensure test cases older than 3.3.3 handle changes accordingly.
- Updated the regular expression in the `URL` metadata object allowing it to succeed with an optional scheme.
- `URL` metadata object no longer defaults the network protocol to `tcp` for embedded `socket`.
- Fixed `EncryptionKey` report formatting to display text representation when key is printable (not just ascii).
- The `--testcase-dir` flag when running `mwcp test` in non-legacy mode will now handle any directory structure.
3.3.2 - 2021-07-19
- Added `mode` attribute for EncryptionKey to report on block cipher mode.
  - Updated testing utility to ensure test cases older than 3.3.2 ignore this new property.
- Added word wrap for long fields in a generated report.
- Switched "html" report output format to be consistent with "simple" and "markdown" formats.
- Improved display formatting for EncryptionKey, RSAPrivateKey, and RSAPublicKey.
- Fixed test case path for `foo` parser, changed to a path which will always exist since input file is irrelevant. (@ddash-ct)
- Fixed issue with results in the new metadata style not being deduplicated across file sources.
- Split report results are now correctly ordered by processing order.
- Fixed issue with running `mwcp test -u` command to update all legacy parser tests.
- Fixed bug with differently ordered tags causing test cases to fail.
- Removed unused `split` argument in `Report` initialization.
3.3.1 - 2021-06-28
- Added support for providing a custom logging filter when running a parser.
- Updated `poshdeob` utility to work with the latest version of pyparsing.
  - Removed version pinning for pyparsing dependency.
- Fixed "can't set attribute" error occurring when using web server.
3.3.0 - 2021-06-10
NOTE: This release may require updating setuptools to successfully install.
- Added `mwcp.run()` as a shortcut for running a parser and getting back its results. (See documentation)
- Added ability to provide a `mwcp.Parser` class directly to `mwcp.run()`. This is helpful for quick one-off scripting.
- Added `--split` option within the `mwcp parse` command, which changes the report to display metadata split by originating file instead of all being consolidated with the initial input file. (This option is only available when `--no-legacy` is enabled.)
- The `Report` class now includes the following output options for programmatically rendering results in different formats:
  - `.as_text()` - Renders sectioned tables of results in a simple text format (this is the default format when using the command line).
  - `.as_markdown()` - Renders sectioned tables of results in markdown.
  - `.as_html()` - Renders a flat table of results in html.
  - `.as_csv()` - Renders a flat table of results in csv.
  - `.as_dataframe()` - Produces a flat table of results in a pandas dataframe.
  - `.file_tree()` - Renders an ascii tree representing the hierarchy of residual files.
- Added ability to add tags to metadata elements. (See documentation)
- Added DecodedString metadata element.
- Added `.compile_time` attribute to `FileObject`.
- Added `.architecture` attribute to `FileObject`.
- Added ability to pass results from `Parser.identify()` into the `Parser.run()` function. (See documentation)
- MWCP version can now be accessed from `mwcp.__version__`.
- Updated metadata mechanism to an object-oriented approach. (See documentation)
- `mwcp.Reporter` has been replaced with `mwcp.Runner`. (However, using `mwcp.run()` is now recommended.)
- Updated json and text report output.
  - NOTE: To keep backwards compatibility, the schema for the original json output is provided by default. To enable the new schema, you must provide the `--no-legacy` flag in the command line.
- `FileObject.data` (and `FileObject.file_data`) has been set to a read-only attribute.
- Updated parser testing to support the new metadata schema. To use, provide the `--no-legacy` flag to the `mwcp test` command.
  - Created a new command line tool `mwcp_update_legacy_tests` to update your existing test cases to use the new metadata schema. (See documentation)
  - New parser test cases now use pytest.
- Updated text report display and added markdown and html formats.
  - Also added file tree display at the end of the report (for some formats).
- Updated csv output.
- Results from `Parser.identify()` are now cached to prevent repeated processing of the same file.
- `FileObject.file_path` is planned to be changed to only be a non-None value if the `FileObject` instance is backed by a real file on the file system.
  - The creation of a temporary file path has been moved to `.temp_path()`.
- Adding metadata is now done using objects found in `mwcp.metadata`. The key/value approach is deprecated and support will be removed in a future major release.
- `mwcp.Reporter` object is deprecated in favor of using either `mwcp.Runner` or `mwcp.run()`.
  - The `self.reporter` attribute in a parser has been renamed to `self.report` and is now a `mwcp.Report` object.
    - Interface is currently the same as `mwcp.Reporter`, so your code shouldn't break except for in extreme corner cases.
- The `.metadata` attribute in `mwcp.Reporter` (now called `mwcp.Report`) is deprecated in favor of using `.as_dict()`.
  - WARNING: A best attempt was done to keep the results of the `.metadata` attribute the same. However, due to new validation and type coercion mechanisms, you may run into corner cases where the results are slightly different, causing your parser test to fail.
- The json schema as described in fields.txt is deprecated in favor of the schema described in `mwcp.metadata`.
- Providing a "reporter" argument to `FileObject.__init__()` is deprecated.
- `FileObject.output()` and `Reporter.output_file()` are deprecated in favor of adding a `mwcp.metadata.ResidualFile` object to `Report.add()`.
- Using `FileObject.file_path` to get a temporary file path is deprecated in favor of using `.temp_path()`, which is now a context manager.
  - (This change is to ensure we have more guaranteed cleanup of temporary files.)
- `Reporter.managed_tempdir` is deprecated. Instead, the developer should properly create and destroy a temporary directory themselves using Python's builtin library. However, it is best to use `FileObject.temp_path()` or reevaluate if there is a way parsing can be accomplished without writing out a file to the file system if possible.
- The `-i` flag is no longer supported. Input file information will now always be provided (with the exception of legacy JSON output).
- Using a `FileObject` instance in a `with` statement directly to get a file stream is now deprecated. Please use `FileObject.open()` instead.
- `FileObject.file_data` is deprecated in favor of `FileObject.data`.
- `FileObject.file_name` is deprecated in favor of `FileObject.name`.
3.2.1 - 2020-11-03
- Added source argument to Dispatcher initialization to comply with new method signature
3.2.0 - 2020-10-30
- Updated `IMAGE_OPTIONAL_HEADER` to support 64-bit and added missing `DllCharacteristics` flags. (@ddash-ct)
- Updated `IMAGE_FILE_HEADER.SizeOfOptionalHeader` to enable leveraging `sizeof()`. (@ddash-ct)
- Changed log messages for file identification and misidentification to update phrasing for parsing groups vs parsing components. (@ddash-ct)
- Added support for importing external parser components/groups within a parser configuration. (See documentation)
- Added support for providing run configuration options to `FileObject.run_kordesii_decoder()` which will be passed along to `kordesii.run_ida()` when calling IDA. (This allows you to provide the new `is_64bit` option if necessary.)
- Fixed glob pattern in Techanarchy wrapper. (@cccs-aa)
- Fixed misspelling of "Characteristics" in `IMAGE_IMPORT_DESCRIPTOR`. (@ddash-ct)
- Fixed infinite loop that can be caused due to a sub-parser throwing an `UnableToParse` exception. (@ddash-ct)
- Fixed bug in construct.Base64 adapter for build with unicode encoding types. (@ddash-ct)
- General fixes to improve support when running under Linux.
  - Changed log configuration to use the log directory reported by `appdirs` instead of `%LOCALAPPDATA%`.
- Fixed build issue in `pecon` and added option for setting architecture to 64 bit.
3.1.0 - 2020-06-05
- Added `children` and `siblings` attributes to `FileObject` class.
- Added `--prefix/--no-prefix` command line flag allowing the removal of the first 5 characters of the md5 prefixed on output files.
  - WARNING: If disabled, unique files with the same file name will be overwritten.
- Removed deprecated `requirements.txt` file.
3.0.1 - 2020-05-01
- Setup fixes for PyPi deployment.
- Remove deprecated `decoderdir` variable from `file_object.run_kordesii_decoder()` and add `kordesii.register_entry_points()`.
3.0.0 - 2020-02-20
- Dropped support for Python 2.
- Removed previously deprecated components:
  - Support for reading configuration from environment variables: `MWCP_PARSER_DIR`, `MWCP_PARSER_CONFIG`, `MWCP_PARSER_SOURCE`, `MWCP_TESTCASE_DIR`, `MWCP_MALWARE_REPO`
  - `report_tempfile()` in `Reporter` class
  - `mwcp-tool`, `mwcp-client`, `mwcp-server`, and `mwcp-test` command line tools
2.2.0 - 2020-01-15
NOTE: This is the last version to support Python 2. The next release will only support Python 3.
- Added `--force` flag to `Tester` for adding or updating testcases to ignore errors if set. (@ddash-ct)
- Added `embedded` option that can be set in the parser configuration. (See documentation)
- `pefileutils.obtain_export_list` would contain a `null` entry as the last item in the list for any file.
- Errors that occur while importing a parser are no longer silenced.
- Recursive loops in the parser configuration are now detected and cause an error.
2.1.0 - 2019-09-10
- Simple HTML interface with mwcp server.
- The `outputfiles` attribute in `mwcp.Reporter` has been removed. Instead, the output file path will be returned by `output_file()`.
- All output filenames now include the first 5 digits of its MD5 and are converted to file system safe names.
- Configuration is now set using a yaml file located within the user's profile directory.
  - This file can be modified by running `mwcp config`.
- Input file paths in test cases now support environment variable expansion.
- Input file paths in test cases can include `{MALWARE_REPO}` which will be replaced by the currently set malware repository path.
- Using `mwcp test Foo --add=...` to add a file that already exists in the test cases will no longer cause the test case to be updated. This must be explicitly allowed by also adding the `--update` flag.
- Added `mwcp serve` command to run mwcp server.
- mwcp server is now implemented with Flask instead of Bottle.
  - If using the server as a WSGI app, the app instance must be created with the factory function `mwcp.tools.server.create_app()`.
- Setting configuration using environment variables is deprecated. Please use the configuration file instead.
- Removed support for adding a prefix to output files.
2.0.3 - 2019-06-20
- Updated pefileutils to support pefile version 2018.4.18
- Pinned pyparsing dependency to 2.3.0 to avoid breaking poshdeob.
2.0.2 - 2019-04-10
- Moved output files to a folder named '{input filename}_mwcp_output' when running `mwcp parse`.
  - This prevents output files from being overwritten when running multiple input files.
- Pinned kordesii dependency to 1.4.0 or greater.
- Fixed bug with using old "enableidalog" parameter when running kordesii parsers.
- Fixed tuple error when attempting to use the `--add-filelist` option in `mwcp test`.
- `Reporter.report_tempfile()` is deprecated. Use `FileObject.output()` instead.
2.0.1 - 2019-03-15
- Added caching of kordesii results.
- `mwcp test` can now accept more than one parser.
- Fixed up dispatcher logic to properly work with sub parser groups.
- Fixed missing dispatcher issue when running a single parser directly from command line.
- Fixed up unicode string handling in Reporter.
- Fixed handling of optional capture groups for `Regex` construct helper.
2.0.0 - 2019-02-11
- `sha1` and `sha256` attributes in FileObject class.
- Created a new command line tool called `mwcp` which encompasses parsing and testing in one tool.
  - This tool simplifies and cleans up the old CLI flags and uses subcommands for better organization.
- `--parser-config` flag to specify location of a parser configuration file for a custom parser directory.
- Ability to set a parser source with `--parser-source` flag.
- Streamlined the wrapper for TechAnarchy parsers.
  - Parsers can be run using the naming scheme `TA.{decoder_filename}` after placing the parsers in the `mwcp/resources/RATDecoders` directory.
- `pecon` PE file reconstruction utility.
- `poshdeob` Powershell deobfuscator utility.
- Support for relative input paths in test cases.
- Parsers are now declared using a YAML configuration file.
  - Please see the Parser Installation and Parser Development documentation for more info.
- `FileObject.md5` now produces a hex string instead of raw bytes.
- Rearranged the location of some modules (imports do not change however).
  - "parserstests" folder has been moved to within the "parsers" folder and renamed "tests".
- Changed `Reporter.managed_tempdir` to a property.
- Updated `construct` helpers to support construct version 2.9.45.
  - Please see their transition to 2.9 to see what has changed.
  - Reintroduced some construct 2.8 features that were removed after 2.8, such as `[:]` syntax and default encodings for String constructs.
    - These changes will be patched in when using `mwcp.utils.construct` instead of `construct` by itself.
    - Please see the docstring found in version28.py for a full list of changes.
- Added/Updated new `construct` helpers:
  - `ELFPointer` support for ARM. See `mwcp.utils.construct.ARM.ELFPointer`
  - Expanded windows structures.
  - Added support for supplying a callable instead of a dictionary for `Iter`.
- The `mwcp-tool` and `mwcp-test` tools are deprecated in exchange for using the new `mwcp` tool and will be removed in a future version.
  - NOTE: Some flags will no longer work due to removed features (see Removed section).
- The `-t` flag is no longer necessary when running tests with `mwcp-test`. It is assumed if you are not updating/adding tests.
- Removed previously deprecated components:
  - `data`, `filename()`, `pe`, `handle`, `resourcedir`, `parserdir`, `debug()`, `error()` from Reporter class.
  - `mwcp.malwareconfigparser`, `mwcp.malwareconfigreporter`
  - `TerminatedString` in `construct` helpers.
- Removed unused/unpopular Reporter options:
  - `disablemodulesearch`
  - `disablevaluededup`
  - `disableautosubfieldparsing`
- Add ability to set decoder directory from the `run_kordesii_decoder()` function by @ddash-ct (#8)
1.4.1 - 2018-10-15
- Parsers are now imported on-demand to save initial startup time.
- Small tweaks to logging level.
- Refactored testing utility and force a failed test if a test case or parser is missing.
- Fixed bug where new parsers in the default directory were not getting registered. (#6)
1.4.0 - 2018-08-07
- `elffileutils` helper utility that works similar to `pefileutils`, but for ELF files.
- Timing statistics in `mwcp-test`.
- New `construct` helpers: `EpochTime`, `ELFPointer`, `FocusLast`
- Logging is now performed using Python's builtin `logging` module.
  - Please see the README for more information.
- Removed "_malwareconfigparser" suffix from example parsers.
- Updated `custombase64` to also support standard alphabet.
  - (Making it suitable as a drop-in replacement of `base64`)
- Updated `construct` helpers: `Delimited`, `Backwards`
- Deprecated the use of `debug()` and `error()` functions in the Reporter class.
  - Parsers should use the ComponentParser's `logger` or create one at the top of your module.
- Deprecated `TerminatedString` in `construct` helpers. (Please use Padded with CString instead.)
- Reporter will now modify the output filename on a name collision.
- Fixed bug with incorrect csv output formatting when input is a directory.
1.3.0 - 2018-05-15
- Added unit testing using tox and pytest.
- Added new standard metadata fields
- Cleaned up mwcp tool
- Updated and added documentation for developing/testing parsers.
- Set DC3-Kordesii as an optional dependency.
- Fixed "unorderable types" error when outputting to csv
- Fixed bugs found in unit tests.
1.2.0 - 2018-04-17
- Support for multiprocessing in tester.
- Helper function for running kordesii decoders in FileObject class.
- Enhancements to Dispatcher.
- Added option to not output unidentified files.
- Added option to force overwriting descriptions.
- bugfixes and code reformatting
- Pinned construct version to avoid errors that occur with newer versions.
- Removed `enstructured` library.
1.1.0 - 2018-01-09
- Initial support for Python 3 from @mlaferrera
- `pefileutils` helper utility
- `custombase64` helper utility
- Dispatcher model, which allows you to split up a parser by their components (Dropper, Implant, etc). (See documentation for more information.)
- Support for using setuptool's entry_points to allow for formal python packaging of parsers. (See documentation for more information.)
- Added ability to merge results from multiple parsers with the same name but different sources.
- Replaced `enstructured` with a `construct` helper utility. (See migration guide for more information.)
- Updated setup.py to install scripts using setuptool's entry_points.
- Renamed "malwareconfigreporter" to "Reporter" and "malwareconfigparser" to "Parser".
  - Old names have been aliased for backwards compatibility but are deprecated.
- Deprecated use of resourcedir in Reporter.
  - Parser should modify sys.path themselves or properly install the library if it has a dependency.
- Initial contribution.
- Fixed broken markdown headings from @bryant1410