
Releases: CERT-Polska/malduck

v4.0.0

13 Jul 10:35
ab92817

Breaking changes:

  • Dropped support for Python 2
  • Unified malduck interface:
    • Dropped the malduck.short module: all features are exposed directly by the malduck module
    • Unified crypto interface; the only supported call forms are listed below (block ciphers have a mode-qualified encrypt/decrypt pair, stream ciphers and xor are a single symmetric call):
      • aes.<mode>.encrypt(), aes.<mode>.decrypt()
      • blowfish.ecb.encrypt(), blowfish.ecb.decrypt()
      • des3.cbc.encrypt(), des3.cbc.decrypt()
      • serpent.cbc.encrypt(), serpent.cbc.decrypt()
      • rabbit()
      • rc4()
      • xor()
  • Removed the length argument from aplib() (deprecated since 2.x)
  • Removed the pe2cuckoo function (orphaned a long time ago)
  • Extractor.handle_yara is deprecated. If you need to customize the ripping process and the @Extractor.* decorators don't cover your needs, use Extractor.handle_match, which provides the extended Yara match information.
  • Disassembly methods (procmem.disasmv, malduck.disasm) now return an iterator instead of a list
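The stream-cipher half of the unified interface (rc4(), xor()) has no encrypt/decrypt pair because the same operation is its own inverse, while the block ciphers keep a mode-qualified pair. The following is an added reference implementation written for this note in plain Python; it is not malduck's own code, the function names only mirror the malduck call names, and the checks use the published RC4 test vector (key "Key", plaintext "Plaintext") rather than anything from the project.

```python
from itertools import cycle


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 as one symmetric call: KSA builds the S-box, PRGA XORs the keystream into data.

    Encrypting and decrypting are the same operation, which is why the unified
    interface exposes a single rc4() instead of an encrypt/decrypt pair.
    """
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm (KSA)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA), applied byte by byte
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR: the key is cycled over the whole length of data."""
    if not key:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def roundtrip(cipher, key: bytes, data: bytes) -> bool:
    """Symmetry check: applying the same call twice must restore the input."""
    return cipher(key, cipher(key, data)) == data


if __name__ == "__main__":
    # Standard RC4 test vector: RC4("Key", "Plaintext") = bbf316e8d940af0ad3
    print(rc4(b"Key", b"Plaintext").hex())
    print(xor(b"\x55", b"\x00\xff").hex())
    print(roundtrip(rc4, b"Secret", b"Attack at dawn"))
```

The `roundtrip` helper is the property worth asserting in an extractor: if a decoded blob does not survive a second application of the same call, the routine under test is not a symmetric stream cipher and belongs with the block-cipher encrypt/decrypt forms instead.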

New features and improvements:

  • Added @Extractor.rule and @Extractor.string decorators (#5 and #6)
  • Added opt-in extended Yara match structures:
    • optional extended argument in procmem.yarap/yarav methods and malduck.yara.Yara.match method
    • in place of YaraRulesetOffsets (YaraMatches alias) and YaraRuleOffsets (former YaraMatch), the extended match uses more verbose structures: YaraRulesetMatch, YaraRuleMatch and YaraStringMatch. They are passed to the new extractor entry points: handle_match and methods decorated with @Extractor.rule or @Extractor.string
    • everything is opt-in: handle_yara, @extractor and @final are unaffected, so existing modules should stay compatible.
  • bigint() is deprecated in favor of the bigint.pack and bigint.unpack methods. bigint() switched between string and integer representations depending on the argument type, which was unintuitive. Added big-endian variants: bigint.pack_be and bigint.unpack_be (#10)
  • Disassembly methods (procmem.disasmv, malduck.disasm) accept an additional argument: the number of instructions to disassemble.
  • Added typings
  • Various small bugfixes
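To make the bigint change concrete: the deprecated single call inferred the direction (bytes to int or int to bytes) from the argument type, and the replacement splits it into explicit pack/unpack calls with a little-endian default and _be variants. The code below is an added, stand-alone illustration written for this note in plain Python, not malduck's implementation; the names mirror the malduck methods, but the size handling (minimal width when no size is given, OverflowError when the value does not fit) is this example's own choice, and bigint_legacy only models the type-switching shape the release note describes.

```python
from typing import Optional, Union


def bigint_unpack(data: bytes, bigendian: bool = False) -> int:
    """bytes -> int; little-endian by default, as values are laid out in x86 memory."""
    return int.from_bytes(data, "big" if bigendian else "little")


def bigint_pack(value: int, size: Optional[int] = None, bigendian: bool = False) -> bytes:
    """int -> bytes; size=None packs into the minimal number of bytes (assumption of this example)."""
    if value < 0:
        raise ValueError("only non-negative integers can be packed")
    if size is None:
        size = max(1, (value.bit_length() + 7) // 8)
    # to_bytes raises OverflowError when value does not fit into size bytes
    return value.to_bytes(size, "big" if bigendian else "little")


def bigint_unpack_be(data: bytes) -> int:
    return bigint_unpack(data, bigendian=True)


def bigint_pack_be(value: int, size: Optional[int] = None) -> bytes:
    return bigint_pack(value, size, bigendian=True)


def bigint_legacy(other: Union[bytes, int]) -> Union[int, bytes]:
    """Shape of the deprecated bigint(): the direction is decided by the argument type.

    The same name returns an int for bytes input and bytes for int input, which is
    the ambiguity the explicit pack/unpack split removes.
    """
    if isinstance(other, (bytes, bytearray)):
        return bigint_unpack(bytes(other))
    if isinstance(other, int):
        return bigint_pack(other)
    raise TypeError("bigint() expects bytes or int")


def modulus_bits(blob: bytes, bigendian: bool = False) -> int:
    """Typical extractor use: bit length of a big integer ripped from memory."""
    return bigint_unpack(blob, bigendian).bit_length()


if __name__ == "__main__":
    # Constructed 4-byte little-endian blob as a stand-in for a ripped key parameter
    blob = b"\x01\x00\x00\x00"
    print(bigint_unpack(blob), bigint_unpack_be(blob))
    print(bigint_pack(0x1234).hex(), bigint_pack_be(0x1234).hex())
```

The explicit forms also make a wrong endianness visible at the call site: the same 4-byte blob unpacks to 1 little-endian and to 16777216 big-endian, and a reviewer can tell which one was intended without inspecting the argument type.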

v3.2.0

22 Jun 15:31
d72da84

v3.2.x is planned to be the last minor release that supports Python 2

New features and improvements:

  • Added --version switch to malduck CLI
  • Added .encrypt() methods to all supported ciphers in crypto module
  • The malduck.short module is deprecated; all components should be imported directly from the malduck module. Elements that are not part of the public interface can be imported directly from the subpackages.
  • Unified the crypto module interface and deprecated the shortcut variants because of inconsistencies between the various algorithms and modes. The changes are described in the documentation and in #8
  • cryptography is no longer used in malduck (in favor of PyCryptodome)

Bugfixes:

  • Fixed the module loader in the extractor module: some modules were not properly loaded from the sys.modules cache, so they were re-executed on every creation of a malduck.extractor.ExtractorModules object.
  • Tuples can now be included in config (fixed encode_for_json)
  • Fixed issues in documentation

v3.1.2

12 Mar 12:56
  • Removed strict version pinning from requirements.txt where it was not needed (f6d9aca)

v3.1.1

27 Feb 13:13

Small fixes:

  • Fixed Py3-compatibility of serpent.encrypt
  • Idamem is now compatible with IDA 7.4 (>=7.0)

v3.1.0

08 Jan 16:51

Small improvements related to Py3 support:

  • Encoding a text-typed (str) query argument via ensure_bytes was counterintuitive for ProcessMemory.regexp and ProcessMemory.regexv. If the query argument is not bytes, a TypeError is now raised.
  • Fixed issues related to malduck.main and the configuration extraction engine

v3.0.2

04 Dec 15:08

Bugfixes:

  • ExtractManager.push_procmem returned the family only for the second, better config extraction, not for the first one
  • ExtractManager.push_procmem tried to process embedded binaries even when no Yara matches had been found in the whole dump

v3.0.0

03 Dec 11:35

Breaking changes:

  • Refactored ProcessMemory regions: part of the internally used interface changed slightly. iter_regions and readv_regions have slightly different argument names and behaviour. Many corner cases related to cross-region access have been fixed.
  • The static configuration extraction engine uses a different strategy for processing binaries. First it tries to find as many PE/ELF binaries as possible and extracts configuration using both memory and file alignment. Then the best config is chosen based on the number of successfully ripped config keys.
  • Improved logging (malduck -v extract) and exception handling (especially for PE/ELF parse errors)

New features:

  • [beta] ProcessMemory interface for IDAPython (IDAProcessMemory or idamem, tested in IDA Pro >7.0)
  • Added malduck.crypto.aes.AES.encrypt (but hey, we still need to refactor all these crypto things later...)

Bugfixes:

  • malduck.crc32 is guaranteed to return an unsigned value in both Py2 and Py3

v2.1.1

29 Oct 10:46

Bugfixes:

  • @Extractor.weak and @Extractor.extractor had to be applied in a particular order (fixed)
  • Improved error handling in malduck extract CLI

v2.1.0

21 Aug 16:23
  • Big-endian pack/unpack in malduck.ints
  • ELF detection in malduck.extractor.extract_manager.push_file
  • Logging support in CLI + Extractor.log getter for Logger
  • Bugfixes and additional type/argument validation checks (yara_rules type check in Extractor classes)

v2.0.1

02 Aug 12:59

Bugfixes:

  • Fixed an incompatibility with Python 2 (the exist_ok argument of os.makedirs is Py3-only)
  • Fixed a bug in malduck.pe.PE.validate_padding