Releases: CERT-Polska/malduck

v2.0.0

01 Aug 11:55
Breaking changes:

  • malduck.hex was renamed to malduck.enhex due to collision with built-in hex
  • Removed malduck cuckoomem.list command from CLI tool

New features:

  • Yara-based engine for static configuration extractors (malduck.extractor, currently should be considered "beta" - more information will be published soon)
  • Wrapper for yara-python (malduck.yara) + support for Yara search in ProcessMemory objects (procmem.yarav)
  • Basic support for ELF format (malduck.procmemelf)
  • Removed closed source native modules (originated from roach)
  • Added pure-Python aplib module
  • Many small improvements

Fixes:

  • Fix for "aplib decompress with empty buffer hangs forever"
  • More robust procmempe._load_image and procmempe.store implementation
  • Restructured and improved documentation readability

v1.3.1

25 Jul 16:01
Fixed bugs:

  • procmempe.pe.section(...) operations did not work properly for PE images because of bugs in the malduck.pe.MemoryPEData implementation
  • Improved procmempe.pe.validate_padding() (used by detect_image)
  • Added workaround for erocarrera/pefile#266

v1.3.0

11 Jul 13:53
New features:

  • detect_image in procmempe (detects whether the buffer is a PE file or a mapped PE image and loads it with image=True if necessary)
  • Added LZNT1 decompression
  • Added procmempe.store and the related fixpe tool in the CLI:

    $ malduck fixpe malwr.bin malwr.exe

v1.2.0

09 Jul 12:36
Fixed issues from v1.1.0:

  • Moved from pycryptodome to pycryptodomex (non-colliding namespace with legacy pycrypto)
  • IntTypes are now optional (fixed attribute in IntType.unpack)
  • Integer getters in procmem (e.g. uint8v) return plain ints by default, not IntTypes
  • Added x64 attribute to procmem.disasmv

v1.1.0

03 Jul 15:26

  • Fixed bug in procmem.readv_regions, which read too much data when the requested length spanned multiple regions
  • Moved from PyCrypto to PyCryptodome
  • Changed utf16z behavior: it now converts to ASCII bytes instead of returning the terminated UTF-16 string
  • Added malduck.crypto.serpent
  • Added procmem.findp and procmem.findv

Initial release (v1.0.0)

01 Jul 10:39
b71924f
Update README.md