-
Notifications
You must be signed in to change notification settings - Fork 27
/
changelog.txt
193 lines (158 loc) · 9.68 KB
/
changelog.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
1.6.1
- Fixes legacy bug that could result in failure to identify NSIS installers.
- In previous builds, we only checked a small window for the NSIS header. That window has been increased.
- Updates the tkinterdnd hook file to only collect binaries associated with the operating system it is being built for.
- Add placeholders for 2 new use cases to solve for.
- Updates buildCLI.txt to specify output filename.
- Add file for GitHub build automation.
1.6.0
- Improves NSIS Parser to handle an irregular NSIS format
- Adds solution for Use Case 17
- Attackers can include junk marked as the code signing signature. In previous versions, the certificate preservation would preserve the junk. Without certificate preservation, the junk would be removed but return a Result Code of "0 - No Solution Found" even though the file was deflated.
- Bug Fix
- Adds error handling to escape non-unicode PE section names
1.5.6.6
- Bug Fix
- Patches bug in Result-Code 4 where an excess could be removed.
- This was due to a miscalculation. In these instances, the "dynamic trim" and "refinery trim" methods were essentially being applied to the same data, then calculating an excess of junk.
- The check for duplicate items in an NSIS Installer has been improved.
- Previous check looked for item at the same offset; this version checks to see that all features are the same.
1.5.6.5
- Bug Fix
- Inadvertently changed "sample_compression" limit, thought it'd be OK, but it actually causes this check's main purpose to fail (that is, failing quickly when needed). Got some new ideas out of it though.
1.5.6.4
- Bug Fixes
- Fixed logic that could incorrectly flag .text sections as suspicious.
- Handled rare error that could occur in updating offsets.
- Certificate preservation now works reliably for all use-cases.
1.5.6.3
- Bug Fixes
- Modified NSIS Parser to address issue identified in the implementation. More details here: https://github.com/binref/refinery/issues/49
- TLDR, NSIS Installers with the properly of uncompressed data was not previously accounted for due to lack of examples. They now are accounted for.
- Modified compression check in bloated overlay analysis
- previous compression check was erroneous and worked only based on miracles.
- Improvements
- Modified trimming threshold: 0.05 -> 0.15
- New trimming threshold allows for lower compressed junk.
- New trimming threshold removes more junk without being too aggressive.
- Known issue
- The certificate preservation option does not preserve the certificate in all use-cases, particularly cases where junk is in the overlay.
1.5.6.2
- Bug Fix
- Not all possible paths returned a result code. An additional result code was added.
1.5.6.1
- Bug Fix
- Added the result code for real this time.
1.5.6
- Cert Support
- Added support in both CLI and GUI to preserve the authenticode certificate.
- Authenticode certificate is removed by default because the certificate becomes invalid. When it becomes invalid it becomes unclear whether the certificate was always invalid or not.
- Bug Fix
- A result code was missing which could cause problems in processing that looked for a result code.
1.5.5
- General Improvements
- Added functionality to print debloat version/ added to GUI UI
- Deduped results_codes into processor file
- New Use Case
- Identified a use case that wasn't being solved, improved program logic to solve.
- Packed files with a bloated section.
1.5.4
- General Improvements
- This version prints report codes indicating which inflation tactic is identified.
- This version can now handle instances where no pattern exists within the junk data, or the pattern is disrupted by a few characters. This version uses the trimming method from binary refinery in two cases that were found to be more efficient.
- A performance testing script has been included.
The new updates hand a few edge use-cases that were not solvable before and fixes one bug.
Bugfix: If debloat was unable to trim a inflated section, it would tell you it could and then exit telling you that it could not.
New use-case solved: This solves the use-case where there a pattern exists in the overlay, but additional bytes have been added to disrupt the pattern. As much as 1 byte is enough to disrupt the pattern. This is not a problem anymore.
1.5.3.4
- NSIS Parser improvements
- Additional use cases for NSIS were identified and tested. These identified additional bugs which are fixed in this version. These use cases were added and tested:
- bzip2_liquid
- bzip2_solid
- lzma_liquid
- lzma_solid
- zlib_liquid
- zlib_solid
1.5.3.3
- Modified NSIS Parser significantly.
- Two use cases were identified where the parser were not working adequately. This resulted in identifying two logic bugs which resulted in fixing one and a large rewrite of some portions of the NSIS Parser. Rewrite was done by Huettenhain (https://github.com/huettenhain) for the original project of the NSIS Parser (https://github.com/binref/refinery) and then was incorporated into Debloat by me (Squiblydoo).
- Removed some code that was unused.
1.5.3.2
- Fixed a bug with the RSRC trimming
- These were some long standing issues:
- The default threshold and default size_limit were brought into conformance with Refinery Trim
- With the previously high threshold, it could result in problems from removing the entire resource.
- I also reverted the compression method in this section. The one used elsewhere was found not to be compatible with this part of the processing.
1.5.3.1
- Fixed NSIS extractor bug.
- Bug was caused due to the failure of adding some bytes when iterating through NSIS entries.
- Bug was caused by a missing variable.
- Updated the imports for nsisParser and readers
- (Somehow?) It was working without these needing to be explicitly mentioned, but it has been updated for completeness.
1.5.3
- Fixed alignment bug
- There was a bug where I was subtracting instead of adding bytes to fix alignment. It now adds instead of subtracts.
- Polished the trim
- The "find_chunk_start" method had some unclear logic, that has been improved.
- Instead of trying to remove all junk, the method now returns all bytes if the full regex was unable to match.
- So, if the step is 1000 or 2000 bytes and not all of them are junk, it will leave all 1000
- The logic is that they aren't really hurting anything by being here, and it is better to leave them than accidentally remove them.
1.5.2
- Merged Optimization changes
- Changes primarily related to the trim_junk function
- Primary changes reduced the active memory cost
- No changes in the functionality were made in this release.
1.5.1
- Made modifications recommended by gdesmar for memory improvements.
- Added the ability to pass the size of the file to the process_pe method
- This reduces memory usage to calculate the length
- Bug fixes suggested by gdesmar such as passing the correct object type
- New compression algorithim implemented
- See https://github.com/Squiblydoo/debloat/pull/18 to learn more about performance enhancements.
- Implemented the optional "beginning_file_size" parameter for "process_pe" in both main.py and gui.py
- Fixed typecasting bug introduced in 1.5.0 in relation to the "write_multiple_files" method
1.5.0
- Added capability to handle Nullsoft Scriptable Install System (NSIS, aka Nullsoft) executables.
- Setup instructions and binaries are extracted from the Nullsoft installer to a separate directory.
- At this time, the user needs to resubmit files if they are bloated. Currently, debloat has no way of determining which files are malicious.
- Fully renamed "Unsafe" Processing to "last_ditch_processing"
- Last ditch better represents its purpose.
- "Unsafe" is a name that is often used in the context of untrusted code.
- Fixed inconsistency in naming of "last ditch processing"
- Adjusted how debloat determines if junk was removed or not:
- Previously, it could think junk removed if 1 or more bytes were removed or if only the signature was removed.
- Now debloat checks for a 10% removal at the least
- Updated documentation regarding Linux build command.
- This had been updated elsewhere, but the update had not made it to the README
1.4.3
- Fixed a logic bug where debloating a section did not debloat the proper section.
- This worked previously when the bloated section was the last section
- Finished a TODO item: namely, change all the offsets in the sections when the bloated section wasn't the last section of the binary.
1.4.2
- Added checkbox for unsafe processing in GUI
- Moved RSRC class out of processor into utilities
- Fixed bug where chunk_start could fail to be given a value with the result that the program would stop functioning but not inform the user. Better error handling in this case to come.
1.4.1
- Fixed loading PE in GUI
1.4.0
- Fixed headers in a few use cases where I had missed them before.
- Fixed removing resource method. Works properly now.
- Fixed instance where the dynamic trim regex could pick up illegal characters
- Now last_loads PE for better loading time.
- Now manipuates PE data in the buffer.
1.3.2.2
- Fixed a bug where the Delta_last_non_junk value could fail to be set in one use case.
1.3.2.1
- Temporary fix for release version.
1.3.2
- Added Dynamic Trim for trimming bytes from both the Overlay and bloated sections
- Dynamic trim identifies the junk and creates a targeted regex to remove it.
- Improved output.
- Output wasn't being updated as the program ran. I now clear the buffer and update the UI after each output message.
1.3.1
- Fixed required versions in pyproject.toml
1.3.0
- Merged refactoring changes per nazywam's recommendation
- Updated text length per PEP8
- Started docstrings and other documentation for methods
- Updated variable names for PEP8 consistency