Releases: hasherezade/pe-bear
v0.7.0
FEATURE
- Updated to build with Qt6
- Added support for ARM64 PEs
- New icon
- Upgraded sig_finder: faster search; allow for patterns with masked nibbles
BUGFIX
- Allow to open files from Unicode paths from the Explorer menu (and commandline) ( Issue #56 )
- Fixed invalid mapping of NT 3.1 executables ( Issue #45 )
- Fixed wrong interpretation of the section flag ( Issue #54 )
WARNING: The Windows build with vs10 suffix is built with Qt4 (legacy) - in contrast to the other builds that are with Qt5 (recommended). It is prepared for the purpose of backward compatibility with old versions of Windows (i.e. XP).
File | Qt | OS | Depends | Info |
---|---|---|---|---|
PE-bear_0.7.0_qt6_x64_win_vs19.zip | 6 | 64-bit, Windows, portable | requires: VS2019 Redistributables | test build, for Windows 10 and above |
PE-bear_0.7.0_qt5_x64_win_vs19.zip | 5 | 64-bit, Windows, portable | requires: VS2019 Redistributables | recommended |
PE-bear_0.7.0_qt5_x86_win_vs19.zip | 5 | 32-bit, Windows, portable | requires: VS2019 Redistributables | |
PE-bear_0.7.0_qt4_x86_win_vs10.zip | 4 | 32-bit, Windows, portable | legacy build for Windows XP (not recommended) | |
PE-bear_0.7.0_qt6_x64_macos.app.zip | 6 | 64-bit, MacOS, portable | ||
PE-bear_0.7.0_qt5_x64_macos.app.zip | 5 | 64-bit, MacOS, portable | ||
PE-bear_0.7.0_qt6.2_x64_linux.tar.xz | 6.2.4 | 64-bit, Linux | requires Qt installation | |
PE-bear_0.7.0_qt5.15_x64_linux.tar.xz | 5.15.3 | 64-bit, Linux | requires Qt installation |
v0.6.7.3
BUGFIX
- Fixed a bug in validator of HexSpinBox (preventing from direct editing of the value)
- Fixed wrong imp hash being calculated after a new import is added
- Remove the RichHeader tab if the RichHeader has been erased
- Don't parse timestamps set to (-1) - assume invalid
FEATURE
- Strings: allow to search for Strings by regex. Allow to enable/disable case sensitive search.
- Resources: show listing of resource strings
WARNING: The Windows build with vs10 suffix is built with Qt4 (legacy) - in contrast to the other builds that are with Qt5 (recommended). It is prepared for the purpose of backward compatibility with old versions of Windows (i.e. XP).
v0.6.7
BUGFIX
- Fixed parsing a PE header in file with oversized DOS stub ( Issue #41 )
- Fixed incorrectly decoded Timestamp for Borland IMAGE_RESOURCE_DIRECTORY ( Issue #42 )
- Fixed crashes on edit via hex editor. Stability improvements.
- Validate relocation block before parsing (skip invalid)
FEATURE
- Added Strings tab (displaying ANSI and Unicode strings)
- Search for defined binary patterns within a selected file
- Added detection if the loaded PE is a memory dump in a virtual format (and needs remapping)
- Added remapping of a file with one click (new button on the Sections' Tab toolbar): DEMO
WARNING: The Windows build with vs10 suffix is built with Qt4 (legacy) - in contrast to the other builds that are with Qt5 (recommended). It is prepared for the purpose of backward compatibility with old versions of Windows (i.e. XP).
v0.6.6
BUGFIX
- Use NumberOfRvaAndSizes to specify the count of Data Directory entries ( Issue #31 )
- Fixed parsing of GuardCFFunctionTable ( Issue #32 )
- Fixed error in Checksum calculation ( Issue #30 )
- Fixed PE-bear hanging on loading a PE with too many sections (Corkami: 65535sects.exe) ( Issue #24 )
- Fixed PE-bear hanging on loading a PE with too many imports (Corkami: manyimportsW7) ( Issue #23 )
FEATURE
- Added ImpHash
- Added Rich Header hash
- Added a localization option (currently supported languages: English, Chinese)
WARNING: The Windows build with vs10 suffix is built with Qt4 (legacy) - in contrast to the other builds that are with Qt5 (recommended). It is prepared for the purpose of backward compatibility with old versions of Windows (i.e. XP).
v0.6.5.2
BUGFIX
- Fixes in bearparser, including:
- Fixed error in mapping Raw Size to Virtual Size (when Virtual Size is smaller) - Issue: hasherezade/bearparser#20
- Fixed error in getting the last mapped address: exclude empty sections - Issue: hasherezade/bearparser#21
- Fixed an error in RVA/raw conversion in case of malformed (overlapping) Virtual Sections
- Recognize Thumb2 PE files
FEATURE
- Change interpretation of the TimeStamp field if the executable was build as reproducible
- Improved alerts about samples containing unusual features or malformations, including
- alert about .NET samples that may contain native code
- Better integration on Linux and other *nixes - desktop launcher, etc. #21
REFACT
- Code cleanup, replaced some deprecated Qt functions with new equivalents
v0.6.5
BUGFIX
- fixed crashing on opening of the DiffWindow after PE was resized
- fixed signatures matching ( Issue #18 )
- parse Debug Directory as an array of entries ( Issue #15 )
- fixed parsing PE files with atypical section alignment ( Issue #11)
- fixed modifying data in Bound Imports Directory
- fixed modifying export name
FEATURE
- updated Capstone (switched to the active branch
next
) - added a wizard for adding imports ( Issue #16 )
- added undo for resize operations
- show all the matched signatures in the General Panel (not only one of them)
- load signatures from the current directory, as well as from User Data Directory (UDD)
- added filtering to signatures listing window
- allow to export disassembly of the section into a file ( Issue #14 )
- allow to dump sections, or export disassembly from all opened files at once
- show info about the atypical PE features as a tool-tip in a tree view
v0.6.1
BUGFIX
- fixed unhandled exception on the attempted opening of an empty file
- fixed filling a selected PE section with a content of a file
- fixed Virtual Section diagram (by default, fill with mapped raw section size)
FEATURE
- added new mode of displaying Virtual Sections diagram (a new option in the menu allows to switch between alternative views)
- in sections diagram: changed the menu option "Grid" to more descriptive "Grid (Alignment Units)"
- changes in drawing the grid
- enriched list of signatures: display not only the signature name, but also the size and the content
- do not calculate hashes of a truncated file
REFACT
- internal refactoring
v0.6.0
REFACT
- Refactored to work with the latest bearparser
BUGFIX
- Fixed issue: hasherezade/pe-bear-releases#49
FEATURE
- In Sections Headers: show the real sections size as primary, and mapped as secondary
- Allow to load (most of the) TinyPEs from the Corkami collection (Issue https://github.com/hasherezade/pe-bear-releases/issues/43)