hasherezade

Results 20 issues of hasherezade

Currently only debug info in RSDS format is displayed. The signature of a similar format, NB10, is recognized, but the table is not parsed. Test sample:

+ [dde61f86d8f6b4a43b70a87fb6f9a18ab54c0b8dd094e26f1045d1c9b6009535](https://www.virustotal.com/gui/file/dde61f86d8f6b4a43b70a87fb6f9a18ab54c0b8dd094e26f1045d1c9b6009535/relations)

The table...

enhancement

The following 64-bit shellcode was not detected by the pattern scan:

+ [19fe477bfe1a2da4541e4ce97f265900fd43e10d4d43141b0af046da0f5fddeb](https://www.virustotal.com/gui/file/19fe477bfe1a2da4541e4ce97f265900fd43e10d4d43141b0af046da0f5fddeb/detection)

It should be supported by adding one more shellcode pattern.

Sample: [e818738311bc1d540a23f3235d75e5a9d79ee75e8661bf34e54cdb7755e619e3](https://www.virustotal.com/gui/file/e818738311bc1d540a23f3235d75e5a9d79ee75e8661bf34e54cdb7755e619e3/detection) The implanted PEs are detected, yet they are dumped as `.corrupt_dll`s. The reconstruction fails. Detected artifacts:

```json
"workingset_scan" : {
  "module" : "4d1f9b0000",
  "status" : 1,
  "has_pe" :...
```

Some strings are still displayed in the quiet mode, but they should be muted. ![EeNJEQgWsAIgJEA](https://user-images.githubusercontent.com/3115348/89013786-cc61f580-d314-11ea-9089-e3240b9506e8.jpeg) https://twitter.com/itobacco7/status/1288954265386594305?s=20

Allow excluding known hooks from the detection. Hooks should be defined in an external configuration file, easily readable and editable by humans.

enhancement

PE-bear can’t handle tiny but valid (working) PE files: 61 bytes, 97 bytes, 252 bytes and so on, while CFF Explorer handles these files correctly. Here is a collection of...

bug
enhancement

In case of some fonts that are wider than average, the description of the section will overflow the dedicated area. Example: ![pebear_font](https://user-images.githubusercontent.com/3115348/102652914-716b5680-416e-11eb-8b69-a20d6d4d30e0.png)

Add an option to the context menu that will allow dumping the overlay to a file (just as it is done with sections). ![show_overlat](https://user-images.githubusercontent.com/3115348/101716899-883ee880-3a9e-11eb-8c45-3a25c0ab2078.png)

enhancement

There is a glitch in the way in which the arrow on the side panel is rendered: ![glitch](https://user-images.githubusercontent.com/3115348/85827169-02e0a980-b786-11ea-9caa-e6c458f9c378.png) Interestingly, it occurs only on Windows 10.

bug

So far PE-bear allows comparing two PE files at the byte level: ![diff_window](https://user-images.githubusercontent.com/3115348/76710291-8f4eeb00-6706-11ea-90b5-c20b113ec12a.png) Yet, the interpretation of this comparison requires additional effort. PE-bear should be able to allow finding the...

enhancement