Pe Bear Versions Save

BUGFIX

• Fixed a bug in validator of HexSpinBox (preventing from direct editing of the value)
• Fixed wrong imp hash being calculated after a new import is added
• Remove the RichHeader tab if the RichHeader has been erased
• Don't parse timestamps set to (-1) - assume invalid

FEATURE

• Strings: allow to search for Strings by regex. Allow to enable/disable case sensitive search.
• Resources: show listing of resource strings

WARNING: The Windows build with vs10 suffix is built with Qt4 (legacy) - in contrast to the other builds that are with Qt5 (recommended). It is prepared for the purpose of backward compatibility with old versions of Windows (i.e. XP).

📖 README.md

BUGFIX

• Fixed parsing a PE header in file with oversized DOS stub ( Issue #41 )
• Fixed incorrectly decoded Timestamp for Borland IMAGE_RESOURCE_DIRECTORY ( Issue #42 )
• Fixed crashes on edit via hex editor. Stability improvements.
• Validate relocation block before parsing (skip invalid)

FEATURE

• Added Strings tab (displaying ANSI and Unicode strings)
• Search for defined binary patterns within a selected file
• Added detection if the loaded PE is a memory dump in a virtual format (and needs remapping)
• Added remapping of a file with one click (new button on the Sections' Tab toolbar): DEMO

WARNING: The Windows build with vs10 suffix is built with Qt4 (legacy) - in contrast to the other builds that are with Qt5 (recommended). It is prepared for the purpose of backward compatibility with old versions of Windows (i.e. XP).

📖 README.md

BUGFIX

• Use NumberOfRvaAndSizes to specify the count of Data Directory entries ( Issue #31 )
• Fixed parsing of GuardCFFunctionTable ( Issue #32 )
• Fixed error in Checksum calculation ( Issue #30 )
• Fixed PE-bear hanging on loading a PE with too many sections (Corkami: 65535sects.exe) ( Issue #24 )
• Fixed PE-bear hanging on loading a PE with too many imports (Corkami: manyimportsW7) ( Issue #23 )

FEATURE

• Added ImpHash
• Added Rich Header hash
• Added a localization option (currently supported languages: English, Chinese)

WARNING: The Windows build with vs10 suffix is built with Qt4 (legacy) - in contrast to the other builds that are with Qt5 (recommended). It is prepared for the purpose of backward compatibility with old versions of Windows (i.e. XP).

BUGFIX

• Fixes in bearparser, including:
  • Fixed error in mapping Raw Size to Virtual Size (when Virtual Size is smaller) - Issue: https://github.com/hasherezade/bearparser/issues/20
  • Fixed error in getting the last mapped address: exclude empty sections - Issue: https://github.com/hasherezade/bearparser/issues/21
  • Fixed an error in RVA/raw conversion in case of malformed (overlapping) Virtual Sections
  • Recognize Thumb2 PE files

FEATURE

• Change interpretation of the TimeStamp field if the executable was build as reproducible
• Improved alerts about samples containing unusual features or malformations, including
  • alert about .NET samples that may contain native code
• Better integration on Linux and other *nixes - desktop launcher, etc. #21

REFACT

• Code cleanup, replaced some deprecated Qt functions with new equivalents

BUGFIX

• fixed crashing on opening of the DiffWindow after PE was resized
• fixed signatures matching ( Issue #18 )
• parse Debug Directory as an array of entries ( Issue #15 )
• fixed parsing PE files with atypical section alignment ( Issue #11)
• fixed modifying data in Bound Imports Directory
• fixed modifying export name

FEATURE

• updated Capstone (switched to the active branch next )
• added a wizard for adding imports ( Issue #16 )
• added undo for resize operations
• show all the matched signatures in the General Panel (not only one of them)
• load signatures from the current directory, as well as from User Data Directory (UDD)
• added filtering to signatures listing window
• allow to export disassembly of the section into a file ( Issue #14 )
• allow to dump sections, or export disassembly from all opened files at once
• show info about the atypical PE features as a tool-tip in a tree view

BUGFIX

• fixed unhandled exception on the attempted opening of an empty file
• fixed filling a selected PE section with a content of a file
• fixed Virtual Section diagram (by default, fill with mapped raw section size)

FEATURE

• added new mode of displaying Virtual Sections diagram (a new option in the menu allows to switch between alternative views)
• in sections diagram: changed the menu option "Grid" to more descriptive "Grid (Alignment Units)"
• changes in drawing the grid
• enriched list of signatures: display not only the signature name, but also the size and the content
• do not calculate hashes of a truncated file

REFACT

• internal refactoring

REFACT

• Refactored to work with the latest bearparser

BUGFIX

• Fixed issue: https://github.com/hasherezade/pe-bear-releases/issues/49

FEATURE

• In Sections Headers: show the real sections size as primary, and mapped as secondary
• Allow to load (most of the) TinyPEs from the Corkami collection (Issue https://github.com/hasherezade/pe-bear-releases/issues/43)