
Releases: struppigel/PortexAnalyzerGUI

PortexAnalyzerGUI v 0.13.2

18 Jul 04:19

New:

  • Bound imports (with mixed address support)
  • Delay load imports (with mixed address support)
  • Extended DLL Characteristics are now also shown in the Optional Header alongside the other DLL Characteristics and not only in the debug entry

PortexAnalyzerGUI v 0.13.0

11 Jul 05:19

New features

  • .NET metadata shown: metadata root, stream headers, CLR tables of #~ stream
  • CLR tables resolve references to other tables to give the values more meaning
  • Reversing hints added for: AutohotKey, embedded archives, embedded executables, AutoIt, Electron package, fake VMProtect, InnoSetup, generic installer, Nullsoft, PyInstaller, a specific but unknown Batch-to-Exe wrapper, SFX, UPX
  • More anomalies
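The metadata root, stream headers and #~ table directory named in the list above have a fixed layout in ECMA-335 (II.24.2.1, II.24.2.2, II.24.2.6). The parser below is an added example written for this page in Python; it is not PortEx or PortexAnalyzerGUI code. The sample blob is constructed inline, every offset and name length is bounds-checked so a malformed file raises `MetadataError` instead of reading out of range, and the `Valid` bitmask of the #~ stream is decoded into per-table row counts.

```python
import struct
from dataclasses import dataclass

METADATA_SIGNATURE = 0x424A5342  # "BSJB"
MAX_STREAM_NAME = 32             # ECMA-335 II.24.2.2 limits a stream name to 32 characters
MAX_VERSION_LEN = 256            # II.24.2.1: version string <= 255 bytes, rounded up to 4

# Subset of the #~ table indices (ECMA-335 II.22); unknown indices are named by number.
TABLE_NAMES = {0x00: "Module", 0x01: "TypeRef", 0x02: "TypeDef", 0x04: "Field",
               0x06: "MethodDef", 0x08: "Param", 0x09: "InterfaceImpl", 0x0A: "MemberRef",
               0x0B: "Constant", 0x0C: "CustomAttribute", 0x20: "Assembly", 0x23: "AssemblyRef"}


class MetadataError(ValueError):
    """Raised for truncated or out-of-bounds metadata structures."""


@dataclass
class StreamHeader:
    offset: int   # relative to the metadata root
    size: int
    name: str


@dataclass
class MetadataRoot:
    major: int
    minor: int
    version: str
    flags: int
    streams: list


def _align4(n: int) -> int:
    return (n + 3) & ~3


def parse_metadata_root(blob: bytes) -> MetadataRoot:
    """Parse the metadata root and its stream headers; blob starts at the root."""
    if len(blob) < 16:
        raise MetadataError("blob too short for metadata root header")
    sig, major, minor, _reserved, length = struct.unpack_from("<IHHII", blob, 0)
    if sig != METADATA_SIGNATURE:
        raise MetadataError(f"bad signature 0x{sig:08x}")
    if length > MAX_VERSION_LEN or 16 + length + 4 > len(blob):
        raise MetadataError(f"implausible version length {length}")
    version = blob[16:16 + length].split(b"\x00", 1)[0].decode("utf-8", "replace")
    pos = 16 + length
    flags, nstreams = struct.unpack_from("<HH", blob, pos)
    pos += 4
    streams = []
    for _ in range(nstreams):
        if pos + 8 > len(blob):
            raise MetadataError("truncated stream header")
        off, size = struct.unpack_from("<II", blob, pos)
        pos += 8
        name_start = pos
        end = blob.find(b"\x00", name_start, name_start + MAX_STREAM_NAME + 1)
        if end == -1:
            raise MetadataError("stream name not terminated within 32 bytes")
        name = blob[name_start:end].decode("ascii", "replace")
        pos = name_start + _align4(end + 1 - name_start)  # name + NUL, padded to 4 bytes
        if off + size > len(blob):
            raise MetadataError(f"stream {name!r} extends past end of metadata")
        streams.append(StreamHeader(off, size, name))
    return MetadataRoot(major, minor, version, flags, streams)


def stream_data(blob: bytes, root: MetadataRoot, name: str) -> bytes:
    for s in root.streams:
        if s.name == name:
            return blob[s.offset:s.offset + s.size]
    raise MetadataError(f"no stream named {name!r}")


def parse_tables_stream(data: bytes) -> dict:
    """Return {table name: row count} from the #~ stream header (II.24.2.6)."""
    if len(data) < 24:
        raise MetadataError("#~ stream too short")
    _res, _major, _minor, _heap_sizes, _res2, valid, _sorted = struct.unpack_from("<IBBBBQQ", data, 0)
    rows, pos = {}, 24
    for idx in range(64):                       # one u32 row count per set bit, ascending
        if valid & (1 << idx):
            if pos + 4 > len(data):
                raise MetadataError("row counts truncated")
            (count,) = struct.unpack_from("<I", data, pos)
            pos += 4
            rows[TABLE_NAMES.get(idx, f"Table_0x{idx:02x}")] = count
    return rows


def build_sample_metadata() -> bytes:
    """Constructed sample: a minimal root with #~, #Strings and #GUID streams (not from a real binary)."""
    version = b"v4.0.30319\x00"
    version += b"\x00" * (_align4(len(version)) - len(version))
    valid = (1 << 0) | (1 << 2)                 # Module and TypeDef tables present
    tables = struct.pack("<IBBBBQQ", 0, 2, 0, 0, 1, valid, 0) + struct.pack("<II", 1, 3) + b"\x00" * 8
    streams = [(b"#~", tables), (b"#Strings", b"\x00<Module>\x00Foo\x00\x00\x00"), (b"#GUID", b"\x11" * 16)]
    headers_len = sum(8 + _align4(len(n) + 1) for n, _ in streams)
    data_start = 16 + len(version) + 4 + headers_len
    out = struct.pack("<IHHII", METADATA_SIGNATURE, 1, 1, 0, len(version)) + version
    out += struct.pack("<HH", 0, len(streams))
    data = b""
    for name, body in streams:
        out += struct.pack("<II", data_start + len(data), len(body))
        out += name + b"\x00" * (_align4(len(name) + 1) - len(name))
        data += body
    return out + data


if __name__ == "__main__":
    blob = build_sample_metadata()
    root = parse_metadata_root(blob)
    print(root.version, [s.name for s in root.streams])
    print(parse_tables_stream(stream_data(blob, root, "#~")))
```

The name search is capped at 33 bytes and every stream range is checked against the blob length before it is recorded; an analyzer that skips those checks is the kind of code a crafted sample can drive into an out-of-bounds read or an unbounded loop.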

[Image: one of the .NET CLR tables]

About reversing hints

These take several anomalies and other features into consideration to determine that a specific approach should be used to analyse/extract/unpack this file. The hint is provided at the node "PE Format" for now and will list all reasons and signatures that led to the hint.


One file can have several hints.

What is the difference from signature matches?

Signatures detect something and display a name for the result. They allow you to classify a sample. They present neither a reason nor an explanation of what you should do.

A reversing hint is a collection of 1-N anomalies and gives them a meaning. Anomalies can be signature matches but also any other characteristic of the file. Reversing hints always provide an explanation of how to reverse the file.

PortexAnalyzerGUI v 0.12.13

16 Jun 09:31

New:

  • remove overlay button
  • upgrade to newer PortEx library version with repro timestamp handling

Fixed:

  • better error handling when choosing target file for overlay dumps or visualization image

PortexAnalyzerGUI v 0.12.12

14 Aug 16:52

New:

  • dump overlay button
  • load summary in PE File tree node

Fixed:

  • missing check for invalid resource
  • missing check for invalid codeview structure

PortexAnalyzerGUI v 0.12.11

06 Aug 09:31

Bugfix:

  • visualization legend skipped some entries

PortexAnalyzer GUI v 0.12.10

25 Jun 04:57

Added better visualization of PE image
Added repro hash to debug tab

Bugfixes:

  • save visualization file into folder will now use correct path

PortexAnalyzer GUI v 0.12.9

12 Feb 16:44

Changes:

PortexAnalyzer GUI v 0.12.8

04 Feb 12:05

Includes new PortEx library, which received the following changes:

  • applied max value for export name length
  • display exports even if RVA is in virtual space
  • bugfix: no debug section loading when it starts in virtual space

Includes a bugfix for the system theme being shown when no settings file is present, even though the default value is the PortEx theme.

PortexAnalyzer GUI v 0.12.7

29 Jan 10:49

Changes:

  • added system theme support
  • added ASCII text preview for content of the file at currently viewed offsets

Full Changelog: 0.12.6...0.12.7

PortexAnalyzer GUI v 0.12.6

25 Dec 17:01

Signature scanning added:

  • custom Yara scan
  • internal filetype scan
  • internal PEiD scan

Settings menu added:

  • disable Yara warnings
  • disable update check

Added progress bar for visualization

Settings via the menu and the custom Yara scan module are persisted via settings.ini

A PE can contain several manifest files; all contained manifests are now shown.

Bugfix:

  • fix for data from the previously loaded PE being shown when long-running threads were still active, by cancelling the SwingWorker

Full Changelog: 0.12.5...0.12.6