- Adds the
ripemd160andripemd128units. - Adds the
xtwunit for extracting cryptocurrency wallet addresses. - Adds the
iemapunit to display a colored entropy heatmap. - Introduces new syntax to the
structunit for handling byte alignment. - The
rsakeyunit supports a new option to output the public key portion of a private key. - The
pemetaunit now computes the size of the PE file based on header information. - Several switches for comparison operators were added to the
iffunit.
- Thanks to @baderj, the unit
xlmdeobfwas added which wraps the extremely useful XLMMacroDeobfuscator tool for extracting and deobfuscating Excel V4 macros. - Adds the
carve-7zunit for carving 7zip archives from blobs.
- Renames the
blockopunit toalu. - Removes the shortcut unit
carveb64z. - Renames a number of command-line switches for
carve,xtp, and other pattern extraction units. - Adds a default argument to
resubthat makes it strip whitespace from the input by default.
Improves performance by replacing an import of pkg_resources with equivalent functionality from importlib. On a test machine, this removes between 250 and 500 milliseconds from the execution time of any single unit.
Changes the format for the binary formatter used in struct, rex, resub, and cfmt. It now uses a reverse multibin handler instead of parsing the modifier like a command-line pipeline.
- Adds the
lzounit
- The
winregunit is now able to extract data from Windows registry editor exports (i.e..regfiles). - The key derivation units
pbkdf2andpbkdf1use a more forgiving decoder to better cover theRfc2898DeriveBytesclass, which offers a call signature that receives an arbitrary byte string as password. - The
stringregular expression pattern now excludes literal line breaks within the string.
- Base64 regular expression patterns were improved to account for correct character counts.
- The
dexstrunit was added. - The
indexmeta variable is now automatically populated within frames. - The
n40string decryption unit was added. - The
xtpyiunit now extracts Python disassembly when decompilation fails. - The
lzmaunit now correctly decompresses output produced by PyLZMA.
- The
doctxtunit was added; courtesy of @baderj
- Adds the
serpentunit.
- Adds the
xtpdfunit for extracting embedded objects from PDF documents. - The
accu:handler now supports pre-configured finite state machines for well-knownrand()implementations.
- The
officectyptunit now supports the Excel default passwordVelvetSweatshop. - The
ciproperty has been removed from the output ofpeek --meta. - The following units were added:
xj0,evtx - The
hexdmpunit was renamed once more tohexload, and its pattern matching was improved. - The
asmunit was completely redesigned using an Angr-based fallback to produce better disassembly. - The
pcap-httpunit now extracts the URL from whence the data was downloaded. - The
repunit received some performance improvements. - The refinery dependencies were cleaned up considerably.
- Blockwise operations no longer require numpy to be reasonably fast by implementing a dynamic inlining step.
- Adds the
cswapunit. - The index counter of
blockopnow starts at zero. - An option was added to the
swapunit to swap the contents of two meta variables. This can also be used to rename a meta variable. - An option was added to
xtpyito unpack, but not decompile the contents of a PYZ. - Adds the
--bareoption toescand uses it inpeek. - Adds the
--metaoption toef. Theefunit now also descends into dot-directories and lists dot-files. - The
__init__.pklfile containing the unit lookup cache was moved into the distribution.
- Adds the
xtvbaunit to extract Office document macros. - Adds the
pcapunit to extract TCP streams from packet capture files. - Adds the
xthtmlunit to extract components of HTML documents. - The
htmunit has been renamed tohtmlesc. - The default sort order of
sortedhas been changed to descending. - The
pemetaandpkcs7units now also extract certificate thumbprints.
- Fixes an issue with applying
ppjscriptto obfuscated JavaScript files. - Adds Murmur Hash units
- Adds
xtpyiunit to extract PyInstaller-packed archives. - Logging now uses the Python
loggingmodule.
- Significantly improves unit loading time which had regressed due to the changes in 0.4.0.
This release removes the setup-venv helper scripts and instead uses a slightly less ugly hack to resolve dependencies before running the refinery setup by declaring every dependency a build dependency in pyproject.toml. Any kind of installation should work seamlessly through pip.
Updates build system.
- Fixes critical bug in deployment.
- Adds the
msgpackunit. - Adds the
cullunit and changes the behaviour of conditional units to make filtered chunks invisible instead of removing them. Conditional units have been renamed toiff,iffs,iffx, andiifp.
- Adds the
xfccunit, which replaces theintersectionunit. - The
cmunit can now be used to remove meta variables. - JSON dumps no longer use hex encoding for big integers as JSON has no size limit on integer expressions.
- The
structunit was significantly redesigned and thelprefixunit removed because it can now be trivially implemented withstruct. - The
ifexprunit has been renamed toiffand theiffpunit was added. - The field names in
dnfieldshave been altered to more closely resemble file names. - Adds a list of default passwords to archive units.
- Renames the
freadunit toef. - Metadata / Format string expression parsing is now more flexible.
- Adds the
intersectionunit.
- Adds the
xtjsonandxtxmlunits for extracting data from JSON and XML files. - Slight redesigns of
lprefix,peek,xtmail, andcfmt. - Refinery now has (very weak) support for PowerShell.
- Adds the
--tabularoption toppjsonto produce a flattened jason output. - Changes to the in-code pipe syntax:
data | unit | unitis an iterable over output chunksdata | unit | unit | callableinvokescallablewith a bytearray containign all concatenated chunks- connected pipelines (
data | unit | ... | unit) can be passed tostrandbytes
- Path extraction units (like
fread,xtzip) offer better control over the path variable. - Variable merging was added to the
popunit. - The
cmunit only populatessizeandindexby default, never performing a full scan unless explicitly requested.
- Meta variables are now allowed in
structformats, andstructassumes no alignment by default. - The
pemetaunit now has support for RICH header data. - The
rsakeyunit was added. - The
popunit was extended by an option to discard chunks. - Several new archive extractors are now available:
xt7z,xtace,xtiso, andxtcpio. - The
xlxtrunit was refactored and generates more metadata. - The
sortedunit can sort by metadata variables now. - The
swapunit can now swap with an empty variable, which will empty the chunk body.
- The
triviaunit was renamed tocmfor "common meta". - The
pemetaunit can now display PE header information, .NET header flags, and supports a table view instead of the JSON output. - Python expressions all across multibin arguments no longer restrict the operators that can be used.
- The domain regular expression was updated with new TLDs and the artificial TDLs
.coinand.bazar. - The
terminateunit was added. - The
structunit was added.
- Adds the
ifexprandifstrunits for filtering framed data. - The
pemetaunit now also extracts theEntryPointTokenfield from the .NET header.
- The
hexviewunit was removed, instead thehexdmpunit was created. By default, this unit converts hexdumps back to binary, the previous functionality ofhexviewis now available as the reverse operation ofhexdmp. - Adds the
dnblobunit. - The
drpunit underwent major refactoring with the goal to improve both speed and quality of results. Two options were added to help control these new settings.
- Adds the
xtrtfunit to extract embedded objects from RTF documents. - Adds the
officecryptunit to decode password-protected Office documents. - Improves PKCS7 parsing and fixes some cases where
pemetadid not display the details of the digital signature. - Adds brieflz support to the universal
decompressunit.
- Unification of (nearly) all multibin handlers. Only the
yara:andescape:handlers remain to regular expression type arguments. - Adds the multibin handlers
accu,reduce,cycle, andtake. - Alters the
leandbehandlers to support both conversion from integer to byte string and vice versa. - Renames the
unpackhandler tobtoiand adds thebtoihandler which performs the inverse operation. - Command line switches for the
lprefixunit changed. - Adds the global
--lenientoption which is now required to admit partial results as output.
- Adds the
blzunit for BriefLZ compression and decompression.
- Adds the
xtdocunit which can extract more files from Office documents thanxtzip. - Adds the
triviaunit which can be used to attach certain meta variables. Moving forward, this will be the preferred way to access simple invariants of a binary chunk. For now, it can attach the integer variablessizeandindex, containing the size of the data in bytes and the chunk index within the current frame, respectively. Theeval:handler for numeric multibin values no longer accepts the special variableNto represent the chunk size as this functionality can be recovered by preprocessing each chunk withtriviaand using the variablesizeinstead ofN. - The
carve-peunit is now a path extractor unit (TL/DR: More command line options).
- Changes the interface for the frame squeeze mechanic
- Adds option to
pefileto compute carve size based on virtual section sizes & offsets.
- Using hex escape sequences in the replacement string for
resubnow works as expected. - The
yara:modifier for regular expression based units now accepts lowercase hex characters. - The
imphashunit's performance was improved slightly. - Additional options for the
pecarveunit. - Adds the
ppjscriptunit (wrapper around jsbeautifier). - The
vsnipunit can now extract more than one memory region. - Adds a count restriction to the
resplitandresubunits.
- The interface for cipher units has been changed; the encryption mode is no longer a mandatory argument. Better handling of various cipher block chaining modes has been implemented.
- Conservative option added to
peoverlayandpestrip.
- The
salsaandchachacipher units now have pure Python implementations that allow you to specify the number of rounds. The PyCryptodome interfaces still exist, now as unitssalsa20andchacha20. - The
HMACunit was added to support simple HMAC based key derivation. - The
dumpunit stream mode has been adjusted so that it is possible to write consecutive data to a file inside a nested frame.
- The
cfmtunit has been reworked to support more common modern Python format string syntax. - The output of
crc32andadler32checksum hashes has been altered to use the correct byte order. - The
rabbitunit was added which implements the RABBIT stream cipher.
- The
mpush,mpop, andmputunits have been renamed to simplypush,pop, andput. - The
autoxorunit has been transformed into thedrpunit, the behavior ofautoxorcan be achieved usingxor drp:copy:all. - Data types of .NET fields are better detected by
dnfieldsnow, but a proper parser for type signatures is still missing.
- The
gzunit was deprecated because thezlunit covers its usecase (and does a better job at it). - The
lprefixunit for parsing length-prefixed data was added. - Parsing of managed .NET string resources via the
dnmrunit was fixed, these would previously be returned unparsed. - The
binpngunit has been improved and renamed tostego, a more flexible unit to extract data from images.
- The
peslice,elfslice, andpesectunits have been removed. - In their place, the cross-format units
vsnipandvsectcan now be used to extract data from virtual addresses and sections of PE, ELF, and MachO files.
- adds
md2andmd4hashing algorithms - the
CryptDeriveKeyunit now also mirrors the API call for SHA2 based hashing algorithms - message type attachments in Outlook email formats are now supported by
xtmail
- The interface of the memory slicing units
pesliceandelfslicehas changed. - Python expression parser and numeric arguments have been refactored.
- Removes the
--install-optioncapability introduced in 0.3.5, see pip/#8748 for more information. - The
xttarunit was added. - The
lzmaunit can now return partial results for buffers with junk bytes at the end.
- The
ifrexunit was added. - The
jvstrunit was added. - A source distribution manifest was added to fix errors that occurred during source installs.
- Using
pip install --install-option=library binary-refineryor aREFINERY_PREFIXenvironment variable with value!will now install the binary refinery without any command line scripts, only as a library.
- It is now possible to use local refinery units (i.e. a Python script in the current director which contains a refinery unit that is not abstract) for multibin prefixes and in any other situation where units are dynamically loaded.
- The
pesectunit was added. - The
resubandresplitunits no longer offer options that have no bearing on their behavior. - The
lz4unit was added with a pure Python implementation of LZ4 decompression. - The
jvdasmunit for disassembling Java class files was added.
- The
autoxorunit was added. - The
cfmtunit was added. - The License of Binary Refinery was changed to 3-Clause BSD.
- The
netbiosunit was added. - The
stretchunit was added. - The
hc128cipher unit was added. - The unit
dnrcwas split intodnrcfor extracting .NET resources anddnmrfor unpacking managed .NET resources. - Several units that extract items from container formats have received a unified interface. So far, this interface applies to
xtmail,xtzip,winreg,dnfields,dnrc, anddnmr. - When using named match groups for the
rexunit, these matches are now forwarded as metadata within frames. - The
xtzipunit was given an optional archive password parameter. - The
xtmailunit can now extract headers in text and json format.
- Test coverage was increased
- The
recodeunit can now autodetect input encoding. - Several bugfixes were performed on the
vbeunit. - More bandaids were added to PowerShell deobfuscation.
- The
pestripandpeoverlayunits were added. - Interface retrofitting was completed.
- Fixes a tiny bug in the PyPI display of the readme file, and completes changelog from previous version.
- The
rsaunit was improved and can handle the Microsoft blob format now. - PowerShell deobfuscation was improved, but that doesn't change the fact that this would be much better with a proper parser.
- The
b32for base32 encoding and decoding was added. - Preliminary support for meta variables has been added with the
mpush,mpop, andmputunits. This feature is experimental and not well documented yet. - The
--squeeze/-Zoption was added to all units that produce multiple outputs: It disables the default separation of these outputs by line breaks. - Pattern extraction units such as
rexwill now preserve the order of extracted strings, even when the--longestoption is used. - The suggested
PATHenvironment variabe modification from the Linux installer script was corrected; The previous variant would make the refinery virtual environment take precedence over the global python executables.
- The
dumpunit has been refactored to make it easier to use; Formatting of file names is done automatically now unless the flag-por--plainis specified to prevent string formatting. - The
snipunit can now remove bytes from the input. - The
dnfieldsunit was added. - The
ppjsonunit can now minify json by specifying0as the desired indentation width. - The
dsjavaunit was improved, although it remains a work in progress. - The
freadunit received a linewise mode.
- After some incomplete attempts to improve backwards compatibility, the package now simply requires Python 3.7.
- Units can now be written with a Python
__init__constructor and deduce the command line interface from this constructor. A decorator class was added to help enriching the parameter list of the constructor with information on how to translate these into command line parameters. The goal is to eventually retrofit all units to follow this standard. - The
pemetaunit has more features now. - The
coupleunit was added; it is an adapter to turn any stdin/stdout based command line tool into a refinery unit. - The
carve-xmlunit was added. - The
dnstrunit was added.
- All hashing prefixes for multibin expressions have been implemented as separate units, i.e.
sha256andmd5are now units that output the corresponding hash of the input data. - The
xtmailunit was added which can extract the body and attachments of email documents, both Outlook and MIME formats. - The framed format was extended with rudimentary support for metadata in framed chunks. This is currently used by the
xtzipandxtmailunits to attach anameproperty to emitted chunks which contains the file name information from the parsed data. Thedumpunit now has a--metaoption to read thisnameproperty and use it as the file name for dumping. The--metaoptions defaults to using the SHA256 hash of the data as the file name if no corresponding metadata is present. - The
pemetaunit was added. - The
carve-jsonunit was added. - The
pesliceandelfsliceunits were given a unified interface. - The
b85for base 85 encoding an decoding was added.
- Fixes a bug in the .NET header parser where the tables were sometimes parsed in the wrong order.
- The
xtzipunit has been added, which can extract data from zip archives. - The
carve-zipunit has been added. It can carve ZIP files from buffers, similar tocarve-pefor PE files. - The
rsaunit has finally been added. - The
rncryptunit has been added. - The
dncfxunit has been added; it extracts the strings from ConfuserEx obfuscated .NET binaries. - Adds support for TrendMicro Clicktime URL guards in the
urlguardsunit.
- Several tests were added, testing now uses malshare to test units against real world samples. To properly execute tests, the environment variable
MALSHARE_APIneeds to contain a valid malshare API key. - A
numpyimport that always occured during any unit load was moved into thepeekunit code to reduce import time of other units. - Issues with wheel installation on Windows were fixed.
- It is now possible to instantiate units in code with arguments of type
bytesand have it work as expected, i.e.xor(B's3cr3t')will construct axorunit that decrypts using the byte string keys3cr3t. - The
rexunit can now apply an arbitrary number of transformations to each match and return the results as separate outputs. - The
urlguardsunit now supports ProofPoint V3 guarded URLs. - Thanks to the recent fix of #29 in javaobj, the
dsjava(deserialize Java serialized data) unit should now work. However, since there are currently no tests, bugs should be expected.
- Processing of data in frames is no longer interrupted by errors in one unit.
- The global
--lenient(or-L) flag has been added: It allows refinery units to return partial results. This behavior is disabled by default because it usually means that an error occurred during processing. - The virtual environment setup script has received bug fixes for problems with absolute paths.
- This changelog was added.
- The unit
jsonfmthas been renamed toppjson(for pretty-print json). - The unit
ppxml(pretty-print xml) was added. - The unit
carve-pe(carve PE files) was added. - The unit
winreg(read windows registry hives) was added, also adding a dependency on the python-registry package (also on GitHub). - .NET managed resource extraction was improved, although it is still not perfect.
- The unit
sortednow only sorts the chunks of the input stream that are in scope. - The unit
dedupcan no longer sort the input stream becausesortedcan do this. - PowerShell deobfuscation and their test coverage was improved.
- Cryptographic units have been refactored; the
salsaandchachaunits now take a--nonceparameter rather than an--ivparameter, as they should.