PsyloDbg is a versatile, user-friendly, and open-source debugger for the Windows platform. It is entirely written in Delphi, and its purpose is to assist malware analysts in their work by providing them with a fast and effective tool. As a result, analysts can save time and improve their response to malware threats.

New Unprotect C# Code Snippet added for technique Timestomp.

This tiny code snippet demonstrate the principle of file time stomping.

Steps:

• Enumerate files in current directory (excluding the target file).
• Sort enumerated files by modification date.
• Takes the most recent file and apply its File Creation Date, File Last Modification and File Last Access to our target file.

Additional information:

• Supports relative target file.
• If no files lives inside the current directory, then current directory (parent folder) date information are used.
• If no files lives inside the current directory and current directory is a root path, then timestomp procedure fails.

New Unprotect Delphi code snippet added for technique Process Hollowing, RunPE with support of both x86-32 and x86-64 in a single code.

New Unprotect Delphi Code Snippet added for technique Checking Mouse Activity

New Unprotect Delphi Code Snippet added for technique DLL Injection via CreateRemoteThread and LoadLibrary with both support of x86-32 and x86-64.

New Unprotect Delphi Code Snippet added for technique ProcEnvInjection - Remote code injection by abusing process environment strings for both x86-32 and x86-64.

New code snippet that demonstrate how Malware authors create self-deleting application. This technique rely on an external command line interpreter process that attempt to delete malware sample when sample process is terminated.

• Streaming performance considerably increased. FPS rate increased by 65% and can be optimised further by tweaking available options.
• Streaming desktop resolution is now controlled by the viewer.
• FastResize option was removed.
• Code optimisation.
• Windows key is now supported.
• Virtual Desktop window will show above terminal window.
• Beta support of LogonUI (Winlogon Protected Desktop).

The purpose of this tool is to allow users to run applications with system-level privileges in the context of their current active Windows session, using only the Microsoft Windows Task Scheduler.

Unlike other common tools, this technique does not require any external software or services, and can be easily configured to launch the system terminal and run the desired application within the current session. This allows users to access system-level functionality and interact with the application in real time.

• Invoke-RemoteDesktopServer error fixed during module import.

• Code improvement.
• Streaming performance increased.
• X509 Certificate password supported.

• Option to prevent server computer to enter sleep mode.
• Streaming performance increased by using dirty region detection (motion update). Only the part of Remote Desktop that changed are sent to viewer.
• Mouse control improved.
• Keyboard control improved.
• Code improvement.

PowerRunAsAttached is a ported version of RunAsAttached in pure PowerShell.

PowerBruteLogon is a ported version of WinBruteLogon in pure PowerShell.

• Application protocol redesigned to be more fast, stable and modular.
• Session concurrency now supported. Multiple viewers can connect to the same server at the same time.
• Possibility to shutdown server using CTRL+C
• Streaming quality is now controlled by the viewer.
• Desktop image size is now requested server-side.
• Bug fix in virtual desktop alignement.
• Timeout implement during protocol negotiations to avoid possible dead locks.
• Virtual desktop can now be set on top of other windows.
• Server supports SecureString for authentication password.

• Deprecated TransportMode option removed.
• Streaming performance improved.
• Code improvement, release stability is good enough to mark release as stable.

• Code improvement.
• Ingress / Egress event support.
• Bug fix for password generation algorithm.
• Bug fix for virtual keyboard.
• Clipboard synchronisation implemented.
• View only option added. If used remote viewer cannot control remote server.