When an addition to the existing API is made, the minor version is bumped. When an API feature or function is removed or changed, the major version is bumped.
Pointer class now supports get_raw_value().
KTIMER no longer supports get_raw_dpc().
Support encoding parameter for objects.utility.array_to_string
Add support for windows GUI classes and OS distinguishers.
Add a symbol_table_name for ExecutiveObject.get_object_header()/
Linux net constants added. Network objects moved to separate versionable module.
uuid method added to linux.extensions.
NM_TYPES_DESC constants added to linux.
latch_tree_root and kernel_symbol added to linux extensions.
Linux module class additions:
get_module_address_boundariessection_typetabLinuxtask_structclass additions:get_address_space_layerstateLinuxbpf_progclass additions:bpf_jit_binary_hdr_address
Introduction of Modules versionable linux extension module.
Deprecation of some LinuxUtilities functions relating to modules.
Addition of scatterlist linux extension.
The addition of a types member to SymbolInterface
Addition of TAINT_FLAG constants, TaintFlag dataclass
Addition of linux tainting versionable module
Addition of convert_fourcc_code to LinuxUtilities class
No significant changes (part of the 2.16.0 PR which took time in development)
Linux task object extension addition of getppid
Changes to the Intel layer to support PROT_NONE pages.
Addition of get_type method to windows CM_KEY_NODE registry structure
No significant API changes (CLI changes to the JSONL text renderer)
No significant API changes (change to call linux.LinuxUtilities.get_module_from_volobj_type to get the kernel)
Addition of the BinOrAbsent, HexOrAbsent, HexBytesOrAbsent and MultiTypeDataOrAbsent data type renderers
Addition of is_valid, get_create_time and get_exit_time to ETHREAD structure
No significant changes (again, the version got bump twice in the PR straight to 2.7.0)
Add in support for specifying a type override for object_from_symbol
Add a get_size() method to Windows VAD structures and fix several off-by-one issues when calculating VAD sizes.
Update in the windows _EPROCESS.owning_process method to support Windows Vista and later versions.
Add in child_template to template class
Changes to linux core calls
Add in the linux task.get_threads method to the API.
Add in the windows DEVICE_OBJECT.get_attached_devices and DRIVER_OBJECT.get_devices methods to the API.
Fix the behaviour of the offsets returned by the PDB scanner.
Remove the symbol_shift mechanism, where symbol tables could alter their own symbols.
Symbols from a symbol table are now always the offset values. They can be added to a Module
and when symbols are requested from a Module they are shifted by the module's offset to get
an absolute offset. This can be done with Module.get_absolute_symbol_address or as part of
Module.object_from_symbol(absolute = False, ...).
- Added support for module collections
- Added context.modules
- Added ModuleRequirement
- Added get_symbols_by_absolute_location