Loki

• PE-Sieve upgraded to fixed version 0.3.6

• fix: since we're still using the stable old version of PE-Sieve, the JSON structure change had to be reverted
• fix: string match display broke with yara-python upgrade (new structure)

• first release in which loki.exe and loki-upgrader.exe are a x64 binaries (better in-memory detection, changes in how SysWow64 / Sysnative gets processed etc.)
• end of x86 support / no pre-build executables anymore (the last 32bit version is LOKI version 0.46.2)
• fix: aligned with new PE-Sieve JSON output structure

• LAST 32bit version of the LOKI Windows binary
• fix: downgrading PE-Sieve to version 0.3.4 due to stability issues

• change wording when hash score is low ("Malware Hash" to "Suspicious Hash")
  

• package upgrades
• support for new hash IOC format (2nd column contains score)
• PE-Sieve upgrade

the new hash IOC format, which we're using in THOR for quite some time (with an optional 2nd column), allows us to set a score for hash IOCs, e.g. this new hash IOC list for malicious/vulnerable drivers from LOLDrivers project

• build with YARA 4.1.3
• PESieve update to v0.3.4

• fix: comparison issue
• fix: custom IOC initialisation issue
• fix: allow different python version

• workaround for "owner" field supported in THOR only

• new command line flags --allhds and --alldrives allow scanning all local hard drives or all drives in general including removable drives and network drives
• You can use --force to force scan a directory that has been excluded by default (e.g. /dev, /media, /mnt etc.)
• The usage description in the README has been updated

• feat: rule author output to comply with DRL 1.1 (new signature-base license)

• refactor: making the vulnerability check optional

• trying to fix unicode decode issues for some users

• docs: better description of Hive Permission bug
• fix: typos in some words

• vulnerability check: local SAM database readable by every user

• fix: multiple Cobalt Strike rule matches on a single process could cause a false negative message saying that LOKI shows "too many matches on process memory" and prints a "WARNING" level message that states "most likely a false positive" - we've increased the threshold from 3 to 5 different rules https://github.com/Neo23x0/Loki/pull/180

• build with YARA 4.1.0
• performance improvements (20-35%)
• lower memory usage

• removed tracebacks for permission denied errors during file walk while scanning as non-admin user

• Build with patch from https://github.com/pyinstaller/pyinstaller/pull/5580 to reduce AV engine matches

Before
https://www.virustotal.com/gui/file/3d8ff612de481707fa706952a894d904a4132d28ccae963813137eca063297d5/detection

After
https://www.virustotal.com/gui/file/eb4015587a19a296d314359af969f33dae53518bd715ea196edf1bc5b0c3e3ab/detection

• changed code to support Python 3
• new build using PyInstaller 4.2 on Windows 10
• removed some unneeded modules and structures: reginfs, plugins, pylzma requirement by custom encrypted signatures