What's new in HEX DEREF 1.10
May 18, 2022
- Main view:
  - Added support for physical memory scans as follows: Physical memory scan options
  - Fixed an issue with the process name when dumping a process
New in HEX DEREF 1.09 (May 14, 2022)
- Main view:
  - Fixed an issue in kernel mode (KM) when retrieving the base address and size of an image
  - Fixed an issue in result files with reading and writing UInt64 values
  - Added support for kernel memory scans (Byte, 2 Bytes, 4 Bytes, 8 Bytes and Hex)
  - Default memory scans as follows: 2 Bytes (UInt16), 4 Bytes (UInt32), 8 Bytes (Int64), Hex (UInt64)
- Memory viewer:
  - Fixed an issue with pointer validation in non-kernel mode
  - Draw a primitive value from the address pointed to by the instruction in disassembly mode, e.g. "FFFFF80646DA1783 - 44 84 3D 48 89 88 00 - test byte ptr [FFFFF8064762A0D2h], r15L"
  - Tools->Dump or disassemble the module->Sections->Added "Use the file on the disk for comparison instead of memory"
  - Tools->Dump or disassemble the module->Sections->Added an option to scan the selected section or the entire image for memory patches
  - Fixed a "flicker" problem when pointer values were changing constantly
  - Tools->Search->Find a sequence of bytes->Search the entire kernel memory for the byte pattern
  - Fixed a logic issue in the disassembly mode. Draw the data in the following order at the address pointed to by the instruction: 1) Draw API information. 2) Draw a string reference. A string reference is a string at the address pointed to by the instruction. 3) If neither of the first two exists, draw a primitive value such as a byte
New in HEX DEREF 1.08 (Apr 1, 2022)
- Main view:
  - Fixed a logic issue with automatic process attach
  - Fixed unhandled exceptions with protected processes where an anti-cheat downgraded handle access
  - Added an option in settings to refresh the process list automatically
- "C" kernel driver:
  - Added a DKOM process handle elevation feature (elevate a handle to PROCESS_ALL_ACCESS 0x1FFFFF, all possible access rights for a process object)
  - Added DKOM-based process hiding functionality
- Memory viewer:
  - Minor UI optimizations (slightly less lag when drawing user process memory)
  - Show the values as unsigned by default
  - When you modify a value in memory, the value entered can also be a hexadecimal number
  - Fixed various unhandled exceptions with protected processes
New in HEX DEREF 1.07 (Feb 14, 2022)
- Main view:
  - Added an option to sort processes by PID
  - Show protected processes in gray in the process list
  - Added a right-click option to dump a protected user-mode process (stripped handle access) with the driver
  - Edit->Settings->General->The size of the buffer when reading memory is customizable
- Memory viewer:
  - Filter non-printable characters also when reading a Unicode UTF-16 string
  - Tools->Process modules->When listing kernel modules, translate the NT namespace path to the actual module path
  - Tools->Views->Sections->Map the PE file as SEC_IMAGE so the sections get correctly aligned and displayed in section view
  - Tools->Views->Sections->Added an option to find an array of bytes in the selected section
  - Tools->Views->Sections->Added an option to scan the selected section for memory patches
  - Fixed an issue in the logic that determines whether or not the section is executable
  - The "Take a peek behind the pointer" feature shows the values as unsigned
- "C" kernel driver:
  - Implemented a page table walk that can effectively find every allocated user or kernel memory page in a matter of a few seconds