Joebox 2.0.0 (released 24.07.2010)
- Architectural change to improve stability

Joebox 1.9.0 (released 26.06.2010)
- Reputation for network connections
- Clearer structuring of network connections
- Some bugfixes
- Register extraction from syscalls with a thread context parameter

Joebox 1.8.0 (released 30.05.2010)
- Added syscall reputation database
- Added syscall reputation data to the report

Joebox 1.7.1 (released 24.05.2010)
- New hooked functions: NtContinue, NtThreadGetContext, added to the report
- Improved process image file path and command line handling
- Fixed a driver bug (db import problem)
- Improved screenshot generation (now dumps JPGs)

Joebox 1.7.0 (released 04.05.2010)
- Screenshot generation for popups and new windows
- Automated installer clicking
- Architectural improvements

Joebox 1.6.0 (released 18.04.2010)
- Support for zip and rar (single or multiple executables)
- Fixed the "no traffic data" bug
- Added host column to the HTTP report section

Joebox 1.5.5 (released 14.03.2010)
- Fixed bug with too-large HTML files
- Added "files written" section
- Added "key values queried" section
- Increased HTML layout
- Fixed VM guest time update bug

Joebox 1.5.0 (released 28.12.2009)
- Added system activities, time activities, user activities, debug activities and exception activities to the report
- A stack backtrace is taken after each system call
- Runs on Vista SP2 and W7
- Checks whether a file or key exists before ZwCreateFile, ZwOpenFile, ZwCreateKey and ZwOpenKey are called
- Added controllers for VirtualBox and VMware
- Added new Joebox script command _JBSetSystem
- Added MD5 hashing of all started processes and drivers
- Added column "mapped to pid" to the "section created" activities
- Replaced NULL values with "not known" or "own process" strings
- Implemented a dispatcher service for managing many analysis environments
- Fixed various driver bugs

Joebox 1.3.5 (released 12.06.2009)
- Now all executable file formats are analysed (exe, sys, dll, doc, pdf ...)
- Some internal updates which speed up the abstraction process
- Added new chronological function section to the analysis file
- Added possibility to get raw CSV and pcap data
- Added possibility to queue submissions if the analysis machine is down

Joebox 1.3.0 (released 07.03.2009)
- Changed behaviour format from XML to easily parsable CSV
- Handle data is extracted separately, which improves integrity
- Added possibility to hook GUI functions (for instance NtUserSetWindowsHookEx)
- Number of hooked system calls increased from 15 to 166 :)
- All parameters are extracted
- Parameter data are hashed, which enables quick comparison
- Added thread data to calls
- Added parameter meaning data (for instance FILEACCESSMASK ULONG IN 1)
- Added new parameter to the hooking config to influence side channel detection
- Added anti-unhook techniques
- Improved side channel (code injection) detection
- Improved exception handling in kernel mode
- Reimplemented the whole abstraction tool
- Abstraction tool is now platform independent
- Added mutant behaviour data to the report
- Added open process/thread behaviour data to the report
- Added possibility to change static driver settings
- Added antivirus labeling
- Created a portable Joebox version
- Portable version is able to analyse exe, pif, cmd, bat, scr, com, pdf, html, msi, url and cab files automatically
- Improved robustness of client-server communication by adding finite state machines
- Added a simple ping-pong protocol for checking analysis machine status
- Changed data transfer mechanism from FTP to Samba
- Fixed various performance problems (extraction and abstraction)
- Fixed various deadlock problems
- Added various configuration settings
- Changed the complete architecture from monolithic to controller based
- Improved the whole design
- Removed the restore solution Deep Freeze
- Added the PXE imaging solution FOG
- Developed a secure ring0 hashmap
- Developed a secure ring0 linked list
- Reimplemented the whole diff tool
- Improved diff tool performance
- Added a process exception list

Joebox 1.2.0 (released 15.09.2008)
- Integrated AutoIt
- Added the possibility to control Joebox via scripts
- Added the ability to create and differentiate behaviour baselines
- Added the ability to modify the analysis state
- Added the ability to add comments to the reports
- Added various hooking functions (process memory and thread modifications)
- Added a startup section to the report
- Added a chronological section per process and driver to the report
- Added tshark for sniffing network traffic
- Added network section to the report
- Added ability to analyse DLL injection and thread hijacking
- Improved the stability of joeboxdriver
- Added an interface for submitting files via Samba

Joebox 1.0.2 (released 28.01.2008)
- Fixed error "driver unloaded without canceling pending operations" definitively
- Fixed page fault bug while extracting registry paths
- Corrected buggy driver and process filters

Joebox 1.0.1 (released 26.01.2008)
- NtOpenKey hooked
- NT paths (\??\C:\) and device paths (\device\harddiskvolume1) are converted to DOS paths
- Registry paths \registry\machine and \registry\user are converted to HKEY_LOCAL_MACHINE and HKEY_USERS
- Drivers are now analysed properly
- The analysis driver finds its config file relative to its own path
- The driver log file is stored in the directory where the driver was placed
- Added cookie system to the driver so that hooked functions can be called without being analysed
- Complete revision of the analysis file
- Added section "other file operations"
- Added section "keys opened"
- Whether a file was opened or created is detected from the returned IO status block
- Whether a key was opened or created is detected from the returned disposition
- Removed bogus kernel calling statistic
- No longer a maximum number of concurrent process and driver analyses
- Fixed error "driver unloaded without canceling pending operations"
- Corrected time from system time to local time

Joebox 1.0.0 (released 18.01.2008)
- First publicly available version
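The 1.0.1 entries above describe normalising the kernel-side path forms seen in sandbox reports (\??\ and \device\ prefixes, \registry\machine and \registry\user hives) into the DOS and HKEY forms an analyst expects. The following is an added example of that conversion and is not Joebox's own code; the device-to-drive table is constructed for the example, since a real sandbox would have to query the guest for it.

```python
# Constructed device-to-drive-letter mapping for this example. On a live guest
# this table would be built by querying the object manager (e.g. QueryDosDevice);
# the volume numbers and letters here are illustrative only.
DEVICE_MAP = {
    "\\device\\harddiskvolume1": "C:",
    "\\device\\harddiskvolume2": "D:",
}

# Native registry hive roots and the Win32 names analysts are used to.
REGISTRY_HIVES = {
    "\\registry\\machine": "HKEY_LOCAL_MACHINE",
    "\\registry\\user": "HKEY_USERS",
}

# Object-manager prefixes that simply wrap a drive-letter path.
DRIVE_PREFIXES = ("\\??\\", "\\dosdevices\\")


def _replace_root(path, roots):
    """Swap a leading root (case-insensitive) for its mapped name.
    Matching requires a path separator after the root so that
    harddiskvolume1 never matches harddiskvolume10."""
    lower = path.lower()
    for root, mapped in roots.items():
        if lower == root or lower.startswith(root + "\\"):
            return mapped + path[len(root):]
    return path


def to_dos_path(nt_path):
    """Convert an NT path to DOS form; unknown forms are returned unchanged
    rather than guessed, so nothing in the report is silently rewritten."""
    lower = nt_path.lower()
    for prefix in DRIVE_PREFIXES:
        if lower.startswith(prefix):
            return nt_path[len(prefix):]
    return _replace_root(nt_path, DEVICE_MAP)


def to_registry_path(nt_key):
    """Convert a native registry key path to its HKEY_* form."""
    return _replace_root(nt_key, REGISTRY_HIVES)


def normalize(path):
    """Dispatch on the object namespace: registry keys vs. file/device paths."""
    if path.lower().startswith("\\registry\\"):
        return to_registry_path(path)
    return to_dos_path(path)
```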