Releases: aring87/Static-Software-Malware-Analysis

RingForge Analyzer v1.2

19 Mar 17:18

RingForge Analyzer v1.2 is a GUI polish and workflow refinement release that builds on the v1.1 scoring and workflow milestone. This version focuses on visual consistency, cleaner usability, and a more streamlined experience across the main GUI, Dynamic Analysis, and API Spec Analysis workflows.

Highlights

  • Refined the main GUI so the output panel is visible on launch
  • Improved button styling, spacing, and consistency across the application
  • Standardized Browse and Clear button behavior to better align with entry-field layouts
  • Simplified the main workflow by consolidating API and Spec entry into API Spec Analysis
  • Reworked the Dynamic Analysis window to better match the main GUI
  • Reworked the API Spec Analysis window for a clearer, more report-style layout
  • Preserved the v1.1 combined scoring and workflow functionality across Static, Dynamic, and Spec/API analysis

Main GUI improvements

  • Output area now displays correctly at startup
  • Main action row spacing was tightened for a cleaner, more professional appearance
  • Button styling was standardized across main actions and side utility controls
  • Browse and Clear controls were resized and aligned to better match adjacent text-entry rows
  • Main workflow buttons were simplified to reduce confusion and clutter

Dynamic Analysis improvements

  • Dynamic Analysis window now follows the same visual structure as the main GUI
  • Settings were grouped into a clearer Dynamic Analysis Settings section
  • Enable Procmon Capture was moved next to timeout controls for a more logical layout
  • Dynamic action row was simplified to:
    • Run Dynamic Analysis
    • Open Case Folder
    • Open Latest Report
  • Removed the redundant export button from the primary action row
  • Side Browse buttons were resized and aligned for better consistency
  • Output pane remains visible and continues to support live run feedback

API Spec Analysis improvements

  • Renamed and positioned as the primary API/spec workflow
  • Updated visual structure to match the main GUI and Dynamic Analysis window
  • Organized output into:
    • Summary
    • Risk Notes
    • Endpoint Inventory
  • Improved top action row and control styling
  • API spec analysis continues to save into the case spec folder
  • API spec results continue to feed the combined Spec/API scoring workflow

API testing workflow

  • Manual live API request testing remains available as a separate advanced utility
  • The primary user-facing workflow is now centered on API Spec Analysis
  • This keeps the main GUI focused while preserving flexibility for deeper manual API testing when needed

Versioning

  • v1.1 = scoring and workflow milestone
  • v1.2 = GUI polish, usability refinement, and workflow cleanup

Notes

  • Core combined scoring behavior introduced in v1.1 remains intact
  • No major architecture changes were introduced in v1.2
  • This release is intended as the polished follow-up to the validated v1.1 milestone

RingForge Analyzer v1.1

18 Mar 01:36

What’s New in v1.1

  • Added Dynamic Analysis window workflow
  • Added Procmon configuration support
  • Added dynamic HTML report export
  • Added browser-based PDF fallback workflow
  • Improved dynamic findings noise reduction on non-isolated hosts
  • Improved progress/status wording for optional tool steps
  • Began UI theming updates to align with report styling

RingForge Analyzer v1.0 — Dynamic Analysis Foundation

17 Mar 18:51

This is the first branded release of RingForge Analyzer, expanding the project from a static triage workflow into a hybrid static + dynamic analysis platform. This release introduces the first major dynamic-analysis workflow for behavioral capture, persistence-change detection, dropped-file triage, and analyst-facing findings, all integrated into the GUI.

Added

  • dedicated dynamic_analysis package for orchestration, Procmon handling, parsing, persistence diffing, findings, and utilities
  • Procmon-backed dynamic capture workflow
  • Procmon CSV parsing and normalized JSON output
  • interesting-event filtering for higher-value behavior review
  • dropped-file candidate triage
  • scheduled task snapshotting and diffing
  • Windows service snapshotting and diffing
  • analyst-facing findings summaries
  • separate Dynamic Analysis GUI window
  • live phase/status updates during dynamic runs

Improved

  • cleaner dynamic case structure under metadata, procmon, persistence, files, and reports
  • more useful GUI output with highlights, task/service diff summaries, top written paths, top network processes, and final JSON summary
  • reduced dropped-file triage noise by focusing on suspicious and user-writable locations
  • reduced false findings caused by the tool’s own snapshotting activity
  • better GUI handling of samples that exit with nonzero return codes

Fixed

  • Procmon launch hang caused by blocking startup behavior
  • GUI worker-thread issue that prevented backend execution
  • scheduled-task snapshot reliability issues from PowerShell JSON handling
  • excessive dropped-file overcounting during benign runs
  • self-generated false persistence and LOLBin findings

Dynamic case artifacts

cases/<case_name>/
  metadata/
    run_config.json
    sample_info.json
    run_summary.json
  procmon/
    raw.pml
    export.csv
    parsed_events.json
    interesting_events.json
  persistence/
    tasks_before.json
    tasks_after.json
    task_diffs.json
    services_before.json
    services_after.json
    service_diffs.json
  files/
    dropped_files.json
    dropped_files_summary.json
  reports/
    dynamic_findings.json
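The persistence/ artifacts above are produced by snapshotting scheduled tasks and services before and after the run and diffing the two snapshots, and the v1.0 notes also mention suppressing findings caused by the tool's own snapshotting activity. The following is an added example of that snapshot-diff step; it is not RingForge Analyzer's code. The record layout of tasks_before.json / tasks_after.json, the RingForgeSnapshot prefix used to recognise self-generated entries, and the user-writable path hints are all assumptions made for the example, and the two snapshots are constructed inline.

```python
import json
from typing import Any, Dict, List

# Constructed sample snapshots. The real tasks_before.json / tasks_after.json
# layouts are not shown on the page; a list of records with these keys is assumed.
TASKS_BEFORE_JSON = json.dumps([
    {"path": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "action": "defrag.exe -c", "enabled": True},
    {"path": "\\Vendor\\UpdateCheck", "action": "C:\\Program Files\\Vendor\\upd.exe /check", "enabled": False},
])
TASKS_AFTER_JSON = json.dumps([
    {"path": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "action": "defrag.exe -c", "enabled": True},
    {"path": "\\Vendor\\UpdateCheck", "action": "C:\\Program Files\\Vendor\\upd.exe /check", "enabled": True},
    {"path": "\\Updater", "action": "C:\\Users\\Public\\svchost.exe", "enabled": True},
    # hypothetical entry created by the analyzer's own snapshot step; it must not become a finding
    {"path": "\\RingForgeSnapshot\\Tasks", "action": "powershell.exe -File snap.ps1", "enabled": True},
])

# Assumed naming convention for the tool's own snapshot artifacts (not the project's real one).
SELF_GENERATED_PREFIXES = ("\\RingForgeSnapshot",)

# Locations where a persistence action pointing at a binary deserves a closer look.
USER_WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def load_snapshot(text: str, key: str = "path",
                  ignore_prefixes=SELF_GENERATED_PREFIXES) -> Dict[str, Dict[str, Any]]:
    """Parse a snapshot JSON list and index it by `key`, dropping self-generated entries."""
    indexed: Dict[str, Dict[str, Any]] = {}
    for entry in json.loads(text):
        k = entry[key]
        if any(k.startswith(p) for p in ignore_prefixes):
            continue  # noise from the analyzer itself
        indexed[k] = entry
    return indexed


def diff_snapshots(before: Dict[str, Dict[str, Any]],
                   after: Dict[str, Dict[str, Any]]) -> Dict[str, list]:
    """Return added/removed/changed records; `changed` lists which fields differ."""
    added = [after[k] for k in sorted(after.keys() - before.keys())]
    removed = [before[k] for k in sorted(before.keys() - after.keys())]
    changed = []
    for k in sorted(before.keys() & after.keys()):
        if before[k] != after[k]:
            fields = sorted(f for f in set(before[k]) | set(after[k])
                            if before[k].get(f) != after[k].get(f))
            changed.append({"key": k, "fields": fields, "before": before[k], "after": after[k]})
    return {"added": added, "removed": removed, "changed": changed}


def findings_from_diff(diff: Dict[str, list], kind: str = "scheduled task") -> List[Dict[str, str]]:
    """Turn a raw diff into analyst-facing findings, raising severity for user-writable action paths."""
    findings = []
    for entry in diff["added"]:
        sev = "high" if any(h in entry["action"].lower() for h in USER_WRITABLE_HINTS) else "medium"
        findings.append({"severity": sev, "summary": f"New {kind} {entry['path']} runs {entry['action']}"})
    for entry in diff["removed"]:
        findings.append({"severity": "low", "summary": f"{kind} {entry['path']} was removed"})
    for ch in diff["changed"]:
        findings.append({"severity": "medium",
                         "summary": f"{kind} {ch['key']} changed fields {', '.join(ch['fields'])}"})
    return findings


def run_example():
    """Diff the constructed before/after snapshots and build findings from the result."""
    before = load_snapshot(TASKS_BEFORE_JSON)
    after = load_snapshot(TASKS_AFTER_JSON)
    diff = diff_snapshots(before, after)
    return diff, findings_from_diff(diff)


if __name__ == "__main__":
    diff, findings = run_example()
    print(json.dumps(diff, indent=2))  # the shape a task_diffs.json could hold
    for f in findings:
        print(f["severity"], f["summary"])
```

Services can be handled with the same two functions by indexing on the service name instead of the task path; the self-generated filter is applied at load time so that the analyzer's own PowerShell snapshot task never reaches the diff, which is the noise class the v1.0 "Fixed" list refers to.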

Notes

Dynamic analysis in this release is intended for use in an isolated Windows VM or sandbox. RingForge Analyzer v1.0 establishes the first major dynamic-analysis baseline for the platform and creates a strong foundation for future tuning and expansion.

v4.0 – API Analysis, Signing Fixes, and Scoring Improvements

12 Mar 11:30

Release Notes – v4.0

This release improves the static triage pipeline with stronger signing validation, better false-positive control, executable API analysis, and clearer risk scoring.

Added

  • executable API import analysis
  • API behavior chain detection for PE files
  • api_analysis.json output artifact
  • API Analysis section in Markdown and HTML reports
  • API-chain scoring support in the risk model

Improved

  • Authenticode parsing now correctly recognizes successful verification states from osslsigncode
  • signing cache handling now reparses cached raw signing output so improved parsing logic is applied to previously analyzed files
  • scoring logic better handles legitimate signed installers and launchers
  • VirusTotal-aware dampening and trusted-signature handling reduce false positives more reliably

Fixed

  • cases where valid signed software could still be treated like unsigned or partially trusted samples
  • over-scoring of legitimate installer and launcher software
  • missing API analysis visibility in reports after feature integration
  • stale signing cache results preventing corrected verification logic from being reflected in new runs

Notes

  • v4 is best packaged as a onedir release
  • keep the executable together with the bundled scripts, engine files, and tools
  • separate API spec / endpoint analysis is planned as a future mode

Static Software Analysis v3

07 Mar 21:29

Release Notes

Static Software / Malware Analysis v3.0.0 improves the GUI workflow and fixes multiple packaging and execution issues discovered during testing.

Added

  • VirusTotal API key field in the GUI
  • Open Case Files button
  • Open HTML Report button
  • Open PDF Report button
  • Packaged release README for Windows distribution

Fixed

  • Fixed VirusTotal integration so the GUI correctly passes VT_API_KEY to the backend
  • Fixed packaged EXE relaunch/self-spawn behavior
  • Fixed release folder layout for scripts, tools, and backend runtime
  • Fixed progress handling so successful runs reconcile correctly at completion
  • Fixed final status handling for score, verdict, confidence, and VirusTotal summary

Improved

  • Better packaged Windows EXE workflow
  • Better end-user report access
  • Better final-state progress display and result summary behavior

Static Software Analysis v2

06 Mar 17:33

Release Notes — Version 2

Version 2 builds on the initial public release with major improvements to the Windows GUI workflow, packaging, path handling, and troubleshooting experience. This release focuses on making the project easier to run, easier to understand, and more reliable for day-to-day use, especially for users testing on Windows.

What was added and improved in Version 2

GUI improvements

  • Updated progress handling in the GUI for timestamped analysis.log entries
  • Improved step tracking for long-running analysis jobs
  • Added better success handling so completed runs reach 100%
  • Improved report/finalize progress behavior
  • Clearer step labels in the progress view
  • Better handling for repeated or reused case folders during testing

Windows usability improvements

  • Added clearer Windows-friendly status handling for steps that rely on Linux-oriented tooling
  • File Type and Strings now show as Not Available on Windows when the supporting tools are not present, instead of appearing as hard failures
  • Updated labels to make Linux-dependent steps easier to understand:
    • File Type (Linux tool / optional on Windows)
    • Strings (Linux tool / optional on Windows)
  • Added Windows note that PDF generation may be optional depending on environment/tool availability

Engine and path fixes

  • CASE_ROOT_DIR handling was fixed so case output location selection works correctly
  • CAPA rules and signatures directory overrides are now properly honored
  • Improved compatibility with frozen configuration handling
  • Better detection and handling of report artifacts generated during analysis

Packaging and release improvements

  • Improved Windows packaging workflow for the GUI
  • Clarified that the recommended Windows distribution model is:
    • GUI executable
    • backend scripts
    • engine package
    • CAPA rules/signature folders
  • Added better documentation for release folder structure and support files required at runtime

Documentation and troubleshooting improvements

  • README was expanded and rewritten for a cleaner, more professional setup experience
  • Added more detailed Windows setup guidance
  • Added troubleshooting for:
    • invalid CAPA rules folder paths
    • missing static_triage.py in packaged releases
    • lief installed into the wrong Python environment
    • 7-Zip not in PATH
    • PowerShell path and prompt mistakes
    • stale or appended analysis.log behavior
    • Windows EXE support file layout issues

Included in this release

  • Updated GUI and CLI workflows for static triage
  • Hashing support (MD5, SHA1, SHA256)
  • Strings extraction with optional lightweight mode
  • capa capability analysis
  • PE and LIEF metadata collection
  • IOC extraction to structured output formats
  • Report generation in Markdown, HTML, and PDF
  • Recursive extraction support for common archive and installer formats
  • Inno Setup extraction support
  • Bootstrap support for retrieving required CAPA rules
  • Improved Windows GUI release packaging guidance
  • Expanded README and troubleshooting documentation

Recommended environment

Ubuntu or WSL remains the best-supported environment for full feature compatibility and the most complete tooling support.

Windows support has been improved significantly in Version 2, especially for the GUI workflow, but some steps still depend on Linux-oriented tooling and may appear as Not Available unless equivalent tools are installed and configured.

Additional notes

  • CAPA rules are still not vendored directly in the repository and should be retrieved during setup
  • Windows packaged releases should include the required support files and folders alongside the GUI executable
  • For the most reliable end-to-end execution path, Ubuntu/WSL is still recommended

Thank you for checking out Version 2 of the Static Software / Malware Analysis — Static Triage Pipeline.

Static Software Analysis v1

04 Mar 23:18

Release Notes

This is the initial public release of Static Software / Malware Analysis — Static Triage Pipeline, a toolkit for performing static triage of Windows executables and installer packages and generating structured investigation artifacts.

Included in this release

  • GUI and CLI workflows for static triage
  • Hashing support (MD5, SHA1, SHA256)
  • Strings extraction with optional lightweight mode
  • capa capability analysis
  • PE and LIEF metadata collection
  • IOC extraction to structured output formats
  • Report generation in Markdown, HTML, and PDF
  • Recursive extraction support for common archive and installer formats
  • Inno Setup extraction support
  • Bootstrap script for retrieving the required capa rules

Recommended environment

For best compatibility and full feature support, this project is recommended for Ubuntu or WSL. Some functionality depends on supporting tools commonly available in Linux-based environments.

Additional notes

  • The default capa rules are not vendored in the repository and should be retrieved during setup using the provided bootstrap script.
  • Windows packaging is provided for convenience, but the most reliable execution path remains Ubuntu/WSL for complete tooling support.

Thank you for checking out the project.