Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

4n4lDetector 3.3.0

https://forum.tuts4you.com/files/file/2427-4n4ldetector/
4n0nym0us

By 4n0nym0us

4 Screenshots

This is a scan tool for Microsoft Windows executables, libraries, drivers and mdumps. Its main objective is to collect the necessary information to facilitate the identification of malicious code within the analyzed files. This tool analyzes, among other things, the PE header and its structure, the content of the sections, the different types of strings, among many other things. It also incorporates a multitude of its own ideas to recognize anomalies in the construction of files and the detection of mechanisms used by current malware.

Using the tool is simple, just configure the options in the drop-down panel on the right and drag the samples into 4n4lDetector.

Full support:
  - 32 bits (8086, x86, ARMv7)
  - 64 bits (AMD64, x86-64, x64, ARMv8)

TI and ET Extraction:

Alpha AXP, ARM, ARM Thumb-2 (32-bit Thumb), ARM64, EFI Byte Code, EFI Byte Code (EBC), Hitachi SH3, Hitachi SH3, Hitachi SH4, Hitachi SH5, Intel i860, Intel Itanium (IA-64), M32R, MIPS16, MIPS16 with FPU, MIPS R3000, MIPS R4000, MIPS with FPU, MIPS little-endian, MIPS little-endian WCE v2, x64, x86, x86-64.

Buttons code:
  - Buttons colored green are action buttons that open files and folders or are used to interact with the tool's utilities.
  - The buttons colored in red perform reconfigurations, deletion of data or reset of functional files.
  - Purple buttons announce the activation of online interactions.
  - The pink buttons are shortcut buttons that the tool uses as tabs to navigate between different types of utilities.

Shortcuts:
  - [A] Main analysis tab
  - [W] Analysis tab in modifiable HTML format for report (WebView)
  - [S] Viewer of strings extracted from the parsed file
  - [V] Module with the Virustotal report using its API
  
Detections:
  - PE Information
  - Unusual Entry Point Position or Code (Algorithms, Anomalous Instructions... )
  - Packers
  - Compilations
  - Binders/Joiners/Crypters
  - Architectures
  - Possible malicious functions
  - Registry Keys
  - Files Access
  - Juicy Words
  - Anti-VM/Sandbox/Debug
  - URLs Extractor
  - Payloads
  - AV Services
  - Duplicate Sections
  - IP/Domains List
  - Config RAT (Only In Memory Dumps)
  - Call API By Name
  - Unusual Chars In Description File (Polymorphic Patterns)
  - Rich Signature Analyzer
  - CheckSum Integrity Problem
  - PE Integrity Check
  - SQL Queries
  - Emails
  - Malicious resources
  - PE Carve
  - Exploits
  - File Rules for Entry Points and more... 😃

Console Options (Analysis to file):
  - 4n4lDetector.exe Path\App.exe -GUI (Start the graphical interface parsing a file from the console)
  - 4n4lDetector.exe Path\App.exe -GREMOVE (Remove binary after scan)
  - 4n4lDetector.exe Path\App.exe -TXT (Parse a file from the console and the output is written to a TXT file)
  - 4n4lDetector.exe Path\App.exe -HTML (Parse a file from the console and the output is written to HTML file)

Edited by 4n0nym0us

What's New in Version 3.3.0

Released

Changelog v3.3

  • Fixed a rare bug that could show the spinning hacker logo after completing the first analysis.

  • Added extraction of the IAT disk address in the Information section.

  • “Show Offsets” notifications now display information about the offset location when pressing DUMP or Disassemble.

  • Added overflow controls in external signature modules.

  • Revised section count handling for PE files with corrupted headers.

  • Adjusted Subsystem and MajorOSVersion identifiers in PE files.

  • Added MinorOSVersion field to the Information analysis.

  • Reviewed the function for counting duplicate sections in PE headers.

  • Completely restructured the SQL extraction module now much more powerful.

  • Reviewed the File Access execution extraction section.

  • Improved name detection in Export Table carving.

  • The options form now remains visible during analysis if it was open. (REVISION2)

  • Fixed a rare bug affecting the Finder’s UNICODE string search.

  • Slightly increased detections in Intelligent String section.

    • Added exclusive string cleaning for Golang-compiled binaries.

  • Reviewed the File Access module.

    • Maximized Unicode string extraction capability.

    • Improved ASCII cleaning to reduce Golang compiler false positives.

  • Reviewed the Sections module.

    • Added entropy and Chi² calculations for file sections.

    • Included full flag descriptions for all sections.

    • Unnamed sections now appear as unnamed.

  • Rebalanced the Flow Anomalies module.

    • Added padding and header detection for fragments between sections.

    • Included reading of TLS Callbacks.

    • Improved detection speed for shellcode and payload instructions.

    • Adjusted opcode interpretation with ModR/M and SIB to differentiate simple Displacement form from complex ModRM/SIB parsed, maintaining backward compatibility.

    • Junk code detection at entry points now applies to the entire PE file.

    • Section field detection is now explicitly tied to disk offsets.

    • The heuristic module now includes the [cnf] shortcut to open [Settings].

    • Extended x64 instruction translation support.

  • Added a new “Indirect Call/Jump” heuristic options section in [Settings] for indirect call and jump control.

    • Allows setting the code size to analyze (Decimal, 1,000–100,000 bytes).

    • Init Offset defines the starting analysis point, storable in decimal or hexadecimal.

    • CALL [static], JMP [static], CALL [reg], and JMP [reg] can be toggled individually.

    • “Indirect Call/Jump” configurations are automatically saved and loaded at startup, and can be deleted from the Config files section.
  • Like 4
  • Thanks 3
https://forum.tuts4you.com/files/file/2427-4n4ldetector/
Previous File AT4RE Power Loader

User Feedback

Recommended Comments

4n0nym0us

4n0nym0us

Junior

(edited)

I have uploaded the new version to the web.

Edited by 4n0nym0us

    • Thanks 1
    RDGMax

    RDGMax

    Full Member

    Excellent work. baby malibu

    • Like 2
    4n0nym0us

    4n0nym0us

    Junior

    4n4lDetector 2.9.0

    Download:

    https://github.com/4n0nym0us/4n4lDetector/releases/tag/v2.9

    [+] New logo of the application by Sandra Badia Gimeno (www.sandrabadia.com).
    [+] Relocated Kernel-mode functions to the Suspicious Functions section.
    [+] Surprises are included so you don't get bored with daily use of the tool.
    [+] A multitude of tests were carried out focused on providing the greatest stability, speed and effectiveness of the extracted contents.
    [+] Optimization during idle state. File creation checks are no longer performed for the PECarve and UPX functionalities.
    [+] Detection of sections that allow writing from flags was included.
    [+] The extraction of functions from the "Export Table" using Carving has been slightly improved.
    [+] The name of the file under analysis has been included in the content of the report.
    [+] Added a longer description about the possibilities of the Zombie_AddRef function.
    [+] Fixed a bug where the "Show Offsets" tool dump did not allow reading a small portion of the end of the analyzed file.
    [+] Now when you click on the Virustotal result in the main form, it will take us to the analysis web page.
    [+] Virustotal analysis has been included in the analyzes carried out from console mode.
    [+] Review of Shikata_ga_nai detections and update of Payload detection heuristics.
    [+] Increased and improved the query extraction functionality of the ASCII and UNICODE records branch.
    [+] Increased and improved the ASCII and UNICODE SQL query extraction functionality.
    [+] Increased and improved URL extraction functionality, also searches FTP and SFTP in ASCII and UNICODE.
    [+] Increased and improved ASCII and UNICODE file name extraction functionality.
       -> .EXE, .DLL, .BAT, .VBS, .VBE, .JSE, .WSF, .WSH, .PS1, .PSM1, .PSC1, .SCR, .HTA, .DLL, .PIF, .MSI , .MSP, .SYS, .CPL, .JAR, .TXT, .INI, .PDF, .WDS, .DOC
    [+] The word finder has been completely delimited for any search location of the text boxes.
       -> In web view the browser is now automatically blocked.
    [+] Fixed a rare error in the IPs section that could lead the execution thread to a loop without finishing analyzing the files.
       -> This fix also fixed the ability to end analysis with a single active option in the tool's modules panel.
    [+] The 4n4l.rules module now internally converts text format rules "T:" to Unicode format.
       -> The rules of this file have been optimized, now search more with less.
    [+] The bytes to be reviewed at the Entry Point by the rules file are increased from 100 to 1500.
       -> Revised some of the rules to eliminate false positives after the update.
    [+] The reading of the rule files is done only once after starting the application or after the first analysis, then it is loaded into memory for future uses.
       -> The charging status can be checked from the "Settings" section.
    [+] Added the tilde (~), the dollar ($), the single quote (') and the double quote (") as characters that can be part of the reports.
       -> A conversion filter is applied to these quotes for the tool's Web view.
    [+] Worked on the efficiency of the "Intelligent Strings" module.
       -> The length of strings to be analyzed was increased in all the Strings functionalities of the tool (75% longer strings).
       -> Specific cleanup of anomalous characters is now performed and new ones are allowed.
       -> Search words were extended.
    [+] Added a graph in charge of displaying the content of the executables and any analyzed files.
       -> The executable header is displayed in blue.
       -> The identified sections are divided between magenta for the executable sections and black for the rest.
       -> The excess code of the executables will have a red color as in Crypters, Binders, Joiners...
       -> If the analyzed section contains an RSize of zero, its content will not be painted on the graph.
       -> If the file is not a Windows executable, it will be scanned for printable characters and the absence of printable characters. Blue and black when there is no content.
       -> When you double click on the graph, it will automatically be saved in the analysis folder.
       -> The executions measure the console mode of the application "-TXT", "-HTML" or "-GREMOVE" include the graph as analysis output.

    • Like 1
    • Thanks 1
    4n0nym0us

    4n0nym0us

    Junior

    4n4lDetector 3.0.0

    Download:

    https://github.com/4n0nym0us/4n4lDetector/releases/tag/v3.0

    [+] The function search code for "Import Table" and "Call Api By Name" has been optimized.
    [+] A general optimization has been performed with one of the largest buffers in memory, this positively affects the stability and speed of the general analysis.
    [+] The size of the file to be analyzed has been increased by default to 50MB.
    [+] An optimization has been made in the search engine for the "Show Offsets" option and in the handling of buffers.
    [+] Searches for generic malware terms, different types of exploitation, APTs and terminologies that may affect the State in "4n4l.Rules" have been included.
    [+] A cleaning of null bytes 0x00 is performed in the variable where the report is stored to avoid bugs in the output of the text box of the main form.
    [+] The tool interface takes on a darker base tone.
    [+] A donation button via (PAYPAL) has been included since I have finally decided to continue with the project publicly for everyone.
    [+] A bug was fixed in which false functions could be included in the "Export Table" list by carving.
    [+] The Interest's Words module includes new internal words for the tool, for ansi and unicode.
    [+] A bug in the web view was fixed that could aesthetically affect the view of the Interest's Words module statement.
    [+] Optimizations were made in the Known IP/Domains module for ansi and unicode.
    [+] New search syntaxes were included in the "Intelligent Strings" module to increase interesting results.
       -> Internal cleanup syntaxes were added to show more stylized results.
       -> An optimization has been made with a direct impact on the variables used in this module.
    [+] A more selective cleaning of the extracted URLs is performed:
       -> URLs with extensions in the context of PKI digital certificates are reconstructed.
       -> Htm extensions are reconstructed.
       -> ".com" domain endings are cleaned.
       -> Possible HTML code cleaning is performed.
    [+] A progression system based on medals has been included.
       -> Brown Padawan Medal, Bronze Medal, Silver Medal, Gold Medal and Platinum Medal.
       -> The process can be slow, don't despair... because it's worth it.
       -> These medals will be earned as you use the tool over the course of days, weeks, months and consequently their functionality will also increase progressively.
       -> The medals will only work on the work machine on which they have been earned, if you want to make it work on another machine of yours try it yourself (You're a hacker, right?).
       -> The features or surprises that come with leveling up are not included in this file, although you can review them in the "Settings" section of the tool.

    • Like 4
    • Thanks 1
    Teddy Rogers

    Teddy Rogers

    Administrator

    @4n0nym0us have you tried updating and attaching the latest file here?

    Ted.

    • Like 2

    Create an account or sign in to comment

    Configure browser push notifications
    Chrome (Android)
    1. Tap the lock icon next to the address bar.
    2. Tap Permissions → Notifications.
    3. Adjust your preference.
    Chrome (Desktop)
    1. Click the padlock icon in the address bar.
    2. Select Site settings.
    3. Find Notifications and adjust your preference.