Tuts 4 You

4n4lDetector 2.8.0

About This File

This is a scan tool for Microsoft Windows executables, libraries, drivers and memory dumps. Its main objective is to collect the information needed to identify malicious code within the analyzed files. Among other things, it analyzes the PE header and its structure, the content of the sections and the different types of strings. It also incorporates a multitude of its own ideas for recognizing anomalies in the construction of files and for detecting the mechanisms used by current malware.

Using the tool is simple: configure the options in the drop-down panel on the right and drag the samples into 4n4lDetector.

Full support:
  - 32 bits (8086, x86, ARMv7)
  - 64 bits (AMD64, x86-64, x64, ARMv8)

TI and ET Extraction:

Alpha AXP, ARM, ARM Thumb-2 (32-bit Thumb), ARM64, EFI Byte Code (EBC), Hitachi SH3, Hitachi SH4, Hitachi SH5, Intel i860, Intel Itanium (IA-64), M32R, MIPS16, MIPS16 with FPU, MIPS R3000, MIPS R4000, MIPS with FPU, MIPS little-endian, MIPS little-endian WCE v2, x64, x86, x86-64.

Button colour code:
  - Green buttons are action buttons: they open files and folders or interact with the tool's utilities.
  - Red buttons perform reconfiguration, deletion of data or a reset of functional files.
  - Purple buttons indicate the activation of online interactions.
  - Pink buttons are shortcut buttons that the tool uses as tabs to navigate between the different types of utilities.

Shortcuts:
  - [A] Main analysis tab
  - [W] Analysis tab in modifiable HTML format for reports (WebView)
  - [S] Viewer of the strings extracted from the parsed file
  - [V] Module with the VirusTotal report obtained through its API

Detections:
  - PE Information
  - Unusual Entry Point Position or Code (Algorithms, Anomalous Instructions... )
  - Packers
  - Compilations
  - Binders/Joiners/Crypters
  - Architectures
  - Possible malicious functions
  - Registry Keys
  - Files Access
  - Juicy Words
  - Anti-VM/Sandbox/Debug
  - URLs Extractor
  - Payloads
  - AV Services
  - Duplicate Sections
  - IP/Domains List
  - Config RAT (Only In Memory Dumps)
  - Call API By Name
  - Unusual Chars In Description File (Polymorphic Patterns)
  - Rich Signature Analyzer
  - CheckSum Integrity Problem
  - PE Integrity Check
  - SQL Queries
  - Emails
  - Malicious resources
  - PE Carve
  - Exploits
  - File Rules for Entry Points and more... 😃
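Several of the PE-level checks in this list (unusual entry point position, writable and executable sections, duplicate sections) come straight from the section table. The following Python example is added here and is not 4n4lDetector's own code; `parse_pe`, `scan_pe` and `build_sample` are names chosen for the example, and the sample header it scans is constructed in-line rather than taken from a real file:

```python
import struct
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000  # PE/COFF section flags

def parse_pe(data):
    # Returns (AddressOfEntryPoint, [(name, va, vsize, rsize, characteristics), ...]).
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]                  # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]             # SizeOfOptionalHeader
    opt = pe_off + 24                                                     # optional header start
    entry = struct.unpack_from("<I", data, opt + 16)[0]                   # AddressOfEntryPoint
    secs = []
    for i in range(nsec):                                                 # 40-byte section headers
        name, vsize, va, rsize, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode("latin-1"), va, vsize, rsize, chars))
    return entry, secs

def scan_pe(data):
    entry, secs = parse_pe(data)
    findings = []
    home = [s for s in secs if s[1] <= entry < s[1] + max(s[2], s[3])]     # section holding the EP
    if not home:
        findings.append(f"entry point 0x{entry:x} lies outside every section")
    elif not home[0][4] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point in non-executable section {home[0][0]}")
    for name, va, _, _, chars in secs:
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {name} at RVA 0x{va:x} is writable and executable")
    names = [s[0] for s in secs]
    for dup in sorted({n for n in names if names.count(n) > 1}):
        findings.append(f"duplicate section name {dup}")
    return findings

def build_sample(entry_rva, sections):
    # Constructs a minimal PE32 header (headers only, not a runnable program) for testing.
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                                  # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                                 # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)                            # AddressOfEntryPoint
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, vs, 0x400, 0, 0, 0, 0, ch)
                    for n, va, vs, ch in sections)
    return dos + coff + bytes(opt) + hdrs

SAMPLE = build_sample(0x2010, [  # constructed sample: EP inside a W+X .data section, duplicated .text name
    (".text", 0x1000, 0x1000, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x2000, 0x1000, IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".text", 0x3000, 0x200, IMAGE_SCN_MEM_READ),
])
```

Running `scan_pe(SAMPLE)` reports the W+X `.data` section and the duplicated `.text` name; pointing the entry point at an RVA no section covers, or into a read-only section, produces the entry point findings instead.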

Console options (analysis to file):
  - 4n4lDetector.exe Path\App.exe -GUI (start the graphical interface, parsing the file given on the console)
  - 4n4lDetector.exe Path\App.exe -GREMOVE (remove the binary after the scan)
  - 4n4lDetector.exe Path\App.exe -TXT (parse the file from the console and write the output to a TXT file)
  - 4n4lDetector.exe Path\App.exe -HTML (parse the file from the console and write the output to an HTML file)

Edited by 4n0nym0us


What's New in Version 2.7.0

No changelog available for this version.


User Feedback

Recommended Comments

4n0nym0us

Posted (edited)

I have uploaded the new version to the web.

Edited by 4n0nym0us

RDGMax

Posted

Excellent work. baby malibu


4n0nym0us

Posted

4n4lDetector 2.9.0

Download:

https://github.com/4n0nym0us/4n4lDetector/releases/tag/v2.9

[+] New logo of the application by Sandra Badia Gimeno (www.sandrabadia.com).
[+] Relocated Kernel-mode functions to the Suspicious Functions section.
[+] Surprises are included so you don't get bored with daily use of the tool.
[+] A multitude of tests were carried out focused on providing the greatest stability, speed and effectiveness of the extracted contents.
[+] Optimization during idle state. File creation checks are no longer performed for the PECarve and UPX functionalities.
[+] Detection of sections that allow writing from flags was included.
[+] The extraction of functions from the "Export Table" using Carving has been slightly improved.
[+] The name of the file under analysis has been included in the content of the report.
[+] Added a longer description about the possibilities of the Zombie_AddRef function.
[+] Fixed a bug where the "Show Offsets" tool dump did not allow reading a small portion of the end of the analyzed file.
[+] Now when you click on the Virustotal result in the main form, it will take us to the analysis web page.
[+] Virustotal analysis has been included in the analyses carried out from console mode.
[+] Review of Shikata_ga_nai detections and update of Payload detection heuristics.
[+] Increased and improved the query extraction functionality of the ASCII and UNICODE records branch.
[+] Increased and improved the ASCII and UNICODE SQL query extraction functionality.
[+] Increased and improved URL extraction functionality, also searches FTP and SFTP in ASCII and UNICODE.
[+] Increased and improved ASCII and UNICODE file name extraction functionality.
   -> .EXE, .DLL, .BAT, .VBS, .VBE, .JSE, .WSF, .WSH, .PS1, .PSM1, .PSC1, .SCR, .HTA, .PIF, .MSI, .MSP, .SYS, .CPL, .JAR, .TXT, .INI, .PDF, .WDS, .DOC
[+] The word finder has been completely delimited for any search location of the text boxes.
   -> In web view the browser is now automatically blocked.
[+] Fixed a rare error in the IPs section that could lead the execution thread to a loop without finishing analyzing the files.
   -> This fix also fixed the ability to end analysis with a single active option in the tool's modules panel.
[+] The 4n4l.rules module now internally converts text format rules "T:" to Unicode format.
   -> The rules of this file have been optimized, now search more with less.
[+] The bytes to be reviewed at the Entry Point by the rules file are increased from 100 to 1500.
   -> Revised some of the rules to eliminate false positives after the update.
[+] The reading of the rule files is done only once after starting the application or after the first analysis, then it is loaded into memory for future uses.
   -> The charging status can be checked from the "Settings" section.
[+] Added the tilde (~), the dollar ($), the single quote (') and the double quote (") as characters that can be part of the reports.
   -> A conversion filter is applied to these quotes for the tool's Web view.
[+] Worked on the efficiency of the "Intelligent Strings" module.
   -> The length of strings to be analyzed was increased in all the Strings functionalities of the tool (75% longer strings).
   -> Specific cleanup of anomalous characters is now performed and new ones are allowed.
   -> Search words were extended.
[+] Added a graph in charge of displaying the content of the executables and any analyzed files.
   -> The executable header is displayed in blue.
   -> The identified sections are divided between magenta for the executable sections and black for the rest.
   -> The excess code of the executables will have a red color as in Crypters, Binders, Joiners...
   -> If the analyzed section contains an RSize of zero, its content will not be painted on the graph.
   -> If the file is not a Windows executable, it will be scanned for printable characters and the absence of printable characters. Blue and black when there is no content.
   -> When you double click on the graph, it will automatically be saved in the analysis folder.
   -> Executions in the application's console mode ("-TXT", "-HTML" or "-GREMOVE") include the graph as analysis output.

