Jump to content
Tuts 4 You

4n4lDetector 2.8.0

4n0nym0us

By 4n0nym0us

 Share

4 Screenshots

About This File

This is a scan tool for Microsoft Windows executables, libraries, drivers and mdumps. Its main objective is to collect the necessary information to facilitate the identification of malicious code within the analyzed files. This tool analyzes, among other things, the PE header and its structure, the content of the sections, the different types of strings, among many other things. It also incorporates a multitude of its own ideas to recognize anomalies in the construction of files and the detection of mechanisms used by current malware.

Using the tool is simple, just configure the options in the drop-down panel on the right and drag the samples into 4n4lDetector.

Full support:
  - 32 bits (8086, x86, ARMv7)
  - 64 bits (AMD64, x86-64, x64, ARMv8)

TI and ET Extraction:

Alpha AXP, ARM, ARM Thumb-2 (32-bit Thumb), ARM64, EFI Byte Code, EFI Byte Code (EBC), Hitachi SH3, Hitachi SH3, Hitachi SH4, Hitachi SH5, Intel i860, Intel Itanium (IA-64), M32R, MIPS16, MIPS16 with FPU, MIPS R3000, MIPS R4000, MIPS with FPU, MIPS little-endian, MIPS little-endian WCE v2, x64, x86, x86-64.

Buttons code:
  - Buttons colored green are action buttons that open files and folders or are used to interact with the tool's utilities.
  - The buttons colored in red perform reconfigurations, deletion of data or reset of functional files.
  - Purple buttons announce the activation of online interactions.
  - The pink buttons are shortcut buttons that the tool uses as tabs to navigate between different types of utilities.

Shortcuts:
  - [A] Main analysis tab
  - [W] Analysis tab in modifiable HTML format for report (WebView)
  - [S] Viewer of strings extracted from the parsed file
  - [V] Module with the Virustotal report using its API
  
Detections:
  - PE Information
  - Unusual Entry Point Position or Code (Algorithms, Anomalous Instructions... )
  - Packers
  - Compilations
  - Binders/Joiners/Crypters
  - Architectures
  - Possible malicious functions
  - Registry Keys
  - Files Access
  - Juicy Words
  - Anti-VM/Sandbox/Debug
  - URLs Extractor
  - Payloads
  - AV Services
  - Duplicate Sections
  - IP/Domains List
  - Config RAT (Only In Memory Dumps)
  - Call API By Name
  - Unusual Chars In Description File (Polymorphic Patterns)
  - Rich Signature Analyzer
  - CheckSum Integrity Problem
  - PE Integrity Check
  - SQL Queries
  - Emails
  - Malicious resources
  - PE Carve
  - Exploits
  - File Rules for Entry Points and more... 😃

Console Options (Analysis to file):
  - 4n4lDetector.exe Path\App.exe -GUI (Start the graphical interface parsing a file from the console)
  - 4n4lDetector.exe Path\App.exe -GREMOVE (Remove binary after scan)
  - 4n4lDetector.exe Path\App.exe -TXT (Parse a file from the console and the output is written to a TXT file)
  - 4n4lDetector.exe Path\App.exe -HTML (Parse a file from the console and the output is written to HTML file)

Edited by 4n0nym0us

What's New in Version 2.8.0   See changelog

Released

Video tutorial (Spanish):

https://www.youtube.com/watch?v=-zCPk_nuY4c

 

New features added:

[+] A notice is added to the sections section when the identified section is executable.
[+] The SHA-256 and SHA-1 Hashes of all analyzed files are now also calculated.
[+] Including the original name of the analyzed library in the "[Export Table]" button.
[+] Now 4n4lDetector is able to identify content in the Import Table even though the "Original First Thunk" Offset is at "0" as in UPX tablets.
[+] The "Settings" module now has a subtle optimization to avoid freezes when downloading notifications.
[+] The code responsible for resource extraction has been optimized, it is now faster.
[+] Entry Point extraction has been restructured, optimizing its code and improving extraction speed.
[+] Optimized and removed some of the internal rules of 4n4lDetector to avoid some false positives.
[+] The file description extractor algorithm was modified, it is now more effective.
[+] The Carving PE result is now stored in a folder called PECarve within the analysis section.
[+] Virustotal information has been relocated to the main panel. (Use your personal API_KEY).
   -> SORRY MICROSOFT... I think we are at peace after that CobaltStrike detection ❤️
[+] The "IT Functions:" section of the main analysis is now called "Suspicious functions:", this being more accurate.
   -> Functions now have a description of their functionalities.
[+] The "Strings" functionality now runs automatically, visible in the "S" button after scans while "Intelligent Strings" is active.
   -> Increased the effectiveness and speed of the "Intelligent Strings" module and the "Strings" functionality.
[+] The "Sections Info" option is now internal and in its place an optional one has been created to decompress UPX samples.
   -> The unzipped samples are stored in the analysis path, within a folder called UPX.
   -> The UPX binary is located in the root of 4n4lDetector, in a folder called "bin" and can be modified by the user.
[+] The verification of signed executables, the checksum signature and the Rich signature are now grouped in the "Signatures" section.
[+] Changes in the management of the Rich firm.
   -> The entire signature is extracted, not just the first part.
   -> Added a hash for detection.
   -> its integrity is verified with a review of the old algorithm.
[+] A new tool has been added to extract Offsets directly from the executable and view its contents.
   -> It is now possible to manually perform code searches in hexadecimal, ASCII and UNICODE.
   -> A functionality to review the assembly code has also been included.
   -> This tool executes its main functions automatically with the Entry Point after each analysis.
[+] Added extraction of import and export tables from the rest of the existing executable architectures.
   -> Alpha AXP, ARM, EFI Byte Code, EFI Byte Code (EBC), Hitachi SH3, Hitachi SH3, Hitachi SH3, Hitachi SH4, Hitachi SH5, Intel Itanium (IA-64), Intel i860, M32R, MIPS16, MIPS16 with FPU, MIPS R3000, MIPS R4000, MIPS little-endian, MIPS little-endian WCE v2, MIPS with FPU.

  • Like 4
  • Thanks 2
 Share
Previous File RozDll (Advanced Dynamic Proxy DLL Generator)

User Feedback

Recommended Comments

4n0nym0us

4n0nym0us 9

Posted (edited)

I have uploaded the new version to the web.

Edited by 4n0nym0us
  • Thanks 1
Link to comment
Share on other sites
RDGMax

RDGMax 141

Posted

Excellent work. baby malibu

  • Like 2
Link to comment
Share on other sites
4n0nym0us

4n0nym0us 9

Posted

4n4lDetector 2.9.0

Download:

https://github.com/4n0nym0us/4n4lDetector/releases/tag/v2.9

[+] New logo of the application by Sandra Badia Gimeno (www.sandrabadia.com).
[+] Relocated Kernel-mode functions to the Suspicious Functions section.
[+] Surprises are included so you don't get bored with daily use of the tool.
[+] A multitude of tests were carried out focused on providing the greatest stability, speed and effectiveness of the extracted contents.
[+] Optimization during idle state. File creation checks are no longer performed for the PECarve and UPX functionalities.
[+] Detection of sections that allow writing from flags was included.
[+] The extraction of functions from the "Export Table" using Carving has been slightly improved.
[+] The name of the file under analysis has been included in the content of the report.
[+] Added a longer description about the possibilities of the Zombie_AddRef function.
[+] Fixed a bug where the "Show Offsets" tool dump did not allow reading a small portion of the end of the analyzed file.
[+] Now when you click on the Virustotal result in the main form, it will take us to the analysis web page.
[+] Virustotal analysis has been included in the analyzes carried out from console mode.
[+] Review of Shikata_ga_nai detections and update of Payload detection heuristics.
[+] Increased and improved the query extraction functionality of the ASCII and UNICODE records branch.
[+] Increased and improved the ASCII and UNICODE SQL query extraction functionality.
[+] Increased and improved URL extraction functionality, also searches FTP and SFTP in ASCII and UNICODE.
[+] Increased and improved ASCII and UNICODE file name extraction functionality.
   -> .EXE, .DLL, .BAT, .VBS, .VBE, .JSE, .WSF, .WSH, .PS1, .PSM1, .PSC1, .SCR, .HTA, .DLL, .PIF, .MSI , .MSP, .SYS, .CPL, .JAR, .TXT, .INI, .PDF, .WDS, .DOC
[+] The word finder has been completely delimited for any search location of the text boxes.
   -> In web view the browser is now automatically blocked.
[+] Fixed a rare error in the IPs section that could lead the execution thread to a loop without finishing analyzing the files.
   -> This fix also fixed the ability to end analysis with a single active option in the tool's modules panel.
[+] The 4n4l.rules module now internally converts text format rules "T:" to Unicode format.
   -> The rules of this file have been optimized, now search more with less.
[+] The bytes to be reviewed at the Entry Point by the rules file are increased from 100 to 1500.
   -> Revised some of the rules to eliminate false positives after the update.
[+] The reading of the rule files is done only once after starting the application or after the first analysis, then it is loaded into memory for future uses.
   -> The charging status can be checked from the "Settings" section.
[+] Added the tilde (~), the dollar ($), the single quote (') and the double quote (") as characters that can be part of the reports.
   -> A conversion filter is applied to these quotes for the tool's Web view.
[+] Worked on the efficiency of the "Intelligent Strings" module.
   -> The length of strings to be analyzed was increased in all the Strings functionalities of the tool (75% longer strings).
   -> Specific cleanup of anomalous characters is now performed and new ones are allowed.
   -> Search words were extended.
[+] Added a graph in charge of displaying the content of the executables and any analyzed files.
   -> The executable header is displayed in blue.
   -> The identified sections are divided between magenta for the executable sections and black for the rest.
   -> The excess code of the executables will have a red color as in Crypters, Binders, Joiners...
   -> If the analyzed section contains an RSize of zero, its content will not be painted on the graph.
   -> If the file is not a Windows executable, it will be scanned for printable characters and the absence of printable characters. Blue and black when there is no content.
   -> When you double click on the graph, it will automatically be saved in the analysis folder.
   -> The executions measure the console mode of the application "-TXT", "-HTML" or "-GREMOVE" include the graph as analysis output.

  • Like 1
  • Thanks 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...