风吹屁屁凉 posted on 2023-6-14 17:42

4n4lDetector v2.4


![](https://user-images.githubusercontent.com/76454196/168347380-fc575373-40d8-4e7d-b755-7167ef23fe98.jpg)

## Advanced static analysis tool

4n4lDetector is an analysis tool for Microsoft Windows executable files, libraries, drivers and mdumps, for x86 and x64. As of v1.8 it also covers anomaly analysis of Linux ELF executables. Its main objective is to collect the information needed to identify malicious code inside the analyzed files. Among other things, it examines the PE header and its structure, the content of the sections and the different types of strings the file contains. It also incorporates a number of its own heuristics for recognizing anomalies in how a file was constructed and for detecting mechanisms used by current malware.

Project page: http://www.enelpc.com/p/4n4ldetector.html

### Some Images:

![](https://user-images.githubusercontent.com/76454196/174343536-6832d5c2-b9b0-4fac-afc6-c31e9bc1617b.png)

![](https://user-images.githubusercontent.com/76454196/165567392-43a4393f-09e1-4de7-bf5c-85fafeb5718c.png)

![](https://user-images.githubusercontent.com/76454196/165567354-124a64e9-d6b7-445c-9fb7-d2855490b2ef.png)

      
### v2.4
   [+] Removed the limit on the number of characters shown in the String viewer; this also applies to the Export and Import Table views.
   [+] Optimizations that prioritize the stability of the tool at the cost of a minimal loss of speed during analysis.
   [+] Added extraction of the SYSTEM branch of the registry.
   [+] The Strings tool has been optimized, with a very positive impact on its speed.
   [+] Expanded the Strings tool's collection of strings of interest.
   [+] Added a new string search module called Inlligent Strings, which searches for keywords the way a malware analyst would.
         -> Includes a cleanup function for paths and internet addresses, which affects this module.
   [+] The elapsed analysis time is now shown in the title of the main form once the analysis finishes.
   [+] Dropping samples onto the web view is now blocked, so a dragged sample can no longer be executed from there.
      
### v2.3
   [+] Added a setting for the maximum size of the files to analyze.
         -> Analysis times grow when the MaxFileLen(MB) field is set well above its default.
         -> For files larger than usual it is recommended to disable some of the analysis options.
   [+] The process runs with high priority during the scan time and while some demanding tasks are performed.
   [+] Fixed a bug that could lead to an unexpected application crash after parsing a malformed executable type.
   [+] Fixed a bug that could lead to an unexpected application crash after parsing a malformed header type.
   [+] Removed the default limit on the number of characters shown in the analysis viewer, affecting the web view and analysis from the console.
   [+] Removed the limit on the number of characters shown in the HTML code viewer of the web view.
   [+] The number of functions extracted from the export table in the carving section has been raised from 130 to 400.
   [+] Fixed a bug that could hang the program during the extraction of the name of the sections.
   [+] The use of the Timers of the tool during the analysis time was optimized.
   [+] Added a large number of detections in Unicode format to the "4n4l.rules" rules file.
   [+] Fixed a bug that could disable the Export Table button for some libraries.
   [+] Fixed a bug that could generate a lot of junk characters after parsing certain UPX files.
   [+] Optimizations have been made with the application's memory usage.
   [+] The program bar now shows the number of characters in the analysis report.
      
### v2.2
   [+] Correction of slight visual defects in the interface.
   [+] Correction in the URL extraction module.
   [+] The "4n4l.rules" file now includes detection of APIs related to the following areas:
             -> Networking
             -> Persistence
             -> Encryption
             -> Anti-analysis / virtual machine detection
             -> Stealth
             -> Execution
             -> Antivirus
             -> Privileges
             -> Keyboard keys
             -> WMI execution
   [+] Reorganization of files:
             -> Configuration "cnf" and "vtapi" (Virustotal) in the folder
             -> Dictionaries in the ".\db\rules" folder.
   [+] Improved the integration of the "Strings" tab with the "Export table" and "Import table" functions.
   [+] The analysis tab now shows the Virustotal detection rate when the sample is detected by any antivirus.
   [+] Mobile interface with magical surprises.
   
### v2.1
   [+] Tags in text coming from the analysis tab are now converted to HTML entities before being displayed in the report section.
   [+] Added new words of interest to the internal list of 4n4lDetector.
   [+] Added extraction of new execution statements from the analyzed binaries.
   [+] Removed empty DIE detections (PE: 0).
   [+] Reorganized the Packer/Compiler/Entropy detections.
   [+] The entropy calculation is now done in the DIE section when the Entropy/count option is activated.
   [+] All resources are now checked for malicious executables.

### v2.0
[+] From the command line, by default and without any parameter, files are analyzed by opening the graphical interface, as if "-GUI" had been used.
[+] Updated the Detect It Easy "DIE" application database, covering all file types.
[+] Included entropy analysis of the analyzed file in the "Extra 4n4lysis" section.
[+] The drag and "Add File" options are now blocked while a scan is running.
[+] ImpHash calculation included (x86/x64).
[+] The code of x64 binaries is now disassembled with the Capstone disassembler.
[+] Extraction at the Entry Point is extended to 40 bytes, improving the "EPRules" detections (x86/x64).
[+] The TimeDateStamp field now defaults to hexadecimal.
[+] Fixed the Epoch conversion failing for some TimeDateStamp values.
[+] Raw Entry Point detection for all x64 binaries.
[+] Improved extraction of the UAC execution level from the manifest XML resource.
[+] Improved reading of the Characteristics field in x64 binaries to distinguish EXE from DLL.

### v1.9
[+] Included a modifiable dictionary of wildcard rules for the first 25 bytes of the EP, with over 3,700 compiler and packer detection lines.
[+] Details and settings in the interface.
[+] The form opens in the center of the screen to improve viewing at unusual resolutions.
[+] Added a list of thanks ;)
[+] Fixed a bug opening executables blocked by the system, observed on Windows 11.
[+] Fixed a crash related to the current folder when manually dragging a sample for analysis.
[+] Improved the stability of the application form.
[+] Added two buttons that are activated automatically when functions are identified in the import/export tables.
[+] Several bugs related to the extraction of opcodes at some Entry Points have been corrected.
[+] Fixed a bug that could unexpectedly close the application after parsing certain UPX files.
[+] A warning is shown when a user runs 4n4lDetector.exe without the files it needs to work correctly.
[+] UPX compression version detector updated.
[+] The "Emails" module is now optional and disabled by default, because of the delay it could cause on some rare binaries.

### v1.8
[+] Double header detection in ELF Linux executables.
[+] Added UPX version number extraction for ELF Linux executables (widely used in malware these days).
[+] Added identification of all ELF Linux executable types.
[+] The user interface is friendlier than ever.
[+] The first fragment of the Rich signature is shown when one is found.
[+] It's taken 9 versions of 4n4lDetector... but it's here: you can now maximize the form!
[+] Improved the email identification algorithm to avoid duplicate addresses.
[+] Fixed a bug that could unexpectedly close the application after opening a specific type of file.
[+] Improved string cleanup after extracting libraries in UNICODE format.
[+] Fixed a bug when showing the available functions and their count in the export table.
[+] Added a web viewer for reports, with the following tools:
          -> Options for modifying the title and content of the report
          -> A viewer of the generated HTML code
          -> A button to save the report to a document
          -> A button to open the folder that holds all the saved reports
[+] Added the "-HTML" parameter for extracting reports in HTML format from the console:
          -> 4n4lDetector.exe Path\App.exe -HTML

### v1.7
[+] Added new functionality to identify ASLR-enabled binaries.
[+] Fixed a bug that could crash the application on some binaries.
[+] Improved the integration of the debugger used to read the Entry Point of x86 binaries.
[+] Smoothed the design of the form interface and repositioned controls.
[+] The process execution functionality has been removed; analysis of MDUMPS is still supported.

### v1.6
[+] Added new functionality to view the Entry Point code in ASM for x86 binaries.
[+] Added combined rules for strings in hexadecimal and text, with multiple matches.
         -> The rule description field ends with the rule number, separated by "-" from the total number of rules belonging to the same combination.
         Example: H:1A6C6488F2736988:Rich Signature Found 1-2
         (Currently it only allows a maximum of 9 matches...) ;)

### v1.5 new revision for Enelpc_debugger
[+] Fixed a bug in the word search engine of the main interface.
[+] Changed the cleanup function that removes extraneous characters from the output.
[+] Added section name extraction.
[+] Added the option to select a dictionary of words and hexadecimal codes to search for in the binary in a customized way.
         -> "H" defines the string in hexadecimal.
         -> "T" defines the string as text.
         -> The last field, separated by ":", is the description used in the 4n4lDetector output.

### v1.4 new revision for Enelpc_debugger
[+] Fixed a bad bug with the "-TXT" option for console executions.
[+] Added the ability to open LNK files and automatically resolve the executable path they point to.
[+] The "Add File" button allows a simpler file search.

### v1.4
[+] Small bug fixes.
[+] Added identification of the operating system version on which the sample can run, shown in "Information".
[+] Added the Analysis, Strings and Virustotal buttons to the interface.
[+] Added the Virustotal option to the list of checks, along with a button to select the ApiKey.
[+] Added a "Check" to extract emails.

### v1.3
[+] Fixed a bug in the extraction of some versions of UPX.
[+] Extraction of the SQL queries contained in the binary.
[+] Blocks of 5 consecutive NOPs are counted, as an indicator of Code Caves.
[+] More unusual code is checked after the Entry Point.
[+] Added Zw function extraction (Kernel Mode).
[+] Added polymorphism detections (PEScrambler).
[+] Added a routine that counts ASCII characters and null characters.
[+] Added the "Show Options" button, where many of the features are found.
[+] Added a module for email extraction.
[+] Added a module for IP address extraction.
[+] Added a warning when a digital signature is found.
[+] Added Drag&Drop to the text box where the information is displayed.
[+] Added a DOS Header check algorithm to the Heuristics module.
[+] Improved the cleanliness with which the extracted strings are displayed.
[+] Added a new button to the main interface to view the strings the binary contains.
[+] Added a word search engine.
[+] Added two buttons, activated after using the "Strings" button, that allow navigating between the main information and the strings obtained with that button.

### v1.2
[+] Fixed a bug when showing old versions of UPX.
[+] Fixed a bug that affected the detection of some Entry Points.
[+] Added the word EOF to the description of the Dropper detections.
[+] Increased the effectiveness of the Shikata Ga Nai detection routine.
[+] Removed extracted executables with asterisks.
[+] Integrity review of the PE format.
[+] Microsoft Rich Signature integrity review.
[+] CheckSum integrity check.
[+] Added the TimeDateStamp field and the build date.
[+] Detection of migrations from the Entry Point to other areas of executable code.
[+] Added an icon viewer.
[+] Added a detection routine for Visual Basic 5/6 applications with unusual code after their Entry Point.
[+] Expanded packer detection.
[+] Added an incomplete (truncated) executable detection routine.
[+] Added creation of a registry file "Add4n4lMenu.reg" to add the analysis quickly to the Explorer context menu.
[+] Added library extraction.
[+] Added parameter parsing for the 4n4lDetector.exe executable:
          -> 4n4lDetector.exe Path\App.exe -GUI
          -> 4n4lDetector.exe Path\App.exe -TXT
          -> 4n4lDetector.exe Path\App.exe -GREMOVE (deletes the binary after its analysis)

## Download:
https://github.com/4n0nym0us/4n4lDetector/releases/download/v2.4/4n4lDetectorV2.4.zip
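The changelog above lists several header-level checks the tool performs: EXE/DLL from the Characteristics field (v2.0), ASLR from DllCharacteristics (v1.7), TimeDateStamp shown in hexadecimal and as a build date (v2.0, v1.2), the CheckSum integrity check, Entry Point location and truncated-executable detection (v1.2), and section name extraction (v1.5). The Python below is an example added here; it is not code from 4n4lDetector or its README. It implements those checks from scratch over a PE32 image constructed inline (build_sample_pe, parse_pe and pe_checksum are names chosen for this example, and the image is not a real program). It also carries the caveat a practitioner wants on the checksum check: a CheckSum of 0 means the field was never set, which is normal for user-mode executables, so only a non-zero value that disagrees with the recomputed one should be flagged.

```python
import struct
from datetime import datetime, timezone

IMAGE_FILE_DLL = 0x2000                         # IMAGE_FILE_HEADER.Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # IMAGE_OPTIONAL_HEADER.DllCharacteristics


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE CheckSum as the loader computes it: fold every dword except the CheckSum
    field itself into 16 bits with end-around carry, then add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == (checksum_offset & ~3):   # skip the dword holding the stored CheckSum
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> dict:
    """Header checks in the spirit of the changelog: EXE/DLL flag, ASLR, build date,
    CheckSum integrity, Entry Point location and truncated-file detection."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    _machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    ep = struct.unpack_from("<I", data, opt + 16)[0]
    stored_sum = struct.unpack_from("<I", data, opt + 64)[0]   # same offset in PE32 and PE32+
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    sections = []
    for i in range(nsec):   # first 24 bytes of each 40-byte IMAGE_SECTION_HEADER
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rawsize, rawptr))
    ep_section = next((s[0] for s in sections if s[2] <= ep < s[2] + max(s[1], s[3])), None)
    if stored_sum == 0:
        checksum_status = "unset"       # never filled in; normal for user-mode EXEs, drivers must carry one
    elif stored_sum == pe_checksum(data, opt + 64):
        checksum_status = "ok"
    else:
        checksum_status = "mismatch"    # file was modified after the checksum was written
    return {
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "aslr": bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "timestamp_hex": f"0x{stamp:08X}",
        "build_date": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "checksum_status": checksum_status,
        "entry_point_section": ep_section,
        # raw data of a section lying past end-of-file is the classic truncated-download sign
        "truncated": any(s[4] + s[3] > len(data) for s in sections),
        "sections": [s[0] for s in sections],
    }


def build_sample_pe(dll=False, aslr=True, entry_point=0x1000, truncate=False, corrupt=False) -> bytes:
    """Constructed PE32 image for this example (headers plus one .text section); not a real program."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)                        # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 1700000000, 0, 0, 0xE0, chars)  # i386, 1 section, stamp 2023-11-14
    dllchars = 0x0100 | (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if aslr else 0)  # NX_COMPAT [| DYNAMIC_BASE]
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0,                                          # PE32 magic, linker version
                      0x200, 0, 0, entry_point, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                      6, 0, 0, 0, 6, 0,                                      # OS/image/subsystem versions
                      0, 0x2000, 0x200, 0,                                   # Win32Ver, SizeOfImage, SizeOfHeaders, CheckSum
                      3, dllchars,                                           # CUI subsystem, DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)             # stack/heap, LoaderFlags, NumberOfRvaAndSizes
    opt += b"\0" * (16 * 8)                                                  # empty data directories
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + sec
    headers += b"\0" * (0x200 - len(headers))
    body = b"\x55\x89\xe5\x31\xc0\x5d\xc3" + b"Hello from .text\0"          # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
    body += b"\0" * (0x200 - len(body))
    image = bytearray(headers + body)
    cs_off = e_lfanew + 4 + 20 + 64
    struct.pack_into("<I", image, cs_off, pe_checksum(bytes(image), cs_off))
    if corrupt:
        image[0x300] ^= 0xFF        # one byte patched after the checksum was written
    if truncate:
        del image[0x300:]           # cut the file inside .text, as an interrupted download would
    return bytes(image)


if __name__ == "__main__":
    print(parse_pe(build_sample_pe()))
```

Passing corrupt=True or truncate=True to build_sample_pe reproduces the checksum-mismatch and truncation cases, and entry_point=0x5000 produces an Entry Point that falls outside every section, the situation behind the "migration from the Entry Point" and raw Entry Point detections listed above.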
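The v1.5 and v1.6 notes above describe the format of the user-selectable rules file: one rule per line, H:<hex>:<description> or T:<text>:<description>, where the description is the last ":"-separated field and a combined rule carries an N-M suffix giving its part number and the size of the combination (at most 9). The Python below is an example added here, not code from the project, implementing a parser and scanner for that format. Two points are assumptions rather than statements from the page: that a combination fires only when all M parts are found (partial matches are reported separately so a lone fragment does not trigger a detection), and that a T rule matches both ASCII and UTF-16LE, in the spirit of the Unicode detections mentioned for v2.3. SAMPLE_RULES and the byte strings scanned are constructed for the example and are not entries from 4n4l.rules.

```python
import re
from collections import defaultdict, namedtuple

Rule = namedtuple("Rule", "kind needles desc idx total line")

# Constructed rules in the H:/T: format of the changelog (not entries from the project's 4n4l.rules).
SAMPLE_RULES = """\
H:44616E53:Rich Signature Found 1-2
H:52696368:Rich Signature Found 2-2
T:cmd.exe /c:Command shell execution
T:SeDebugPrivilege:Debug privilege requested
H:E8000000005B:GetPC stub (call $+5 / pop ebx)
"""

# Constructed byte string standing in for a scanned binary: plain "DanS"/"Rich" markers,
# a call/pop GetPC stub, an ASCII command line and a UTF-16LE privilege name.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"DanS" + b"\x00" * 16 + b"Rich" + b"\x00" * 4
    + b"\xe8\x00\x00\x00\x00\x5b"
    + b"cmd.exe /c whoami\x00"
    + "SeDebugPrivilege".encode("utf-16-le") + b"\x00\x00"
)
SAMPLE_BINARY_NO_DANS = SAMPLE_BINARY.replace(b"DanS", b"\x00\x00\x00\x00")


def parse_rules(text: str) -> list:
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        kind, rest = line.split(":", 1)
        pattern, desc = rest.rsplit(":", 1)          # description is the last ':'-separated field
        if kind == "H":
            needles = (bytes.fromhex(pattern),)
        elif kind == "T":
            # assumption: text rules match as ASCII or as UTF-16LE (the "Unicode format" detections)
            needles = (pattern.encode("ascii"), pattern.encode("utf-16-le"))
        else:
            raise ValueError(f"line {lineno}: unknown rule type {kind!r}")
        m = re.search(r"\s(\d)-(\d)$", desc)          # "N-M": part N of an M-part combination
        if m:
            desc, idx, total = desc[:m.start()], int(m.group(1)), int(m.group(2))
        else:
            idx = total = 1
        if not 1 <= idx <= total <= 9:
            raise ValueError(f"line {lineno}: bad combination index {idx}-{total}")
        rules.append(Rule(kind, needles, desc, idx, total, lineno))
    return rules


def scan(data: bytes, rules: list):
    """Return (complete, partial): description -> sorted offsets of the parts that matched.
    A combination is reported as complete only when every one of its M parts is present."""
    found = defaultdict(dict)
    totals = {}
    for r in rules:
        totals[r.desc] = r.total
        for needle in r.needles:
            off = data.find(needle)
            if off != -1:
                found[r.desc][r.idx] = off
                break
    complete, partial = {}, {}
    for desc, total in totals.items():
        offs = sorted(found[desc].values())
        if len(found[desc]) == total:
            complete[desc] = offs
        elif offs:
            partial[desc] = offs
    return complete, partial


if __name__ == "__main__":
    hits, fragments = scan(SAMPLE_BINARY, parse_rules(SAMPLE_RULES))
    for desc, offs in hits.items():
        print(f"{desc}: {', '.join(hex(o) for o in offs)}")
    print("partial:", fragments)
```

Scanning SAMPLE_BINARY_NO_DANS instead shows the point of the combination rule: the "Rich" fragment alone lands in the partial dictionary and is not reported as a Rich Signature detection.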

29176413 posted on 2023-6-14 19:17

Advanced static analysis tool
4n4lDetector is an analysis tool for Microsoft Windows executable files, libraries, drivers and mdumps, for x86 and x64. Starting with v1.8, it also includes extended use for analyzing anomalies in Linux ELF executables. Its main purpose is to collect the information needed to identify malicious code in the analyzed files. The tool analyzes the PE header and its structure, the contents of the sections, different types of strings, and more. It also incorporates many of its own ideas for recognizing anomalies in file construction and detecting mechanisms used by current malware.

v2.4
[+] The number of characters shown in the string viewer is no longer limited; this also affects the export and import tables.
[+] Optimizations have been made that prioritize the stability of the tool at the cost of a minimal loss of speed during analysis.
[+] Added extraction of the SYSTEM branch of the registry.
[+] The Strings tool has been optimized, with a very positive impact on its speed.
[+] Expanded the Strings tool's collection of new strings.
[+] Added a new string search module called Inlligent Strings. (Searches for keywords the way a malware analyst would.)
-> Includes a cleanup function for paths and internet addresses that affects this module.
[+] A timing indicator is included in the title of the main form after the analysis finishes.
[+] Blocked the option of dragging samples onto the web code, avoiding the execute option.

v2.3
[+] Added a new feature that allows choosing the size of the files to analyze.
-> Analysis times are longer if the setting is far above the default in the MaxFileLen(MB) field.
-> It is recommended to disable options for larger-than-usual files.
[+] The process runs at high priority during the scan and while some demanding tasks are performed.
[+] Fixed a bug that could cause an unexpected application crash after parsing a malformed executable type.
[+] Fixed a bug that could cause an unexpected application crash after parsing a malformed header type.
[+] By default the number of characters shown in the analysis viewer is no longer limited, affecting the web view and console analysis.
[+] The number of characters shown in the HTML code viewer of the web view is no longer limited.
[+] The number of functions extracted from the export table in the carving section has been increased from 130 to 400.
[+] Fixed a bug that could hang the program while extracting section names.
[+] Optimized the use of the tool's timers during analysis.
[+] Added a large number of Unicode-format detections to the "4n4l.rules" rules file.
[+] Fixed a bug that could disable the export table button for some libraries.
[+] Fixed a bug that could generate a lot of junk characters after parsing certain UPX files.
[+] Optimized the application's memory usage.
[+] The program bar now shows the number of characters in the analysis report.

v2.0
[+] By default, from the command line and without any parameters, files are analyzed by opening the graphical interface, just as with "-GUI".
[+] Updated the Detect It Easy "DIE" application database covering all file types.
[+] Included entropy analysis of the analyzed file in the "Extra 4n4lysis" section.
[+] The drag and add-file options are now blocked while a scan is running.
[+] Included ImpHash calculation (x86/x64).
[+] Analyze the assembly code of x64 binaries with the Capstone disassembler.
[+] Extraction extended to 40 bytes from the entry point, improving "EPRules" (x86/x64) detections.
[+] The TimeDateStamp field now defaults to hexadecimal.
[+] Fixed the Epoch conversion failing for some TimeDateStamp values.
[+] Raw entry point detection for all x64 binaries.
[+] Improved extraction of the UAC execution level from the XML resource.
[+] Improved reading of the characteristics field in x64 binaries to identify EXE/DLL.

v1.9
[+] Included a modifiable dictionary of wildcard rules for the first 25 bytes of the EP, with over 3,700 compiler and packer detection lines.
[+] Details and settings in the interface.
[+] The form opens in the center of the screen to improve viewing at unusual resolutions.
[+] Added a thanks list ;)
[+] Fixed a bug opening executables blocked by the system, observed in Windows 11.
[+] Fixed the current-folder crash when manually dragging a sample for analysis.
[+] Improved the stability of the application form.
[+] Added two buttons that activate automatically when functions are identified in the import/export tables.
[+] Several bugs related to extracting opcodes at some entry points have been corrected.
[+] Fixed a bug that could unexpectedly close the application after parsing certain UPX files.
[+] A warning is included when a user runs 4n4lDetector.exe without the files required for it to work properly.
[+] Updated the UPX compression version detector.
[+] By default the "Emails" module is included as (optional, disabled), because it could cause delays on some rare binaries.

v1.8
[+] Double header detection in ELF Linux executables
[+] Added UPX version number extraction for ELF Linux executables (widely used in malware nowadays)
[+] Added identification of all ELF Linux executable types
[+] The user interface is friendlier than ever.
[+] The first fragment of the Rich signature is included in case you find it.
[+] It took 9 versions of 4n4lDetector... but it's here, you can now maximize the form!
[+] Improved the email identification algorithm to avoid duplicate addresses.
[+] Fixed a bug that could unexpectedly close the application after opening a specific type of file.
[+] Improved string cleanup after extracting libraries in UNICODE format.
[+] Fixed a bug when showing the available functions and their count in the export table.
[+] Added the ability to view reports from a web viewer with the following tools
-> Options for modifying the report title and content
-> A viewer of the generated HTML code for display
-> A button to save the report to a document
-> An integrated button to open the folder holding all saved reports
[+] Added the "-HTML" parameter to extract reports in HTML format from the console:
-> 4n4lDetector.exe Path\App.exe -HTML

v1.7
[+] Added a new feature to identify ASLR-enabled binaries.
[+] Fixed a bug that could crash the application on some binaries.
[+] Improved the integration of the debugger used to read the entry point of x86 binaries.
[+] Smoothed the form interface design and repositioned controls.
[+] The process execution feature has been removed, although the ability to analyze MDUMPS is kept.

v1.6
[+] Added a new feature to view the entry point code of x86 binaries in ASM.
[+] Added combined rules for hexadecimal and text strings, with multiple matches.
-> The end of the rule description field contains the rule number, separated by "-" from the total number of rules belonging to the same combination.
Example: H:1A6C6488F2736988:Rich Signature Found 1-2
(Currently a maximum of 9 matches is allowed...) ;)

v1.5 new revision for Enelpc_debugger
[+] Fixed a bug in the word search engine of the main interface.
[+] Changed the cleanup function that removes extraneous characters from the output.
[+] Added section name extraction.
[+] Added the option to select a dictionary of words and hexadecimal codes to search the binary in a customized way.
-> "H" defines the string in hexadecimal.
-> "T" defines the string as text.
-> The last field, separated by ":", is the description used in the 4n4lDetector output.

v1.4 new revision for Enelpc_debugger
[+] Fixed a (messed up) bug with the "-TXT" option for console executions.


twl288 posted on 2023-6-14 23:33

It's all in English, I can't understand it.

homehome posted on 2023-6-15 08:10

Thanks to the OP for sharing, and thanks to the first reply for the translation.

zghsgi posted on 2023-6-15 08:38

I recognize all 26 "bean sprouts" (letters), just not the combinations they form.

gcode posted on 2023-6-15 09:36

29176413 posted on 2023-6-14 19:17
Advanced static analysis tool
4n4lDetector is an analysis tool for Microsoft Windows executable files, libraries, drivers and mdu ...

Thanks for providing the Chinese version.

erui posted on 2023-6-15 18:10

29176413 posted on 2023-6-14 19:17
Advanced static analysis tool
4n4lDetector is an analysis tool for Microsoft Windows executable files, libraries, drivers and mdu ...

Thanks for sharing, this translation is really helpful.

flyingdancex posted on 2023-6-15 18:57

Similar to IDA??

鹏飞 posted on 2023-6-16 12:31

A very nice tool, bookmarking it for later use.

xixicoco posted on 2023-6-17 00:48

Looks pretty impressive.