4n4lDetector is an analysis tool for Microsoft Windows executable files, libraries, drivers and mdumps for x86 and x64. As of v1.8 an extended use for analyzing anomalies in Linux ELF executables was also included. Its main objective is to collect the necessary information to facilitate the identification of malicious code inside the analyzed files. This tool analyzes, among other things, the PE header and its structure, the content of the sections, the different types of strings, among many other things. It also incorporates a multitude of its own ideas to recognize anomalies in the construction of files and the detection of mechanisms used by current malware.
Some Images:
v2.4
[+] Unlimited the number of characters shown in the String viewer, also affecting the Export and Import Table.
[+] Optimizations have been made prioritizing the stability of the tool at the expense of the minimum loss of speed during the analysis.
[+] Added extraction of the SYSTEM branch of the registry.
[+] The Strings tool has been optimized, having a very positive impact on its speed.
[+] Expanded the Strings tool's collection of new strings.
[+] Added a new string search module called Inlligent Strings. (Search for keywords just like a malware analyst would)
-> Included a cleanup function for routes and internet addresses that affects this module.
[+] Included a time control after finishing the analysis in the title of the main form.
[+] Blocked the option to drag samples over the Web code avoiding the option to execute.
v2.3
[+] Added a new functionality that allows choosing the sizes of the files to analyze.
-> Analysis times are higher with settings well above the default in the MaxFileLen(MB) field.
-> It is recommended to disable options in files larger than usual.
[+] The process runs with high priority during the scan time and while some demanding tasks are performed.
[+] Fixed a bug that could lead to an unexpected application crash after parsing a malformed executable type.
[+] Fixed a bug that could lead to an unexpected application crash after parsing a malformed header type.
[+] Unlimited the number of characters shown in the analysis viewer by default, affecting the web view and the analysis from the console.
[+] Unlimited the number of characters shown in the HTML code viewer from the web view.
[+] The extraction of functions in the export table is now increased from 130 to 400 in the carving section.
[+] Fixed a bug that could hang the program during the extraction of the name of the sections.
[+] The use of the Timers of the tool during the analysis time was optimized.
[+] Added multitude of detections in Unicode format for the "4n4l.rules" rules file.
[+] Fixed a bug that could disable the Export Table button for some libraries.
[+] Fixed a bug that could generate a lot of junk characters after parsing certain UPX files.
[+] Optimizations have been made with the application's memory usage.
[+] The program bar now shows the number of characters in the analysis report.
v2.2
[+] Correction of slight visual defects in the interface.
[+] Correction in the URL extraction module.
[+] Including the detection of APIs referring to the following points in the "4n4l.rules" file:
-> Networks
-> Persistence
-> Encryption
-> Anti-analysis virtual machine
-> Stealth
-> Execution
-> Antivirus
-> Privileges
-> Keyboard keys
-> WMI executions
[+] Reorganization of files:
-> Configuration "cnf" and "vtapi" (Virustotal) in the folder
-> Dictionaries in the ".\db\rules" folder.
[+] Improved the integration of the "Strings" tab along with the "Export table" and "Import table" functions.
[+] Included in the analysis tab the Virustotal detection rate if the sample is detected by any antivirus.
[+] Mobile interface with magical surprises.
v2.1
[+] Labels displayed in the report section that may come from the analytics tab will now be converted to HTML entities.
[+] Included in the internal list of 4n4lDetector new words of interest.
[+] Added the extraction of new execution statements from the analyzed binaries.
[+] Eliminated null detections (PE: 0) by DIE.
[+] Reorganization of Packer/Compiler/Entropy detections.
[+] Currently the entropy calculation is done from the DIE section next to the Entropy/count option activated.
[+] Including checking all resources for malicious executables.
v2.0
[+] From the command line by default and without the need to use any parameter, the files will be analyzed by opening the graphical interface as if "-GUI" is used.
[+] Updated Detect It Easy "DIE" application database included for all file types.
[+] Included the entropy analysis of the analyzed file in the "Extra 4n4lysis" section.
[+] Drag and add file options are now blocked while performing a scan.
[+] ImpHash calculation included (x86/x64).
[+] Analyze the assembled code for x64 binaries with Capstone Disassembler.
[+] The extraction is extended to 40 bytes of the Entry Point, improving the detections with "EPRules" (x86/x64).
[+] The TimeDateStamp field now defaults to hexadecimal.
[+] Fixed Epoch conversion failing for some TimeDateStamp.
[+] Raw Entry Point detection for all x64 binaries.
[+] Improved the extraction of information from the XML resource for the UAC execution level.
[+] Improved the reading of the characteristics field in x64 binaries to identify EXE/DLL.
v1.9
[+] Included a modifiable dictionary of wildcard rules for the first 25 bytes of the EP, with over 3.700 compiler and packer detection lines.
[+] Details and settings in the interface.
[+] The form opens in the center of the screen to improve viewing at unusual resolutions.
[+] Added list of thanks ;)
[+] Fixed a bug in opening executables blocked by the system observed in Windows 11.
[+] Fixed current folder crash when manually dragging a sample for analysis.
[+] Improved the stability of the application form.
[+] Added two buttons that will be activated automatically when identifying functions in the import/export tables.
[+] Several bugs related to the extraction of opcodes in some Entry Points have been corrected.
[+] Fixed a bug that could unexpectedly close the application after parsing certain UPX files.
[+] A warning is included for when a user executes 4n4lDetector.exe without the necessary files for its correct operation.
[+] UPX compression version detector updated.
[+] The "Emails" module is included as (optional disabled) by default, due to the delay it could cause in some rare binaries.
v1.8
[+] Double header detection in ELF Linux executables
[+] Added UPX version number extraction for ELF Linux executables (Widely used in malware these days)
[+] Added identification of all ELF Linux executable types
[+] The user interface is friendlier than ever.
[+] The first fragment of the Rich signature is included in case you find it.
[+] It's taken 9 versions of 4n4lDetector... but it's here, you can now maximize the form!
[+] Improved email identification algorithm to avoid duplicate addresses.
[+] Fixed a bug that could unexpectedly close the application after opening a specific type of file.
[+] Improved string cleaning after extracting libraries in UNICODE format.
[+] Fixed a bug when showing the available functions and their count in the export table.
[+] Added functionality to view reports "[W]" from a Web viewer with the following tools
-> Options for modifying the title and content of the report
-> A viewer of the generated HTML code for display
-> A button to save the report to a document
-> Integrated a button to open the folder that houses all the saved reports
[+] Added the "-HTML" parameter for extracting reports in HTML format by console:
-> 4n4lDetector.exe Path\App.exe -HTML
v1.7
[+] Added new functionality to identify ASLR-enabled binaries.
[+] Fixed a bug that could lead to the application crashing in some binaries.
[+] Improved the integration of the debugger for reading the Entry Point of the x86 binaries.
[+] Smoothed out the design of the form interface and repositioning of controls.
[+] The process execution functionality is eliminated, although the possibility of analyzing MDUMPS is maintained.
v1.6
[+] Added new functionality to view the Entry Point code in ASM for x86 binary.
[+] Added combined rules for strings in hexadecimal and text, with multiple matches.
-> The end of the rule description field contains the rule number separated by "-" from the total number of rules belonging to the same combination.
Example: H:1A6C6488F2736988:Rich Signature Found 1-2
(Currently it only allows a maximum of 9 matches...) ;)
v1.5 new revision for Enelpc_debugger
[+] Fixed a bug in the word search engine of the main interface.
[+] Changed the cleanup function that removes extraneous characters from the output.
[+] Added section name extraction.
[+] Added the option to select a dictionary of words and codes in hexadecimal to search in the binary in a personalized way.
-> "H" Defines the string in hexadecimal.
-> "T" Defines the string as text.
-> The last field separated by ":" is the description used in the 4n4lDetector output.
v1.4 new revision for Enelpc_debugger
[+] Fixed a bug (fucked up) with the "-TXT" option for console executions.
[+] Added the ability to open LNK files to automatically resolve the executable path.
[+] The "Add File" button allows for a simpler file search.
v1.4
[+] Small bug fixes.
[+] Added the identification of the version of the operating system where the sample can run in "Information".
[+] Added [A], [S] and [V] buttons to the interface. Analysis, Strings and Virustotal.
[+] Added the Virustotal option to the list of checks, along with a button to select the ApiKey.
[+] Added a "Check" to extract emails.
v1.3
[+] Fixed a bug in the extraction of some versions of UPX.
[+] Extraction of the SQL Queries contained in the binary.
[+] The number of blocks of 5 existing NOPs are counted, in search of Code Caves.
[+] More unusual codes are checked after the Entry Point.
[+] Added Zw function extraction (Kernel Mode).
[+] Added polymorphism detections. (PEScrambler)
[+] Added a counting routine for Ascii characters and null characters.
[+] Added the "Show Options" button, where many of the features are found.
[+] Added a module for email extraction.
[+] Added a module for IP address extraction.
[+] Added a warning when finding a digital signature.
[+] Added Drag&Drop to the text box where the information is displayed.
[+] Added a DOS Header check algorithm to the Heuristics module.
[+] Improved the cleanliness in which the extracted strings are displayed.
[+] Added a new button to the main interface, in order to view the strings that the binary contains.
[+] Added a word search engine.
[+] Added two buttons that are activated after using the "Strings" button, which allow you to navigate between the main information and that obtained with said button.
v1.2
[+] Fixed a bug showing old versions of UPX.
[+] Fixed a bug that affected the detection of some Entry Points.
[+] Added the word EOF, in the description of the Dropper detections.
[+] Increased the effectiveness of the Shikata Ga Nai detection routine.
[+] Removed extracted executables with asterisks·
[+] Review of the integrity of the PE format.
[+] Microsot Rich Signature Integrity Review.
[+] CheckSum integrity check.
[+] Added TimeDateStamp field and build date.
[+] Detection of migrations from the Entry Point to other areas of executable code.
[+] Added an icon viewer.
[+] Added detection routine for Visual Basic 5/6 applications with unusual codes after their Entry Point.
[+] Expanded Packers detection.
[+] Added incomplete (truncated) executable detection routine.
[+] Added the creation of a registry file "Add4n4lMenu.reg", to include the analyzes quickly to the explorer dropdown.
[+] Added library extraction.
[+] Added parameter detection for the 4n4lDetector.exe executable
-> 4n4lDetector.exe Path\App.exe -GUI
-> 4n4lDetector.exe Path\App.exe -TXT
-> 4n4lDetector.exe Path\App.exe -GREMOVE (Deletion of the binary after its analysis)
Down:
https://github.com/4n0nym0us/4n4lDetector/releases/download/v2.4/4n4lDetectorV2.4.zip
[复制链接]
发表于 2023-6-14 17:42
