4n0nym0us/4n4lDetector
Advanced static analysis tool

4n4lDetector is a scan tool for Microsoft Windows executables, libraries, drivers and memory dumps (mdumps). Its main objective is to collect the information needed to identify malicious code within the analyzed files. Among other things, it analyzes the PE header and its structure, the content of the sections and the different types of strings. It also incorporates many of its own heuristics to recognize anomalies in how files are built and to detect mechanisms used by current malware.

Using the tool is simple, just configure the options in the drop-down panel on the right and drag the samples into 4n4lDetector.

Full support:

- 32 bits (8086, x86, ARMv7)
- 64 bits (AMD64, x86-64, x64, ARMv8)

IT and ET Extraction:

Alpha AXP, ARM, ARM Thumb-2 (32-bit Thumb), ARM64, EFI Byte Code, EFI Byte Code (EBC), Hitachi SH3, Hitachi SH4, Hitachi SH5, Intel i860, Intel Itanium (IA-64), M32R, MIPS16, MIPS16 with FPU, MIPS R3000, MIPS R4000, MIPS with FPU, MIPS little-endian, MIPS little-endian WCE v2, x64, x86, x86-64.

Buttons code:

- Buttons colored green are action buttons that open files and folders or are used to interact with the tool's utilities.
- The buttons colored in red perform reconfigurations, deletion of data or reset of functional files.
- Purple buttons announce the activation of online interactions.
- The pink buttons are shortcut buttons that the tool uses as tabs to navigate between different types of utilities.

Shortcuts:

- [A] Main analysis tab
- [W] Analysis tab in modifiable HTML format for report (WebView)
- [S] Viewer of strings extracted from the parsed file
- [V] Module with the Virustotal report using its API

Console Options (Analysis to file):

Start the graphical interface parsing a file from the console:
4n4lDetector.exe Path\App.exe -GUI

Remove binary after scan:
4n4lDetector.exe Path\App.exe -GREMOVE

Parse a file from the console and the output is written to a TXT file:
4n4lDetector.exe Path\App.exe -TXT

Parse a file from the console and the output is written to HTML file:
4n4lDetector.exe Path\App.exe -HTML

Detections:

PE Information, Unusual Entry Point Position or Code (Algorithms, Anomalous Instructions... ), Packers, Compilations, Binders/Joiners/Crypters, Architectures, Possible malicious functions, Registry Keys, Files Access, Juicy Words, Anti-VM/Sandbox/Debug, URLs Extractor, Payloads, AV Services, Duplicate Sections, IP/Domains List, Config RAT (Only In Memory Dumps), Call API By Name, Unusual Chars In Description File (Polymorphic Patterns), Rich Signature Analyzer, CheckSum Integrity Problem, PE Integrity Check, SQL Queries, Emails, Malicious resources, PE Carve, Exploits, File Rules for Entry Points and more... 😃

How to add 4n4lDetector to Windows right click?


It is recommended to delete the contents of the old 4n4lDetector directory to include the new version files.

v2.8

[+] A notice is now shown in the Sections section when the identified section is executable.
[+] The SHA-256 and SHA-1 Hashes of all analyzed files are now also calculated.
[+] Included the original name of the analyzed library in the "[Export Table]" button.
[+] 4n4lDetector is now able to identify content in the Import Table even when the "Original First Thunk" offset is "0", as happens with UPX-packed samples.
[+] The "Settings" module now has a subtle optimization to avoid freezes when downloading notifications.
[+] The code responsible for resource extraction has been optimized, it is now faster.
[+] Entry Point extraction has been restructured, optimizing its code and improving extraction speed.
[+] Optimized and removed some of the internal rules of 4n4lDetector to avoid some false positives.
[+] The file description extractor algorithm was modified, it is now more effective.
[+] The Carving PE result is now stored in a folder called PECarve within the analysis section.
[+] Virustotal information has been relocated to the main panel. (Use your personal API_KEY).
   -> SORRY MICROSOFT... I think we are at peace after that CobaltStrike detection <3
[+] The "IT Functions:" section of the main analysis is now called "Suspicious functions:", this being more accurate.
   -> Functions now have a description of their functionalities.
[+] The "Strings" functionality now runs automatically, visible in the "[s]" button after scans while "Intelligent Strings" is active.
   -> Increased the effectiveness and speed of the "Intelligent Strings" module and the "Strings" functionality.
[+] The "Sections Info" option is now internal and in its place an optional one has been created to decompress UPX samples.
   -> The unzipped samples are stored in the analysis path, within a folder called UPX.
   -> The UPX binary is located in the root of 4n4lDetector, in a folder called "bin" and can be modified by the user.
[+] The verification of signed executables, the checksum signature and the Rich signature are now grouped in the "Signatures" section.
[+] Changes in the handling of the Rich signature.
   -> The entire signature is extracted, not just the first part.
   -> Added a hash for detection.
   -> Its integrity is verified with a review of the old algorithm.
[+] A new tool has been added to extract Offsets directly from the executable and view its contents.
   -> It is now possible to manually perform code searches in hexadecimal, ASCII and UNICODE.
   -> A functionality to review the assembly code has also been included.
   -> This tool executes its main functions automatically with the Entry Point after each analysis.
[+] Added extraction of import and export tables from the rest of the existing executable architectures.
   -> Alpha AXP, ARM, EFI Byte Code, EFI Byte Code (EBC), Hitachi SH3, Hitachi SH4, Hitachi SH5, Intel Itanium (IA-64), Intel i860, M32R, MIPS16, MIPS16 with FPU, MIPS R3000, MIPS R4000, MIPS little-endian, MIPS little-endian WCE v2, MIPS with FPU.

v2.7

[+] Executable analysis for 32- and 64-bit ARM architectures (ARMv7 and ARMv8) has been implemented.
[+] Added an option called "Sections Info" that includes additional information about sections.
[+] Corrected tabulations that could not appear in some lines of reports in several modules.
[+] Added the capture of possible Logins to "Intelligent Strings".
[+] The "Intelligent Strings" module now correctly separates library names from the "Import Table".
[+] Fixed a bug in a rare case that could hide the "Export Table" button after viewing its contents.
[+] Eliminated the extra line breaks that were included at the end of all reports.
[+] Improved the collection of SQL queries from the selectable module in the right options panel.
[+] Optimized the code of the old "Online Area" and of the other new options in what is now called "Settings".
[+] Organized and included new rules for reviewing entry points from the "EP.rules" file.
[+] Included the "[C]" button to select the color of the application's letters with auto-save function.
[+] Restructured and adjusted the main form panel options.
[+] The Virustotal result was included as an active part of the right panel of the main form.
[+] The maximum file size to be analyzed is increased to 10MB by default.
[+] Added the extraction of IT, ET and IAT disk addresses in the Information section.
[+] Added a progress bar that appears during scans to the left of the main form.
[+] Better control of files to be analyzed was developed and error control was improved.
[+] Moved the counter functionality from "NOP Caves" to the "Entropy/Recount" option.
[+] The "Rich Signature" option becomes "Signatures" as it also includes signed executables.
[+] Verification of executable signatures has been added and we can now find the following types.
   -> Signed executables.
   -> Unsigned executables.
   -> Signed but modified executables.
   -> Others... 0.0
[+] An error that prevented console analysis in the previous version was corrected and the code for this functionality was improved.
   -> The "-HELP" or "?" parameter was included to display help from console mode.
   -> Made case-sensitive.
[+] Increased the extraction of the first 40 bytes of the Entry Point to a total of 50 bytes.
   -> This also increases the effectiveness of the rules file "EP.rules".

v2.6

[+] A new form has been included with access to an Online Area.
   -> The "[Online Area]" button opens a form with real-time notifications that can be modified by me at any time.
   -> It is possible to respond to the contents of the notifications through the "Reply" button via email.
   -> The content of the notifications will be merely informative about the development status of the tool or current malware alerts.
   -> From the File Rules section it is possible to download and modify the new "4n4l.rules" and "EP.rules" files with ease.
   -> The current date and time is included at the beginning of the files after each download to record their modification.
[+] A carving functionality is included to review PE headers inside the analyzed files.
   -> If executables are identified, the size of their PEs is calculated and they are extracted to disk.
   -> Extracted files are stored with the name of the Start Offset from which they were extracted and assigned a non-executable extension.
   -> The storage folder of the extracted PE files is the same as the HTML parsing storage folder.
[+] A "[GO]" button is included in the "PE Carve" module that will open the created files folder, otherwise it will open the analysis folder.
   -> A flashing light on the "[GO]" button will notify the user when the folder containing the files is generated.
[+] A section of rules for exploit detection is included.
   -> In the Entry Point from the "EP.Rules" dictionary
   -> In the "4n4l.Rules" dictionary
   -> In the resources
[+] A multitude of optimizations have been included to improve analysis times.
[+] The file cutter functionality has been removed due to lack of community use, since larger samples are now being analyzed.
[+] A change has been made to the icon of the main form and that of the application executable.
[+] Fixed small visual defects that occurred in some unusual system configuration of Windows 10 and Windows 11 systems.
[+] The "Show Options" button is launched with a delay of one second on the first execution.
[+] The storage path of the HTML documents is now located within a folder named after the MD5 hash of the analyzed file.
[+] The RAT configuration module becomes part of the Heuristics module disabled by default.
[+] Increased the effectiveness of the carving algorithm for extracting functions from the Export Table that may be missing.
[+] Analysis content size and time statistics are kept in the WebView tab title.
[+] From the WebView tab you can now apply another background color for the generation of the HTML file.
[+] The code that performs the extraction of IP addresses has been reviewed, improved and optimized prioritizing its speed and effectiveness.
[+] The internal "Known IP/Domains" module now has an expanded list of DNS service detections.
[+] Fixed a small bug that painted one of the modules yellow without the analysis option being enabled.
[+] Fixed a small bug that omitted the first string from the "Intelligent Strings" buffer and from the "Strings" functionality.
[+] The tool's color code now marks purple buttons as a (direct internet connection).
[+] Form buttons now show an indication of their action.
[+] Increased detection of new syntaxes in the "Intelligent Strings" module.
[+] Mimikatz detection by dictionary "4n4l.Rules".
[+] Correction of some rules of the known Entry points detection dictionary and the "4n4l.Rules" dictionary.
[+] SysCall detection from "4n4l.Rules" by Miguel Ángel Arenas.
[+] Sample reanalysis option in the main form, idea of Miguel Ángel Arenas.

v2.5

[+] Greater effectiveness and detection of new syntaxes in the "Intelligent Strings" module and in the "Strings" functionality.
[+] The analysis tab stores the statistical information in the form title of the current session.
[+] A warning is included to detect strings that are too long for the search engine and the singular is assigned for a match.
[+] The entire Detect It Easy “DIE” database was updated with the new rules as of December 5, 2023.
[+] Added new rules to the "4n4l.rules" file.
[+] The add file button has been removed from the main interface, now the graphical interface will only have the possibility of dragging files to analyze them.
[+] Included a new option to parse the content of "LNK" shortcuts with or without their default extension.
[+] Fixed a cosmetic bug affecting some high-resolution UltraWide displays.
[+] Improved integration of the window resizing module for Windows 7, 10 and 11 operating systems.
[+] Included a quick access button to the default "Show Options" view in case the window has been resized.
[+] The "Show Options" button now changes to "Hide Options" based on the size of the main form and when the button is activated.
[+] The app now opens options on every startup to keep them in view during use.
[+] The analysis progress changes the color of each module's name in the options section in real time as it advances.
   -> Red indicates the module that is currently analyzing the file.
   -> Yellow indicates that the analysis of that module has finished.
   -> White indicates that the module has not run yet.
[+] Please don't touch the red button or Beelzebub will come, Thank you.

v2.4

[+] Removed the limit on the number of characters shown in the String viewer, also affecting the Export and Import Table.
[+] Optimizations have been made prioritizing the stability of the tool at the expense of the minimum loss of speed during the analysis.
[+] Added extraction of the SYSTEM branch of the registry.
[+] The Strings tool has been optimized, having a very positive impact on its speed.
[+] Expanded the Strings tool's collection of new strings.
[+] Added a new string search module called Intelligent Strings. (Searches for keywords just like a malware analyst would.)
   -> Included a cleanup function for routes and internet addresses that affects this module.
[+] Included a time control after finishing the analysis in the title of the main form.
[+] Dragging samples onto the Web code view is now blocked, preventing them from being executed.

v2.3

[+] Added a new functionality that allows choosing the sizes of the files to analyze.
   -> Analysis times are higher with settings well above the default in the MaxFileLen(MB) field.
   -> It is recommended to disable options in files larger than usual.
[+] The process runs with high priority during the scan time and while some demanding tasks are performed.
[+] Fixed a bug that could lead to an unexpected application crash after parsing a malformed executable type.
[+] Fixed a bug that could lead to an unexpected application crash after parsing a malformed header type.
[+] Removed the default limit on the number of characters shown in the analysis viewer, affecting the web view and the analysis from the console.
[+] Removed the limit on the number of characters shown in the HTML code viewer of the web view.
[+] The extraction of functions in the export table is now increased from 130 to 400 in the carving section.
[+] Fixed a bug that could hang the program during the extraction of the name of the sections.
[+] The use of the Timers of the tool during the analysis time was optimized.
[+] Added multitude of detections in Unicode format for the "4n4l.rules" rules file.
[+] Fixed a bug that could disable the Export Table button for some libraries.
[+] Fixed a bug that could generate a lot of junk characters after parsing certain UPX files.
[+] Optimizations have been made with the application's memory usage.
[+] The program bar now shows the number of characters in the analysis report.

v2.2

[+] Correction of slight visual defects in the interface.
[+] Correction in the URL extraction module.
[+] Included detection of APIs related to the following categories in the "4n4l.rules" file:
   -> Networks
   -> Persistence
   -> Encryption
   -> Anti-analysis virtual machine
   -> Stealth
   -> Execution
   -> Antivirus
   -> Privileges
   -> Keyboard keys
   -> WMI executions
[+] Reorganization of files:
   -> Configuration "cnf" and "vtapi" (Virustotal) in the folder
   -> Dictionaries in the ".\db\rules" folder.
[+] Improved the integration of the "Strings" tab along with the "Export table" and "Import table" functions.
[+] Included in the analysis tab the Virustotal detection rate if the sample is detected by any antivirus.
[+] Mobile interface with magical surprises.

v2.1

[+] Tags that reach the report section from the analysis tab are now converted to HTML entities.
[+] Included in the internal list of 4n4lDetector new words of interest.
[+] Added the extraction of new execution statements from the analyzed binaries.
[+] Eliminated null detections (PE: 0) by DIE.
[+] Reorganization of Packer/Compiler/Entropy detections.
[+] The entropy calculation is now performed from the DIE section when the Entropy/Recount option is activated.
[+] Including checking all resources for malicious executables.

v2.0

[+] From the command line by default and without the need to use any parameter, the files will be analyzed by opening the graphical interface as if "-GUI" is used.
[+] Updated Detect It Easy "DIE" application database included for all file types.
[+] Included the entropy analysis of the analyzed file in the "Extra 4n4lysis" section.
[+] Drag and add file options are now blocked while performing a scan.
[+] ImpHash calculation included (x86/x64).
[+] Analyze the assembled code for x64 binaries with Capstone Disassembler.
[+] The extraction is extended to 40 bytes of the Entry Point, improving the detections with "EPRules" (x86/x64).
[+] The TimeDateStamp field now defaults to hexadecimal.
[+] Fixed Epoch conversion failing for some TimeDateStamp.
[+] Raw Entry Point detection for all x64 binaries.
[+] Improved the extraction of information from the XML resource for the UAC execution level.
[+] Improved the reading of the characteristics field in x64 binaries to identify EXE/DLL.

v1.9

[+] Included a modifiable dictionary of wildcard rules for the first 25 bytes of the EP, with over 3,700 compiler and packer detection lines.
[+] Details and settings in the interface.
[+] The form opens in the center of the screen to improve viewing at unusual resolutions.
[+] Added list of thanks ;)
[+] Fixed a bug in opening executables blocked by the system observed in Windows 11.
[+] Fixed current folder crash when manually dragging a sample for analysis.
[+] Improved the stability of the application form.
[+] Added two buttons that will be activated automatically when identifying functions in the import/export tables.
[+] Several bugs related to the extraction of opcodes in some Entry Points have been corrected.
[+] Fixed a bug that could unexpectedly close the application after parsing certain UPX files.
[+] A warning is included for when a user executes 4n4lDetector.exe without the necessary files for its correct operation.
[+] UPX compression version detector updated.
[+] The "Emails" module is included as (optional disabled) by default, due to the delay it could cause in some rare binaries.

v1.8

[+] Double header detection in ELF Linux executables
[+] Added UPX version number extraction for ELF Linux executables (Widely used in malware these days)
[+] Added identification of all ELF Linux executable types
[+] The user interface is friendlier than ever.
[+] The first fragment of the Rich signature is included in case you find it.
[+] It's taken 9 versions of 4n4lDetector... but it's here, you can now maximize the form!
[+] Improved email identification algorithm to avoid duplicate addresses.
[+] Fixed a bug that could unexpectedly close the application after opening a specific type of file.
[+] Improved string cleaning after extracting libraries in UNICODE format.
[+] Fixed a bug when showing the available functions and their count in the export table.
[+] Added functionality to view reports "[W]" from a Web viewer with the following tools
   -> Options for modifying the title and content of the report
   -> A viewer of the generated HTML code for display
   -> A button to save the report to a document
   -> Integrated a button to open the folder that houses all the saved reports
[+] Added the "-HTML" parameter for extracting reports in HTML format by console:
   -> 4n4lDetector.exe Path\App.exe -HTML

v1.7

[+] Added new functionality to identify ASLR-enabled binaries.
[+] Fixed a bug that could lead to the application crashing in some binaries.
[+] Improved the integration of the debugger for reading the Entry Point of the x86 binaries.
[+] Smoothed out the design of the form interface and repositioning of controls.
[+] The process execution functionality is eliminated, although the possibility of analyzing MDUMPS is maintained.

v1.6

[+] Added new functionality to view the Entry Point code in ASM for x86 binary.
[+] Added combined rules for strings in hexadecimal and text, with multiple matches.
   -> The end of the rule description field contains the rule number, separated by "-" from the total number of rules belonging to the same combination.
   -> Example: H:1A6C6488F2736988:Rich Signature Found 1-2
   -> (Currently it only allows a maximum of 9 matches...) ;)

v1.5 new revision for Enelpc_debugger

[+] Fixed a bug in the word search engine of the main interface.
[+] Changed the cleanup function that removes extraneous characters from the output.
[+] Added section name extraction.
[+] Added the option to select a dictionary of words and codes in hexadecimal to search in the binary in a personalized way.
   -> "H" Defines the string in hexadecimal.
   -> "T" Defines the string as text.
   -> The last field separated by ":" is the description used in the 4n4lDetector output.
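The rule layout described in the v1.6 and v1.5 entries above (an "H" or "T" type field, the pattern, a ":"-separated description, and an optional "n-m" suffix that ties several rules into one combination) is enough to write a small scanner. The following is an added example, not code from 4n4lDetector; the rule lines and the sample buffer are constructed here, and treating a combination as matched only when all of its members are found is an assumption about how the tool interprets the "n-m" suffix.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed rule dictionary in the layout the changelog describes:
#   <type>:<pattern>:<description>   type H = hex bytes, T = text
# A description ending in " n-m" marks rule n of a combination of m rules
# (the changelog's own example is "Rich Signature Found 1-2"). The hex
# values below ("Rich", "DanS", a call/pop stub) are constructed for the demo.
SAMPLE_RULES = """\
T:This program cannot be run in DOS mode:DOS stub text
H:52696368:Rich Signature Found 1-2
H:44616E53:Rich Signature Found 2-2
T:IsDebuggerPresent:Anti-Debug API name
H:E8000000005B:Call-pop EP stub (constructed)
"""

# The changelog says a combination holds at most 9 matches, hence one digit each.
COMBO_RE = re.compile(r"^(.*) (\d)-(\d)$")


@dataclass
class Rule:
    kind: str          # "H" (hex) or "T" (text)
    pattern: bytes     # raw bytes searched for in the file
    description: str   # report text, without the "n-m" suffix
    index: int = 1     # position of this rule inside its combination
    total: int = 1     # size of the combination (1 = standalone rule)


def parse_rules(text: str) -> List[Rule]:
    """Parse rule lines; the last ':'-separated field is the description.
    Assumption: the pattern field itself never contains ':'."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, pattern, description = line.split(":", 2)
        kind = kind.upper()
        if kind == "H":
            raw = bytes.fromhex(pattern)
        elif kind == "T":
            raw = pattern.encode("latin-1")
        else:
            raise ValueError(f"unknown rule type {kind!r} in {line!r}")
        index = total = 1
        m = COMBO_RE.match(description)
        if m:
            description, index, total = m.group(1), int(m.group(2)), int(m.group(3))
        rules.append(Rule(kind, raw, description, index, total))
    return rules


def scan(data: bytes, rules: List[Rule]) -> List[str]:
    """Return the descriptions of matched rules. A combination is reported
    only when every one of its members is present in the buffer."""
    totals: Dict[str, int] = {}
    hits: Dict[str, set] = {}
    for r in rules:
        totals[r.description] = r.total
        if r.pattern in data:
            hits.setdefault(r.description, set()).add(r.index)
    return [d for d, t in totals.items() if len(hits.get(d, ())) == t]


# Constructed sample buffers (not real files): the first has "Rich" but no
# "DanS", so the two-part Rich combination must not fire; the second has both.
SAMPLE_PARTIAL = b"MZ\x90\x00This program cannot be run in DOS modeRich\x00\x00\x00\x00IsDebuggerPresent"
SAMPLE_RICH = b"MZ\x90\x00DanS" + b"\x00" * 16 + b"Rich\x00\x00\x00\x00"

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print(scan(SAMPLE_PARTIAL, rules))  # ['DOS stub text', 'Anti-Debug API name']
    print(scan(SAMPLE_RICH, rules))     # ['Rich Signature Found']
```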

v1.4 new revision for Enelpc_debugger

[+] Fixed a bug (fucked up) with the "-TXT" option for console executions.
[+] Added the ability to open LNK files to automatically resolve the executable path.
[+] The "Add File" button allows for a simpler file search.

v1.4

[+] Small bug fixes.
[+] Added the identification of the version of the operating system where the sample can run in "Information".
[+] Added [A], [S] and [V] buttons to the interface. Analysis, Strings and Virustotal.
[+] Added the Virustotal option to the list of checks, along with a button to select the ApiKey.
[+] Added a "Check" to extract emails.

v1.3

[+] Fixed a bug in the extraction of some versions of UPX.
[+] Extraction of the SQL Queries contained in the binary.
[+] The number of existing blocks of 5 NOPs is counted, in search of Code Caves.
[+] More unusual codes are checked after the Entry Point.
[+] Added Zw function extraction (Kernel Mode).
[+] Added polymorphism detections. (PEScrambler)
[+] Added a counting routine for Ascii characters and null characters.
[+] Added the "Show Options" button, where many of the features are found.
[+] Added a module for email extraction.
[+] Added a module for IP address extraction.
[+] Added a warning when finding a digital signature.
[+] Added Drag&Drop to the text box where the information is displayed.
[+] Added a DOS Header check algorithm to the Heuristics module.
[+] Improved the cleanliness in which the extracted strings are displayed.
[+] Added a new button to the main interface, in order to view the strings that the binary contains.
[+] Added a word search engine.
[+] Added two buttons that are activated after using the "Strings" button, which allow you to navigate between the main information and that obtained with said button.

v1.2

[+] Fixed a bug showing old versions of UPX.
[+] Fixed a bug that affected the detection of some Entry Points.
[+] Added the word EOF, in the description of the Dropper detections.
[+] Increased the effectiveness of the Shikata Ga Nai detection routine.
[+] Removed extracted executables with asterisks.
[+] Review of the integrity of the PE format.
[+] Microsoft Rich Signature integrity review.
[+] CheckSum integrity check.
[+] Added TimeDateStamp field and build date.
[+] Detection of migrations from the Entry Point to other areas of executable code.
[+] Added an icon viewer.
[+] Added detection routine for Visual Basic 5/6 applications with unusual codes after their Entry Point.
[+] Expanded Packers detection.
[+] Added incomplete (truncated) executable detection routine.
[+] Added the creation of a registry file "Add4n4lMenu.reg", to quickly add the analysis to the Explorer context menu.
[+] Added library extraction.
[+] Added parameter detection for the 4n4lDetector.exe executable
   -> 4n4lDetector.exe Path\App.exe -GUI
   -> 4n4lDetector.exe Path\App.exe -TXT
   -> 4n4lDetector.exe Path\App.exe -GREMOVE (Deletion of the binary after its analysis)