
horsicq / nauz-file-detector

486.0 486.0 80.0 9.93 MB

Linker/Compiler/Tool detector for Windows, Linux and macOS.

License: MIT License

Languages: C++ 48.42%, Shell 19.08%, QMake 12.87%, CMake 8.61%, Batchfile 4.16%, C 2.37%, Inno Setup 2.12%, M4 1.67%, Dockerfile 0.70%

Topics: detect, hacktoberfest, hacktoberfest2023, malware-analysis, malware-detection, malware-research, reverse-engineering, signature

nauz-file-detector's Introduction

About Me

  • C/C++
  • Python
  • Assembler
  • Reverse engineering

🔭 I’m currently working on https://github.com/horsicq/Detect-It-Easy

🌱 I’m currently learning: ELF

🤔 I’m looking for help with translation:

📫 How to reach me: e-mail: [email protected] TG: @horsicq Twitter: @horsicq




nauz-file-detector's People

Contributors: horsicq, warmduscher


nauz-file-detector's Issues

Compilation of StaticScan fails

I'm on ArchLinux with gcc 9.1.0

Should I disable the compile warning for missing-field-initializers?

g++ -c -pipe -O2 -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -std=gnu++11 -Wall -W -D_REENTRANT -fPIC -DQT_NO_DEBUG -DQT_CORE_LIB -I. -I../StaticScan -I../SpecAbstract -I../Formats -I../Formats -I../Formats -I../Formats -I../Formats -I../XArchive -I../XArchive/3rdparty/zlib/include -I../XArchive/3rdparty/bzip2/include -I../XArchive/3rdparty/lzma/include -isystem /usr/include/qt -isystem /usr/include/qt/QtCore -I. -I/usr/lib/qt/mkspecs/linux-g++ -o xzip.o ../XArchive/xzip.cpp
../StaticScan/staticscan.cpp: In member function 'SpecAbstract::SCAN_RESULT StaticScan::scanFile(QString)':
../StaticScan/staticscan.cpp:164:41: warning: missing initializer for member 'SpecAbstract::SCAN_RESULT::sFileName' [-Wmissing-field-initializers]
  164 |     SpecAbstract::SCAN_RESULT result= {0};
      |                                         ^
../StaticScan/staticscan.cpp:164:41: warning: missing initializer for member 'SpecAbstract::SCAN_RESULT::listRecords' [-Wmissing-field-initializers]
../StaticScan/staticscan.cpp: In member function 'SpecAbstract::SCAN_RESULT StaticScan::scanDevice(QIODevice*)':
../StaticScan/staticscan.cpp:181:41: warning: missing initializer for member 'SpecAbstract::SCAN_RESULT::sFileName' [-Wmissing-field-initializers]
  181 |     SpecAbstract::SCAN_RESULT result= {0};
      |                                         ^
../StaticScan/staticscan.cpp:181:41: warning: missing initializer for member 'SpecAbstract::SCAN_RESULT::listRecords' [-Wmissing-field-initializers]
../Formats/xelf.cpp: In member function 'virtual QList<XBinary::MEMORY_MAP> XELF::getMemoryMapList()':
../Formats/xelf.cpp:2724:10: warning: unused variable 'bIs64' [-Wunused-variable]
 2724 |     bool bIs64=is64();
      |          ^~~~~
main_console.cpp: In function 'int main(int, char**)':
main_console.cpp:120:46: warning: missing initializer for member 'SpecAbstract::SCAN_OPTIONS::bDeepScan' [-Wmissing-field-initializers]
  120 |     SpecAbstract::SCAN_OPTIONS scanOptions={0};
      |                                              ^
main_console.cpp:120:46: warning: missing initializer for member 'SpecAbstract::SCAN_OPTIONS::bResultAsXML' [-Wmissing-field-initializers]
main_console.cpp:120:46: warning: missing initializer for member 'SpecAbstract::SCAN_OPTIONS::bSubdirectories' [-Wmissing-field-initializers]
main_console.cpp:120:46: warning: missing initializer for member 'SpecAbstract::SCAN_OPTIONS::bIsImage' [-Wmissing-field-initializers]
main_console.cpp:122:17: error: 'struct SpecAbstract::SCAN_OPTIONS' has no member named 'bScanOverlay'
  122 |     scanOptions.bScanOverlay=parser.isSet(clScanOverlay);
      |                 ^~~~~~~~~~~~
../Formats/xpe.cpp: In static member function 'static XPE::RESOURCE_RECORD XPE::getResourceRecord(QString, quint32, QList<XPE::RESOURCE_RECORD>*)':
../Formats/xpe.cpp:2582:57: warning: comparison of integer expressions of different signedness: 'quint32' {aka 'unsigned int'} and 'int' [-Wsign-compare]
 2582 |             if((pListRecords->at(i).nID[1]==nID2)||(nID2==-1))
      |                                                     ~~~~^~~~
../Formats/xpe.cpp: In member function 'QList<XPE::RELOCS_HEADER> XPE::getRelocsHeaders()':
../Formats/xpe.cpp:5027:37: warning: missing initializer for member 'XPE::RELOCS_HEADER::ibr' [-Wmissing-field-initializers]
 5027 |             RELOCS_HEADER record= {0};
      |                                     ^
../Formats/xpe.cpp:5027:37: warning: missing initializer for member 'XPE::RELOCS_HEADER::nCount' [-Wmissing-field-initializers]
../Formats/xpe.cpp: In member function 'QList<XPE::RELOCS_POSITION> XPE::getRelocsPositions(qint64)':
../Formats/xpe.cpp:5058:43: warning: missing initializer for member 'XPE_DEF::IMAGE_BASE_RELOCATION::SizeOfBlock' [-Wmissing-field-initializers]
 5058 |     XPE_DEF::IMAGE_BASE_RELOCATION ibr= {0};
      |                                           ^
../Formats/xpe.cpp:5072:43: warning: missing initializer for member 'XPE::RELOCS_POSITION::nType' [-Wmissing-field-initializers]
 5072 |                 RELOCS_POSITION record= {0};
      |                                           ^
../Formats/xpe.cpp:5072:43: warning: missing initializer for member 'XPE::RELOCS_POSITION::nAddress' [-Wmissing-field-initializers]
make: *** [Makefile:898: main_console.o] Error 1
make: *** Waiting for unfinished jobs....
../XArchive/xarchive.cpp: In static member function 'static XArchive::COMPRESS_RESULT XArchive::decompress(XArchive::COMPRESS_METHOD, QIODevice*, QIODevice*)':
../XArchive/xarchive.cpp:172:27: warning: missing initializer for member 'bz_stream::avail_in' [-Wmissing-field-initializers]
  172 |         bz_stream strm= {0};
      |                           ^
../XArchive/xarchive.cpp:172:27: warning: missing initializer for member 'bz_stream::total_in_lo32' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:172:27: warning: missing initializer for member 'bz_stream::total_in_hi32' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:172:27: warning: missing initializer for member 'bz_stream::next_out' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:172:27: warning: missing initializer for member 'bz_stream::avail_out' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:172:27: warning: missing initializer for member 'bz_stream::total_out_lo32' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:172:27: warning: missing initializer for member 'bz_stream::total_out_hi32' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:172:27: warning: missing initializer for member 'bz_stream::state' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:172:27: warning: missing initializer for member 'bz_stream::bzalloc' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:172:27: warning: missing initializer for member 'bz_stream::bzfree' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:172:27: warning: missing initializer for member 'bz_stream::opaque' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:250:31: warning: missing initializer for member '_CLzmaProps::lp' [-Wmissing-field-initializers]
  250 |             CLzmaDec state= {0};
      |                               ^
../XArchive/xarchive.cpp:250:31: warning: missing initializer for member '_CLzmaProps::pb' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:250:31: warning: missing initializer for member '_CLzmaProps::_pad_' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:250:31: warning: missing initializer for member '_CLzmaProps::dicSize' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:250:31: warning: missing initializer for member 'CLzmaDec::probs' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:250:31: warning: missing initializer for member 'CLzmaDec::probs_1664' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:250:31: warning: missing initializer for member 'CLzmaDec::dic' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:250:31: warning: missing initializer for member 'CLzmaDec::dicBufSize' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:250:31: warning: missing initializer for member 'CLzmaDec::dicPos' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:250:31: warning: missing initializer for member 'CLzmaDec::buf' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:250:31: warning: missing initializer for member 'CLzmaDec::range' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:250:31: warning: missing initializer for member 'CLzmaDec::code' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:250:31: warning: missing initializer for member 'CLzmaDec::processedPos' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:250:31: warning: missing initializer for member 'CLzmaDec::checkDicSize' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:250:31: warning: missing initializer for member 'CLzmaDec::reps' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:250:31: warning: missing initializer for member 'CLzmaDec::state' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:250:31: warning: missing initializer for member 'CLzmaDec::remainLen' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:250:31: warning: missing initializer for member 'CLzmaDec::numProbs' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:250:31: warning: missing initializer for member 'CLzmaDec::tempBufSize' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:250:31: warning: missing initializer for member 'CLzmaDec::tempBuf' [-Wmissing-field-initializers]
../XArchive/xarchive.cpp:290:80: warning: comparison of integer expressions of different signedness: 'qint64' {aka 'long long int'} and 'SizeT' {aka 'long unsigned int'} [-Wsign-compare]
  290 |                                 if(pDestDevice->write((char *)out,outProcessed)!=outProcessed)
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~
../XArchive/xarchive.cpp: In member function 'bool XArchive::dumpToFile(XArchive::RECORD*, QString)':
../XArchive/xarchive.cpp:371:45: warning: unused parameter 'pRecord' [-Wunused-parameter]
  371 | bool XArchive::dumpToFile(XArchive::RECORD *pRecord, QString sFileName)
      |                           ~~~~~~~~~~~~~~~~~~^~~~~~~
../XArchive/xarchive.cpp:371:62: warning: unused parameter 'sFileName' [-Wunused-parameter]
  371 | bool XArchive::dumpToFile(XArchive::RECORD *pRecord, QString sFileName)
      |                                                      ~~~~~~~~^~~~~~~~~
../SpecAbstract/specabstract.cpp: In static member function 'static void SpecAbstract::PE_handle_Recursive(QIODevice*, bool, SpecAbstract::PEINFO_STRUCT*, SpecAbstract::SCAN_OPTIONS*)':
../SpecAbstract/specabstract.cpp:6360:57: warning: missing initializer for member 'SpecAbstract::SCAN_RESULT::sFileName' [-Wmissing-field-initializers]
 6360 |                 SpecAbstract::SCAN_RESULT scanResult= {0};
      |                                                         ^
../SpecAbstract/specabstract.cpp:6360:57: warning: missing initializer for member 'SpecAbstract::SCAN_RESULT::listRecords' [-Wmissing-field-initializers]
../SpecAbstract/specabstract.cpp: In static member function 'static void SpecAbstract::Binary_handle_Formats(QIODevice*, bool, SpecAbstract::BINARYINFO_STRUCT*)':
../SpecAbstract/specabstract.cpp:6652:14: warning: variable 'bDetected' set but not used [-Wunused-but-set-variable]
 6652 |         bool bDetected=false;
      |              ^~~~~~~~~
../SpecAbstract/specabstract.cpp: In static member function 'static void SpecAbstract::Binary_handle_JAR(QIODevice*, bool, SpecAbstract::BINARYINFO_STRUCT*, SpecAbstract::SCAN_OPTIONS*)':
../SpecAbstract/specabstract.cpp:7034:69: warning: missing initializer for member 'SpecAbstract::SCAN_RESULT::sFileName' [-Wmissing-field-initializers]
 7034 |                             SpecAbstract::SCAN_RESULT scanResult= {0};
      |                                                                     ^
../SpecAbstract/specabstract.cpp:7034:69: warning: missing initializer for member 'SpecAbstract::SCAN_RESULT::listRecords' [-Wmissing-field-initializers]
../SpecAbstract/specabstract.cpp: In static member function 'static void SpecAbstract::MSDOS_handle_Recursive(QIODevice*, bool, SpecAbstract::MSDOSINFO_STRUCT*, SpecAbstract::SCAN_OPTIONS*)':
../SpecAbstract/specabstract.cpp:7289:57: warning: missing initializer for member 'SpecAbstract::SCAN_RESULT::sFileName' [-Wmissing-field-initializers]
 7289 |                 SpecAbstract::SCAN_RESULT scanResult= {0};
      |                                                         ^
../SpecAbstract/specabstract.cpp:7289:57: warning: missing initializer for member 'SpecAbstract::SCAN_RESULT::listRecords' [-Wmissing-field-initializers]
../SpecAbstract/specabstract.cpp: In static member function 'static void SpecAbstract::ELF_handle_Protection(QIODevice*, bool, SpecAbstract::ELFINFO_STRUCT*)':
../SpecAbstract/specabstract.cpp:7377:107: warning: unused parameter 'pELFInfo' [-Wunused-parameter]
 7377 | void SpecAbstract::ELF_handle_Protection(QIODevice *pDevice, bool bIsImage, SpecAbstract::ELFINFO_STRUCT *pELFInfo)
      |                                                                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~

How about an unofficial user repository?

I found that there is an Arch package in the releases, and then I found this:

https://bbs.archlinux.org/viewtopic.php?id=270937

So maybe there could be an unofficial user repository: https://wiki.archlinux.org/title/unofficial_user_repositories

Then users could get automatic updates, since the AUR is sometimes out of date.

It seems there is an option to use the GitHub release directly as the source (so server costs are reduced).

for example:

https://github.com/Redecorating/archlinux-t2-packages/releases/tag/packages

Detect binaries linked using mold

I'd PR this myself, but I can't figure out where to PR it to.

The mold linker will leave an identification string in the .comment section of an ELF file. Example from the readme:

readelf -p .comment <executable-file>

String dump of section '.comment':
  [     0]  GCC: (Ubuntu 10.2.0-5ubuntu1~20.04) 10.2.0
  [    2b]  mold 9a1679b47d9b22012ec7dfbda97c8983956716f7
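The check this issue asks for, as an added example that is not code from nauz-file-detector or from mold: a small Python parser that walks the ELF64 section headers, pulls the NUL-separated strings out of .comment and reports a "mold <commit>" entry. Only little-endian ELF64 is handled (an assumption made to keep the parser short), the sample image is constructed in memory and contains nothing but a .comment section and a string table, and the function names are mine.

```python
"""Added example, not code from nauz-file-detector or mold: extract the
toolchain strings that compilers and linkers leave in an ELF .comment
section and flag the "mold <commit>" marker.  Only little-endian ELF64
is handled (an assumption made to keep the parser short); the sample
image at the bottom is constructed in memory for the demonstration.
"""
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
SHT_NULL, SHT_PROGBITS, SHT_STRTAB = 0, 1, 3
SHDR_FMT = "<IIQQQQIIQQ"          # Elf64_Shdr, 64 bytes


def _section_headers(data):
    """Yield (name_bytes, sh_type, sh_offset, sh_size) for every section header."""
    e_shoff, = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    if e_shoff == 0 or e_shnum == 0:
        return
    def shdr(i):
        return struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize)
    st = shdr(e_shstrndx)                        # section-name string table
    strtab = data[st[4]:st[4] + st[5]]
    for i in range(e_shnum):
        sh = shdr(i)
        name = strtab[sh[0]:strtab.index(b"\0", sh[0])]
        yield name, sh[1], sh[4], sh[5]


def read_comment_strings(data):
    """Return the NUL-separated strings of .comment, or [] if the section is absent."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled in this example")
    for name, sh_type, off, size in _section_headers(data):
        if name == b".comment" and sh_type == SHT_PROGBITS:
            body = data[off:off + size]
            return [s.decode("utf-8", "replace") for s in body.split(b"\0") if s]
    return []


def detect_mold(data):
    """Return the text after 'mold ' (the commit or version) if present, else None."""
    for entry in read_comment_strings(data):
        if entry.startswith("mold "):
            return entry[len("mold "):]
    return None


def build_sample_elf(comment_strings):
    """Construct a minimal ELF64 image whose only content is a .comment section
    (constructed sample, not a real binary): header | .comment | .shstrtab | shdrs."""
    comment = b"".join(s.encode() + b"\0" for s in comment_strings)
    shstrtab = b"\0.comment\0.shstrtab\0"
    off_comment = 64
    off_shstrtab = off_comment + len(comment)
    e_shoff = off_shstrtab + len(shstrtab)
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1]) + b"\0" * 9
    # e_type=ET_EXEC, e_machine=EM_X86_64, e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 62, 1, 0, 0, e_shoff, 0, 64, 0, 0, 64, 3, 2)
    def shdr(name_off, sh_type, off, size):
        return struct.pack(SHDR_FMT, name_off, sh_type, 0, 0, off, size, 0, 0, 1, 0)
    shdrs = (shdr(0, SHT_NULL, 0, 0)
             + shdr(shstrtab.index(b".comment"), SHT_PROGBITS, off_comment, len(comment))
             + shdr(shstrtab.index(b".shstrtab"), SHT_STRTAB, off_shstrtab, len(shstrtab)))
    return ehdr + comment + shstrtab + shdrs


# The two strings from the issue's readelf output, placed in a constructed ELF.
SAMPLE_MOLD = build_sample_elf([
    "GCC: (Ubuntu 10.2.0-5ubuntu1~20.04) 10.2.0",
    "mold 9a1679b47d9b22012ec7dfbda97c8983956716f7",
])
SAMPLE_GCC_ONLY = build_sample_elf(["GCC: (GNU) 12.2.0"])

if __name__ == "__main__":
    print(read_comment_strings(SAMPLE_MOLD))
    print("mold:", detect_mold(SAMPLE_MOLD))
```

Treat a hit as a hint rather than proof: .comment is ordinary, non-loaded data that anyone can remove or rewrite (for instance with objcopy --remove-section=.comment), so its absence says nothing and its content can be forged. A real binary usually carries several compiler strings, one per contributing object file after the linker merges duplicates, which is why the parser returns the whole list rather than the first entry.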

Analyzing GOLANG compiled binaries not possible

Hi,

When using Nauz on a binary compiled from Go, it fails to detect the language and the compiler involved. But when analyzing the same sample with DIE, at least the language is detected (both using the CLI version).

Nauz output:

PE 32
    Unknown: Unknown

DIE output:

PE: compiler: Go(1.x)
PE: linker: unknown(3.0)[EXE32,console]

I prefer using Nauz over DIE, as Nauz seems to include build numbers from the toolchain involved. For example, using it on a Locky sample:

Nauz:

PE 32
    Linker: Microsoft linker(14.00.23918)
    Compiler: Visual C/C++(19.00.23918)[C++]
    Tool: Microsoft Visual Studio(2015 Update 2)

vs

DIE:

PE: compiler: Microsoft Visual C/C++(2015 v.14.0)[-]
PE: linker: Microsoft Linker(14.0, Visual Studio 2015 14.0*)[EXE32]

so switching to DIE isn't an option for me.

Some (Chinese?) characters in filename not possible

We have an odd case with a sample containing some strange characters inside the filename: loader表能点分析功.xlsx (filename redacted by me).

When I start nauz --deepscan --json /sample/loader表能点分析功.xlsx I get an error:

Cannot find: /sample/loader??????????????????.xlsx

nauz --version is showing Nauz File Detector 0.05alpha

Wrong installation

make install is putting the applications, icon and xpeviewer in the wrong place. I set the prefix to /usr but it's installing in /

Renaming the "operating system" output?

First of all I really like your tools and I appreciate the time and effort you put into developing them.

I was wondering about the "operation system" output by Nauz. By looking at the code, it appears that the OS result for PE files is calculated by parsing the Major/MinorOperatingSystemVersion fields of the Optional Header. My understanding of the PE format was that those fields are a "required minimum version" to run the file. I did some tests using legacy compilers (VS 05/08) running on Windows XP SP3 and Win7 and had varying results (see attachment). Just by looking at the Nauz output, someone could think that "Operation system" refers to the OS version used to build the file and not some arbitrary version number set by VS. Maybe it's best to rename the output to clear up the confusion.

results_vs.log
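The fields this issue talks about, as an added example that is not code from nauz-file-detector: a Python reader for the version pairs in the PE optional header, which keeps the Major/MinorOperatingSystemVersion pair apart from the linker, image and subsystem pairs that sit next to it. The PE image is constructed in memory (DOS stub, PE signature, COFF header and a PE32 optional header with no sections) purely for the demonstration, and the function names are mine.

```python
"""Added example, not code from nauz-file-detector: read the version fields of
a PE optional header and keep them apart, because the Major/Minor
OperatingSystemVersion pair the issue discusses is one of three such pairs
and none of them records the OS the file was built on.  The PE image below
is constructed in memory for the demonstration.
"""
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_version_fields(data):
    """Return linker, required-OS, image and subsystem versions from the optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                       # skip signature and 20-byte COFF header
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # The six version WORDs sit at optional-header offset 40 in both PE32 and
    # PE32+: PE32's BaseOfData plus its 4-byte ImageBase occupy the same 8
    # bytes as the 8-byte ImageBase of PE32+.
    (os_major, os_minor, img_major, img_minor,
     ss_major, ss_minor) = struct.unpack_from("<6H", data, opt + 40)
    return {
        "format": "PE32" if magic == PE32_MAGIC else "PE32+",
        "linker_version": (linker_major, linker_minor),   # the linker describing itself
        "os_version": (os_major, os_minor),               # "required OS", set by a linker option
        "image_version": (img_major, img_minor),          # free-form (MSVC /VERSION)
        "subsystem_version": (ss_major, ss_minor),        # the pair the loader checks
    }


def build_sample_pe32(os_ver, subsys_ver, linker=(14, 0)):
    """Construct a minimal PE32 header (constructed sample, not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x0102)  # i386, 96-byte optional header
    std = struct.pack("<HBBIIIIII", PE32_MAGIC, linker[0], linker[1],
                      0, 0, 0, 0x1000, 0x1000, 0x2000)            # sizes, entry, BaseOfCode/Data
    win = struct.pack("<IIIHHHHHHIIIIHHIIIIII",
                      0x400000, 0x1000, 0x200,                    # ImageBase, section/file alignment
                      os_ver[0], os_ver[1], 0, 0,                 # OS version, image version
                      subsys_ver[0], subsys_ver[1], 0,            # subsystem version, Win32VersionValue
                      0x2000, 0x200, 0, 3, 0,                     # SizeOfImage, SizeOfHeaders, CheckSum, Subsystem=CUI, DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000,         # stack/heap reserve and commit
                      0, 0)                                       # LoaderFlags, NumberOfRvaAndSizes
    return dos + b"PE\0\0" + coff + std + win


# Two constructed samples: one targeting 5.1 (XP), one targeting 6.0 (Vista).
SAMPLE_XP = build_sample_pe32(os_ver=(5, 1), subsys_ver=(5, 1))
SAMPLE_VISTA = build_sample_pe32(os_ver=(6, 0), subsys_ver=(6, 0), linker=(9, 0))

if __name__ == "__main__":
    for name, img in (("xp", SAMPLE_XP), ("vista", SAMPLE_VISTA)):
        print(name, pe_version_fields(img))
```

The OS and subsystem pairs are whatever the linker was told to write (in MSVC the version suffix of /SUBSYSTEM sets them), so two builds made on the same machine can differ and two builds made on different machines can agree; reporting them as "operating system" invites exactly the misreading the issue describes. They also hold only major.minor, so a full build number such as the 14.00.23918 shown in the Go issue above has to come from elsewhere in the file (for Microsoft toolchains, the Rich header), not from these fields.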

Nauz File Detector v0.09 hangs (NFD v0.08 vs v0.09)

Hi horsicq,

The NFD releases prior to v0.09 work correctly; however, v0.09 hangs and stops responding. The console versions do work correctly.

It happens on Windows XP SP3 x86-32bit.

(screenshot attachment: NFD v0.08 vs v0.09)

Thank you in advance.
