It is paid-only service?
I never said you were doing it to make money.
Enjoy it, here’s to my hacker’s health!
You must have hit the "Strike through" button in "More option" in the editor.Hello, I don't know why the publication appears like this. Some character I use must have drawn the line on this forum
Yes, I was lucky enough to work with him. I was developing Insanity Protector, and he needed to bypass antivirus software for some conferences. He contacted me via email, and eventually, we met in person. I spent several years helping him with some of his ideas he was a truly endearing person.
a break… and I know it will be your best ally for reversing and security incidents that, unfortunately, are ahead of us. The integrated Flow Anomalies module works seamlessly with the [Show Offsets] tool, allowing you to track the execution flow of different code fragments and locate their strings. Enjoy it! 
I bring you a major innovation in static malware analysis, along with highly optimized performance and stability. Both the Professional version and PEscan have been updated with the latest enhancements. This version will give my neurons
(...)
Hey! First of all, I really like what you’re doing with 4n4lDetector
For the next major release(s), I had a few ideas that might make your tool even stronger in terms of trust :
-------
1) Official handbook / educational guide — a structured manual (or short book) so people can learn PE basics and use 4n4lDetector step by step. I’d be happy to help draft/structure it (the GitHub docs are a bit inconsistent right now).
2) Integrated sandbox with hypervisor-based stealth — run samples in a disposable, lightweight VM launched directly from 4n4lDetector. Execution stays in isolated guest RAM, so the sample can’t touch the host OS or real temp folders; this also reduces your direct responsibility as the developer. Virtualization keeps the sample believing it’s on a normal OS while you monitor it “underneath,” and avoids kernel-patching approaches that Windows 11 blocks.
3) Debug Mode (inside the VM) — to stay safe while gaining deeper insights
- LTSC compatibility: Some Windows 11 Enterprise LTSC editions don’t include Windows Sandbox. Detect this at runtime and fall back to a Managed VM (e.g., Hyper-V): launch a disposable VM with networking disabled, map a read-only samples folder and a writable logs folder, and (optionally) attach a debugger inside the VM. Windows Sandbox is handy, but not a silver bullet — hence the managed fallback.
- Note: certain builds of Sandboxie (SbieDrv.sys) can no longer load in kernel mode on Windows 11 when Memory Integrity (HVCI) is enabled (“A driver can’t load on this device”). That’s why sticking to Windows Sandbox or Hyper-V VMs keeps compatibility with modern Windows protections.
Scope note: I’m focusing on driver-based threats, including legitimately signed drivers (BYOVD).
- Automatically attach WinDbg inside the VM; for driver analysis, support loading and debugging signed .sys drivers.
- Provide a simple UI to set breakpoints on common APIs (file, registry, crypto, networking) and capture arguments/return values.
- Keep networking disabled by default, and write outputs only to a mapped logs folder.
- Optional presets (“Ransomware”, “Stealer”, etc.) that preconfigure typical API breakpoints.
Even signed drivers — and those later revoked or listed on Microsoft’s Vulnerable Driver Blocklist — can slip past defenses in some configurations, which is why hardening (WDAC allow-listing, HVCI/Memory Integrity, Secure Boot) is non-negotiable. My role is to help legitimate drivers be allowed without weakening protections. I’ll work with vendors to ship HVCI-compliant, properly signed drivers (EV/attestation). If a known-good driver is blocked, I’ll open a case with Microsoft’s Hardware Dev Center to resolve a false block. Policies/blocklists can be conservative; I’ll push for a fix while keeping security intact.
Only for information - if you want to learn something useful :
4) Certificate & OCSP analysis – check the PE’s code-signing certificate and extract OCSP/CRL URLs. Flag valid/expired/revoked status and suspicious cases where malware abuses or bypasses code signing. This adds a PKI-aware trust layer to reports.
--------
For transparency: I’m not a developer; my background is in security auditing and law (mostly in Europe, and I’m also learning global cyber law). I’d describe myself as more “grey hat” than strictly ethical-only, but my focus here is educational and security-oriented — to help legitimate users learn, not to support criminal purposes who are not legitimate.
but it's ok we /you don’t have to do everything at once — starting with the educational handbook makes sense to me.
Why ?
After a lot of mismatched virtual discussions lately even with people who pretend to be implicitely expert, I’d prefer a step-by-step approach.
What do you think?
PS: If you (or anyone else) choose not to sell the book, I’m not asking for any payment. I’m offering my help because I take trust very seriously in my day-to-day work, and I used ChatGPT-5 to help me to make this encouragement to you clearly in English
, I just don’t have enough hours in the day.
It compares to Analyse-It.have you compared it to @Trident's Orion? If not, please do and give us some feedback...
