Anya (meaning "eye" in Igbo) performs static analysis on binary files to identify suspicious characteristics without executing them. It's built in Rust for memory safety and performance (pretty important when you're deliberately parsing potentially hostile input).
Current capabilities:
- Cryptographic hashing (MD5, SHA1, SHA256)
- Batch directory scanning with progress tracking
- Configurable analysis via TOML config files
- Multiple output modes (quiet, normal, verbose)
- File output with append mode
- ASCII string extraction with configurable minimum length
- Shannon entropy calculation (file-level and per-section)
- PE (Portable Executable) structure parsing
- Import/export table analysis
- Suspicious Windows API detection
- Security mitigation analysis (ASLR, DEP/NX)
Requirements:
- Rust 1.75+ (for building from source)
Via Cargo:
cargo install anya-security-core
Via Docker (Coming Soon):
# Pull from Docker Hub
docker pull anya-security/anya:latest
# Analyze a file
docker run -v ./samples:/samples anya --file /samples/malware.exe
# Interactive TUI (coming soon)
docker run -it anya-tui
Pre-built binaries: Available for Linux, Windows, and macOS on the releases page.
From source:
git clone https://github.com/elementmerc/anya
cd anya
cargo build --release
# Binary will be in target/release/anya-security-core
# Basic analysis
anya --file suspicious.exe
# Verbose output
anya --file suspicious.exe --verbose
# Quiet mode (errors only)
anya --file suspicious.exe --quiet
# Analyze directory
anya --directory ./samples
# Recursive scanning
anya --directory ./samples --recursive
Anya supports persistent configuration via TOML files:
# Create default config
anya --init-config
Config file location:
- Linux/macOS: ~/.config/anya/config.toml
- Windows: %APPDATA%\anya\config.toml
Example config:
[analysis]
min_string_length = 4
entropy_threshold = 7.5
show_progress = true
[output]
use_colours = true
format = "text"
verbosity = "normal"
CLI arguments always override config file settings.
# Output as JSON
anya --file malware.exe --json
# Save to file
anya --file malware.exe --json --output report.json
# Append to existing file (batch processing)
anya --file sample1.exe --json --output batch.jsonl --append
# Create default config file
anya --init-config
# Edit: ~/.config/anya/config.toml (Linux/macOS)
# or: %APPDATA%\anya\config.toml (Windows)
# Use custom config
anya --config ./custom-config.toml --file malware.exe
anya --help
Generates MD5, SHA1, and SHA256 hashes for file identification and comparison against known malware databases like VirusTotal. Treat SHA256 as the identifying hash; MD5 and SHA1 are kept for lookups in older databases, since collisions are practical for both.
Scans for printable ASCII strings that might reveal:
- Hardcoded IP addresses or domains
- File paths and registry keys
- Command-line arguments
- Error messages and debug strings
- Obfuscated or cleartext credentials
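As an added example (my code, not Anya's), here is the kind of pass that produces the list above: a bounds-safe ASCII string extractor with a configurable minimum length, run over a constructed byte buffer. The function names, the `sample_buffer` contents and the 203.0.113.7 address are assumptions made for the example, not anything taken from the project.

```rust
// Added example, not Anya's code: a `strings`-style extractor. `min_len` plays
// the role of the configurable minimum string length mentioned above.

/// Returns every maximal run of printable ASCII (0x20..=0x7E, plus tab) that is
/// at least `min_len` bytes long, in file order. Never panics on arbitrary input.
pub fn extract_ascii_strings(data: &[u8], min_len: usize) -> Vec<String> {
    let mut out = Vec::new();
    let mut run: Vec<u8> = Vec::new();
    // A trailing sentinel byte flushes a run that ends exactly at EOF.
    for &b in data.iter().chain(std::iter::once(&0u8)) {
        if (0x20..=0x7e).contains(&b) || b == b'\t' {
            run.push(b);
        } else {
            if run.len() >= min_len.max(1) {
                out.push(String::from_utf8_lossy(&run).into_owned());
            }
            run.clear();
        }
    }
    out
}

/// Constructed sample buffer (not a real binary): a few interesting strings
/// separated by binary junk, plus one string too short to survive min_len = 4.
pub fn sample_buffer() -> Vec<u8> {
    let mut v = Vec::new();
    v.extend_from_slice(b"\x4d\x5a\x90\x00\x03\x00"); // "MZ" followed by junk
    v.extend_from_slice(b"http://203.0.113.7/gate.php"); // hardcoded C2-style URL
    v.extend_from_slice(b"\x00\x00\xff\xfe");
    v.extend_from_slice(b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"); // registry key
    v.extend_from_slice(b"\x01\x02");
    v.extend_from_slice(b"ok"); // dropped at min_len 4, kept at min_len 2
    v.extend_from_slice(b"\x00");
    v.extend_from_slice(b"--silent --no-gui"); // command-line arguments
    v
}

fn main() {
    for s in extract_ascii_strings(&sample_buffer(), 4) {
        println!("{s}");
    }
}
```

Raising `min_len` is the usual way to cut noise from compiled code, where short printable runs occur by chance; lowering it recovers short tokens like `ok` at the cost of more false hits.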
Calculates Shannon entropy (0 to 8 bits per byte) to identify:
- High entropy (> 7.5): Encrypted or packed sections (common obfuscation technique)
- Moderate entropy (4.0-7.5): Normal compiled code
- Low entropy (< 4.0): Plain text or simple data structures
Header Information:
- Architecture (32-bit vs 64-bit)
- Entry point and image base addresses
- Compilation timestamp (can be forged)
Security Features:
- ASLR status, from the DYNAMIC_BASE flag in the optional header's DllCharacteristics (disabled = predictable load address, easier exploitation)
- DEP/NX status, from the NX_COMPAT flag in the same field (disabled = code execution in data sections)
Section Analysis:
- Per-section entropy (spots packed/encrypted regions)
- Unusual section names (e.g., UPX0/UPX1 left by the UPX packer)
- Executable + writable sections (major red flag; normal compilers don't emit them, packers and self-modifying code do)
Import Analysis: Detects 40+ suspicious Windows APIs categorised by:
- Code injection techniques
- Anti-analysis/debugging
- Persistence mechanisms
- Network operations
- Cryptography
- Keylogging/input monitoring
- Privilege escalation
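To make the entropy thresholds and the PE header/section checks above concrete, here is an added example (my code, not Anya's) that walks a PE image with bounds-checked reads, reads the DYNAMIC_BASE and NX_COMPAT bits of DllCharacteristics, and computes per-section entropy and writable+executable flags. The header offsets and flag values follow the PE/COFF specification; the function names, the `Section`/`PeSummary` types and the constructed sample image in `sample_pe` (a low-entropy `.text` plus a high-entropy, W+X `UPX1` section, with packed bytes faked by an LCG) are assumptions made for the example.

```rust
// Added example, not Anya's code: a bounds-checked PE header walk that reports
// the mitigation and section indicators described above.
const DYNAMIC_BASE: u16 = 0x0040; // IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR)
const NX_COMPAT: u16 = 0x0100; // IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP/NX)
const SCN_MEM_EXECUTE: u32 = 0x2000_0000; // IMAGE_SCN_MEM_EXECUTE
const SCN_MEM_WRITE: u32 = 0x8000_0000; // IMAGE_SCN_MEM_WRITE

fn u16_at(b: &[u8], off: usize) -> Option<u16> {
    b.get(off..off + 2).map(|s| u16::from_le_bytes([s[0], s[1]]))
}
fn u32_at(b: &[u8], off: usize) -> Option<u32> {
    b.get(off..off + 4).map(|s| u32::from_le_bytes([s[0], s[1], s[2], s[3]]))
}

/// Shannon entropy in bits per byte: 0.0 for empty input, 8.0 at most.
pub fn shannon_entropy(bytes: &[u8]) -> f64 {
    if bytes.is_empty() { return 0.0; }
    let mut counts = [0usize; 256];
    for &b in bytes { counts[b as usize] += 1; }
    let n = bytes.len() as f64;
    counts.iter().filter(|&&c| c > 0).map(|&c| c as f64 / n).map(|p| -p * p.log2()).sum()
}

/// Buckets an entropy value with the 7.5 / 4.0 thresholds quoted above.
pub fn classify_entropy(e: f64) -> &'static str {
    if e > 7.5 { "high (packed/encrypted?)" } else if e >= 4.0 { "moderate (code)" } else { "low (plain data)" }
}

#[derive(Debug, Clone)]
pub struct Section { pub name: String, pub executable: bool, pub writable: bool, pub entropy: f64 }
#[derive(Debug, Clone)]
pub struct PeSummary { pub is_64bit: bool, pub aslr: bool, pub nx: bool, pub sections: Vec<Section> }

/// Parses just enough of a PE image to summarise mitigations and sections. Every
/// read is bounds-checked, so truncated or hostile input returns Err instead of panicking.
pub fn parse_pe(data: &[u8]) -> Result<PeSummary, &'static str> {
    if data.get(0..2) != Some(&b"MZ"[..]) { return Err("no MZ header"); }
    let pe = u32_at(data, 0x3c).ok_or("truncated DOS header")? as usize; // e_lfanew
    if data.get(pe..pe + 4) != Some(&b"PE\0\0"[..]) { return Err("no PE signature"); }
    let nsections = u16_at(data, pe + 6).ok_or("truncated COFF header")? as usize;
    let opt_size = u16_at(data, pe + 20).ok_or("truncated COFF header")? as usize;
    let opt = pe + 24; // optional header follows the 4-byte signature and 20-byte COFF header
    let is_64bit = match u16_at(data, opt).ok_or("truncated optional header")? {
        0x10b => false, 0x20b => true, _ => return Err("unknown optional header magic"),
    };
    // DllCharacteristics sits at +0x46 in both PE32 and PE32+ optional headers.
    let dll_chars = u16_at(data, opt + 0x46).ok_or("truncated optional header")?;
    let mut sections = Vec::new();
    for i in 0..nsections {
        let hdr = opt + opt_size + i * 40; // 40-byte IMAGE_SECTION_HEADER entries
        let name_bytes = data.get(hdr..hdr + 8).ok_or("truncated section table")?;
        let name = String::from_utf8_lossy(name_bytes).trim_end_matches('\0').to_string();
        let raw_size = u32_at(data, hdr + 16).ok_or("truncated section table")? as usize;
        let raw_ptr = u32_at(data, hdr + 20).ok_or("truncated section table")? as usize;
        let chars = u32_at(data, hdr + 36).ok_or("truncated section table")?;
        // Raw data pointing outside the file is clamped; an empty slice scores 0.0.
        let end = raw_ptr.saturating_add(raw_size).min(data.len());
        let body = data.get(raw_ptr..end).unwrap_or(&[]);
        let (executable, writable) = ((chars & SCN_MEM_EXECUTE) != 0, (chars & SCN_MEM_WRITE) != 0);
        sections.push(Section { name, executable, writable, entropy: shannon_entropy(body) });
    }
    Ok(PeSummary { is_64bit, aslr: (dll_chars & DYNAMIC_BASE) != 0, nx: (dll_chars & NX_COMPAT) != 0, sections })
}

/// Constructed 64-bit sample image (assumption, not a real binary): a low-entropy
/// ".text" and a high-entropy, writable+executable "UPX1". `dll_chars` becomes DllCharacteristics.
pub fn sample_pe(dll_chars: u16) -> Vec<u8> {
    let mut f = vec![0u8; 0x400]; // headers occupy the first 0x400 bytes
    f[0..2].copy_from_slice(b"MZ");
    f[0x3c..0x40].copy_from_slice(&0x80u32.to_le_bytes()); // e_lfanew
    let (pe, opt) = (0x80usize, 0x80usize + 24);
    f[pe..pe + 4].copy_from_slice(b"PE\0\0");
    f[pe + 4..pe + 6].copy_from_slice(&0x8664u16.to_le_bytes()); // Machine = AMD64
    f[pe + 6..pe + 8].copy_from_slice(&2u16.to_le_bytes()); // NumberOfSections
    f[pe + 20..pe + 22].copy_from_slice(&0xF0u16.to_le_bytes()); // SizeOfOptionalHeader (PE32+)
    f[opt..opt + 2].copy_from_slice(&0x20bu16.to_le_bytes()); // PE32+ magic
    f[opt + 0x46..opt + 0x48].copy_from_slice(&dll_chars.to_le_bytes());
    let text: Vec<u8> = [0x55, 0x48, 0x89, 0xE5, 0xC3].iter().cycle().take(0x200).copied().collect();
    let mut x: u64 = 0x9E37_79B9_7F4A_7C15; // LCG output stands in for packed/encrypted bytes
    let packed: Vec<u8> = (0..0x1000).map(|_| {
        x = x.wrapping_mul(6364136223846793005).wrapping_add(1442695040888963407);
        (x >> 56) as u8
    }).collect();
    let mut hdr = opt + 0xF0;
    for &(name, body, chars) in [(&b".text\0\0\0"[..], &text, 0x6000_0020u32), (&b"UPX1\0\0\0\0"[..], &packed, 0xE000_0040)].iter() {
        let ptr = f.len() as u32; // section bodies are appended after the headers
        f[hdr..hdr + 8].copy_from_slice(name);
        f[hdr + 16..hdr + 20].copy_from_slice(&(body.len() as u32).to_le_bytes()); // SizeOfRawData
        f[hdr + 20..hdr + 24].copy_from_slice(&ptr.to_le_bytes()); // PointerToRawData
        f[hdr + 36..hdr + 40].copy_from_slice(&chars.to_le_bytes()); // Characteristics
        f.extend_from_slice(body);
        hdr += 40;
    }
    f
}

fn main() {
    let pe = parse_pe(&sample_pe(0)).expect("sample image parses");
    println!("64-bit: {}  ASLR: {}  DEP/NX: {}", pe.is_64bit, pe.aslr, pe.nx);
    for s in &pe.sections {
        let wx = if s.executable && s.writable { "  <-- writable+executable" } else { "" };
        println!("{:<8} entropy {:.2}  {}{}", s.name, s.entropy, classify_entropy(s.entropy), wx);
    }
}
```

With `dll_chars` left at 0 the sample reports ASLR and DEP/NX disabled alongside a high-entropy W+X section, which is exactly the "highly suspicious combination" discussed further down; passing `0x0140` (DYNAMIC_BASE | NX_COMPAT) flips both mitigations on. Note that the parser never trusts NumberOfSections or PointerToRawData: every read goes through `get`, so a crafted header produces an `Err` or a zero-entropy section rather than an out-of-bounds access.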
Anya provides indicators, not verdicts. Always consider the full context:
Highly suspicious combinations:
- High section entropy + disabled ASLR/DEP + code injection APIs
- Anti-debugging APIs + obfuscated strings + unusual sections
- Persistence APIs + network APIs + no digital signature
Might be legitimate:
- Popular packers (UPX) on commercial software
- Debug-related APIs in development builds
- Registry access in installers
When in doubt, check hashes against VirusTotal or submit to a sandbox.
Static analysis is safer than dynamic analysis but not risk-free:
- Parse bugs could be exploited (I used well-tested libraries, but still)
- Always work in isolated environments (VMs, air-gapped machines)
- Don't analyse on production systems
- Maintain VM snapshots for quick recovery
Built with:
- Rust 1.75+
- Dependencies: See Cargo.toml
Tested on:
- Linux (Ubuntu 22.04+)
- Windows 10/11
- Docker (multi-arch: amd64, arm64)
Contributions are always welcome. Please:
- Fork the repository
- Create a feature branch
- Run cargo fmt and cargo clippy
- Submit a pull request
AGPL-3.0-or-later
For commercial licensing inquiries, contact: daniel@themalwarefiles.com
Anya (pronounced AHN-yah) means "eye" in Igbo, a language spoken in southeastern Nigeria. The name reflects the tool's purpose to see into the inner workings of potentially malicious software.
Coming Soon:
- 🚀 Terminal User Interface (TUI) for interactive analysis
- 🐳 Docker support with pre-built images
- 🤫 Secret stuff