Pentest Tools

Published on May 24th, 2016 📆 | 1607 Views ⚑

0

Manalyze — A Static Analyzer For PE Executables


iSpeech

Manalyze was designed in C++ for Windows as well as for Linux and it is introduced under the terms of the GPLv3 license. It is a strong parser for PE files with an architecture of flexible plugin that permits users to statically analyze the files in-depth.

Features:
 
Manalyze has some new features which are as follows:
  • It identifies a PE's compiler
  • It can detect packed executables
  • Applies ClamAV signatures
  • It can identify for suspicious strings
  • Looks for malicious import combinations i.e. WriteProcessMemory + CreateRemoteThread
  • It can detect cryptographic constants such as IDA's find crypto plugin
  • Manalyze can submit hashes to VirusTotal
  • Verifies Authenticode signatures only on Windows.

Installation:

Manalyze as simple to build as possible.
On Linux and BSD (tested on Debian Jessie and FreeBSD 10.2)
 
$> [sudo or as root] apt-get install libboost-regex-dev libboost-program-options-dev libboost-system-dev libboost-filesystem-dev build-essential cmake git
$> [alternatively, also sudo or as root] pkg install boost-libs-1.55.0_8 cmake
$> git clone https://github.com/JusticeRage/Manalyze.git && cd Manalyze
$> cmake .
$> make
$> cd bin && ./manalyze --version
 
On Windows-
  • Get the Boost libraries from boost.org and install CMake.
  • Build the boost libraries
  1. cd boost_1_XX_0 && ./bootstrap.bat && ./b2.exe --build-type=complete --with-regex --with-program_options --with-system --with-filesystem.
  2. Add an environment variable BOOST_ROOT which contains the path to your boost_1_XX_0 folder.
  • Download and install Git
  • git clone https://github.com/JusticeRage/Manalyze.git && cd Manalyze && cmake .
  • A Visual Studio project manalyze.sln should have appeared in the Manalyze folder.

Offline Builds-
If you need to build Manalyze on a machine with no internet access, you have to manually check out the following projects:

  • Yara
  • hash-library
Place the two folders in the external folder as external/yara and external/hash-library respectively. Then run cmake . -DGitHub=OFF and continue as you normally would.
Binaries-
Windows x86 binaries
All the binaries in this archive are signed with a certificate ‎presenting the following fingerprint:26fc24c12b2d84f77615cf6299e3e4ca4f3878fc.
Generating ClamAV Rules-
Since ClamAV signatures are huge as well as regularly updated and it did not make a lot of sense to allocate them from GitHub or with the binary. When you try using the ClamAV plugin for the first time, you will similarly encounter the following error message: [!] Error: Could not load yara_rules/clamav.yara. In order to create them, simply run the update_clamav_signatures.py Python script situated in bin/yara_rules.
 
Run the script whenever you want to refresh the signatures.
 [adsense size='1']
Usage

$ ./manalyze.exe --help

-h [ --help ]         Displays this message.
-v [ --version ]      Prints the program's version.
--pe arg              The PE to analyze. Also accepted as a positional
argument. Multiple files may be specified.
-r [ --recursive ]    Scan all files in a directory (subdirectories will be
ignored).
-o [ --output ] arg   The output format. May be 'raw' (default) or 'json'.
-d [ --dump ] arg     Dump PE information. Available choices are any
combination of: all, summary, dos (dos header), pe (pe
header), opt (pe optional header), sections, imports,
exports, resources, version, debug, tls, config, delay
--hashes              Calculate various hashes of the file (may slow down the
analysis!)
-x [ --extract ] arg  Extract the PE resources to the target directory.
-p [ --plugins ] arg  Analyze the binary with additional plugins. (may slow
down the analysis!)

Available plugins:
- clamav: Scans the binary with ClamAV virus definitions.
- compilers: Tries to determine which compiler generated the binary.
- peid: Returns the PEiD signature of the binary.
- strings: Looks for suspicious strings (anti-VM, process names...).
- findcrypt: Detects embedded cryptographic constants.
- packer: Tries to structurally detect packer presence.
- imports: Looks for suspicious imports.
- resources: Analyzes the program's resources.
- mitigation: Displays the enabled exploit mitigation techniques (DEP, ASLR, etc.).
- authenticode: Checks if the digital signature of the PE is valid.
- virustotal: Checks existing AV results on VirusTotal.
- all: Run all the available plugins.

Examples:
manalyze.exe program.exe
manalyze.exe -dresources -dexports -x out/ program.exe
manalyze.exe --dump=imports,sections --hashes program.exe
manalyze.exe -r malwares/ --plugins=peid,clamav --dump all

Download



Leave a Reply

Your email address will not be published.