Published on May 24th, 2016 📆 | 8107 Views ⚑
0Manalyze — A Static Analyzer For PE Executables
Manalyze was designed in C++ for Windows as well as for Linux and it is introduced under the terms of the GPLv3 license. It is a strong parser for PE files with an architecture of flexible plugin that permits users to statically analyze the files in-depth.
- It identifies a PE's compiler
- It can detect packed executables
- Applies ClamAV signatures
- It can identify for suspicious strings
- Looks for malicious import combinations i.e. WriteProcessMemory + CreateRemoteThread
- It can detect cryptographic constants such as IDA's find crypto plugin
- Manalyze can submit hashes to VirusTotal
- Verifies Authenticode signatures only on Windows.
Installation:
- Get the Boost libraries from boost.org and install CMake.
- Build the boost libraries
- cd boost_1_XX_0 && ./bootstrap.bat && ./b2.exe --build-type=complete --with-regex --with-program_options --with-system --with-filesystem.
- Add an environment variable BOOST_ROOT which contains the path to your boost_1_XX_0 folder.
- Download and install Git
- git clone https://github.com/JusticeRage/Manalyze.git && cd Manalyze && cmake .
- A Visual Studio project manalyze.sln should have appeared in the Manalyze folder.
Offline Builds-
If you need to build Manalyze on a machine with no internet access, you have to manually check out the following projects:
- Yara
- hash-library
$ ./manalyze.exe --help
-h [ --help ] Displays this message.
-v [ --version ] Prints the program's version.
--pe arg The PE to analyze. Also accepted as a positional
argument. Multiple files may be specified.
-r [ --recursive ] Scan all files in a directory (subdirectories will be
ignored).
-o [ --output ] arg The output format. May be 'raw' (default) or 'json'.
-d [ --dump ] arg Dump PE information. Available choices are any
combination of: all, summary, dos (dos header), pe (pe
header), opt (pe optional header), sections, imports,
exports, resources, version, debug, tls, config, delay
--hashes Calculate various hashes of the file (may slow down the
analysis!)
-x [ --extract ] arg Extract the PE resources to the target directory.
-p [ --plugins ] arg Analyze the binary with additional plugins. (may slow
down the analysis!)
Available plugins:
- clamav: Scans the binary with ClamAV virus definitions.
- compilers: Tries to determine which compiler generated the binary.
- peid: Returns the PEiD signature of the binary.
- strings: Looks for suspicious strings (anti-VM, process names...).
- findcrypt: Detects embedded cryptographic constants.
- packer: Tries to structurally detect packer presence.
- imports: Looks for suspicious imports.
- resources: Analyzes the program's resources.
- mitigation: Displays the enabled exploit mitigation techniques (DEP, ASLR, etc.).
- authenticode: Checks if the digital signature of the PE is valid.
- virustotal: Checks existing AV results on VirusTotal.
- all: Run all the available plugins.
Examples:
manalyze.exe program.exe
manalyze.exe -dresources -dexports -x out/ program.exe
manalyze.exe --dump=imports,sections --hashes program.exe
manalyze.exe -r malwares/ --plugins=peid,clamav --dump all
Download
Gloss