A static analyzer for PE executables.
My work on Manalyze started when my antivirus tried to quarantine my malware sample collection for the thirtieth time. It was also born of my increasing frustration with AV products which make decisions without ever explaining why they deem a file malicious. Obviously, most people are better off having an antivirus decide what's best for them. But it seemed to me that expert users (i.e. malware analysts) could use a tool which would analyze a PE executable, provide as much data as possible, and leave the final call to them.
If you want to see some sample reports generated by the tool, feel free to try out the web service I created for it: manalyzer.org.
Manalyze was written in C++ for Windows and Linux and is released under the terms of the GPLv3 license. It is a robust parser for PE files with a flexible plugin architecture which allows users to statically analyze files in-depth. Manalyze...

- Identifies a PE's compiler
- Detects packed executables
- Applies ClamAV signatures
- Searches for suspicious strings
- Looks for malicious import combinations (e.g. `WriteProcessMemory` + `CreateRemoteThread`)
- Detects cryptographic constants (just like IDA's findcrypt plugin)
- Can submit hashes to VirusTotal
- Verifies authenticode signatures (on Windows only)
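To show what the "detects cryptographic constants" heuristic amounts to, here is an added findcrypt-style scanner. It is illustration code written for this page, not Manalyze's own implementation: it searches a buffer for a few published constants (the SHA-256 initial hash values, the first MD5 round constants and the start of the AES forward S-box), in both byte orders for the 32-bit tables, and reports the offset of each hit. The sample buffer produced by `build_sample()` is constructed for the demonstration.

```python
"""Findcrypt-style scan for well-known cryptographic constants in a byte buffer.

Added illustration (not Manalyze's code) of the "detects cryptographic
constants" heuristic. The constant values are the published ones; the sample
buffer built by build_sample() is constructed for the demonstration.
"""
import struct
import sys

# Published constants. A compiler emits an initialised uint32_t table in the
# target's byte order, so the 32-bit constants are packed little-endian (x86)
# and, as a fallback, big-endian for code that stores them as byte tables.
SHA256_H = (0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
            0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19)
MD5_T = (0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee)
AES_SBOX_PREFIX = bytes.fromhex("637c777bf26b6fc53001672bfed7ab76")


def pack_words(words, order="<"):
    """Serialise 32-bit words in the given struct byte order ('<' or '>')."""
    return b"".join(struct.pack(order + "I", w) for w in words)


# name -> byte patterns that count as a hit for that constant
SIGNATURES = {
    "SHA-256 initial hash values": [pack_words(SHA256_H, "<"),
                                    pack_words(SHA256_H, ">")],
    "MD5 round constants T[1..4]": [pack_words(MD5_T, "<"),
                                    pack_words(MD5_T, ">")],
    "AES forward S-box": [AES_SBOX_PREFIX],
}


def find_crypto_constants(data):
    """Return (name, offset) pairs, sorted by offset, for every known constant found."""
    hits = []
    for name, patterns in SIGNATURES.items():
        for pattern in patterns:
            start = 0
            while True:
                idx = data.find(pattern, start)
                if idx < 0:
                    break
                hits.append((name, idx))
                start = idx + 1
    return sorted(hits, key=lambda h: h[1])


def build_sample():
    """Constructed buffer: 16 zero bytes, the AES S-box prefix, 5 NOPs, SHA-256 H (LE)."""
    return (b"\x00" * 16 + AES_SBOX_PREFIX + b"\x90" * 5
            + pack_words(SHA256_H, "<"))


def scan_file(path):
    """Scan a file on disk (any format; PE section awareness is left out here)."""
    with open(path, "rb") as fh:
        return find_crypto_constants(fh.read())


if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_crypto_constants(build_sample())
    for name, offset in hits:
        print(f"0x{offset:08x}  {name}")
```

Run it with a file path to scan that file, or without arguments to scan the constructed sample. A hit only means the constant is present (a statically linked crypto library is the usual explanation), and code that derives its tables at run time will not be found, which is why this is one data point among the others the tool reports rather than a verdict.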
There are few things I hate more than checking out an open-source project and spending two hours trying to build it. This is why I did my best to make Manalyze as easy to build as possible. If these few lines don't work for you, then I have failed at my job and you should drop me a line so I can fix this.
```shell
$> [sudo or as root] apt-get install libboost-regex-dev libboost-program-options-dev libboost-system-dev libboost-filesystem-dev libssl-dev build-essential cmake git
$> [alternatively, also sudo or as root] pkg install boost-libs-1.55.0_8 libressl cmake git
$> git clone https://github.com/JusticeRage/Manalyze.git && cd Manalyze
$> cmake .
$> make -j5
$> cd bin && ./manalyze --version
```
Finally, if you want to access Manalyze from every directory on your machine, install it using `make install` from the root folder of the project.
```shell
cd boost_1_XX_0 && ./bootstrap.bat && ./b2.exe --build-type=complete --with-regex --with-program_options --with-system --with-filesystem
```

Create an environment variable `BOOST_ROOT` which contains the path to your `boost_1_XX_0` folder.

```shell
git clone https://github.com/JusticeRage/Manalyze.git && cd Manalyze && cmake .
```

A `manalyze.sln` should have appeared in the `Manalyze` folder!
```shell
# Skip these two lines if you already have a sane build environment
user$ xcode-select --install
user$ sudo installer -pkg /Library/Developer/CommandLineTools/Packages/macOS_SDK_headers_for_macOS_10.14.pkg -target /
user$ git clone https://github.com/JusticeRage/Manalyze.git && cd Manalyze
user$ brew install openssl boost
user$ cmake . -DOPENSSL_ROOT_DIR=/usr/local/opt/openssl/ && make -j5
user$ cd bin && ./manalyze --version
```
If you need to build Manalyze on a machine with no internet access, you have to manually check out the following projects:

- Yara
- hash-library

Place the two folders in the `external` folder as `external/yara` and `external/hash-library` respectively. Then run `cmake . -DGitHub=OFF` and continue as you normally would.
A Docker image for Manalyze is provided by the community. Run `docker pull evanowe/manalyze` and get additional information here.
Since ClamAV signatures are voluminous and updated regularly, it didn't make a lot of sense to distribute them from GitHub or with the binary. When you try using the ClamAV plugin for the first time, you will likely encounter the following error message:

```
[!] Error: Could not load yara_rules/clamav.yara.
```

In order to generate them, simply run the `update_clamav_signatures.py` Python script located in `bin/yara_rules`. Run the script whenever you want to refresh the signatures.
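Generating `clamav.yara` means expressing ClamAV's body-based signatures in YARA syntax. The converter below is an added example written for this page to show what that translation involves; it is not the `update_clamav_signatures.py` script from Manalyze and it covers only a subset of the ClamAV syntax. It assumes the ndb line layout `MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]`, translates plain hex bytes, the `??` byte wildcard and `{n}`/`{n-m}` jumps, supports the `*` (anywhere) and absolute integer offsets, and reports every line it cannot express rather than emitting a rule that silently means something else. The sample signatures in `SAMPLE_NDB` are constructed, not real ClamAV entries.

```python
"""Convert ClamAV ndb body-based signatures to YARA rules (subset).

Added illustration of the translation a ClamAV-to-YARA generator performs;
this is not Manalyze's update_clamav_signatures.py script. Assumed ndb line
layout: MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]].
The sample lines in SAMPLE_NDB are constructed.
"""
import re

# Name, target type, offset, hex body, optional min/max engine level.
NDB_LINE = re.compile(
    r"^([^:]+):(\d+):([^:]+):([0-9a-fA-F?{}\-]+)(?::\d+)?(?::\d+)?$")
# Tokens this subset translates: {n} / {n-m} jumps, ?? wildcard, hex bytes.
HEX_TOKEN = re.compile(r"\{[0-9]+(?:-[0-9]+)?\}|\?\?|[0-9a-fA-F]{2}")


def hexsig_to_yara(hexsig):
    """Translate a ClamAV hex body into the body of a YARA hex string."""
    tokens = HEX_TOKEN.findall(hexsig)
    if "".join(tokens) != hexsig:      # anything not tokenised is unsupported
        raise ValueError(f"unsupported ClamAV hex syntax: {hexsig}")
    out = []
    for tok in tokens:
        if tok.startswith("{"):
            out.append("[" + tok[1:-1] + "]")   # {4-8} -> [4-8]
        else:
            out.append(tok.lower())             # bytes and ?? pass through
    return " ".join(out)


def ndb_to_yara(line):
    """Return one YARA rule (as text) for a single ndb signature line."""
    m = NDB_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an ndb signature: {line!r}")
    name, target, offset, hexsig = m.groups()
    rule_name = re.sub(r"[^A-Za-z0-9_]", "_", name)  # YARA identifiers only
    if rule_name[0].isdigit():
        rule_name = "_" + rule_name
    if offset == "*":
        condition = "$a"                      # anywhere in the file
    elif offset.isdigit():
        condition = f"$a at {offset}"         # absolute file offset
    else:
        raise ValueError(f"unsupported offset syntax: {offset}")
    return "\n".join([
        f"rule {rule_name}",
        "{",
        "    meta:",
        f'        clamav_name = "{name}"',
        f'        clamav_target = "{target}"',
        "    strings:",
        f"        $a = {{ {hexsig_to_yara(hexsig)} }}",
        "    condition:",
        f"        {condition}",
        "}",
    ])


def convert_ndb(lines):
    """Convert every line; collect the ones this subset cannot express."""
    rules, skipped = [], []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        try:
            rules.append(ndb_to_yara(line))
        except ValueError as exc:
            skipped.append((line, str(exc)))
    return rules, skipped


SAMPLE_NDB = [  # constructed examples, not real ClamAV signatures
    "Test.Sample-1:1:*:4d5a9000????{4-8}50450000",
    "Test.Fixed:1:0:4d5a",
    "Test.Unsupported:1:EP+0:4d5a",
]

if __name__ == "__main__":
    rules, skipped = convert_ndb(SAMPLE_NDB)
    print("\n\n".join(rules))
    for line, why in skipped:
        print(f"// skipped {line}: {why}")
```

The strict tokeniser is the important design choice: a ClamAV construct the converter does not understand (entry-point-relative offsets, nibble wildcards, alternatives) is skipped and listed, so the generated rule set can only be incomplete, never wrong. Duplicate rule names across a large signature set would still need to be de-duplicated before YARA compiles the file.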
```
$ ./manalyze.exe --help
Usage:
  -h [ --help ]         Displays this message.
  -v [ --version ]      Prints the program's version.
  --pe arg              The PE to analyze. Also accepted as a positional
                        argument. Multiple files may be specified.
  -r [ --recursive ]    Scan all files in a directory (subdirectories will be
                        ignored).
  -o [ --output ] arg   The output format. May be 'raw' (default) or 'json'.
  -d [ --dump ] arg     Dump PE information. Available choices are any
                        combination of: all, summary, dos (dos header), pe (pe
                        header), opt (pe optional header), sections, imports,
                        exports, resources, version, debug, tls, config, delay,
                        rich
  --hashes              Calculate various hashes of the file (may slow down the
                        analysis!)
  -x [ --extract ] arg  Extract the PE resources to the target directory.
  -p [ --plugins ] arg  Analyze the binary with additional plugins. (may slow
                        down the analysis!)

Available plugins:
```

Examples:

```shell
manalyze.exe program.exe
manalyze.exe -dresources -dexports -x out/ program.exe
manalyze.exe --dump=imports,sections --hashes program.exe
manalyze.exe -r malwares/ --plugins=peid,clamav --dump all
```
Contact me or open a pull request if you would like to be added to this list!