
JusticeRage / Manalyze

Licence: gpl-3.0
A static analyzer for PE executables.

Projects that are alternatives of or similar to Manalyze

Automated-Malware-Analysis-List
My personal Automated Malware Analysis Sandboxes and Services
Stars: ✭ 20 (-97.15%)
Mutual labels:  analysis, malware, pe
static file analysis
Analysis of files (doc, pdf, exe, ...) in depth (embedded file(s)) with clamscan and yara rules
Stars: ✭ 34 (-95.15%)
Mutual labels:  analysis, yara
apooxml
Generate YARA rules for OOXML documents.
Stars: ✭ 34 (-95.15%)
Mutual labels:  malware, yara
freki
🐺 Malware analysis platform
Stars: ✭ 327 (-53.35%)
Mutual labels:  malware, yara
r2yara
r2yara - Module for Yara using radare2 information
Stars: ✭ 30 (-95.72%)
Mutual labels:  malware, yara
HatVenom
HatVenom is a HatSploit native powerful payload generation tool that provides support for all common platforms and architectures.
Stars: ✭ 84 (-88.02%)
Mutual labels:  malware, pe
ips-bph-framework
BLACKPHENIX is an open source malware analysis automation framework composed of services, scripts, plug-ins, and tools and is based on a Command-and-Control (C&C) architecture
Stars: ✭ 21 (-97%)
Mutual labels:  analysis, malware
S1EM
This project is a SIEM with SIRP and Threat Intel, all in one.
Stars: ✭ 270 (-61.48%)
Mutual labels:  malware, yara
Mquery
YARA malware query accelerator (web frontend)
Stars: ✭ 264 (-62.34%)
Mutual labels:  malware, yara
Freki
🐺 Malware analysis platform
Stars: ✭ 285 (-59.34%)
Mutual labels:  malware, yara
Detekt
Static code analysis for Kotlin
Stars: ✭ 4,169 (+494.72%)
Mutual labels:  analysis, static
cerberus research
Research tools for analysing Cerberus banking trojan.
Stars: ✭ 110 (-84.31%)
Mutual labels:  analysis, malware
yara
Malice Yara Plugin
Stars: ✭ 27 (-96.15%)
Mutual labels:  malware, yara
Multiscanner
Modular file scanning/analysis framework
Stars: ✭ 494 (-29.53%)
Mutual labels:  malware, yara
binlex
A Binary Genetic Traits Lexer Framework
Stars: ✭ 303 (-56.78%)
Mutual labels:  malware, yara
MalScan
A simple PE file heuristics scanner
Stars: ✭ 41 (-94.15%)
Mutual labels:  analysis, malware
flashmingo
Automatic analysis of SWF files based on some heuristics. Extensible via plugins.
Stars: ✭ 117 (-83.31%)
Mutual labels:  analysis, malware
vulnscan
A static binary vulnerability scanner
Stars: ✭ 47 (-93.3%)
Mutual labels:  analysis, static
Yobi
Yara Based Detection Engine for web browsers
Stars: ✭ 39 (-94.44%)
Mutual labels:  malware, yara
Binee
Binee: binary emulation environment
Stars: ✭ 408 (-41.8%)
Mutual labels:  analysis, malware

Manalyze

Introduction

My work on Manalyze started when my antivirus tried to quarantine my malware sample collection for the thirtieth time. It is also born from my increasing frustration with AV products which make decisions without ever explaining why they deem a file malicious. Obviously, most people are better off having an antivirus decide what's best for them. But it seemed to me that expert users (i.e. malware analysts) could use a tool which would analyze a PE executable, provide as much data as possible, and leave the final call to them.

If you want to see some sample reports generated by the tool, feel free to try out the web service I created for it: manalyzer.org.

A static analyzer for PE files

Manalyze was written in C++ for Windows and Linux and is released under the terms of the GPLv3 license. It is a robust parser for PE files with a flexible plugin architecture which allows users to statically analyze files in-depth. Manalyze...

  • Identifies a PE's compiler
  • Detects packed executables
  • Applies ClamAV signatures
  • Searches for suspicious strings
  • Looks for malicious import combinations (e.g. WriteProcessMemory + CreateRemoteThread)
  • Detects cryptographic constants (just like IDA's findcrypt plugin)
  • Can submit hashes to VirusTotal
  • Verifies authenticode signatures (on Windows only)

How to build

There are few things I hate more than checking out an open-source project and spending two hours trying to build it. This is why I did my best to make Manalyze as easy to build as possible. If these few lines don't work for you, then I have failed at my job and you should drop me a line so I can fix this.

On Linux and BSD (tested on Debian Buster and FreeBSD 10.2)

$> [sudo or as root] apt-get install libboost-regex-dev libboost-program-options-dev libboost-system-dev libboost-filesystem-dev libssl-dev build-essential cmake git
$> [alternatively, also sudo or as root] pkg install boost-libs-1.55.0_8 libressl cmake git
$> git clone https://github.com/JusticeRage/Manalyze.git && cd Manalyze
$> cmake .
$> make -j5
$> cd bin && ./manalyze --version

Finally, if you want to access Manalyze from every directory on your machine, install it by running make install from the root folder of the project.

On Windows

  • Get the Boost libraries from boost.org and install CMake.
  • Build the boost libraries
    • cd boost_1_XX_0 && ./bootstrap.bat && ./b2.exe --build-type=complete --with-regex --with-program_options --with-system --with-filesystem
    • Add an environment variable BOOST_ROOT which contains the path to your boost_1_XX_0 folder.
  • Download and install Git
  • git clone https://github.com/JusticeRage/Manalyze.git && cd Manalyze && cmake .
  • A Visual Studio project manalyze.sln should have appeared in the Manalyze folder!

On OS X (tested on Mojave)

# Skip these two lines if you already have a sane build environment
user$ xcode-select --install
user$ sudo installer -pkg /Library/Developer/CommandLineTools/Packages/macOS_SDK_headers_for_macOS_10.14.pkg -target /

user$ git clone https://github.com/JusticeRage/Manalyze.git && cd Manalyze
user$ brew install openssl boost
user$ cmake . -DOPENSSL_ROOT_DIR=/usr/local/opt/openssl/ && make -j5
user$ cd bin && ./manalyze --version

Offline builds

If you need to build Manalyze on a machine with no internet access, you have to manually check out the following projects:

Place the two folders in the external folder as external/yara and external/hash-library respectively. Then run cmake . -DGitHub=OFF and continue as you normally would.

Binaries

Docker image

A Docker image for Manalyze is provided by the community. Run docker pull evanowe/manalyze and get additional information here.

Generating ClamAV rules

Since ClamAV signatures are voluminous and updated regularly, it didn't make a lot of sense to distribute them from GitHub or with the binary. When you try using the ClamAV plugin for the first time, you will likely encounter the following error message: [!] Error: Could not load yara_rules/clamav.yara. In order to generate them, simply run the update_clamav_signatures.py Python script located in bin/yara_rules.

Run the script whenever you want to refresh the signatures.

Usage

$ ./manalyze.exe --help
Usage:
  -h [ --help ]         Displays this message.
  -v [ --version ]      Prints the program's version.
  --pe arg              The PE to analyze. Also accepted as a positional
                        argument. Multiple files may be specified.
  -r [ --recursive ]    Scan all files in a directory (subdirectories will be
                        ignored).
  -o [ --output ] arg   The output format. May be 'raw' (default) or 'json'.
  -d [ --dump ] arg     Dump PE information. Available choices are any
                        combination of: all, summary, dos (dos header), pe (pe
                        header), opt (pe optional header), sections, imports,
                        exports, resources, version, debug, tls, config, delay, rich
  --hashes              Calculate various hashes of the file (may slow down the
                        analysis!)
  -x [ --extract ] arg  Extract the PE resources to the target directory.
  -p [ --plugins ] arg  Analyze the binary with additional plugins. (may slow
                        down the analysis!)

Available plugins:
  - clamav: Scans the binary with ClamAV virus definitions.
  - compilers: Tries to determine which compiler generated the binary.
  - peid: Returns the PEiD signature of the binary.
  - strings: Looks for suspicious strings (anti-VM, process names...).
  - findcrypt: Detects embedded cryptographic constants.
  - packer: Tries to structurally detect packer presence.
  - imports: Looks for suspicious imports.
  - resources: Analyzes the program's resources.
  - mitigation: Displays the enabled exploit mitigation techniques (DEP, ASLR, etc.).
  - overlay: Analyzes data outside of the PE's boundaries.
  - authenticode: Checks if the digital signature of the PE is valid.
  - virustotal: Checks existing AV results on VirusTotal.
  - all: Run all the available plugins.

Examples:
  manalyze.exe program.exe
  manalyze.exe -dresources -dexports -x out/ program.exe
  manalyze.exe --dump=imports,sections --hashes program.exe
  manalyze.exe -r malwares/ --plugins=peid,clamav --dump all
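The mitigation plugin listed above reports which exploit mitigations a PE opts into. Those flags live in the DllCharacteristics field of the optional header, and the following added example (not Manalyze's own code, which is C++) shows how a checker reads them; the minimal header built by build_sample is a constructed sample input, and the flag values are the documented IMAGE_DLLCHARACTERISTICS_* constants from the PE/COFF specification.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE (ASLR)",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT (DEP)",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
}

def mitigations(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> optional header and report the
    mitigation flags. Raises ValueError on anything that is not a well-formed
    PE header so a truncated or non-PE file is never reported as 'hardened'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    if opt_size < 72 or len(data) < opt + opt_size:
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic %#x" % magic)
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ layouts
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {name: bool(dll_chars & bit) for bit, name in DLL_CHARACTERISTICS.items()}

def build_sample(dll_chars: int, magic: int = 0x20B) -> bytes:
    """Constructed minimal PE header (no sections) used as offline sample input."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    opt_size = 240 if magic == 0x20B else 224
    machine = 0x8664 if magic == 0x20B else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    hardened = build_sample(0x0020 | 0x0040 | 0x0100 | 0x4000)
    for name, on in mitigations(hardened).items():
        print(f"{name:22} {'enabled' if on else 'disabled'}")
```

Replace the constructed sample with the bytes of a real file to compare the output against Manalyze's mitigation plugin.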

People using Manalyze

Contact me or open a pull request if you would like to be added to this list!

Contact

E-Mail Twitter GnuPG
