Manalyze, a static analyzer for PE files
Information on this media
Creation date: July 5, 2016
Speakers: Ivan Kwiatkowski
Company: RMLL
License: CC BY SA v4
Description
During this talk, I would like to present a free open-source (GPLv3) tool, written in C++, that I've been working on for two years in my spare time. It was designed as a helper program which speeds up the job of a malware analyst by automating repetitive tasks. It can also be used for malware triage, in order to determine which files are worth analyzing manually. It has the following architecture:
- A robust PE parser which was designed with malicious and/or malformed PEs in mind. It is currently being fuzzed by AFL (using input files), with no crashes so far.
- A customized version of Yara which can re-use the project's PE parser, accompanied by a set of handmade rules to detect suspicious files.
- Plugins which use and correlate the information collected by the PE parser to infer the program’s behaviour and characteristics.
- An output system which can print out the generated data as text or JSON.
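As an added illustration of the bounds-checked parsing the first point calls for (example code written for this page, not Manalyze's own), the snippet below validates the DOS header, follows e_lfanew and checks the PE signature without ever reading past the end of the buffer; the sample buffers are constructed, not real executables.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

enum class PeStatus { Ok, TooShort, BadMzMagic, BadLfanew, BadPeMagic };
struct PeCheck { PeStatus status; uint32_t pe_offset; };

// Little-endian reads that refuse to step outside the buffer. Written as
// "off > size || size - off < n" so that off + n can never overflow.
static bool read_u16(const std::vector<uint8_t>& b, size_t off, uint16_t& out) {
    if (off > b.size() || b.size() - off < 2) return false;
    out = static_cast<uint16_t>(b[off] | (b[off + 1] << 8));
    return true;
}
static bool read_u32(const std::vector<uint8_t>& b, size_t off, uint32_t& out) {
    if (off > b.size() || b.size() - off < 4) return false;
    out = 0;
    for (int i = 3; i >= 0; --i) out = (out << 8) | b[off + i];
    return true;
}

// Check the DOS header magic ("MZ"), follow e_lfanew (the 32-bit field at
// offset 0x3C) and check the "PE\0\0" signature. Every offset is validated
// against the buffer length before use, so an e_lfanew that points past the
// end of the file (or wraps around) is reported, not dereferenced.
PeCheck check_pe_headers(const std::vector<uint8_t>& file) {
    uint16_t mz = 0;
    if (!read_u16(file, 0, mz)) return {PeStatus::TooShort, 0};
    if (mz != 0x5A4D) return {PeStatus::BadMzMagic, 0};          // "MZ"
    uint32_t lfanew = 0;
    if (!read_u32(file, 0x3C, lfanew)) return {PeStatus::TooShort, 0};
    uint32_t sig = 0;
    if (!read_u32(file, lfanew, sig)) return {PeStatus::BadLfanew, 0};
    if (sig != 0x00004550) return {PeStatus::BadPeMagic, 0};     // "PE\0\0"
    return {PeStatus::Ok, lfanew};
}

// Constructed sample, not a real executable: "MZ", e_lfanew at 0x3C and a
// "PE\0\0" signature at that offset (if it fits), zero-padded to `total`.
std::vector<uint8_t> make_sample(uint32_t lfanew, size_t total, bool sign = true) {
    std::vector<uint8_t> f(total, 0);
    if (total >= 2) { f[0] = 'M'; f[1] = 'Z'; }
    if (total >= 0x40)
        for (int i = 0; i < 4; ++i) f[0x3C + i] = static_cast<uint8_t>(lfanew >> (8 * i));
    if (sign && lfanew <= total && total - lfanew >= 4) { f[lfanew] = 'P'; f[lfanew + 1] = 'E'; }
    return f;
}
```

Feeding the same checks a truncated file, an e_lfanew beyond the end of the buffer, or a near-2^32 e_lfanew yields a status code instead of an out-of-bounds read, which is the property a fuzzer like AFL exercises.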
The following plugins are already included in the tool:
- ClamAV and PEiD signatures - a Python script has been written to convert ClamAV databases into Yara rules.
- Compiler detection
- Suspicious strings (e.g. "cmd.exe", "CurrentVersion\Run", ...)
- Cryptographic algorithms identification
- Packer detection (but no automatic unpacking!)
- Alerts for dangerous import combinations
- Resource analysis and extraction
- Authenticode verification (on Windows only so far), with a twist: if the program claims in its manifest to come from a well-known company like Microsoft or Oracle but isn't signed, flag it as very suspicious
- Submitting file hashes to VirusTotal
The plugin system was intended to be easy to use, and it's (supposed to be) easy for anyone to write their own plugins without having to dive deeply into the project's code. Conversely, the PE parser is intended as a building block for other security projects and can be taken out of Manalyze and put into other projects with no hassle. A lot of effort was put into writing the developer documentation in order to minimize the learning curve for people willing to contribute.
A web portal was also written so people can upload samples and see results without having to compile/run the tool.
Ivan Kwiatkowski
Ivan Kwiatkowski (@JusticeRage) is a 27 year old security researcher from Paris. Noteworthy hobbies include writing fiction and replying to Nigerian scams.