Manalyze, a static analyzer for PE files
During this talk, I would like to present a free, open-source (GPLv3) tool, written in C++, that I have been working on in my spare time for two years. It was designed as a helper program that speeds up the job of a malware analyst by automating repetitive tasks. It can also be used for malware triage, to determine which files are worth analyzing manually. It has the following architecture:
- A robust PE parser designed with malicious and/or malformed PEs in mind. It is currently being fuzzed by AFL (on input files), with no crashes so far.
- A customized version of Yara that can reuse the project's PE parser, accompanied by a set of handmade rules to detect suspicious files.
- Plugins which use and correlate the information collected by the PE parser to infer the program’s behaviour and characteristics.
- An output system which can print out the generated data as text or JSON.
The following plugins are already included in the tool:
- ClamAV and PEiD signatures (a Python script has been written to convert ClamAV databases into Yara rules)
- Compiler detection
- Suspicious strings (e.g. "cmd.exe", "CurrentVersion\Run", ...)
- Cryptographic algorithms identification
- Packer detection (but no automatic unpacking!)
- Alerts for dangerous import combinations
- Resource analysis and extraction
- Authenticode verification (on Windows only so far) with a twist: if the program claims in its manifest to come from a well-known company like Microsoft or Oracle but isn't signed, it is flagged as very suspicious
- Submitting file hashes to VirusTotal
The plugin system was intended to be easy to use, and it is (supposed to be) easy for anyone to write their own plugins without having to dive deeply into the project's code. Conversely, the PE parser is intended as a building block for other security projects and can be taken out of Manalyze and dropped into other projects with no hassle. A lot of effort was put into writing the developer documentation in order to minimize the learning curve for people willing to contribute.
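As an added illustration of the plugin idea described above (example code, not Manalyze's own), here is a Python sketch that correlates fields a PE parser would have extracted into a triage verdict, covering both the "dangerous import combinations" alert and the unsigned-but-claims-a-well-known-vendor twist. The heuristic table, vendor list and sample record are constructed for the example.

```python
import json

# Constructed heuristic table (not Manalyze's own rules): a behaviour and the
# set of imported functions that, seen together, suggest it.
DANGEROUS_IMPORT_COMBOS = {
    "process injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "keylogging": {"SetWindowsHookExA", "GetAsyncKeyState"},
}

# Vendors whose name in the manifest should be backed by an Authenticode signature.
WELL_KNOWN_VENDORS = ("microsoft", "oracle")

def flag_import_combinations(imports):
    """Return the behaviours whose complete API set appears among the imports."""
    present = set(imports)
    return sorted(b for b, apis in DANGEROUS_IMPORT_COMBOS.items() if apis <= present)

def check_vendor_claim(manifest_company, signed):
    """The 'twist': claiming a well-known vendor without a signature is very suspicious."""
    name = (manifest_company or "").lower()
    if any(vendor in name for vendor in WELL_KNOWN_VENDORS) and not signed:
        return "claims %r in manifest but carries no valid Authenticode signature" % manifest_company
    return None

def triage(sample):
    """Correlate fields a PE parser extracted into a verdict, plugin-style."""
    findings = {"dangerous_import_combinations": flag_import_combinations(sample["imports"])}
    vendor_issue = check_vendor_claim(sample.get("manifest_company"), sample.get("signed", False))
    if vendor_issue:
        findings["vendor_claim"] = vendor_issue
    level = "clean"
    if findings["dangerous_import_combinations"]:
        level = "suspicious"
    if vendor_issue:
        level = "very suspicious"
    return {"file": sample["name"], "level": level, "findings": findings}

# Constructed sample standing in for what the parser would return for one file.
SAMPLE = {
    "name": "sample.exe",
    "imports": ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "ExitProcess"],
    "manifest_company": "Microsoft Corporation",
    "signed": False,
}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))  # JSON output, as the tool's output system offers
```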
A web portal was also written so people can upload samples and see results without having to compile/run the tool.
Ivan Kwiatkowski
Ivan Kwiatkowski (@JusticeRage) is a 27-year-old security researcher from Paris. Noteworthy hobbies include writing fiction and replying to Nigerian scams.