Manalyze, a static analyzer for PE files

Keyboard shortcuts

Key

Action

K or space

Play / Pause

Mute / Unmute

Select next subtitles

Select next audio track

Show slide in full page or toggle automatic source change

left arrow

Seek 5s backward

right arrow

Seek 5s forward

shift + left arrow or J

Seek 10s backward

shift + right arrow or L

Seek 10s forward

control + left arrow

Seek 60s backward

control + right arrow

Seek 60s forward

shift + down arrow

Decrease volume

shift + up arrow

Increase volume

shift + coma

Decrease playback speed

shift + dot or shift + semicolon

Increase playback speed

end

Seek to end

beginning

Seek to beginning

Loading Click here to add:

Information on this media

Creation date:

July 5th, 2016, 11:40 a.m.

Add date:

August 6th, 2016, 2:53 p.m.

Number of views:

Speaker:

Ivan Kwiatkowski

Company:

RMLL

License:

CC BY SA v4

Visibility:

This media is published

Description

During this talk, I would like to present a free open-source (GPLv3) tool, written in C++, that I’ve been working on for two years on my spare time. It was designed as a helper program which speeds-up the job of a malware analyst by automating repetitive tasks. It can also be used for malware triage, in order to determine which files are worth analyzing manually. It has the following architecture :

A robust PE parser which was designed with malicious and/or malformed PEs in mind. It is currently being fuzzed by AFL (input files used), with no crashes so far.
A customized version of Yara which can re-use the project’s PE parser, accompanied with a set of handmade rules to detect suspicious files.
Plugins which use and correlate the information collected by the PE parser to infer the program’s behaviour and characteristics.
An output system which can print out the generated data as text or JSON.

The following plugins are already included in the tool:

ClamAV and PEiD signatures - a Python script has been written to convert ClamAV databases into Yara rules.
Compiler detection
Suspicious strings (i.e. “cmd.exe”, “CurrentVersion\Run”, …)
Cryptographic algorithms identification
Packer detection (but no automatic unpacking!)
Alerts for dangerous import combinations
Resource analysis and extraction
Authenticode verification (on Windows only so far) with a twist (if the program pretends to come from a well-known company like Microsoft or Oracle in the manifest but isn’t signed, flag it as very suspicious)
Submitting file hashes to VirusTotal

The plugin system was intended to be easy to use, and it’s (supposed to be) easy for anyone to write their own plugins without having to dive deeply into the project’s code. Conversely, the PE parser is intended as a buiding block for other security projects and can be taken out from Manalyze and put into other projects with no hassle. A lot of effort was put into writing the developer documentation in order to minimize the learning curve for people willing to contribute.

A web portal was also written so people can upload samples and see results without having to compile/run the tool.

Ivan Kwiatkowski

Ivan Kwiatkowski (@JusticeRage) is a 27 year old security researcher from Paris. Noteworthy hobbies include writing fiction and replying to Nigerian scams.

https://sec2016.rmll.info