Manalyze can be used in two ways: installed locally in your own environment, or through the project's ready-to-use online service, which requires no installation. PE files can be uploaded for analysis at the project's official web address.
Public services such as the Manalyze web service typically share submitted files and their analysis results with other users. Uploading a sample therefore risks exposing potentially sensitive data to the public, which makes this option less suitable in professional settings.
In this section of the course, we will install and use Manalyze in a lab environment running Ubuntu.
The installation involves a few simple steps, which are outlined below:
root@letsDefend:/home/letsdefend/files/# apt-get install libboost-regex-dev libboost-program-options-dev libboost-system-dev libboost-filesystem-dev libssl-dev build-essential cmake git
root@letsDefend:/home/letsdefend/files/# git clone https://github.com/JusticeRage/Manalyze.git && cd Manalyze
root@letsDefend:/home/letsdefend/files/Manalyze# cmake .
root@letsDefend:/home/letsdefend/files/Manalyze# make -j5
root@letsDefend:/home/letsdefend/files/# sudo ln -s -f /usr/bin/gcc-11 /usr/bin/gcc
root@letsDefend:/home/letsdefend/files/Manalyze/bin# yara_rules/update_clamav_signatures.py
root@letsDefend:/home/letsdefend/files/Manalyze# cd bin && ./manalyze --version
If the installation steps are completed without errors, you will see output similar to the image below:
In the previous lesson, we saw that the file "putty.exe", which the "file" command identified as a PE32+ executable, produced the output shown in the figure below when analyzed with Manalyze:
Manalyze accepts parameters that produce more detailed output. For example, to analyze the "putty.exe" file, you can use the following command:
./manalyze -dresources -dexports -x out/ ../../putty.exe
The parameters in this command are explained as follows:
-dresources: Short for --dump=resources. Dumps the PE's resource directory, which holds icons, menus, dialog templates, version information, manifests and other static data embedded in the executable.
-dexports: Short for --dump=exports. Dumps the export table, i.e. the functions and other symbols the file exposes to other modules. This is most useful for library files (DLLs), which export functions for other programs to import.
-x out/: Short for --extract. Writes the file's embedded resources (not the analysis report) as separate files into the "out/" directory. The report itself is still printed to the terminal.
When the command is executed, you will see output similar to the one below. The dump of the PE file's resource directory is shown in the image:
./manalyze -dresources -dexports -x out/ ../../putty.exe
The extracted resources can then be found as individual files in the "out" directory:
Beyond dumping and extracting content, an important capability of Manalyze is signature-based detection: the file is matched against PEiD packer signatures and against the ClamAV signatures installed by the update script during installation. To test this feature, follow these steps:
First, download the Malware Test PE file provided by Palo Alto:
URL : https://wildfire.paloaltonetworks.com/publicapi/test/pe
CAUTION! This file is published as a malware test sample and is classified as malicious by security products. Download and analyze it only inside an isolated sandbox environment.
When this sample is analyzed with Manalyze, the output looks like this:
The "SUSPICIOUS" verdict at the bottom of the output comes from the signature-based checks. The trigger here is the "PEiD Signature" entry: the bytes at the program's entry point match a known packer signature, and Manalyze's packer-detection plugin rates packed executables as suspicious because packing hides the real code from static analysis. Note that this is a packer signature, not a malware signature: packing alone is a warning sign, not proof of malicious intent, since legitimate software is packed too. The signature identifies the packer as "PolyEne 0.01+".
"PolyEne 0.01+ by Lennart Hedlund" is an older executable packer. A file packed with it must be unpacked before its real code can be examined statically.
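As an added illustration (example code written for this page, not Manalyze's own source), the script below shows how PEiD-style packer matching works in principle: it parses signatures written in PEiD's userdb syntax, locates the entry point of a PE file by translating AddressOfEntryPoint through the section table, tests "ep_only" signatures at that single offset, and scans the whole file for the rest. Both the minimal PE image and the two signatures are constructed for the demo; they are not the real PolyEne signature, and the PE is not a runnable program.

```python
"""Constructed example: PEiD-style packer signature matching, the idea behind the
"PEiD Signature" line in Manalyze's output. Not Manalyze's code; the PE image and
the signature database below are made up and are NOT real packer signatures."""
import struct
from typing import List, NamedTuple, Optional, Tuple


class Signature(NamedTuple):
    name: str
    pattern: Tuple[Optional[int], ...]  # None stands for a "??" wildcard byte
    ep_only: bool                       # True: test only at the entry point


def parse_peid_signatures(text: str) -> List[Signature]:
    """Parse PEiD userdb syntax: [name] / signature = .. / ep_only = true|false."""
    sigs: List[Signature] = []
    name, pattern, ep_only = None, (), True
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            if name is not None:
                sigs.append(Signature(name, pattern, ep_only))
            name, pattern, ep_only = line[1:-1], (), True
        elif line.lower().startswith("signature"):
            toks = line.split("=", 1)[1].split()
            pattern = tuple(None if t == "??" else int(t, 16) for t in toks)
        elif line.lower().startswith("ep_only"):
            ep_only = line.split("=", 1)[1].strip().lower() == "true"
    if name is not None:
        sigs.append(Signature(name, pattern, ep_only))
    return sigs


def entry_point_offset(pe: bytes) -> int:
    """Turn AddressOfEntryPoint (an RVA) into a file offset using the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (nsections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    (ep_rva,) = struct.unpack_from("<I", pe, opt + 16)  # same offset in PE32 and PE32+
    sections = opt + opt_size
    for i in range(nsections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, sections + 40 * i + 8)
        if vaddr <= ep_rva < vaddr + max(vsize, rawsize):
            return rawptr + (ep_rva - vaddr)
    raise ValueError("entry point lies outside every section")


def matches_at(data: bytes, offset: int, pattern: Tuple[Optional[int], ...]) -> bool:
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def scan(pe: bytes, sigs: List[Signature]) -> List[str]:
    """Names of all matching signatures. ep_only rules are cheap (one offset);
    the others need a full-file scan, which is why PEiD prefers ep_only."""
    ep = entry_point_offset(pe)
    hits = []
    for sig in sigs:
        if not sig.pattern:
            continue
        if sig.ep_only:
            found = matches_at(pe, ep, sig.pattern)
        else:
            found = any(matches_at(pe, off, sig.pattern)
                        for off in range(len(pe) - len(sig.pattern) + 1))
        if found:
            hits.append(sig.name)
    return hits


def build_sample_pe(ep_code: bytes, extra: bytes = b"") -> bytes:
    """Assemble a minimal PE32 image (constructed, not runnable): one .text section
    at RVA 0x1000 / file offset 0x200, with the entry point at its first byte."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0x60, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0x200, 0, 0, 0x1000)     # ends with AddressOfEntryPoint
    opt += b"\0" * (0x60 - len(opt))
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + coff + opt + sect).ljust(0x200, b"\0")
    return headers + (ep_code + extra).ljust(0x200, b"\0")


# Constructed signature database; stub A mimics the generic pushad / call $+5 /
# pop ebp / sub ebp "delta" prologue many packers start with, marker B is arbitrary.
SIGNATURE_DB = """
[Constructed stub A]
signature = 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ??
ep_only = true

[Constructed marker B]
signature = DE AD BE EF
ep_only = false
"""
STUB_A = bytes.fromhex("60E8000000005D81ED12345678")
MARKER_B = bytes.fromhex("DEADBEEF")

if __name__ == "__main__":
    sigs = parse_peid_signatures(SIGNATURE_DB)
    packed = build_sample_pe(STUB_A, MARKER_B)
    print(f"entry point at file offset {entry_point_offset(packed):#x}")
    print("matches:", scan(packed, sigs))
    # Same stub bytes, but not at the entry point: the ep_only rule no longer fires.
    print("matches:", scan(build_sample_pe(b"\x90" * 16, STUB_A), sigs))
```

The second scan makes the practical point: an ep_only signature only fires when the packer stub sits exactly at the entry point, so a slightly rearranged stub evades it while still being a packer, and conversely a hit only names the packer, never the malware family inside it.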