.. Manalyze documentation master file, created by
   sphinx-quickstart on Sun Dec 13 19:39:10 2015.
   You can adapt this file completely to your liking, but it should at least
   contain the root `toctree` directive.

Welcome to Manalyze's documentation!
====================================

Manalyze performs static analysis on PE files, in order to detect signs of malicious behavior. It is a versatile tool with a robust parser and a set of built-in tests, but can also be extended easily. You can use Manalyze to:

* Detect packed executables
* Apply ClamAV and Yara signatures
* Look for suspicious import combinations (i.e. ``CreateRemoteThread`` + ``WriteProcessMemory``)
* Analyze and extract resources
* Identify cryptographic algorithms used
* Submit hashes to VirusTotal
* Verify authenticode signatures
* ...and more.

Here is a sample report generated by the tool for ``643654975b63a9bb6f597502e5cd8f49``, a sample taken from the `Siesta`_ campaign::

	Summary:
	--------
	Architecture:       IMAGE_FILE_MACHINE_I386
	Subsystem:          IMAGE_SUBSYSTEM_WINDOWS_GUI
	Compilation Date:   2014-Jan-14 04:38:30
	Detected languages: Chinese - PRC

	[ MALICIOUS ] Matching ClamAV signature(s):
			Win.Backdoor.Sloth

	Matching compiler(s):
			MASM/TASM - sig4 (h)
			Microsoft Visual C++
			Microsoft Visual C++ v6.0

	[ SUSPICIOUS ] PEiD Signature:
			Armadillo v1.71

	Cryptographic algorithms detected in the binary:
			Uses constants related to DES

	The PE contains common functions which appear in legitimate applications.
		[!] The program may be hiding some of its imports:
			GetProcAddress
			LoadLibraryA
		Possibly launches other programs:
			CreateProcessA
			ShellExecuteA
		Can create temporary files:
			CreateFileA
			GetTempPathA

	[ MALICIOUS ] The PE is possibly a dropper.
			Resource 108 detected as a PDF document.
			Resource 109 detected as a PE Executable.
			Resources amount for 93.026% of the executable.

	[ MALICIOUS ] VirusTotal score: 38/56 (Scanned on 2015-10-26 15:07:59)
			MicroWorld-eScan: Gen:Variant.Zusy.23178
			CAT-QuickHeal: Trojan.Comisproc.r4
			[...]

This sample is a dropper of (allegedly) Chinese origin which displays a PDF file upon launch and encrypts its strings with the DES algorithm: all of which could have been guessed from reading the analysis report.

In the first part of this documentation, you will learn how to obtain and use the tool. The second part focuses on Manalyze's plugin system, should you wish to extend its capabilities.

.. _Siesta: https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-the-siesta-campaign.html

Contents:

.. toctree::
   :maxdepth: 3
   
   user
   developer
   interfacing


Indices and tables
==================

* :ref:`genindex`
* :ref:`modindex`
* :ref:`search`