
manalyze's People

Contributors

gy741, itayc0hen, jeromeleonard, justicerage, kaganisildak, rc0r, wesinator


manalyze's Issues

Error parsing ldb file

Hello,

This might be a case of user error, but when I try to run parse_clamav.py against a custom set of clam rules (https://raw.githubusercontent.com/wmetcalf/clam-punch/master/miscreantpunch099.ldb) it'll generate an error

Unable to understand the following offset: 48344426616d703b48354126616d703b*48353426616d703b48363826616d703b48363926616d703b48373326616d703b48323026616d703b48373026616d703b48373226616d703b48366626616d703b48363726616d703b48373226616d703b48363126616d703b48366426616d703b

This appears to be from this line in the ldb file.

MiscreantPunch.EXEInsideOfDoc.ASASCII.2;Target:0;(0);48344426616d703b48354126616d703b*48353426616d703b48363826616d703b48363926616d703b48373326616d703b48323026616d703b48373026616d703b48373226616d703b48366626616d703b48363726616d703b48373226616d703b48363126616d703b48366426616d703b::i

Any help you can give would be greatly appreciated!

Infinite loop when parsing resources

manalyze_infloop.zip

CAUTION: malware attached

The file in the attached zip gives an infinite loop when parsing resources, spamming the following error messages:

[*] Warning: The PE contains duplicate resources. It was almost certainly crafted manually.
[*] Warning: Could not locate the section containing resource 65280. Trying to use the RVA as an offset...
[*] Warning: Resource 65280 has a size of 0!

Seems to be related to size 0 resources.

Could not load yara rules

Hi!

I have a problem with the Yara rules. When I try to run an analysis (Example: manalyze sample.exe -p strings), I have the following error:

[!] Error: Could not load yara_rules/suspicious_strings.yara!
[!] Error: Could not load yara_rules/domains.yara!
* Manalyze 0.9 *

I checked the folder "/usr/local/manalyze/yara_rules" and there are Yara's rules.

Can you help me with this problem, please?

Clamav Cloudflare DDoS protection causes signature updater to fail.

Clamav has recently started using Cloudflare to front their signature download page. If you use Python, then the response will be a 403. The text says that it wants cookies to be enabled. Using a web browser works fine to download the AV update package.

>>> import requests
>>> r = requests.get("http://database.clamav.net/daily.cvd")
>>> r
<Response [403]>

Add a make install command

E-mail received a few days ago:

I've been using your Manalyzer for a few days on Linux to try to triage some binaries. Thanks for all your work, btw. I'd like to start using it on a wider basis and would like to be able to do a "make install" to have it available to everyone on my Linux system. After a successful build, though:

[gcomeaux@localhost Manalyze]$ make install
make: *** No rule to make target `install'. Stop.

... Is there any way to easily get an installation with all dependencies in their proper place? I'm not a CMake expert, but there must be some way to specify a CMake target to get that working.

Thank you for any thoughts or suggestions.

Rule Seems to be Malformed, skipping

I get that when I run update_clamav_signatures.py. Cropped result of this is below:

Rule Win.Dropper.Zeus-9956976-0 seems to be malformed. Skipping...
Rule Win.Malware.Generic-9956990-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Malware.Wingo-9956993-0. Skipping...
Rule Win.Virus.Expiro-9957000-0 seems to be malformed. Skipping...
Rule Win.Dropper.Zeus-9957002-0 seems to be malformed. Skipping...
Rule Win.Packed.Vbkryjetor-9957003-0 seems to be malformed. Skipping...
Rule Win.Malware.Conjar-9957004-0 seems to be malformed. Skipping...
Rule Win.Dropper.Detected-9957005-0 seems to be malformed. Skipping...
Rule Win.Dropper.Detected-9957006-0 seems to be malformed. Skipping...
Rule Win.Packed.Trojanx-9957008-0 seems to be malformed. Skipping...
Rule Win.Packed.Coantor-9957009-0 seems to be malformed. Skipping...
Rule Win.Packed.Msilheracles-9957011-0 seems to be malformed. Skipping...
Rule Win.Trojan.Generic-9957017-0 seems to be malformed. Skipping...
Rule Win.Packed.Generickdz-9957018-0 seems to be malformed. Skipping...
Rule Win.Dropper.LokiBot-9957019-0 seems to be malformed. Skipping...
Rule Win.Virus.Ramnit-9957027-0 seems to be malformed. Skipping...
Rule Win.Dropper.LokiBot-9957036-0 seems to be malformed. Skipping...
Rule Win.Dropper.Zeus-9957041-0 seems to be malformed. Skipping...

It happens for all of the downloaded updates

Error converting the latest ClamAV rules

The latest ClamAV rules are not converted properly and cause the ClamAV plugin to be dysfunctional.

[!] Error: Could not compile yara rules (1 error(s)).
[!] Error: ClamAV rules haven't been generated yet!
[!] Error: Please run yara_rules/update_clamav_signatures.py to create them, and refer to the documentation for additional information.

Error parsing main.cvd file

C:\Users\50CAL\Manalyze\bin\yara_rules>python update_clamav_signatures.py
Downloading: main.cvd Bytes: 117892267
Rule Win.Trojan.EOL-1 seems to be malformed. Skipping...

Use of potentially uninitialized FILE pointer in PE::get_raw_bytes()

Hi,

I came across just another minor issue. Consider the following:

int main(int argc, char *argv[]) {
  // check argc == 2
  mana::PE pe(argv[1]);
  pe.get_raw_bytes(-1);
  return 0;
}

In case argv[1] is set to a nonexistent file this will segfault during fseek() called from PE::get_raw_bytes() since PE::_file_handle is not initialized and doesn't point to a proper FILE object.
Since all the other methods of the PE class that operate on _file_handle have a nullptr check I assumed such a check wasn't intentionally omitted.

Cheers
rc0r

Got a Question

Where can I learn to use the functions in the windows.h file?

Import analyzer plugin rule suggestions vol. 2

LoadDriver Yet another LoadLibrary replacement
LoadTypeLib Possible LoadLibrary replacement?
waveInOpen|DirectSoundCaptureCreate Records audio
EnableRouter|SetAdapterIpAddress|SetIpInterfaceEntry Messes with the network configuration
OleGetClipboard Reads the clipboard
CertAddCertificateContextToStore|CertOpenSystemStore Manipulates the system certificate store
InitiateShutdown|ExitWindows Turns the system off
Wmi* Uses WMI
SHTestTokenMembership|CheckTokenMembership|IsUserAnAdmin Checks for privileges
SHEnumKeyEx Another way to access the registry

Unable to parse ClamAV signatures

C:\Users\50CAL\Manalyze\bin\yara_rules>python update_clamav_signatures.py
Downloading: main.cvd Bytes: 117892267
Rule Win.Trojan.EOL-1 seems to be malformed. Skipping...
Downloading: daily.cvd Bytes: 41899296
Rule Eicar-Test-Signature already exists!
Unable to translate a logical signature for Html.Phishing.DropboxVM-1. Skipping...
Unable to translate a logical signature for Win.Worm.Njrat-2. Skipping...
Unable to translate a logical signature for Win.Trojan.B-468. Skipping...
Unable to translate a logical signature for Win.Dropper.Agent-1388636. Skipping...
Unable to translate a logical signature for Win.Dropper.Kuluoz-2905. Skipping...
Unable to translate a logical signature for Win.Trojan.Zbot-64725. Skipping...
Unable to translate a logical signature for Win.Downloader.Dalexis-24. Skipping...
Unable to translate a logical signature for Win.Trojan.Fareit-403. Skipping...
Unable to translate a logical signature for Win.Trojan.PoseidonURL-1. Skipping...
Unable to translate a logical signature for Win.Downloader.Upatre-6142. Skipping...
Unable to translate a logical signature for Legacy.Trojan.Agent-1388638. Skipping...
Unable to translate a logical signature for Win.Trojan.Mrblack-2. Skipping...
Unable to translate a logical signature for Win.Trojan.ProjectHook-1. Skipping...
Rule Win.Trojan.ssid18332-1 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.UPS-1. Skipping...
Unable to translate a logical signature for Win.Ransomware.Cerber-8. Skipping...
Unable to translate a logical signature for Win.Ransomware.Cerber-10. Skipping...
Rule Img.Exploit.CVE_2016_5684-1 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Athena-5329665-0. Skipping...
Rule Txt.Downloader.Generic-5657804-1 seems to be malformed. Skipping...
Rule Txt.Downloader.Generic-5657855-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744087-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744089-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744090-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744092-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744093-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744094-0 seems to be malformed. Skipping...
Rule Win.Trojan.Xtreme-5744910-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Vbswap-5909855-1. Skipping...
Unable to translate a logical signature for Win.Ransomware.Cerber-6162245-0. Skipping...
Rule Win.Exploit.CVE_2017_0080-6184298-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Ransomware.PyCL-6185098-3. Skipping...
Unable to translate a logical signature for Win.Trojan.ROKRAT-6189297-0. Skipping...
Unable to translate a logical signature for Win.Trojan.ROKRAT-6189299-0. Skipping...
Unable to translate a logical signature for Win.Trojan.Bladabindi-6196648-0. Skipping...
Unable to translate a logical signature for Win.Trojan.Bladabindi-6196650-0. Skipping...
Unable to translate a logical signature for Win.Virus.Hematite-6232506-0. Skipping...
Rule Swf.Exploit.CVE_2017_2934-6261685-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Generic-6268209-0. Skipping...
Rule Win.Exploit.CVE_2016_3301-5259504-1 seems to be malformed. Skipping...
Rule Js.Downloader.Generic-6296416-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Generic-6297788-0. Skipping...
Rule Win.Exploit.CVE_2017_3036-6309463-0 seems to be malformed. Skipping...
Rule Archive.Exploit.CVE_2017_2823-6316562-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Generic-6323528-0. Skipping...
Rule Html.Exploit.CVE_2016_7288-6327688-0 seems to be malformed. Skipping...
Rule Win.Exploit.CVE_2017_2781-6316049-1 seems to be malformed. Skipping...
Unable to understand the following offset: 5c6a706567626c6970{-250}66666438
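The two failures quoted in this thread and in "Error parsing ldb file" above both involve ClamAV hex-signature syntax that has to be rewritten before YARA will accept it: the `*` any-length wildcard, the `{-250}` byte range, and the `::i` subsignature modifier (ClamAV's case-insensitive flag, which YARA hex strings cannot carry). The translator below is an added example, not Manalyze's own parse_clamav.py or update_clamav_signatures.py; it covers the constructs visible on this page plus `??`, nibble wildcards and `(aa|bb)` alternatives, and refuses anything else with a reason so the caller can skip the rule instead of emitting YARA that fails to compile. The signature names and the bodies other than the two quoted above are constructed for the example, and the MiscreantPunch body is a shortened form of the one in the issue.

```python
"""ClamAV hex-subsignature body -> YARA hex string (added example)."""
import re

# One ClamAV token: a byte (with optional nibble wildcards), a byte range
# {n} / {n-m} / {-m} / {n-}, the any-length wildcard '*', or an alternative
# group '(aa|bb)'.  Anything else is a translation failure.
_TOKEN = re.compile(r"""
    (?P<byte>[0-9a-fA-F?]{2})
  | \{(?P<lo>\d*)(?P<dash>-?)(?P<hi>\d*)\}
  | (?P<star>\*)
  | \((?P<alt>[0-9a-fA-F|]+)\)
""", re.VERBOSE)


class Untranslatable(ValueError):
    """A ClamAV construct with no YARA hex-string equivalent."""


def _range_to_jump(lo, dash, hi):
    """Map a ClamAV byte range to a YARA jump (YARA has no bare [-m] form)."""
    if not dash:
        if not lo:
            raise Untranslatable("empty byte range {}")
        return f"[{int(lo)}]"                    # {n}   -> [n]
    if lo and hi:
        return f"[{int(lo)}-{int(hi)}]"          # {n-m} -> [n-m]
    if hi:
        return f"[0-{int(hi)}]"                  # {-m}  -> [0-m]
    if lo:
        return f"[{int(lo)}-]"                   # {n-}  -> [n-]
    raise Untranslatable("empty byte range {-}")


def _bytes_spaced(hexstr):
    return " ".join(hexstr[i:i + 2].lower() for i in range(0, len(hexstr), 2))


def clamav_hex_to_yara(body):
    """Return a YARA hex string such as '{ 5c 6a [0-250] 66 }', or raise."""
    # ClamAV 0.99+ subsignature modifiers: ::i nocase, ::w wide, ::f fullword,
    # ::a ascii.  A YARA hex string accepts none of them, so refuse rather
    # than silently drop the modifier and weaken (or change) the match.
    if "::" in body:
        body, mods = body.split("::", 1)
        if mods:
            raise Untranslatable(f"subsignature modifier '::{mods}' unsupported for hex strings")
    parts, pos = [], 0
    while pos < len(body):
        m = _TOKEN.match(body, pos)
        if m is None:
            raise Untranslatable(f"unrecognised syntax at offset {pos}: {body[pos:pos + 12]!r}")
        pos = m.end()
        if m.group("byte"):
            parts.append(m.group("byte").lower())
        elif m.group("star"):
            parts.append("[-]")
        elif m.group("alt") is not None:
            choices = m.group("alt").split("|")
            if any(not c or len(c) % 2 for c in choices):
                raise Untranslatable(f"malformed alternative group ({m.group('alt')})")
            parts.append("( " + " | ".join(_bytes_spaced(c) for c in choices) + " )")
        else:
            parts.append(_range_to_jump(m.group("lo"), m.group("dash"), m.group("hi")))
    if not parts:
        raise Untranslatable("empty signature body")
    # Older YARA versions reject a hex string that begins or ends with a jump.
    if parts[0].startswith("[") or parts[-1].startswith("["):
        raise Untranslatable("hex string cannot begin or end with a jump")
    return "{ " + " ".join(parts) + " }"


# Constructed sample set: the two bodies quoted in the issues (the second
# shortened) plus invented ones that exercise each construct.
SAMPLE_SIGNATURES = {
    "Txt.Test.Offset-1": "5c6a706567626c6970{-250}66666438",
    "MiscreantPunch.EXEInsideOfDoc.ASASCII.2": "48344426616d703b*48353426616d703b::i",
    "Constructed.Alternatives-1": "4d5a(9000|0000)??4?{4-8}50450000",
    "Constructed.BadRange-1": "4d5a{}5045",
    "Constructed.TrailingStar-1": "4d5a5045*",
}


def translate_signatures(sigs):
    """Translate name->body; returns (yara_strings, skipped_with_reason)."""
    done, skipped = {}, {}
    for name, body in sigs.items():
        try:
            done[name] = clamav_hex_to_yara(body)
        except Untranslatable as exc:
            skipped[name] = str(exc)
    return done, skipped


if __name__ == "__main__":
    ok, bad = translate_signatures(SAMPLE_SIGNATURES)
    for name, yara in ok.items():
        print(f"{name}: {yara}")
    for name, why in bad.items():
        print(f"Rule {name} seems to be malformed ({why}). Skipping...")
```

The skip messages carry the reason, which is the piece missing from the "seems to be malformed. Skipping..." lines above: with it, a batch of failures can be grouped by construct (modifier, empty range, leading/trailing wildcard, unknown token such as ClamAV's `(B)`/`(L)`/`(W)` boundary classes) instead of being reported one rule at a time.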

Nullptr dereference in Resource::extract()

Hi,

In case Resource::extract() is called with an invalid destination argument, the calling process segfaults because fwrite() tries to write to a FILE * object which in fact is NULL.

I'd consider this a minor bug, since one could argue using the API in a wrong way is the user's fault. However in that case you may want to avoid the segmentation fault and guide your users by providing an appropriate error message.

So a patch could look something like the following (disclaimer: untested!):

FILE* out = fopen(destination.string().c_str(), "a+");

+ if(out == nullptr) {
+     PRINT_ERROR << "Opening file " << destination.string().c_str() << " failed!" << std::endl;
+     return false;
+ }
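Review bot: the new early return discards the reason fopen() failed; the message "Opening file ... failed!" should include strerror(errno) (or the equivalent the project's logging uses) so the caller can tell a missing directory from a permission or disk-full problem. While touching this line, note that the unchanged `fopen(destination.string().c_str(), "a+")` appends to an existing destination in text mode, so extracting the same resource twice yields a concatenated file; if the intent is a fresh binary dump, "wb" is the mode to use.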

Cheers
rc0r

Unusual section name found: .orpc

This is from the proxy stub code generated by midl.

Example: test_p.c

/* this ALWAYS GENERATED file contains the proxy stub code */

 /* File created by MIDL compiler version 8.01.0628 */

...

#pragma code_seg(".orpc")
static const unsigned short IChildFrame_FormatStringOffsetTable[] =
    {
    0,
    42,
    84,
    126
    };

crash in Section::get_raw_data() const

    FILE* f = fopen(_path.c_str(), "rb");
    if (f == nullptr || fseek(f, _pointer_to_raw_data, SEEK_SET))
    {
        fclose(f);
        return res;
    }

This condition is wrong: if f == nullptr, fclose(nullptr) is called, which leads to a crash.

error running update_clamav_signatures.py

This is a snippet of the output. It seems nearly every rule breaks this.

Rule Win.Downloader.Upatre-9937450-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-9937452-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-9937455-0 seems to be malformed. Skipping...
Rule Win.Trojan.Generic-9937463-0 seems to be malformed. Skipping...
Rule Win.Ransomware.TeslaCrypt-9937465-0 seems to be malformed. Skipping...
Rule Win.Downloader.Stantinko-9937476-0 seems to be malformed. Skipping...
Rule Win.Trojan.Emotet-9937498-0 seems to be malformed. Skipping...
Rule Win.Packed.Msilzilla-9937499-0 seems to be malformed. Skipping...

install error

Hi

I am writing to you regarding an issue I encountered while installing the Manalyze program. After installing the necessary dependencies, when I proceeded to execute the command "make -j5," I encountered the following error:

/home/rpadmin/Manalyze-master/plugins/plugin_virustotal/json_spirit/json_spirit_reader_template.h:446:114: error: ‘boost::placeholders’ has not been declared
Uint64_action new_uint64 ( boost::bind( &Semantic_actions_t::new_uint64, &self.actions_, boost::placeholders::_1 ) );

I believe this error is related to the use of 'boost::placeholders' in the code, which seems to be causing a declaration issue. In order to resolve this problem, I would greatly appreciate your guidance and assistance.

Could you please provide me with instructions on how to address this error? I would be grateful for any insights or suggestions you can offer. I am eager to successfully install and utilize the Manalyze program for my needs.

Thank you for your attention to this matter. I look forward to your prompt response.
OS: UbuntuServer 16.04

PolyEnE_0_01 false positive

Hello,

In the file bin/yara_rules/peid.yara, the rule for PolyEnE_0_01__by_Lennart_Hedlund should be deleted because it detects false positives.

So please remove the following lines :

rule PolyEnE_0_01__by_Lennart_Hedlund
{
    meta:
        packer_name = "PolyEnE 0.01+ by Lennart Hedlund"
    strings:
        $a0 = { 60 00 00 E0 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 60 00 00 E0 }
    condition:
        $a0
}

error: ‘SSL_R_SHORT_READ’ was not declared in this scope

System info:
uname -svrom: Linux 4.9.0-1-amd64 #1 SMP Debian 4.9.6-3 (2017-01-28) x86_64 GNU/Linux
lsb_release -c: stretch
When invoking the command: make
The following error appears:
/home/pierre/Manalyze/plugins/plugin_virustotal/plugin_virustotal.cpp: In function ‘bool plugin::vt_api_interact(const string&, const string&, std::__cxx11::string&, plugin::sslsocket&)’:
/home/pierre/Manalyze/plugins/plugin_virustotal/plugin_virustotal.cpp:276:84: error: ‘SSL_R_SHORT_READ’ was not declared in this scope
 if (error != boost::asio::error::eof && error.value() != ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SHORT_READ)) {
                                                                                    ^
CMakeFiles/plugin_virustotal.dir/build.make:62 : la recette pour la cible « CMakeFiles/plugin_virustotal.dir/plugins/plugin_virustotal/plugin_virustotal.cpp.o » a échouée

Version Disclosure (nginx)

Hello team,
I've detected a version disclosure (Nginx) in the target web server's HTTP response. This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Nginx.

URL: https://manalyzer.org/
HTTP Response:
HTTP/1.1 200 OK
Server: nginx/1.2.1
Connection: keep-alive
Content-Encoding:
Strict-Transport-Security: max-age=15768000
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Date: Tue, 11 Apr 2017 00:02:26 GMT

identified version: 1.2.1

and you are using an out-of-date version of Nginx. Since this is an old version of the software, it may be vulnerable to attacks.

Installation error: Ubuntu 18.04

Hi there,

I'm trying to install Manalyze following the instructions on the documentation in the Linux section.
uname -a
Output:
Linux 4.18.0-17-generic #18~18.04.1-Ubuntu SMP Fri Mar 15 15:27:12 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

When I run sudo cmake . I get the following error stacktrace:

james@james-Aspire-VN7-593G:/home/Manalyze$ sudo cmake .
[sudo] password for james: 
-- The C compiler identification is GNU 7.3.0
-- The CXX compiler identification is GNU 7.3.0
-- Check for working C compiler: /usr/bin/cc
-- Check for working C compiler: /usr/bin/cc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Check for working CXX compiler: /usr/bin/c++
-- Check for working CXX compiler: /usr/bin/c++ -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Found Git: /usr/bin/git (found version "2.17.1") 
-- Boost version: 1.65.1
-- Found the following Boost libraries:
--   regex
--   system
--   filesystem
--   program_options
-- Found OpenSSL: /usr/lib/x86_64-linux-gnu/libcrypto.so (found version "1.1.0g") 
Checking out yara...
Cloning into 'external/yara'...
fatal: unable to access 'https://github.com/JusticeRage/yara.git/': Could not resolve host: github.com
Checking out hash-library...
Cloning into 'external/hash-library'...
CMake Error at CMakeLists.txt:131 (add_subdirectory):
  add_subdirectory given source "external/yara" which is not an existing
  directory.


-- Configuring incomplete, errors occurred!
See also "/home/Manalyze/CMakeFiles/CMakeOutput.log".

Any assistance would be greatly appreciated!
Many thanks

Slowdowns on malformed PEs which have a high number of sections

It was reported that PE files with a very high number of sections cause the analysis to be extremely slow.
The issue has been traced down to Section::get_raw_data() which opens and closes the input file with every call. The file handle should be cached and sanity checks need to be put in place to prevent unnecessary operations.

The result of PE::get_filesize should also be cached instead of being computed with every call.

Exporting JSON to a File

Is there any way to save the JSON output to a file? I guess I could also parse through the console output, but it would be helpful to download it directly to a file.

Macos 13.5 cmake error

ld: unknown option: -rpath=$ORIGIN
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make[2]: *** [bin/manalyze] Error 1
make[1]: *** [CMakeFiles/manalyze.dir/all] Error 2
make: *** [all] Error 2

manalyze memory/CPU time exhaustion

Hi,

fuzzing manalyze discovered the following crash:

original sample - DoS.dll (28K) (md5: acf1bffb70226d182bc0fef847f5c867)

The crash surfaced because afl-fuzz uses a memory limit during fuzzing. Running manalyze directly on the provided sample did not crash the process on my quite decent box. However massive amounts of virtual memory (>80Gb) were used when processing the file. This probably just didn't cause any real havoc because I have quite a large swap partition. Nevertheless this whole process bogged down my box for several minutes:

$ time manalyze DoS.dll
# ...
manalyze   170.76s user 280.52s system 65% cpu 11:28.31 total

To simulate a less powerful machine I used ulimit -v 10000000 limiting the virtual memory to ~10G. Using this setup manalyze SIGABRT's very soon:

$ ulimit -v 10000000 # kbytes
$ time manalyze DoS.dll
# ...
terminate called after throwing an instance of 'std::bad_alloc'
  what():  std::bad_alloc
[2]    17055 abort (core dumped)  ./manalyze 
manalyze   7.59s user 8.62s system 14% cpu 1:52.14 total

$ ls -l core.17055 
-rw------- 1 rc0r rc0r 9.5G Oct 24 11:20 core.17055

I did not try running this on a system with much less memory available than I had. But at best I'd expect the memory allocation to fail as in the ulimited test I did.

Let me know if you need any further info or assistance in order to diagnose the problem!

Could not compile yara rules

Ran the clamav update script but when running manalyze it does not compile the yara rules due to syntax errors

[!] Error: [Yara compiler] yara_rules/clamav.yara(972693) : syntax error, unexpected '{', expecting text string
[!] Error: [Yara compiler] yara_rules/clamav.yara(1003499) : syntax error, unexpected string identifier, expecting '}'
[!] Error: Could not compile yara rules (2 error(s)).
[!] Error: ClamAV rules haven't been generated yet!
[!] Error: Please run yara_rules/update_clamav_signatures.py to create them, and refer to the documentation for additional information.

I have run yara_rules/update_clamav_signatures.py however it seems to skip a lot of rules due to them being malformed.

Server-side request forgery on manalyzer.org via url upload

Hi manalyzer team

There is an SSRF in the upload-via-URL request; as you can see here, the SSH version you use is leaked in the response:

  • Request
POST /upload HTTP/1.1
Host: manalyzer.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------210165242507531672849060397
Content-Length: 186
Origin: https://manalyzer.org
Connection: close
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------210165242507531672849060397
Content-Disposition: form-data; name="url"

http://127.0.0.1:22/
-----------------------------210165242507531672849060397--
  • Response
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Sun, 03 Oct 2021 14:26:10 GMT
Content-Type: application/json
Content-Length: 192
Connection: close
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000
X-Frame-Options: DENY
X-Content-Type-Options: nosniff

{"data":{"error_message":"An error occurred while retrieving the requested file ((
'Connection aborted.', BadStatusLine('SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2\\r\\n')))."},"status":"failed"}


An attacker is able to scan internal ports and can also perform directory enumeration on http://127.0.0.1/$FUZZ$ ... To fix this, block access to internal hosts.
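The fix the report asks for, blocking access to internal hosts, is an allow-list check on the user-supplied URL that runs before the server opens any connection. The function below is an added example and not manalyzer.org's code; it assumes the upload endpoint is written in Python (the quoted error text is Python's http.client BadStatusLine, but that is an inference) and that the service only ever needs to fetch over HTTP(S) on ports 80 and 443. It treats the request above (`http://127.0.0.1:22/`) and the usual loopback, RFC 1918, link-local, IPv4-mapped and cloud-metadata addresses as non-public and refuses them with a reason.

```python
"""Allow-list check for server-side fetches of user-supplied URLs (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumption: the fetcher only speaks HTTP(S)
ALLOWED_PORTS = {80, 443}             # assumption: no other upstream ports are needed


def _resolve(host):
    """Return the set of IP addresses a host literal or DNS name maps to."""
    try:
        return {ipaddress.ip_address(host)}      # literal: no lookup needed
    except ValueError:
        pass
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, UnicodeError):
        return set()
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def _is_public(addr):
    """True only for globally routable unicast addresses."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped                  # ::ffff:127.0.0.1 -> 127.0.0.1
    # is_global is False for loopback, private, link-local (incl. 169.254.169.254),
    # unspecified, reserved and documentation ranges.
    return addr.is_global and not addr.is_multicast


def check_fetch_target(url):
    """Return (ok, reason); ok is False for anything the server must not fetch."""
    try:
        parts = urlsplit(url)
        port = parts.port                         # ValueError on a malformed port
    except ValueError as exc:
        return False, f"malformed URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme '{parts.scheme}' not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    addrs = _resolve(host)
    if not addrs:
        return False, f"could not resolve '{host}'"
    # A name that resolves to both a public and a private address is
    # rejected as a whole rather than trusting whichever the client picks.
    for addr in addrs:
        if not _is_public(addr):
            return False, f"'{host}' resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, including the request from the report above.
    for candidate in ("http://127.0.0.1:22/", "http://[::ffff:10.0.0.5]/",
                      "http://169.254.169.254/latest/", "https://8.8.8.8/file.exe"):
        print(candidate, "->", check_fetch_target(candidate))
```

Two caveats a practitioner should pair with this check: the decision is made on the addresses resolved at check time, so the fetch itself must connect to one of those vetted addresses (sending the original name in the Host header and SNI) rather than resolving again, or a DNS answer that changes between check and connect bypasses it; and every HTTP redirect the fetcher follows has to go through the same check, because a public host can redirect to an internal one.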

update_clamav_signatures.py skips yara rules

Hello,

While updating our FileInfo Analyzer (TheHive Project) to include manalyzer binaries, we face lots of errors with the update of yara rules in clamav (bin/update_clamav_signatures.py):

[..]
Rule Win.Trojan.Emotet-9778251-0 seems to be malformed. Skipping...
Rule Win.Trojan.Generic-9778253-0 seems to be malformed. Skipping...
Rule Win.Malware.Fsysna-9778257-0 seems to be malformed. Skipping...
Rule Win.Packed.Vobfus-9778258-0 seems to be malformed. Skipping...
Rule Win.Trojan.Azorult-9778259-0 seems to be malformed. Skipping...
Rule Win.Malware.Sctk-9778260-0 seems to be malformed. Skipping...
Rule Win.Trojan.Fareit-9778261-0 seems to be malformed. Skipping...
Rule Win.Trojan.Fareit-9778262-0 seems to be malformed. Skipping...
Rule Win.Trojan.Generic-9778278-0 seems to be malformed. Skipping...
Rule Win.Malware.Zusy-9778280-0 seems to be malformed. Skipping...
[..]

I also tried to run it from the docker image and get similar results.

When I run it on Win7, an error occurred.

error info:
C:\Users\xxx\Desktop\manalyze>manalyze.exe --plugins=peid,clamav --dump all Churrasco.exe
[!] Error: [Yara compiler] yara_rules/clamav.yara(845778) : internal fatal error

I am confused about how to use it on Win7 and how YARA integrates with it. Thanks.

Import analyzer plugin rule suggestions

  • EnumDeviceDrivers|GetDeviceDriverFileNameW Checks for drivers
  • EvtClearLog|ClearEventLog Empties the system event log
  • TerminateProcess Messes with other processes
  • PrintWindow Takes screenshots
  • SetKernelObjectSecurity|SetFileSecurity|SetNamedSecurityInfo|SetSecurityInfo Manipulates DACLs
  • OpenSCManagerW|CreateService|DeleteService Manipulates services
  • CoLoadLibrary Replacement for LoadLibrary
