Manalyze submodule for FileInfo analyzer

analyzers/FileInfo/FileInfo.json

@@ -1,6 +1,6 @@
 {
   "name": "FileInfo",
-  "version": "3.0",
+  "version": "4.0",
   "author": "TheHive-Project",
   "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
   "license": "AGPL-V3",
@@ -9,6 +9,37 @@
   "baseConfig": "FileInfo",
   "command": "FileInfo/fileinfo_analyzer.py",
   "configurationItems": [
+    {
+      "name": "manalyze_enable",
+      "description": "Wether to enable manalyze submodule or not.",
+      "type": "boolean",
+      "required": true,
+      "multi": false
+    },
+    {
+      "name": "manalyze_enable_docker",
+      "description": "Use docker to run Manalyze.",
+      "type": "boolean",
+      "required": false,
+      "multi": false,
+      "default": false
+    },
+    {
+      "name": "manalyze_enable_binary",
+      "description": "Use local binary to run Manalyze. Need to compile it before!",
+      "type": "boolean",
+      "required": false,
+      "multi": false,
+      "default": true
+    },
+    {
+      "name": "manalyze_binary_path",
+      "description": "Path to the Manalyze binary that was compiled before",
+      "type": "string",
+      "required": false,
+      "multi": false,
+      "default": "/opt/Cortex-Analyzers/utils/manalyze/bin/manalyze"
+    }
   ]
 }
 

analyzers/FileInfo/fileinfo_analyzer.py

@@ -1,10 +1,12 @@
 #!/usr/bin/env python3
 import pyexifinfo
 import magic
+import os
 
 from cortexutils.analyzer import Analyzer
 from submodules import available_submodules
 from submodules.submodule_metadata import MetadataSubmodule
+from submodules.submodule_manalyze import ManalyzeSubmodule
 
 
 class FileInfoAnalyzer(Analyzer):
@@ -15,14 +17,35 @@ def __init__(self):
         self.filetype = pyexifinfo.fileType(self.filepath)
         self.mimetype = magic.Magic(mime=True).from_file(self.filepath)
 
+        # Check if manalyze submodule is enabled
+        if self.get_param('config.manalyze_enable', False, 'Parameter manalyze_enable not given.'
+                                                           'Please enable or disable manalyze submodule explicitly.'):
+            binary_path = self.get_param('config.manalyze_binary_path',
+                                         '/opt/Cortex-Analyzers/utils/manalyze/bin/manalyze')
+            if self.get_param('config.manalyze_enable_docker', False):
+                available_submodules.append(
+                    ManalyzeSubmodule(
+                        use_docker=True
+                    )
+                )
+            elif self.get_param('config.manalyze_enable_binary', False) \
+                    and os.path.isfile(binary_path):
+                available_submodules.append(
+                    ManalyzeSubmodule(
+                        use_binary=True,
+                        binary_path=binary_path
+                    )
+                )
+            else:
+                self.error('Manalyze submodule is enabled, but either there is no method allowed (docker or binary)'
+                           'or the path to binary is not correct.')
+
     def summary(self, raw):
         taxonomies = []
         for submodule in raw['results']:
             taxonomies += submodule['summary']['taxonomies']
         return {'taxonomies': taxonomies}
 
-
-
     def run(self):
         results = []
 
@@ -41,8 +64,8 @@ def run(self):
                 module_results = module.analyze_file(self.filepath)
                 module_summaries = module.module_summary()
                 results.append({
-                   'submodule_name': module.name,
-                   'results': module_results,
+                    'submodule_name': module.name,
+                    'results': module_results,
                     'summary': module_summaries
                 })
 

analyzers/FileInfo/submodules/submodule_manalyze.py

@@ -0,0 +1,108 @@
+import subprocess
+import json
+import os
+
+from .submodule_base import SubmoduleBaseclass
+
+
+class ManalyzeSubmodule(SubmoduleBaseclass):
+    """Manalyze submodule implements the static analysis tool by @JusticeRage
+    (https://github.com/JusticeRage/Manalyze)"""
+
+    def __init__(self, **kwargs):
+        SubmoduleBaseclass.__init__(self)
+
+        self.use_docker = kwargs.get('use_docker', False)
+        self.use_binary = kwargs.get('use_binary', False)
+        self.binary_path = kwargs.get('binary_path', None)
+
+        self.name = 'Manalyze'
+
+    def check_file(self, **kwargs):
+        """
+        Manalyze is for PE files.
+        """
+        try:
+            if kwargs.get('filetype') in ['Win32 EXE', 'Win64 EXE']:
+                return True
+        except KeyError:
+            return False
+        return False
+
+    def run_local_manalyze(self, filepath):
+        sp = subprocess.run([
+            self.binary_path,
+            '--dump=imports,exports,sections',
+            '--hashes',
+            '--pe={}'.format(filepath),
+            '--plugins=clamav,compilers,peid,strings,findcrypt,btcaddress,packer,imports,resources,mitigation,authenticode',
+            '--output=json'
+        ], stdout=subprocess.PIPE, cwd=os.path.split(self.binary_path)[0])
+        result = sp.stdout
+        result = json.loads(result.decode('utf-8'))
+        return result[filepath]
+
+    def run_docker_manalyze(self, filepath):
+        filepath, filename = os.path.split(filepath)
+        sp = subprocess.run([
+            'docker',
+            'run',
+            '--rm',
+            '-v',
+            '{}:/data'.format(filepath),
+            'evanowe/manalyze',
+            '/Manalyze/bin/manalyze',
+            '--dump=imports,exports,sections',
+            '--hashes',
+            '--pe=/data/{}'.format(filename),
+            '--plugins=clamav,compilers,peid,strings,findcrypt,btcaddress,packer,imports,resources,mitigation,authenticode',
+            '--output=json'
+        ], stdout=subprocess.PIPE)
+        result = sp.stdout
+        result = json.loads(result.decode('utf-8'))
+        return result[list(result)[0]]
+
+    def build_results(self, results):
+        """Properly format the results"""
+        self.add_result_subsection(
+            'Exploit mitigation techniques',
+            {
+                'level': results.get('Plugins', {}).get('mitigation', {}).get('level', None),
+                'summary': results.get('Plugins', {}).get('mitigation', {}).get('summary', None),
+                'content': results.get('Plugins', {}).get('mitigation', {}).get('plugin_output', None)
+            }
+        )
+        self.add_result_subsection(
+            'Suspicious strings',
+            {
+                'level': results.get('Plugins', {}).get('strings', {}).get('level', None),
+                'summary': results.get('Plugins', {}).get('strings', {}).get('summary', None),
+                'content': results.get('Plugins', {}).get('strings', {}).get('plugin_output', None)
+            }
+        )
+        self.add_result_subsection(
+            'Suspicious imports',
+            {
+                'level': results.get('Plugins', {}).get('imports', {}).get('level', None),
+                'summary': results.get('Plugins', {}).get('imports', {}).get('summary', None),
+                'content': results.get('Plugins', {}).get('imports', {}).get('plugin_output', None)
+            }
+        )
+        self.add_result_subsection(
+            'Packer',
+            {
+                'level': results.get('Plugins', {}).get('packer', {}).get('level', None),
+                'summary': results.get('Plugins', {}).get('packer', {}).get('summary', None),
+                'content': results.get('Plugins', {}).get('packer', {}).get('plugin_output', None)
+            }
+        )
+        self.add_result_subsection('Manalyze raw output', json.dumps(results, indent=4))
+
+    def analyze_file(self, path):
+        results = {}
+        if self.use_docker:
+            results = self.run_docker_manalyze(path)
+        elif self.use_binary and self.binary_path and self.binary_path != '':
+            results = self.run_local_manalyze(path)
+        self.build_results(results)
+        return self.results

analyzers/FileInfo/submodules/submodule_pe.py

@@ -1,6 +1,7 @@
 import pefile
 import pehashng
 from pefile import __version__ as pefile_version
+import sys
 
 from .submodule_base import SubmoduleBaseclass
 
@@ -66,20 +67,18 @@ def pe_entrypoint(pedict):
     def pe_info(self, pe):
         pedict = pe.dump_dict()
         table = []
-        try:
-            for fileinfo in pe.FileInfo:
-                if fileinfo.Key.decode() == 'StringFileInfo':
-                    for stringtable in fileinfo.StringTable:
-                        for entry in stringtable.entries.items():
-                            table.append({'Info': entry[0].decode(), 'Value': entry[1].decode()})
-
-            table.append({'Info': 'Compilation Timestamp',
-                          'Value': self.compilation_timestamp(pedict)})
-            table.append({'Info': 'Target machine', 'Value': self.pe_machine(pedict)}),
-            table.append({'Info': 'Entry Point', 'Value': self.pe_entrypoint(pedict)})
-            return table
-        except Exception as excp:
-            return 'None'
+        for fileinfo in pe.FileInfo:
+            if hasattr(fileinfo, 'Key') and fileinfo.Key.decode() == 'StringFileInfo':
+                for stringtable in fileinfo.StringTable:
+                    for entry in stringtable.entries.items():
+                        table.append({'Info': entry[0].decode(), 'Value': entry[1].decode()})
+
+        table.append({'Info': 'Compilation Timestamp',
+                      'Value': self.compilation_timestamp(pedict)})
+        table.append({'Info': 'Target machine', 'Value': self.pe_machine(pedict)}),
+        table.append({'Info': 'Entry Point', 'Value': self.pe_entrypoint(pedict)})
+        return table
+
 
     @staticmethod
     def pe_iat(pe):