Merge branch 'master' of github.com:JusticeRage/Manalyze

JusticeRage · Apr 18, 2017 · 17a3532 · 17a3532
2 parents 2b3dea3 + bc65168
commit 17a3532
Show file tree

Hide file tree

Showing 28 changed files with 782 additions and 106 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -11,6 +11,7 @@ addons:
     - libboost-system1.55-dev
     - libboost-filesystem1.55-dev
     - libboost-test1.55-dev
+    - libssl-dev
     - gcc-4.8
     - g++-4.8
 compiler:

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -20,6 +20,13 @@ else()
 	find_package(Boost REQUIRED COMPONENTS regex system filesystem program_options unit_test_framework)
 endif()
 
+find_package(OpenSSL)
+if (OPENSSL_FOUND)
+	add_definitions(-DWITH_OPENSSL) # Enable OpenSSL if it was found.
+else()
+	message("Building without OpenSSL.")
+endif()
+
 # Download or update external projects
 if (EXISTS external/yara AND GitHub MATCHES [Oo][Nn])
     message("Updating yara...")
@@ -56,7 +63,7 @@ include_directories(
 add_definitions(-DWITH_MANACOMMONS) # Use functions from manacommons.
 add_library(manape SHARED manape/pe.cpp manape/nt_values.cpp manape/utils.cpp manape/imports.cpp manape/resources.cpp manape/section.cpp manape/imported_library.cpp)
 
-add_library(manacommons SHARED manacommons/color.cpp manacommons/output_tree_node.cpp manacommons/escape.cpp manacommons/plugin_framework/result.cpp)
+add_library(manacommons SHARED manacommons/color.cpp manacommons/output_tree_node.cpp manacommons/escape.cpp manacommons/base64.cpp manacommons/plugin_framework/result.cpp)
 
 add_executable(manalyze src/main.cpp src/config_parser.cpp src/output_formatter.cpp src/dump.cpp src/import_hash.cpp
 			   src/plugin_framework/dynamic_library.cpp src/plugin_framework/plugin_manager.cpp # Plugin system
@@ -95,13 +102,22 @@ else()
 				target_link_libraries(manalyze dl)
 			endif()
 			set (CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11")
+
+			# Compile the *nix authenticode plugin if OpenSSL was found.
+			if (OPENSSL_FOUND)
+				add_library(plugin_authenticode SHARED plugins/plugin_authenticode_openssl.cpp)
+				target_link_libraries(plugin_authenticode ${OPENSSL_LIBRARIES})
+			endif()
 endif()
 
 # VirusTotal plugin
 add_library(plugin_virustotal SHARED plugins/plugin_virustotal/plugin_virustotal.cpp
 									 plugins/plugin_virustotal/json_spirit/json_spirit_reader.cpp
 									 plugins/plugin_virustotal/json_spirit/json_spirit_value.cpp)
 target_link_libraries(plugin_virustotal manape hash-library manacommons ${Boost_LIBRARIES})
+if (OPENSSL_FOUND)
+	target_link_libraries(plugin_virustotal ${OPENSSL_LIBRARIES})
+endif()
 
 # yara dependency
 add_subdirectory(external/yara)
@@ -124,4 +140,28 @@ target_link_libraries(
 						${Boost_LIBRARIES}
                      )
 
+# make install command for linux machines:
+if ("${CMAKE_SYSTEM}" MATCHES "Linux")
 
+	# Copy binaries
+	install(TARGETS manalyze manacommons manape
+			RUNTIME DESTINATION /usr/local/bin
+			LIBRARY DESTINATION /usr/local/lib
+			ARCHIVE DESTINATION /usr/local/lib/static)
+
+	# Copy the yara_rules folder to /etc/manalyze.
+	install(DIRECTORY bin/yara_rules 
+			DESTINATION /etc/manalyze)
+
+	# Copy the plugins to /etc/manalyze.
+	install(DIRECTORY bin/
+			DESTINATION /etc/manalyze
+			FILES_MATCHING PATTERN "libplugin_*.so")
+
+	# Copy the configuration file template.
+	install(FILES bin/manalyze.conf
+			DESTINATION /etc/manalyze)
+
+	# Run ldconfig.
+	execute_process(COMMAND ldconfig)
+endif()
diff --git a/README.md b/README.md
@@ -22,8 +22,8 @@ There are few things I hate more than checking out an open-source project and sp
 
 ### On Linux and BSD (tested on Debian Jessie and FreeBSD 10.2)
 ```
-$> [sudo or as root] apt-get install libboost-regex-dev libboost-program-options-dev libboost-system-dev libboost-filesystem-dev build-essential cmake git
-$> [alternatively, also sudo or as root] pkg install boost-libs-1.55.0_8 cmake
+$> [sudo or as root] apt-get install libboost-regex-dev libboost-program-options-dev libboost-system-dev libboost-filesystem-dev libssl-dev build-essential cmake git
+$> [alternatively, also sudo or as root] pkg install boost-libs-1.55.0_8 libressl cmake git
 $> git clone https://github.com/JusticeRage/Manalyze.git && cd Manalyze
 $> cmake .
 $> make

diff --git a/bin/.dlopen.valgrind.supp b/bin/.dlopen.valgrind.supp
@@ -1,8 +1,7 @@
 {
-   Ignore dlopen bug.
+   <Ignore dlopen leak.>
    Memcheck:Leak
    ...
    fun:dlopen@@GLIBC_2.2.5
    ...
 }
-
diff --git a/bin/yara_rules/suspicious_strings.yara b/bin/yara_rules/suspicious_strings.yara
@@ -33,13 +33,16 @@ rule System_Tools
         $a9 = "regmon.exe" nocase wide ascii
         $a10 = "filemon.exe" nocase wide ascii
         $a11 = "msconfig.exe" nocase wide ascii
+<<<<<<< HEAD
         $a12 = "vssadmin.exe" nocase wide ascii
         $a13 = "bcdedit.exe" nocase wide ascii
         $a14 = "dumpcap.exe" nocase wide ascii
         $a15 = "tcpdump.exe" nocase wide ascii
+		$a16 = "mshta.exe" nocase wide ascii    // Used by DUBNIUM to download files
         $a16 = "control.exe" nocase wide ascii  // Used by EquationGroup to launch DLLs
         $a17 = "regsvr32.exe" nocase wide ascii
         $a18 = "rundll32.exe" nocase wide ascii
+		
     condition:
         any of them
 }
@@ -126,7 +129,7 @@ rule Antivirus
         $a40 = "avgrsx.exe" nocase wide ascii
         $a41 = "avgserv.exe" nocase wide ascii
         $a42 = "avgserv9.exe" nocase wide ascii
-        $a43 = "avguard.exe" nocase wide ascii
+        $a43 = /av(gui|guard|center|gtray|gidsagent|gwdsvc|grsa|gcsrva|gcsrvx).exe/ nocase wide ascii
         $a44 = "avgw.exe" nocase wide ascii
         $a45 = "avkpop.exe" nocase wide ascii
         $a46 = "avkserv.exe" nocase wide ascii
@@ -517,7 +520,26 @@ rule Antivirus
         $a575 = "zapro.exe" nocase wide ascii
         $a577 = "zatutor.exe" nocase wide ascii
         $a579 = "zonealarm.exe" nocase wide ascii
-
+		// Strings from Dubnium below
+		$a580 = "QQPCRTP.exe" nocase wide ascii
+		$a581 = "QQPCTray.exe" nocase wide ascii
+		$a582 = "ZhuDongFangYu.exe" nocase wide ascii
+		$a583 = /360(tray|sd|rp).exe/ nocase wide ascii
+		$a584 = /qh(safetray|watchdog|activedefense).exe/ nocase wide ascii
+		$a585 = "McNASvc.exe" nocase wide ascii
+		$a586 = "MpfSrv.exe" nocase wide ascii
+		$a587 = "McProxy.exe" nocase wide ascii
+		$a588 = "mcmscsvc.exe" nocase wide ascii
+		$a589 = "McUICnt.exe" nocase wide ascii
+		$a590 = /ui(WatchDog|seagnt|winmgr).exe/ nocase wide ascii
+		$a591 = "ufseagnt.exe" nocase wide ascii
+		$a592 = /core(serviceshell|frameworkhost).exe/ nocase wide ascii
+		$a593 = /ay(agent|rtsrv|updsrv).aye/ nocase wide ascii
+		$a594 = /avast(ui|svc).exe/ nocase wide ascii
+		$a595 = /ms(seces|mpeng).exe/ nocase wide ascii
+		$a596 = "afwserv.exe" nocase wide ascii
+		$a597 = "FiddlerUser"
+		
     condition:
         any of them
 }

diff --git a/docs/obtaining-manalyze.rst b/docs/obtaining-manalyze.rst
@@ -32,11 +32,11 @@ Linux and BSD
 
 How you take care of step 1 may vary depending on your package manager. On Debian Jessie, use the following command **as root**::
 
-    apt-get install libboost-regex-dev libboost-program-options-dev libboost-system-dev libboost-filesystem-dev build-essential cmake git
+    apt-get install libboost-regex-dev libboost-program-options-dev libboost-system-dev libboost-filesystem-dev libssl-dev build-essential cmake git
 	
 On FreeBSD 10.2, use this one instead (also **as root**)::
 
-    pkg install boost-libs-1.55.0_8 cmake git
+    pkg install boost-libs-1.55.0_8 libressl cmake git
 	
 Next, get Manalyze's source code and try building it::
 
@@ -118,11 +118,28 @@ This compilation error is usually encountered on Debian 7 (Wheezy)::
 
 This issue has been traced to the `Boost libraries <http://www.boost.org/>`_ in Wheezy repositories being too old (1.49.0). You'll need to either upgrade them manually or switch to Debian Jessie.
 
-2. Incompatibilities between OpenSSL 1.1 and Boost
+2. CMake does not find OpenSSL
+------------------------------
+
+Some versions of CMake (for instance 3.0.2, present in Debian Jessie's repositories) seem to have trouble locating OpenSSL and generate the following error messages::
+
+	CMake Error at /usr/share/cmake-3.0/Modules/FindOpenSSL.cmake:293 (list):
+	  list GET given empty list
+	Call Stack (most recent call first):
+	  CMakeLists.txt:23 (find_package)
+
+	[...]
+
+	-- Found OpenSSL: /usr/lib/x86_64-linux-gnu/libssl.so;/usr/lib/x86_64-linux-gnu/libcrypto.so (found version ".0.0`") 
+
+Upgrading CMake to the latest release (3.5.2 at the time I'm writing this) solves this issue.
+
+3. Incompatibilities between OpenSSL 1.1 and Boost
 --------------------------------------------------
 
 The following error may be encountered on Debian 9 (Stretch)::
 
     In function ‘bool plugin::vt_api_interact(const string&, const string&, std::__cxx11::string&, plugin::sslsocket&)’: ~/Manalyze/plugins/plugin_virustotal/plugin_virustotal.cpp:276:84: error: ‘SSL_R_SHORT_READ’ was not declared in this scope if (error != boost::asio::error::eof && error.value() != ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SHORT_READ))
 	
 Starting with Stretch, Debian ships with the 1.1 branch of OpenSSL which is `not compatible <https://github.com/chriskohlhoff/asio/issues/184>`_ with most versions of Boost. It is unclear from which version the problem has been fixed, but a workaround for this issue is to download one of the latest Boost distributions from upstream and build it instead of using the libraries provided by Debian.
+
diff --git a/include/dump.h b/include/dump.h
@@ -1,24 +1,26 @@
 /*
-This file is part of Manalyze.
+    This file is part of Manalyze.
 
-Manalyze is free software: you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
+    Manalyze is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
 
-Manalyze is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU General Public License for more details.
+    Manalyze is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
 
-You should have received a copy of the GNU General Public License
-along with Manalyze.  If not, see <http://www.gnu.org/licenses/>.
+    You should have received a copy of the GNU General Public License
+    along with Manalyze.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #pragma once
 
 #include <set>
 #include <vector>
+#include <string>
+#include <sstream>
 #include <boost/algorithm/string/predicate.hpp>
 #include <boost/make_shared.hpp>
 
@@ -29,6 +31,7 @@ along with Manalyze.  If not, see <http://www.gnu.org/licenses/>.
 #include "yara/yara_wrapper.h"
 
 #include "import_hash.h"
+#include "manacommons/base64.h"
 
 namespace mana
 {
@@ -62,6 +65,14 @@ yara::const_matches detect_filetype(mana::pResource resource);
 /**
  * @brief   Extracts resources from a PE file.
  *
+ *	In the general case, the resource's raw bytes are written to a file, but some resource
+ *	types can be handled more gracefully:
+ *	* RT_GROUP_ICON (and the referenced RT_ICON resources, which cannot be extracted alone)
+ *	  are saved as .ico files. (RT_GROUP_CURSORS are supported too, but don't seem to work
+ *	  as well.)
+ *	* RT_BITMAP as .bmp files. The bitmap header is reconstructed.
+ *	* RT_MANIFEST as .xml files.
+ *
  * @param   const mana::PE& pe The PE whose resources we want extracted.
  * @param   const std::string& destination_folder The folder into which the
  *          extracted files should be placed.
@@ -70,4 +81,20 @@ yara::const_matches detect_filetype(mana::pResource resource);
  */
 bool extract_resources(const mana::PE& pe, const std::string& destination_folder);
 
-} // !namespace sg
+/**
+ *	@brief	Extracts the certificates used for the Authenticode signature of the PE.
+ *
+ *  @param  const mana::PE& pe The PE whose certificates we want extracted.
+ *	@param	const std::string& destination_folder The folder into which the certificates should
+ *			be placed.
+ *	@param	const std::string& filename The name of the file which in which the certificate will
+ *			be stored. If none is provided, the name [PE name].p7b will be used. 
+ *			/!\ Existing files will be overwritten!
+ *
+ *	@return	Whether the extraction was successful or not.
+ */
+bool extract_authenticode_certificates(const mana::PE& pe,
+                                       const std::string& destination_folder,
+                                       const std::string& filename = "");
+
+} // !namespace mana
diff --git a/include/manacommons/base64.h b/include/manacommons/base64.h
@@ -0,0 +1,61 @@
+/*
+    This file is part of Manalyze.
+
+    Manalyze is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    Manalyze is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with Manalyze.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#pragma once
+
+#include <string>
+#include <sstream>
+#include <vector>
+
+#include <boost/cstdint.hpp>
+#include <boost/shared_ptr.hpp>
+#include <boost/make_shared.hpp>
+#include <boost/archive/iterators/base64_from_binary.hpp>
+#include <boost/archive/iterators/insert_linebreaks.hpp>
+#include <boost/archive/iterators/transform_width.hpp>
+#include <boost/archive/iterators/ostream_iterator.hpp>
+#include <boost/system/api_config.hpp>
+
+#if defined BOOST_WINDOWS_API && !defined DECLSPEC_MANACOMMONS
+	#ifdef MANACOMMONS_EXPORT
+		#define DECLSPEC_MANACOMMONS    __declspec(dllexport)
+	#else
+		#define DECLSPEC_MANACOMMONS    __declspec(dllimport)
+	#endif
+#elif !defined BOOST_WINDOWS_API && !defined DECLSPEC_MANACOMMONS
+	#define DECLSPEC_MANACOMMONS
+#endif
+
+namespace utils {
+
+namespace biter = boost::archive::iterators;
+typedef boost::shared_ptr<std::string> pString;
+
+// ----------------------------------------------------------------------------
+
+/**
+ *	@brief	Converts the input data into a Base64 encoded string.
+ *
+ *	Taken from the boost examples and slightly adaped to handle padding.
+ *
+ *	@param	const std::vector<boost::uint8_t>& bytes A vector of bytes to encode.
+ *
+ *	@return	A string containing the Base64 representation of the input.
+ */
+DECLSPEC_MANACOMMONS pString b64encode(const std::vector<boost::uint8_t>& bytes);
+
+} // !namespace 
diff --git a/include/manacommons/color.h b/include/manacommons/color.h
@@ -62,11 +62,11 @@ void set_color(Color c);
  *
  *	@return	A reference to sink, so the operator "<<" can be chained.
  */
-	DECLSPEC_MANACOMMONS std::ostream& print_colored_text(const std::string& text,
-								 Color c,
-								 std::ostream& sink = std::cout,
-								 const std::string& prefix = "",
-								 const std::string& suffix = "");
+DECLSPEC_MANACOMMONS std::ostream& print_colored_text(const std::string& text,
+													  Color c,
+													  std::ostream& sink = std::cout,
+													  const std::string& prefix = "",
+													  const std::string& suffix = "");
 
 #define PRINT_ERROR utils::print_colored_text("!", utils::RED, std::cerr, "[", "] Error: ")
 #define PRINT_WARNING utils::print_colored_text("*", utils::YELLOW, std::cerr, "[", "] Warning: ")

diff --git a/include/manape/utf8/checked.h → include/manacommons/utf8/checked.h b/include/manape/utf8/checked.h → include/manacommons/utf8/checked.h
@@ -28,7 +28,7 @@ DEALINGS IN THE SOFTWARE.
 #ifndef UTF8_FOR_CPP_CHECKED_H_2675DCD0_9480_4c0c_B92A_CC14C027B731
 #define UTF8_FOR_CPP_CHECKED_H_2675DCD0_9480_4c0c_B92A_CC14C027B731
 
-#include "manape/utf8/core.h"
+#include "manacommons/utf8/core.h"
 #include <stdexcept>
 
 namespace utf8

diff --git a/include/manape/utf8/core.h → include/manacommons/utf8/core.h b/include/manape/utf8/core.h → include/manacommons/utf8/core.h
diff --git a/include/manape/utf8/unchecked.h → include/manacommons/utf8/unchecked.h b/include/manape/utf8/unchecked.h → include/manacommons/utf8/unchecked.h
@@ -28,7 +28,7 @@ DEALINGS IN THE SOFTWARE.
 #ifndef UTF8_FOR_CPP_UNCHECKED_H_2675DCD0_9480_4c0c_B92A_CC14C027B731
 #define UTF8_FOR_CPP_UNCHECKED_H_2675DCD0_9480_4c0c_B92A_CC14C027B731
 
-#include "manape/utf8/core.h"
+#include "manacommons/utf8/core.h"
 
 namespace utf8
 {

diff --git a/include/manape/utf8/utf8.h → include/manacommons/utf8/utf8.h b/include/manape/utf8/utf8.h → include/manacommons/utf8/utf8.h
diff --git a/include/manape/nt_values.h b/include/manape/nt_values.h
@@ -58,6 +58,10 @@ typedef boost::shared_ptr<std::string> pString;
 #define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   13   // Delay Load Import Descriptors
 #define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14   // COM Runtime descriptor
 
+#ifndef WIN_CERT_TYPE_PKCS_SIGNED_DATA
+# define WIN_CERT_TYPE_PKCS_SIGNED_DATA       2
+#endif
+
 namespace nt {
 
 typedef std::map<std::string, int> flag_dict;