Merged some of ANY.RUN's modifications.

The output of the tool should be cleaner.
I'm keeping the dots everywhere though ;)

README.md

@@ -99,6 +99,12 @@ Examples:
   manalyze.exe -r malwares/ --plugins=peid,clamav --dump all
 ````
 
+## People using Manalyze
+
+- [ANY.RUN](https://any.run/)
+
+Contact me or open a pull request if you would like to be added to this list!
+
 ## Contact
 [![E-Mail](https://manalyzer.org/static/mail.png)](mailto:justicerage@manalyzer[.]org)
 [![Twitter](http://manalyzer.org/static/twitter.png)](https://twitter.com/JusticeRage)

include/dump.h

@@ -35,7 +35,6 @@
 
 namespace mana
 {
-
 void dump_dos_header(const mana::PE& pe, io::OutputFormatter& formatter);
 void dump_pe_header(const mana::PE& pe, io::OutputFormatter& formatter);
 void dump_image_optional_header(const mana::PE& pe, io::OutputFormatter& formatter);

manacommons/output_tree_node.cpp

@@ -15,6 +15,8 @@ You should have received a copy of the GNU General Public License
 along with Manalyze.  If not, see <http://www.gnu.org/licenses/>.
 */
 
+#include <iomanip>
+
 #include "manacommons/output_tree_node.h"
 
 namespace io
@@ -103,8 +105,23 @@ pString OutputTreeNode::to_string() const
 	}
 
 	std::stringstream ss;
-	if (_modifier == HEX) {
-		ss << std::hex << "0x";
+	if (_modifier == HEX)
+	{
+		ss << std::hex << "0x" << std::uppercase << std::setfill('0');
+        switch (_type)
+        {
+            case UINT32:
+                ss << std::setw(8);
+                break;
+            case UINT16:
+                ss << std::setw(4);
+                break;
+            case UINT64:
+                ss << std::setw(16);
+                break;
+            default:
+                break;
+        }
 	}
 	else if (_modifier == DEC) {
 		ss << std::dec;

plugins/plugin_authenticode/plugin_authenticode.cpp

@@ -496,9 +496,9 @@ void do_winverifytrust(GUID& guid, WINTRUST_DATA& data, pResult res)
 /**
  *	@brief	A simple function used to translate the PE path into a std::wstring
  *			as is required by Microsoft's API.
- *			
+ *
  *	@param	s The string to convert.
- *	
+ *
  *	@return	a std::wstring representing the input.
  */
 std::wstring multibytetowide_helper(const std::string& s)
@@ -527,7 +527,7 @@ void make_information(const std::string& type, const std::wstring& data, pResult
 	}
 	catch (utf8::invalid_utf16)
 	{
-		PRINT_WARNING << "[plugin_authenticode] Couldn't convert a string from UTF-16 to UTF-8!" 
+		PRINT_WARNING << "[plugin_authenticode] Couldn't convert a string from UTF-16 to UTF-8!"
 					  << DEBUG_INFO << std::endl;
 		return;
 	}
@@ -567,7 +567,7 @@ void check_catalog_signature(const mana::PE& pe, pResult res)
 	if (!::CryptCATAdminCalcHashFromFileHandle(handle, &size, hash_buffer, 0) || hash_buffer == nullptr) { // ...and one to get the hash.
 		goto end;
 	}
-	
+
 	// The hash is used as a reference in the catalog. Convert it to a string.
 	for (unsigned int i = 0; i < size; i++)	{
 		ss << boost::wformat(L"%02X") % hash_buffer[i];

plugins/plugin_authenticode/plugin_authenticode_openssl.cpp

@@ -123,7 +123,7 @@ void add_certificate_information(pPKCS7 p, pResult res)
     STACK_OF(X509)* signers = PKCS7_get0_signers(p.get(), nullptr, 0);
     if (signers == nullptr)
     {
-        PRINT_WARNING << "[plugin_authenticode] Could not obtain the certificate signers." << std::endl;
+        PRINT_WARNING << "[plugin_authenticode] Could not obtain the certificate signers" << std::endl;
         return;
     }
 

plugins/plugin_imports.cpp

@@ -223,7 +223,7 @@ class ImportsPlugin : public IPlugin
 		check_functions(pe, process_doppelganging, MALICIOUS, "Code injection capabilities (process doppelganging)", AT_LEAST_THREE, res);
 		check_functions(pe, "", NO_OPINION, "Can access the registry", AT_LEAST_ONE, res);
 		check_functions(pe, process_creation_api, NO_OPINION, "Possibly launches other programs", AT_LEAST_ONE, res);
-		check_functions(pe, "(Nt|Zw).*", SUSPICIOUS, "Uses Windows' Native API", AT_LEAST_TWO, res);
+		check_functions(pe, "(Nt|Zw).*", SUSPICIOUS, "Uses Windows's Native API", AT_LEAST_TWO, res);
 		check_functions(pe, "Crypt.*", NO_OPINION, "Uses Microsoft's cryptographic API", AT_LEAST_ONE, res);
 		check_functions(pe, temporary_files, NO_OPINION, "Can create temporary files", AT_LEAST_TWO, res);
 		check_functions(pe, "Wlx.*", MALICIOUS, "Possibly attempts GINA replacement", AT_LEAST_THREE, res);
@@ -240,7 +240,7 @@ class ImportsPlugin : public IPlugin
 		check_functions(pe, eventlog_deletion, MALICIOUS, "Deletes entries from the event log", AT_LEAST_ONE, res);
 		check_functions(pe, dacl_api, SUSPICIOUS, "Changes object ACLs", AT_LEAST_ONE, res);
 		check_functions(pe, screenshot_api, SUSPICIOUS, "Can take screenshots", AT_LEAST_TWO, res);
-		check_functions(pe, audio_api, SUSPICIOUS, "Can use the microphone to record audio.", AT_LEAST_ONE, res);
+		check_functions(pe, audio_api, SUSPICIOUS, "Can use the microphone to record audio", AT_LEAST_ONE, res);
 		check_functions(pe, networking_api, SUSPICIOUS, "Modifies the network configuration", AT_LEAST_ONE, res);
 		check_functions(pe, "GetClipboardData", NO_OPINION, "Reads the contents of the clipboard", AT_LEAST_ONE, res);
 		check_functions(pe, "IsUserAnAdmin", NO_OPINION, "Checks if it has admin rights", AT_LEAST_ONE, res);
@@ -258,7 +258,7 @@ class ImportsPlugin : public IPlugin
 				res->set_summary("The PE contains functions most legitimate programs don't use.");
 				break;
 			case MALICIOUS:
-				res->set_summary("The PE contains functions mostly used by malwares.");
+				res->set_summary("The PE contains functions mostly used by malware.");
 				break;
 			default:
 				break;

plugins/plugin_packer_detection.cpp

@@ -116,7 +116,7 @@ class PackerDetectionPlugin : public IPlugin
 		// Checksum of the DOS header
 		for (unsigned int i = 0; i < rich->file_offset; ++i)
 		{
-			// Ignore e_lfanew?
+			// Ignore e_lfanew.
 			if (0x3c <= i && i < 0x40) {
 				continue;
 			}
@@ -142,7 +142,7 @@ class PackerDetectionPlugin : public IPlugin
 		for (auto it = rich->values.begin() ; it != rich->values.end() ; ++it)
 		{
 			// Look for the "Total imports" @comp.id.
-			if (std::get<0>(*it) == 1) 
+			if (std::get<0>(*it) == 1)
 			{
 				auto imports = pe.find_imports(".*");
 				// For some reason, the number of imports present here seems to be wrong in a lot of goodware.
@@ -157,7 +157,6 @@ class PackerDetectionPlugin : public IPlugin
 				}
 			}
 		}
-
 	}
 
 	pResult analyze(const mana::PE& pe) override
@@ -186,7 +185,7 @@ class PackerDetectionPlugin : public IPlugin
 			}
 
 			// Look for WX sections
-			int characteristics = (*it)->get_characteristics();
+			unsigned int characteristics = (*it)->get_characteristics();
 			if (characteristics & nt::SECTION_CHARACTERISTICS.at("IMAGE_SCN_MEM_EXECUTE") &&
 				characteristics & nt::SECTION_CHARACTERISTICS.at("IMAGE_SCN_MEM_WRITE"))
 			{
@@ -217,11 +216,11 @@ class PackerDetectionPlugin : public IPlugin
 		if (imports->size() == 1)
 		{
 			auto mscoree = pe.find_imported_dlls("mscoree.dll");
-			if (mscoree->size() > 0)
+			if (!mscoree->empty())
 			{
 
 				auto corexemain = mscoree->at(0)->get_imports();
-				if (corexemain->size() > 0 && corexemain->at(0)->Name == "_CorExeMain") {
+				if (!corexemain->empty() && corexemain->at(0)->Name == "_CorExeMain") {
 					return res;
 				}
 			}
@@ -237,7 +236,7 @@ class PackerDetectionPlugin : public IPlugin
 			try {
 				min_imports = std::stoi(_config->at("min_imports"));
 			}
-			catch (std::invalid_argument)
+			catch (std::invalid_argument&)
             {
                 PRINT_WARNING << "Could not parse packer.min_imports in the configuration file." << std::endl;
 				min_imports = 10;

plugins/plugins_yara.cpp

@@ -306,7 +306,7 @@ class FindCryptPlugin : public YaraPlugin
 
 		// Look for common cryptography libraries
 		if (pe.find_imports(".*", "libssl(32)?.dll|libcrypto.dll")->size() > 0) {
-			res->add_information("OpenSSL.");
+			res->add_information("OpenSSL");
 		}
 		if (pe.find_imports(".*", "cryptopp.dll")->size() > 0) {
 			res->add_information("Crypto++");