{"id":19839781,"url":"https://github.com/justicerage/manalyze","last_synced_at":"2026-01-27T02:02:57.153Z","repository":{"id":41329826,"uuid":"40815641","full_name":"JusticeRage/Manalyze","owner":"JusticeRage","description":"A static analyzer for PE executables.","archived":false,"fork":false,"pushed_at":"2024-01-03T18:01:36.000Z","size":13563,"stargazers_count":1091,"open_issues_count":6,"forks_count":163,"subscribers_count":61,"default_branch":"master","last_synced_at":"2025-11-15T13:02:40.890Z","etag":null,"topics":["analysis","malware","pe","static"],"latest_commit_sha":null,"homepage":null,"language":"YARA","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/JusticeRage.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2015-08-16T12:19:34.000Z","updated_at":"2025-11-14T08:39:49.000Z","dependencies_parsed_at":"2023-02-01T01:45:31.946Z","dependency_job_id":"d9c8219d-0f42-444f-93e1-be8f14424550","html_url":"https://github.com/JusticeRage/Manalyze","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/JusticeRage/Manalyze","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JusticeRage%2FManalyze","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JusticeRage%2FManalyze/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JusticeRage%2FManalyze/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JusticeRage%2FManalyze/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners
/JusticeRage","download_url":"https://codeload.github.com/JusticeRage/Manalyze/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JusticeRage%2FManalyze/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28796962,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-27T01:07:07.743Z","status":"online","status_checked_at":"2026-01-27T02:00:07.755Z","response_time":168,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["analysis","malware","pe","static"],"created_at":"2024-11-12T12:24:18.806Z","updated_at":"2026-01-27T02:02:57.148Z","avatar_url":"https://github.com/JusticeRage.png","language":"YARA","funding_links":[],"categories":[],"sub_categories":[],"readme":"﻿# Manalyze [![Build Status](https://travis-ci.com/JusticeRage/Manalyze.svg?branch=master)](https://travis-ci.org/JusticeRage/Manalyze) [![Coverage Status](https://coveralls.io/repos/github/JusticeRage/Manalyze/badge.svg?branch=master)](https://coveralls.io/github/JusticeRage/Manalyze?branch=master) [![Documentation](https://readthedocs.org/projects/manalyze/badge/?version=latest)](https://docs.manalyzer.org/en/latest/)\n\n## Introduction\nManalyze is a static analysis tool for PE files that you can use to conduct primary assessment on an executable (or set of executables). 
It collects weak signals that could indicate malicious behavior and displays information that can help a subsequent manual analysis.\n\nIf you want to see some sample reports generated by the tool, feel free to try out the web service I created for it: [manalyzer.org](https://manalyzer.org).\n\n## Table of Contents\n\n- [A static analyzer for PE files](#a-static-analyzer-for-pe-files)\n- [How to build](#how-to-build)\n- [Generating ClamAV rules](#generating-clamav-rules)\n- [Usage](#usage)\n- [People using Manalyze](#people-using-manalyze)\n- [Contact](#contact)\n\n## A static analyzer for PE files\nManalyze was written in C++ for Windows and Linux and is released under the terms of the [GPLv3 license](https://www.gnu.org/licenses/gpl-3.0.txt). It is a robust parser for PE files with a flexible plugin architecture which allows users to statically analyze files in depth. Manalyze...\n- Identifies a PE's compiler\n- Detects packed executables\n- Applies ClamAV signatures\n- Searches for suspicious strings\n- Looks for malicious import combinations (e.g. `WriteProcessMemory` + `CreateRemoteThread`)\n- Detects cryptographic constants (just like IDA's findcrypt plugin)\n- Can submit hashes to VirusTotal\n- Verifies authenticode signatures (on Windows only)\n\n## How to build\nThere are few things I hate more than checking out an open-source project and spending two hours trying to build it. This is why I did my best to make Manalyze as easy to build as possible. 
If these few lines don't work for you, then I have failed at my job and you should drop me a line so I can fix this.\n\n### On Linux and BSD (tested on Debian Bullseye and FreeBSD 10.2)\n```\n$\u003e [sudo or as root] apt-get install libboost-regex-dev libboost-program-options-dev libboost-system-dev libboost-filesystem-dev libssl-dev build-essential cmake git\n$\u003e [alternatively, also sudo or as root] pkg install boost-libs-1.55.0_8 libressl cmake git\n$\u003e git clone https://github.com/JusticeRage/Manalyze.git \u0026\u0026 cd Manalyze\n$\u003e cmake .\n$\u003e make -j5\n$\u003e cd bin \u0026\u0026 ./manalyze --version\n```\n\nFinally, if you want to access Manalyze from every directory on your machine, install it using `$\u003e make install` from the root folder of the project.\n\n### On Windows\n- Get the Boost libraries from [boost.org](http://boost.org) and install [CMake](http://www.cmake.org/download/).\n- Build the boost libraries\n  - `cd boost_1_XX_0 \u0026\u0026 ./bootstrap.bat \u0026\u0026 ./b2.exe --build-type=complete --with-regex --with-program_options --with-system --with-filesystem`\n  - Add an environment variable `BOOST_ROOT` which contains the path to your `boost_1_XX_0` folder.\n- Download and install [Git](https://git-scm.com/download/win)\n- `git clone https://github.com/JusticeRage/Manalyze.git \u0026\u0026 cd Manalyze \u0026\u0026 cmake .`\n- A Visual Studio project `manalyze.sln` should have appeared in the `Manalyze` folder!\n\n### On OS X (tested on Mojave)\n```\n# Skip these two lines if you already have a sane build environment\nuser$ xcode-select --install\nuser$ sudo installer -pkg /Library/Developer/CommandLineTools/Packages/macOS_SDK_headers_for_macOS_10.14.pkg -target /\n\nuser$ git clone https://github.com/JusticeRage/Manalyze.git \u0026\u0026 cd Manalyze\nuser$ brew install openssl boost\nuser$ cmake . 
-DOPENSSL_ROOT_DIR=/usr/local/opt/openssl/ \u0026\u0026 make -j5\nuser$ cd bin \u0026\u0026 ./manalyze --version\n```\n\n### Offline builds\nIf you need to build Manalyze on a machine with no internet access, you have to manually check out the following projects:\n- [Yara](https://github.com/JusticeRage/yara/archive/master.zip)\n- [hash-library](https://github.com/JusticeRage/hash-library/archive/master.zip)\n\nPlace the two folders in the `external` folder as `external/yara` and `external/hash-library` respectively. Then run `cmake . -DGitHub=OFF` and continue as you normally would.\n\n### Binaries\n- [Windows x64 binaries](https://manalyzer.org/static/manalyze_x64.zip)\n\n### Docker image\nA Docker image for Manalyze is provided by the community. Run `docker pull evanowe/manalyze` and get additional information [here](https://hub.docker.com/r/evanowe/manalyze).\n\n## Generating ClamAV rules\nSince ClamAV signatures are voluminous and updated regularly, it didn't make a lot of sense to distribute them from GitHub or with the binary. When you try using the ClamAV plugin for the first time, you will likely encounter the following error message: `[!] Error: Could not load yara_rules/clamav.yara`. In order to generate them, run the `update_clamav_signatures.py` Python script located in `bin/yara_rules` (source tree) or `${CMAKE_INSTALL_DATADIR}/manalyze/yara_rules` (installed, commonly `/usr/share/manalyze/yara_rules` or `/usr/local/share/manalyze/yara_rules`).\n\nRun the script whenever you want to refresh the signatures. 
Compiled Yara caches are stored in `$XDG_CACHE_HOME/manalyze/yara_rules` or `~/.cache/manalyze/yara_rules`, and can be overridden with `MANALYZE_CACHE_DIR`.\n\n## Paths and overrides\nDefault install locations (honoring `CMAKE_INSTALL_PREFIX`) are:\n- config: `${CMAKE_INSTALL_SYSCONFDIR}/manalyze/manalyze.conf` (often `/etc/manalyze/manalyze.conf` or `/usr/local/etc/manalyze/manalyze.conf`)\n- rules: `${CMAKE_INSTALL_DATADIR}/manalyze/yara_rules` (often `/usr/share/manalyze/yara_rules` or `/usr/local/share/manalyze/yara_rules`)\n- plugins: `${CMAKE_INSTALL_LIBDIR}/manalyze/plugins`\n\nYou can override these with environment variables:\n`MANALYZE_CONFIG_DIR`, `MANALYZE_DATA_DIR`, `MANALYZE_PLUGIN_DIR`, `MANALYZE_CACHE_DIR`.\n\n## Usage\n\n```\n$ ./manalyze.exe --help\nUsage:\n  -h [ --help ]         Displays this message.\n  -v [ --version ]      Prints the program's version.\n  --pe arg              The PE to analyze. Also accepted as a positional\n                        argument. Multiple files may be specified.\n  -r [ --recursive ]    Scan all files in a directory (subdirectories will be\n                        ignored).\n  -o [ --output ] arg   The output format. May be 'raw' (default) or 'json'.\n  -d [ --dump ] arg     Dump PE information. Available choices are any\n                        combination of: all, summary, dos (dos header), pe (pe\n                        header), opt (pe optional header), sections, imports,\n                        exports, resources, version, debug, tls, config, delay, rich\n  --hashes              Calculate various hashes of the file (may slow down the\n                        analysis!)\n  -x [ --extract ] arg  Extract the PE resources to the target directory.\n  -p [ --plugins ] arg  Analyze the binary with additional plugins. 
(may slow\n                        down the analysis!)\n\nAvailable plugins:\n  - clamav: Scans the binary with ClamAV virus definitions.\n  - compilers: Tries to determine which compiler generated the binary.\n  - peid: Returns the PEiD signature of the binary.\n  - strings: Looks for suspicious strings (anti-VM, process names...).\n  - findcrypt: Detects embedded cryptographic constants.\n  - packer: Tries to structurally detect packer presence.\n  - imports: Looks for suspicious imports.\n  - resources: Analyzes the program's resources.\n  - mitigation: Displays the enabled exploit mitigation techniques (DEP, ASLR, etc.).\n  - overlay: Analyzes data outside of the PE's boundaries.\n  - authenticode: Checks if the digital signature of the PE is valid.\n  - virustotal: Checks existing AV results on VirusTotal.\n  - all: Run all the available plugins.\n\nExamples:\n  manalyze.exe program.exe\n  manalyze.exe -dresources -dexports -x out/ program.exe\n  manalyze.exe --dump=imports,sections --hashes program.exe\n  manalyze.exe -r malwares/ --plugins=peid,clamav --dump all\n```\n\n## People using Manalyze\n\n- [ANY.RUN](https://any.run/)\n- [CinCan](https://cincan.io/)\n- [DFN-CERT](https://www.dfn-cert.de/)\n- [The Hive](https://blog.thehive-project.org/tag/manalyze/)\n- [Yomi](https://yomi.yoroi.company)\n- [Threat.Zone](https://threat.zone)\n\nContact me or open a pull request if you would like to be added to this list!\n\n## 
Contact\n[![E-Mail](https://manalyzer.org/static/img/mail.png)](mailto:justicerage@manalyzer[.]org)\n[![Twitter](http://manalyzer.org/static/img/twitter.png)](https://twitter.com/JusticeRage)\n[![GnuPG](http://manalyzer.org/static/img/gpg.png)](https://pgp.mit.edu/pks/lookup?op=vindex\u0026search=0x40E9F0A8F5EA8754)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjusticerage%2Fmanalyze","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjusticerage%2Fmanalyze","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjusticerage%2Fmanalyze/lists"}