Merge pull request #2433 from mandiant/fix/vmray-string-call-args

fix backslash handling in string call arguments
2025-12-05 20:40:05 -08:00 · 2024-10-03 11:28:34 +02:00
parent 389a5eb84f 6d3b96f0b0
commit 030954d556
3 changed files with 31 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -33,6 +33,7 @@
 - vmray: collect more process information from flog.xml #2394 @mr-tz @mike-hunhoff
 - replace tabulate, tqdm, and termcolor with rich #2374 @s-ff
 - dynamic: emit complete features for A/W APIs #2409 @mike-hunhoff
+- vmray: fix backslash handling in string call arguments #2428 @mr-tz

 ### capa Explorer Web
 - improve navigation in capa Explorer Web @s-ff #2425
--- a/capa/features/extractors/vmray/call.py
+++ b/capa/features/extractors/vmray/call.py
@@ -27,7 +27,11 @@ def get_call_param_features(param: Param, ch: CallHandle) -> Iterator[Tuple[Feat
            if param.deref.type_ in PARAM_TYPE_INT:
                yield Number(hexint(param.deref.value)), ch.address
            elif param.deref.type_ in PARAM_TYPE_STR:
-                yield String(param.deref.value), ch.address
+                # TODO(mr-tz): remove FPS like " \\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0a\\x0b\\x0c\\x0d\\x0e\\x0f\\x10\\x11\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\x1a\\x1b\\x1c\\x1d\\x1e\..."
+                # https://github.com/mandiant/capa/issues/2432
+
+                # parsing the data up to here results in double-escaped backslashes, remove those here
+                yield String(param.deref.value.replace("\\\\", "\\")), ch.address
            else:
                logger.debug("skipping deref param type %s", param.deref.type_)
    elif param.value is not None:
--- a/tests/test_vmray_features.py
+++ b/tests/test_vmray_features.py
@@ -35,6 +35,31 @@ DYNAMIC_VMRAY_FEATURE_PRESENCE_TESTS = sorted(
            capa.features.common.String("raw.githubusercontent.com"),
            True,
        ),
+        # backslashes in paths; see #2428
+        (
+            "93b2d1-vmray",
+            "process=(2176:0),thread=2180,call=267",
+            capa.features.common.String("C:\\Users\\WhuOXYsD\\Desktop\\filename.exe"),
+            True,
+        ),
+        (
+            "93b2d1-vmray",
+            "process=(2176:0),thread=2180,call=267",
+            capa.features.common.String("C:\\\\Users\\\\WhuOXYsD\\\\Desktop\\\\filename.exe"),
+            False,
+        ),
+        (
+            "93b2d1-vmray",
+            "process=(2176:0),thread=2204,call=2395",
+            capa.features.common.String("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"),
+            True,
+        ),
+        (
+            "93b2d1-vmray",
+            "process=(2176:0),thread=2204,call=2395",
+            capa.features.common.String("Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System"),
+            False,
+        ),
        # call/number argument
        # VirtualAlloc(4096, 4)
        ("93b2d1-vmray", "process=(2176:0),thread=2420,call=2358", capa.features.insn.Number(4096), True),