Merge branch 'master' of github.com:fireeye/capa

README.md

@@ -70,10 +70,10 @@ For more information about how to use capa, including running it as an IDA scrip
 # example
 
 In the above sample output, we ran capa against an unknown binary (`suspicious.exe`),
-and the tool reported that the program can decode data via XOR,
-contains an embedded PE, writes to a file, and spawns a new process.
-Taken together, this makes us think that `suspicious.exe` could be a dropper or backdoor.
-Therefore, our next analysis step might be to run `suspicious.exe` in a sandbox and try to recover the payload.
+and the tool reported that the program can send HTTP requests, decode data via XOR and Base64,
+install services, and spawn new processes.
+Taken together, this makes us think that `suspicious.exe` could be a persistent backdoor.
+Therefore, our next analysis step might be to run `suspicious.exe` in a sandbox and try to recover the command and control server.
 
 By passing the `-vv` flag (for very verbose), capa reports exactly where it found evidence of these capabilities.
 This is useful for at least two reasons:
@@ -140,11 +140,19 @@ rule:
 The [github.com/fireeye/capa-rules](https://github.com/fireeye/capa-rules) repository contains hundreds of standard library rules that are distributed with capa.
 Please learn to write rules and contribute new entries as you find interesting techniques in malware.
 
+If you use IDA Pro, then you use can use the [IDA Pro plugin for capa](./capa/ida/ida_capa_explorer.py).
+This script adds new user interface elements to IDA, including an interactive tree view of rule matches and their locations within the current database.
+As you select the checkboxes, the plugin will highlight the addresses associated with the features.
+We use this plugin all the time to quickly jump to interesting parts of a program.
+
+![capa + IDA Pro integration](.github/capa-ida.jpg)
+
 # further information
 ## capa
 - [doc/installation](doc/installation.md)
 - [doc/usage](doc/usage.md)
 - [doc/limitations](doc/limitations.md)
+- [Contributing Guide](.github/CONTRIBUTING.md)
 
 ## capa rules
 - [capa-rules repository](https://github.com/fireeye/capa-rules)

doc/usage.md

@@ -22,7 +22,7 @@ IDA's analysis is generally a bit faster and more thorough than vivisect's, so y
 When run under IDA, capa supports both Python 2 and Python 3 interpreters.
 If you encounter issues with your specific setup, please open a new [Issue](https://github.com/fireeye/capa/issues).
 
-Additionally, capa comes with two IDA Pro plugins located in the `capa/ida` directory: the explorer and the rule generator.
+Additionally, capa comes with an IDA Pro plugin located in the `capa/ida` directory: the explorer.
 
 #### capa explorer
 The capa explorer allows you to interactively display and browse capabilities capa identified in a binary.
@@ -31,7 +31,10 @@ We like to use capa to help find the most interesting parts of a program, such a
 
 ![capa explorer](img/capa_explorer.png)
 
-#### rule generator
-The rule generator helps you to easily write new rules based on the function you are currently analyzing in your IDA disassembly view.
-It shows the features that capa can extract from the function, and lets you quickly pull these into a rule template.
-You'll still have to provide the logic structures (`and`, `or`, `not`, etc.) but the features will be prepared for you.
+To install the plugin, you'll need to be running IDA Pro 7.4 or 7.5 with either Python 2 or Python 3.
+Next make sure pip commands are run using the Python install that is configured for your IDA install:
+
+  1. Only if running Python 2.7, run command `$ pip install https://github.com/williballenthin/vivisect/zipball/master`
+  2. Run `$ pip install .` from capa root directory
+  3. Open IDA and navigate to `File > Script file…` or `Alt+F7`
+  4. Navigate to `<capa_install_dir>\capa\ida\` and choose `ida_capa_explorer.py`