diff --git a/.github/capa-ida.jpg b/.github/capa-ida.jpg new file mode 100644 index 00000000..21805db4 Binary files /dev/null and b/.github/capa-ida.jpg differ diff --git a/README.md b/README.md index 33ac694a..f20d7b3a 100644 --- a/README.md +++ b/README.md @@ -70,10 +70,10 @@ For more information about how to use capa, including running it as an IDA scrip # example In the above sample output, we ran capa against an unknown binary (`suspicious.exe`), -and the tool reported that the program can decode data via XOR, -contains an embedded PE, writes to a file, and spawns a new process. -Taken together, this makes us think that `suspicious.exe` could be a dropper or backdoor. -Therefore, our next analysis step might be to run `suspicious.exe` in a sandbox and try to recover the payload. +and the tool reported that the program can send HTTP requests, decode data via XOR and Base64, +install services, and spawn new processes. +Taken together, this makes us think that `suspicious.exe` could be a persistent backdoor. +Therefore, our next analysis step might be to run `suspicious.exe` in a sandbox and try to recover the command and control server. By passing the `-vv` flag (for very verbose), capa reports exactly where it found evidence of these capabilities. This is useful for at least two reasons: 
@@ -140,11 +140,19 @@ rule: The [github.com/fireeye/capa-rules](https://github.com/fireeye/capa-rules) repository contains hundreds of standard library rules that are distributed with capa. Please learn to write rules and contribute new entries as you find interesting techniques in malware. +If you use IDA Pro, then you use can use the [IDA Pro plugin for capa](./capa/ida/ida_capa_explorer.py). +This script adds new user interface elements to IDA, including an interactive tree view of rule matches and their locations within the current database. +As you select the checkboxes, the plugin will highlight the addresses associated with the features. +We use this plugin all the time to quickly jump to interesting parts of a program. + +![capa + IDA Pro integration](.github/capa-ida.jpg) + # further information ## capa - [doc/installation](doc/installation.md) - [doc/usage](doc/usage.md) - [doc/limitations](doc/limitations.md) +- [Contributing Guide](.github/CONTRIBUTING.md) ## capa rules - [capa-rules repository](https://github.com/fireeye/capa-rules) diff --git a/doc/usage.md b/doc/usage.md index 10d38522..59d29ec0 100644 --- a/doc/usage.md +++ b/doc/usage.md @@ -22,7 +22,7 @@ IDA's analysis is generally a bit faster and more thorough than vivisect's, so y When run under IDA, capa supports both Python 2 and Python 3 interpreters. If you encounter issues with your specific setup, please open a new [Issue](https://github.com/fireeye/capa/issues). -Additionally, capa comes with two IDA Pro plugins located in the `capa/ida` directory: the explorer and the rule generator. +Additionally, capa comes with an IDA Pro plugin located in the `capa/ida` directory: the explorer. #### capa explorer The capa explorer allows you to interactively display and browse capabilities capa identified in a binary. 
@@ -31,7 +31,10 @@ We like to use capa to help find the most interesting parts of a program, such a ![capa explorer](img/capa_explorer.png) -#### rule generator -The rule generator helps you to easily write new rules based on the function you are currently analyzing in your IDA disassembly view. -It shows the features that capa can extract from the function, and lets you quickly pull these into a rule template. -You'll still have to provide the logic structures (`and`, `or`, `not`, etc.) but the features will be prepared for you. +To install the plugin, you'll need to be running IDA Pro 7.4 or 7.5 with either Python 2 or Python 3. +Next make sure pip commands are run using the Python install that is configured for your IDA install: + + 1. Only if running Python 2.7, run command `$ pip install https://github.com/williballenthin/vivisect/zipball/master` + 2. Run `$ pip install .` from capa root directory + 3. Open IDA and navigate to `File > Script file…` or `Alt+F7` + 4. Navigate to `\capa\ida\` and choose `ida_capa_explorer.py`
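Review bot: the rewritten example paragraph in README.md (`@@ -70,10 +70,10 @@`) now says capa reported HTTP requests, XOR and Base64 decoding, service installation and process spawning, but it still opens with "In the above sample output" and no hunk in this patch touches that sample output. Confirm the output block above line 70 already shows those same capabilities for `suspicious.exe`; otherwise the prose describes results the reader cannot see on the page.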
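Review bot: typo in the new README.md paragraph (`@@ -140,11 +140,19 @@`): `+If you use IDA Pro, then you use can use the [IDA Pro plugin for capa]` should read "then you can use". In the same hunk, the new `- [Contributing Guide](.github/CONTRIBUTING.md)` entry points at a file this patch does not add (only `.github/capa-ida.jpg` is added), so check that `.github/CONTRIBUTING.md` already exists in the tree or the link will be dead.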
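Review bot: the doc/usage.md change at `@@ -22,7 +22,7 @@` (`-Additionally, capa comes with two IDA Pro plugins ... the explorer and the rule generator.` to `+Additionally, capa comes with an IDA Pro plugin ...: the explorer.`) only edits the documentation; nothing in this patch removes a rule generator script from `capa/ida`. If that script still ships, the sentence is now inaccurate; if it was removed elsewhere, state that in the commit message so the doc change is traceable.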
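Review bot: step 1 of the new install instructions (`@@ -31,7 +31,10 @@`) tells Python 2.7 users to run `pip install https://github.com/williballenthin/vivisect/zipball/master`, which installs whatever the fork's default branch contains at that moment; pin the URL to a tag or commit so the dependency is reproducible and reviewable. Also, step 4's path `\capa\ida\` uses Windows separators while the text around it does not limit the platform; `capa/ida/` (the same form the `@@ -22` hunk uses) reads correctly on non-Windows hosts as well.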