gitea-mirror/capa
1
0
Fork 0
mirror of https://github.com/mandiant/capa.git synced 2025-12-23 07:28:34 -08:00
Code Issues Packages Projects Releases Wiki Activity

lint: show mod/imp names per rule

Browse Source 
fix bug where the same mod/imp name pair was shown for all rules
This commit is contained in:
William Ballenthin
2021-08-25 16:36:08 -06:00
parent fd7cff6109
commit 0569f9b242
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
scripts/lint.py
View File

@@ -353,7 +353,7 @@ class FeatureNegativeNumber(Lint):
class FeatureNtdllNtoskrnlApi(Lint): class FeatureNtdllNtoskrnlApi(Lint):
name = "feature api may overlap with ntdll and ntoskrnl" name = "feature api may overlap with ntdll and ntoskrnl"
level = Lint.WARN level = Lint.WARN
recommendation = ( recommendation_template = (
"check if {:s} is exported by both ntdll and ntoskrnl; if true, consider removing {:s} " "check if {:s} is exported by both ntdll and ntoskrnl; if true, consider removing {:s} "
"module requirement to improve detection" "module requirement to improve detection"
) )
@@ -363,7 +363,7 @@ class FeatureNtdllNtoskrnlApi(Lint):
if isinstance(feature, capa.features.insn.API): if isinstance(feature, capa.features.insn.API):
modname, _, impname = feature.value.rpartition(".") modname, _, impname = feature.value.rpartition(".")
if modname in ("ntdll", "ntoskrnl"): if modname in ("ntdll", "ntoskrnl"):
self.recommendation = self.recommendation.format(impname, modname) self.recommendation = self.recommendation_template.format(impname, modname)
return True return True
return False return False