extract ordinal and name imports

2026-02-04 19:12:01 -08:00 · 2020-10-20 14:56:38 +02:00
parent a442536246
commit 0a369c548b
1 changed files with 8 additions and 1 deletions
--- a/capa/features/extractors/ida/file.py
+++ b/capa/features/extractors/ida/file.py
@@ -95,7 +95,14 @@ def extract_file_import_names():
     - importname
    """
    for (ea, info) in capa.features.extractors.ida.helpers.get_file_imports().items():
-        if info[1]:
+        if info[1] and info[2]:
+            # e.g. in mimikatz: ('cabinet', 'FCIAddFile', 11L)
+            # extract by name here and by ordinal below
+            for name in capa.features.extractors.helpers.generate_symbols(info[0], info[1]):
+                yield Import(name), ea
+            dll = info[0]
+            symbol = "#%d" % (info[2])
+        elif info[1]:
            dll = info[0]
            symbol = info[1]
        elif info[2]: