From 0a369c548b7fe46a63466949c2ebe66fef0de0e8 Mon Sep 17 00:00:00 2001
From: Moritz Raabe
Date: Tue, 20 Oct 2020 14:56:38 +0200
Subject: [PATCH] extract ordinal and name imports

---
 capa/features/extractors/ida/file.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/capa/features/extractors/ida/file.py b/capa/features/extractors/ida/file.py
index b75c3475..5ca2370d 100644
--- a/capa/features/extractors/ida/file.py
+++ b/capa/features/extractors/ida/file.py
@@ -95,7 +95,14 @@ def extract_file_import_names():
     - importname
     """
     for (ea, info) in capa.features.extractors.ida.helpers.get_file_imports().items():
-        if info[1]:
+        if info[1] and info[2]:
+            # e.g. in mimikatz: ('cabinet', 'FCIAddFile', 11L)
+            # extract by name here and by ordinal below
+            for name in capa.features.extractors.helpers.generate_symbols(info[0], info[1]):
+                yield Import(name), ea
+            dll = info[0]
+            symbol = "#%d" % (info[2])
+        elif info[1]:
             dll = info[0]
             symbol = info[1]
         elif info[2]:
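Review bot: The two assignment lines at the end of the new `if info[1] and info[2]:` branch, `dll = info[0]` and `symbol = "#%d" % (info[2])`, appear to repeat what the existing `elif info[2]:` branch does for ordinal-only imports; that branch's body lies outside the hunk, so this is inferred from the branch condition and the commit message. If it does, the name/ordinal case could yield the name-based symbols and then fall through to the shared ordinal handling instead of duplicating its formatting, so the two ordinal spellings cannot drift apart. The comment `# extract by name here and by ordinal below` should also say where the ordinal form is actually emitted, since this branch only assigns `dll`/`symbol` and relies on a common `yield` that sits after the hunk; something like `# yield name-based symbols here; the ordinal form is assembled in dll/symbol and yielded by the common path below` would make the fall-through explicit. The enclosing function `extract_file_import_names` continues past the end of the hunk.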