gitea-mirror/capa
1
0
Fork 0
mirror of https://github.com/mandiant/capa.git synced 2025-12-23 07:28:34 -08:00
Code Issues Packages Projects Releases Wiki Activity

ida extract library funcs identified via flirt

Browse Source
This commit is contained in:
Moritz Raabe
2021-06-28 14:11:28 +02:00
parent b84cc3128d
commit 18c87e4e55
2 changed files with 20 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
capa/features/extractors/ida/insn.py
View File

@@ -54,9 +54,6 @@ def get_imports(ctx):
def check_for_api_call(ctx, insn):
"""check instruction for API call"""
if not insn.get_canon_mnem() in ("call", "jmp"):
return
info = ()
ref = insn.ea
@@ -95,11 +92,29 @@ def extract_insn_api_features(f, bb, insn):
example:
call dword [0x00473038]
"""
if not insn.get_canon_mnem() in ("call", "jmp"):
return
for api in check_for_api_call(f.ctx, insn):
dll, _, symbol = api.rpartition(".")
for name in capa.features.extractors.helpers.generate_symbols(dll, symbol):
yield API(name), insn.ea
# extract IDA/FLIRT recognized API functions
targets = list(idautils.CodeRefsFrom(insn.ea, False))
if not targets:
return
target = targets[0]
target_func = idaapi.get_func(target)
if not target_func or target_func.start_ea != target:
# not a function (start)
return
if idaapi.get_func(target).flags & idaapi.FUNC_LIB:
name = idaapi.get_name(target)
yield API(name), insn.ea
def extract_insn_number_features(f, bb, insn):
"""parse instruction number features