From 31ec208a9bfdab4cb1b482a49f92ca4cfd3c1a54 Mon Sep 17 00:00:00 2001
From: Mike Hunhoff
Date: Thu, 26 Sep 2024 14:27:45 -0600
Subject: [PATCH] dynamic: cape: fix A/W API detection
---
 capa/features/extractors/cape/call.py | 4 +++-
 tests/test_cape_features.py | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/capa/features/extractors/cape/call.py b/capa/features/extractors/cape/call.py
index 88680b3f..0bee22fc 100644
--- a/capa/features/extractors/cape/call.py
+++ b/capa/features/extractors/cape/call.py
@@ -9,6 +9,7 @@
 import logging
 from typing import Tuple, Iterator
 
+import capa.features.extractors.helpers
 from capa.helpers import assert_never
 from capa.features.insn import API, Number
 from capa.features.common import String, Feature
@@ -50,7 +51,8 @@ def extract_call_features(ph: ProcessHandle, th: ThreadHandle, ch: CallHandle) -
 else:
 assert_never(value)
 
- yield API(call.api), ch.address
+ for name in capa.features.extractors.helpers.generate_symbols("", call.api):
+ yield API(name), ch.address
 
 
 def extract_features(ph: ProcessHandle, th: ThreadHandle, ch: CallHandle) -> Iterator[Tuple[Feature, Address]]:
diff --git a/tests/test_cape_features.py b/tests/test_cape_features.py
index d72caa9a..ade933e7 100644
--- a/tests/test_cape_features.py
+++ b/tests/test_cape_features.py
@@ -37,6 +37,8 @@ DYNAMIC_CAPE_FEATURE_PRESENCE_TESTS = sorted(
 ),
 ("0000a657", "process=(1180:3052)", capa.features.common.String("nope"), False),
 # thread/api calls
+ ("0000a657", "process=(2900:2852),thread=2904", capa.features.insn.API("RegQueryValueExA"), True),
+ ("0000a657", "process=(2900:2852),thread=2904", capa.features.insn.API("RegQueryValueEx"), True),
 ("0000a657", "process=(2852:3052),thread=2804", capa.features.insn.API("NtQueryValueKey"), True),
 ("0000a657", "process=(2852:3052),thread=2804", capa.features.insn.API("GetActiveWindow"), False),
 # thread/number call argument
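Review bot: The new `for` loop at the end of extract_call_features carries no comment saying why one API call is expanded into several API features, and the empty first argument to generate_symbols is unexplained; a one-liner such as `# over-generate API name variants (e.g. RegQueryValueExA -> RegQueryValueEx) so rules written against the un-suffixed name match either the A or the W call` would keep the next reader from collapsing it back to a single yield. CAPE call records apparently carry no module name here, which is presumably why the dll argument is `""`; if generate_symbols also emits a `dll.symbol` variant for that value, a leading-dot name would be yielded as a feature, so this is worth confirming against helpers.generate_symbols and, if it offers a way to suppress that variant, using it. The suffix stripping is purely lexical, so any API whose name merely ends in A or W also gets an un-suffixed variant; that is the accepted over-generation trade-off, but it belongs in the comment. extract_call_features begins outside the hunk.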
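Review bot: The two added rows only pin presence; nothing shows that the ANSI call does not also register as the wide variant, so a regression in the symbol expansion that yields both suffixes would still pass. Assuming thread 2904 of that process makes no RegQueryValueExW call, a row such as `("0000a657", "process=(2900:2852),thread=2904", capa.features.insn.API("RegQueryValueExW"), False),` placed next to the new ones would cover it. The enclosing DYNAMIC_CAPE_FEATURE_PRESENCE_TESTS list starts and ends outside the hunk.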