vmray: implement get_call_name

This commit is contained in:
Mike Hunhoff
2024-07-17 15:04:00 -06:00
parent 19a6f3ad49
commit 330c77a32a
2 changed files with 30 additions and 7 deletions


@@ -7,7 +7,7 @@
# See the License for the specific language governing permissions and limitations under the License. # See the License for the specific language governing permissions and limitations under the License.
from typing import Tuple, Iterator from typing import List, Tuple, Iterator
from pathlib import Path from pathlib import Path
import capa.helpers import capa.helpers
@@ -17,7 +17,7 @@ import capa.features.extractors.vmray.global_
from capa.features.common import Feature, Characteristic from capa.features.common import Feature, Characteristic
from capa.features.address import NO_ADDRESS, Address, ThreadAddress, DynamicCallAddress, AbsoluteVirtualAddress from capa.features.address import NO_ADDRESS, Address, ThreadAddress, DynamicCallAddress, AbsoluteVirtualAddress
from capa.features.extractors.vmray import VMRayAnalysis from capa.features.extractors.vmray import VMRayAnalysis
from capa.features.extractors.vmray.models import Process, FunctionCall from capa.features.extractors.vmray.models import PARAM_TYPE_STR, Process, ParamList, FunctionCall
from capa.features.extractors.base_extractor import ( from capa.features.extractors.base_extractor import (
CallHandle, CallHandle,
SampleHashes, SampleHashes,
@@ -27,6 +27,20 @@ from capa.features.extractors.base_extractor import (
) )
def format_params(params: ParamList) -> List[str]:
params_list: List[str] = []
for param in params:
if param.deref and param.deref.value is not None:
deref_value: str = f'"{param.deref.value}"' if param.deref.type_ in PARAM_TYPE_STR else param.deref.value
params_list.append(f"{param.name}: {deref_value}")
else:
value: str = "" if param.value is None else param.value
params_list.append(f"{param.name}: {value}")
return params_list
class VMRayExtractor(DynamicFeatureExtractor): class VMRayExtractor(DynamicFeatureExtractor):
def __init__(self, analysis: VMRayAnalysis): def __init__(self, analysis: VMRayAnalysis):
assert analysis.sample_file_analysis is not None assert analysis.sample_file_analysis is not None
@@ -90,7 +104,19 @@ class VMRayExtractor(DynamicFeatureExtractor):
def get_call_name(self, ph, th, ch) -> str: def get_call_name(self, ph, th, ch) -> str:
call: FunctionCall = ch.inner call: FunctionCall = ch.inner
return call.name call_formatted: str = call.name
# format input parameters
if call.params_in:
call_formatted += f"({', '.join(format_params(call.params_in.params))})"
else:
call_formatted += "()"
# format output parameters
if call.params_out:
call_formatted += f" -> {', '.join(format_params(call.params_out.params))}"
return call_formatted
@classmethod @classmethod
def from_zipfile(cls, zipfile_path: Path): def from_zipfile(cls, zipfile_path: Path):
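Review bot: In format_params the dereferenced string values are interpolated into the call name verbatim between double quotes (`f'"{param.deref.value}"'`), so a captured argument that itself contains `"`, a newline or other control characters yields a name that is ambiguous to read and can break line-oriented output; these values originate from the sandboxed sample, so they should be treated as untrusted when rendered. Escaping them keeps the quoted form while neutralising embedded quotes and control characters, e.g. `deref_value = json.dumps(param.deref.value, ensure_ascii=False) if param.deref.type_ in PARAM_TYPE_STR else param.deref.value` with `json` added to the imports. The `deref_value: str` annotation also does not hold in the non-string branch unless `param.deref.value` is always a str in the model, which this hunk does not show; if it can be a non-str, wrap it in `str(...)`. format_params is complete within its hunk; get_call_name's enclosing class continues outside it.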


@@ -108,17 +108,14 @@ class FunctionCall(BaseModel):
# addr: HexInt # addr: HexInt
# from_addr: HexInt = Field(alias="from") # from_addr: HexInt = Field(alias="from")
params_in: Params = Field(alias="in", default=None) params_in: Params = Field(alias="in", default=None)
# params_out: Params = Field(alias="out", default=None) params_out: Params = Field(alias="out", default=None)
"""
# not useful for capa, but included for documentation in case
class FunctionReturn(BaseModel): class FunctionReturn(BaseModel):
ts: HexInt ts: HexInt
fncall_id: HexInt fncall_id: HexInt
addr: HexInt addr: HexInt
from_addr: HexInt = Field(alias="from") from_addr: HexInt = Field(alias="from")
"""
class Analysis(BaseModel): class Analysis(BaseModel):
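Review bot: The re-enabled `params_out` field is annotated `Params` but defaults to `None`, so a static checker will flag the annotation and will treat a `params_out` truthiness guard as always true; `params_out: Optional[Params] = Field(alias="out", default=None)` states the actual contract (the pre-existing `params_in` line above it has the same issue). Dropping the `"""` wrapper also turns FunctionReturn from commented-out text into a live model while removing the note about its purpose; if nothing consumes it yet, a one-line comment such as `# not consumed by the extractor; kept to document the log schema` would preserve that context. The enclosing FunctionCall class starts outside the hunk.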