From 1cee93005585344d37b513eceb0b961323669993 Mon Sep 17 00:00:00 2001 From: Michael Hunhoff Date: Thu, 10 Sep 2020 17:19:52 -0600 Subject: [PATCH 1/2] highlight regex in IDA ui --- capa/ida/plugin/item.py | 4 ++-- capa/ida/plugin/model.py | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/capa/ida/plugin/item.py b/capa/ida/plugin/item.py index b63886fc..6cf24267 100644 --- a/capa/ida/plugin/item.py +++ b/capa/ida/plugin/item.py @@ -341,12 +341,12 @@ class CapaExplorerByteViewItem(CapaExplorerFeatureItem): class CapaExplorerStringViewItem(CapaExplorerFeatureItem): """store data for string match""" - def __init__(self, parent, display, location): + def __init__(self, parent, display, location, value): """initialize item @param parent: parent node @param display: text to display in UI @param location: virtual address as seen by IDA """ - super(CapaExplorerStringViewItem, self).__init__(parent, display, location=location) + super(CapaExplorerStringViewItem, self).__init__(parent, display, location=location, details=value) self.ida_highlight = idc.get_color(location, idc.CIC_ITEM) diff --git a/capa/ida/plugin/model.py b/capa/ida/plugin/model.py index 4626a01d..e95e6b9a 100644 --- a/capa/ida/plugin/model.py +++ b/capa/ida/plugin/model.py @@ -522,7 +522,7 @@ class CapaExplorerDataModel(QtCore.QAbstractItemModel): ) if feature["type"] == "regex": - return CapaExplorerFeatureItem(parent, display, location, details=feature["match"]) + return CapaExplorerStringViewItem(parent, display, location, feature["match"]) if feature["type"] == "basicblock": return CapaExplorerBlockItem(parent, location) @@ -547,7 +547,7 @@ class CapaExplorerDataModel(QtCore.QAbstractItemModel): if feature["type"] in ("string",): # display string preview - return CapaExplorerStringViewItem(parent, display, location) + return CapaExplorerStringViewItem(parent, display, location, feature[feature["type"]]) if feature["type"] in ("import", "export"): # display no preview 
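Review bot: The new `value` parameter on `CapaExplorerStringViewItem.__init__` is not documented; the docstring still lists only parent, display and location, so add `@param value: matched string or regex value, passed on as the item's details` after the `@param location` line. `value` is also a required positional argument, so any constructor call outside the two model.py call sites this patch updates would now fail with a TypeError; if other callers exist (not visible from here), a `value=None` default would keep them working. The `__init__` body may continue past `self.ida_highlight = idc.get_color(...)`, which is the last line of the hunk.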
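Review bot: `CapaExplorerStringViewItem` now also backs regex features, but its class docstring (shown in the item.py hunk of this same patch) still reads `"""store data for string match"""`; update it to `"""store data for string and regex matches"""` so the class is not read as string-only. The `feature["match"]` lookup is carried over from the removed line, so no new KeyError path is introduced by this hunk. The enclosing `CapaExplorerDataModel` method begins and ends outside the hunk.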
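Review bot: `feature[feature["type"]]` is an indirect spelling of `feature["string"]`, because the guard directly above only admits `"string"`; `return CapaExplorerStringViewItem(parent, display, location, feature["string"])` reads more directly and matches the explicit `feature["match"]` used in the regex branch. If the one-element `("string",)` tuple is meant to grow, a short comment such as `# feature value lives under the key named by its type` would justify the indirection. The enclosing method begins and ends outside the hunk.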
From 1cb45f35beab5075e72cbb11faa709312890d596 Mon Sep 17 00:00:00 2001 From: Michael Hunhoff Date: Fri, 11 Sep 2020 13:12:28 -0600 Subject: [PATCH 2/2] rename ida plugin --- capa/ida/plugin/__init__.py | 2 +- capa/ida/plugin/{capa_plugin_ida.py => capa_explorer.py} | 0 doc/usage.md | 2 +- 3 files changed, 2 insertions(+), 2 deletions(-) rename capa/ida/plugin/{capa_plugin_ida.py => capa_explorer.py} (100%) diff --git a/capa/ida/plugin/__init__.py b/capa/ida/plugin/__init__.py index ca52e561..f262f486 100644 --- a/capa/ida/plugin/__init__.py +++ b/capa/ida/plugin/__init__.py @@ -21,7 +21,7 @@ logger = logging.getLogger(__name__) class CapaExplorerPlugin(idaapi.plugin_t): # Mandatory definitions - PLUGIN_NAME = "FLARE capa plugin" + PLUGIN_NAME = "FLARE capa explorer" PLUGIN_VERSION = "1.0.0" PLUGIN_AUTHORS = "michael.hunhoff@mandiant.com, william.ballenthin@mandiant.com, moritz.raabe@mandiant.com" diff --git a/capa/ida/plugin/capa_plugin_ida.py b/capa/ida/plugin/capa_explorer.py similarity index 100% rename from capa/ida/plugin/capa_plugin_ida.py rename to capa/ida/plugin/capa_explorer.py diff --git a/doc/usage.md b/doc/usage.md index 750721f1..422aa965 100644 --- a/doc/usage.md +++ b/doc/usage.md 
@@ -32,7 +32,7 @@ We like to use capa to help find the most interesting parts of a program, such a ![capa explorer](img/capa_explorer.png) The plugin currently supports IDA Pro 7.1 through 7.5 with either Python 2 or Python 3. To use the plugin, install capa -by following method 2 or 3 from the [installation guide](installation.md) and copy [capa_plugin_ida.py](../capa/ida/plugin/capa_plugin_ida.py) +by following method 2 or 3 from the [installation guide](installation.md) and copy [capa_plugin_ida.py](../capa/ida/plugin/capa_explorer.py) to the plugins directory of your IDA Pro installation. Following these steps you can run capa explorer in IDA Pro by navigating to `Edit > Plugins > capa explorer`. The plugin will prompt you to select a rules directory to use for analysis. You can use the [default rule set](https://github.com/fireeye/capa-rules/) or point the plugin to your own directory of rules.