From 3acc0fe147b7928c347908452c1415580cc34b8d Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Wed, 19 Mar 2025 15:06:42 +0000
Subject: [PATCH] cape: detect OS via info.machine.platform

---
 capa/features/extractors/cape/global_.py | 4 ++++
 capa/features/extractors/cape/models.py | 5 +++++
 2 files changed, 9 insertions(+)

diff --git a/capa/features/extractors/cape/global_.py b/capa/features/extractors/cape/global_.py
index 5dadf646..055176dd 100644
--- a/capa/features/extractors/cape/global_.py
+++ b/capa/features/extractors/cape/global_.py
@@ -81,6 +81,10 @@ def extract_os(report: CapeReport) -> Iterator[tuple[Feature, Address]]:
             # if the operating system information is missing from the cape report, it's likely a bug
             logger.warning("unrecognized OS: %s", file_output)
             raise ValueError(f"unrecognized OS from the CAPE report; output of file command: {file_output}")
+    elif report.info.machine and report.info.machine.platform == "windows":
+        yield OS(OS_WINDOWS), NO_ADDRESS
+    elif report.info.machine and report.info.machine.platform == "linux":
+        yield OS(OS_LINUX), NO_ADDRESS
     else:
         # the sample is shellcode
         logger.debug("unsupported file format, file command output: %s", file_output)
diff --git a/capa/features/extractors/cape/models.py b/capa/features/extractors/cape/models.py
index d5cd556c..a416e138 100644
--- a/capa/features/extractors/cape/models.py
+++ b/capa/features/extractors/cape/models.py
@@ -71,8 +71,13 @@ Emptydict: TypeAlias = BaseModel
 EmptyList: TypeAlias = list[Any]
 
 
+class Machine(FlexibleModel):
+    platform: Optional[str] = None
+
+
 class Info(FlexibleModel):
     version: str
+    machine: Optional[Machine] = None
 
 
 class ImportedSymbol(FlexibleModel):
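Review bot: The two new `elif` branches compare `report.info.machine.platform` to the exact lowercase literals "windows" and "linux", so any other spelling CAPE might emit (capitalised, or a value such as "win") silently drops into the shellcode `else:` branch, which only logs at debug level and, from the visible context, appears to yield a generic OS rather than raising like the file-command path above it. Unless the platform field is known to be normalised (not visible on this page), it would be safer to lower-case once and compare against that, e.g. `elif report.info.machine and (report.info.machine.platform or "").lower() == "windows":` and the same for "linux". Repeating `report.info.machine and ...` in both conditions is also a style point; binding the platform to a local before the chain would read better, but the `if` that opens this chain starts outside the hunk, as does the `else:` body that closes extract_os. A one-line comment above the first new branch stating why this fallback only applies when the file-command output matched neither Windows nor ELF, `# file(1) output was inconclusive; fall back to the sandbox's own platform label`, would help the next reader.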
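Review bot: The new `Machine` model and the `Info.machine` field carry no documentation, and nothing in models.py records that `platform` is consumed by an exact string comparison in global_.extract_os. A short docstring on `Machine`, such as `"""CAPE analysis-machine metadata from the report's info.machine object."""`, plus a field comment `platform: Optional[str] = None  # compared verbatim against "windows" / "linux" in global_.extract_os`, would make the coupling visible to whoever next touches either file. Whether CAPE populates this object on every report, and what other values `platform` can take, is not shown on this page and is worth confirming against a few real reports before relying on the field.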