PR change requests

capa/ida/plugin/README.md

@@ -1,38 +1,48 @@
 # capa explorer
 
-capa explorer is an IDA Pro plugin that integrates the FLARE team's open-source framework 
-[capa](https://www.fireeye.com/blog/threat-research/2020/07/capa-automatically-identify-malware-capabilities.html) with IDA. You can
-use capa explorer to quickly identify and navigate to interesting areas of a program and dissect capa rule matches at
-the assembly level.
+capa explorer is an IDA Pro plugin that integrates the FLARE team's open-source framework, capa, with IDA. capa is a framework that uses a well-defined collection of rules to 
+identify capabilities in a program. You can run capa against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that 
+the program is a backdoor, can install services, or relies on HTTP to communicate. 
 
-For example, we run capa explorer against a suspicious executable loaded into IDA and see that capa detected a rule match
-for `self delete via COMSPEC environment variable`:
+The capa explorer IDA plugin brings capa's detection capabilities to IDA. You can use capa explorer to run capa directly on an IDA database without needing access
+to the source binary. Once a database has been analyzed, capa explorer can be used to quickly identify and navigate to interesting areas of a program 
+and dissect capa rule matches at the assembly level.
+
+To illustrate, we use capa explorer to analyze Lab 14-02 from [Practical Malware Analysis](https://nostarch.com/malware) (PMA) available [here](https://practicalmalwareanalysis.com/labs/). Our
+goal is to understand the program's functionality.
+
+After loading Lab 14-02 into IDA and analyzing the database with capa explorer, we see that capa detected a rule match for `self delete via COMSPEC environment variable`:
 
 ![](../../../doc/img/ida_plugin_example_1.png)
 
-We can use capa explorer to navigate the IDA Disassembly view directly to the suspect function and get an assembly-level breakdown
-of why capa matched `self delete via COMSPEC environment variable` for this particular function.
+We can use capa explorer to navigate the IDA Disassembly view directly to the suspect function and get an assembly-level breakdown of why capa matched `self delete via COMSPEC environment variable` 
+for this particular function.
 
 ![](../../../doc/img/ida_plugin_example_2.png)
 
+Using the `Rule Information` and `Details` columns capa explorer shows us that the suspect function matched `self delete via COMSPEC environment variable` because it contains capa rule matches for `create process`, `get COMSPEC environment variable`,
+and `query environment variable`, references to the strings `COMSPEC`, ` > nul`, and `/c del`, and a call to the Windows API function `GetEnvironmentVariableA`.
+
+For more information on the FLARE team's open-source framework, capa, check out the overview in our first [blog](https://www.fireeye.com/blog/threat-research/2020/07/capa-automatically-identify-malware-capabilities.html).
+
 ## Features
 
 ![](../../../doc/img/ida_plugin_intro.gif)
 
 * Display capa results in an interactive tree view of rule matches and their locations in the current database
-* Export results as formatted JSON by navigating to `File > Export results...`
-* Remember a user's capa rules directory for future runs; change capa rules directory by navigating to `Rules > Change rules directory...`
 * Search for keywords or phrases found in the `Rule Information`, `Address`, or `Details` columns
 * Display rule source content when a user hovers their cursor over a rule match
 * Double-click `Address` column to view associated feature in the IDA Disassembly view
 * Limit tree view results to the function currently displayed in the IDA Disassembly view; update results as a user navigates to different functions
-* Sort results by column
-* Reset tree view and IDA Disassembly view highlighting by clicking `Reset`
+* Export results as formatted JSON by navigating to `File > Export results...`
+* Remember a user's capa rules directory for future runs; change capa rules directory by navigating to `Rules > Change rules directory...`
 * Automatically re-analyze database when user performs a program rebase
 * Automatically update results when IDA is used to rename a function
 * Select one or more checkboxes to highlight the associated addresses in the IDA Disassembly view
 * Right-click a function match to rename it; the new function name is propagated to the current IDA database
 * Right-click to copy a result by column or by row
+* Sort results by column
+* Reset tree view and IDA Disassembly view highlighting by clicking `Reset`
 
 ## Getting Started
 
@@ -59,7 +69,8 @@ You can install capa explorer using the following steps:
     ```
     $ pip install flare-capa
     ```
-3. Copy [capa_explorer.py](https://raw.githubusercontent.com/fireeye/capa/master/capa/ida/plugin/capa_explorer.py) to your IDA plugins directory
+3. Download the [standard collection of capa rules](https://github.com/fireeye/capa-rules) (capa explorer needs capa rules to analyze a database)
+4. Copy [capa_explorer.py](https://raw.githubusercontent.com/fireeye/capa/master/capa/ida/plugin/capa_explorer.py) to your IDA plugins directory
 
 ### Usage
 
@@ -86,7 +97,7 @@ downloading and using the [standard collection of capa rules](https://github.com
 Because capa explorer is packaged with capa you will need to install capa locally for development.
 
 You can install capa locally by following the steps outlined in `Method 3: Inspecting the capa source code` of the [capa 
-installation guide](https://github.com/fireeye/capa/blob/ida_plugin_documentation/doc/installation.md). Once installed, copy [capa_explorer.py](https://raw.githubusercontent.com/fireeye/capa/master/capa/ida/plugin/capa_explorer.py) 
+installation guide](https://github.com/fireeye/capa/blob/ida_plugin_documentation/doc/installation.md#method-3-inspecting-the-capa-source-code). Once installed, copy [capa_explorer.py](https://raw.githubusercontent.com/fireeye/capa/master/capa/ida/plugin/capa_explorer.py) 
 to your IDA plugins directory to run the plugin in IDA.
 
 ### Components