diff --git a/capa/ida/plugin/README.md b/capa/ida/plugin/README.md index 3610e61d..3cd10574 100644 --- a/capa/ida/plugin/README.md +++ b/capa/ida/plugin/README.md 
@@ -1,38 +1,48 @@ # capa explorer -capa explorer is an IDA Pro plugin that integrates the FLARE team's open-source framework -[capa](https://www.fireeye.com/blog/threat-research/2020/07/capa-automatically-identify-malware-capabilities.html) with IDA. You can -use capa explorer to quickly identify and navigate to interesting areas of a program and dissect capa rule matches at -the assembly level. +capa explorer is an IDA Pro plugin that integrates the FLARE team's open-source framework, capa, with IDA. capa is a framework that uses a well-defined collection of rules to +identify capabilities in a program. You can run capa against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that +the program is a backdoor, can install services, or relies on HTTP to communicate. -For example, we run capa explorer against a suspicious executable loaded into IDA and see that capa detected a rule match -for `self delete via COMSPEC environment variable`: +The capa explorer IDA plugin brings capa's detection capabilities to IDA. You can use capa explorer to run capa directly on an IDA database without needing access +to the source binary. Once a database has been analyzed, capa explorer can be used to quickly identify and navigate to interesting areas of a program +and dissect capa rule matches at the assembly level. + +To illustrate, we use capa explorer to analyze Lab 14-02 from [Practical Malware Analysis](https://nostarch.com/malware) (PMA) available [here](https://practicalmalwareanalysis.com/labs/). Our +goal is to understand the program's functionality. 
+ +After loading Lab 14-02 into IDA and analyzing the database with capa explorer, we see that capa detected a rule match for `self delete via COMSPEC environment variable`: ![](../../../doc/img/ida_plugin_example_1.png) -We can use capa explorer to navigate the IDA Disassembly view directly to the suspect function and get an assembly-level breakdown -of why capa matched `self delete via COMSPEC environment variable` for this particular function. +We can use capa explorer to navigate the IDA Disassembly view directly to the suspect function and get an assembly-level breakdown of why capa matched `self delete via COMSPEC environment variable` +for this particular function. ![](../../../doc/img/ida_plugin_example_2.png) +Using the `Rule Information` and `Details` columns capa explorer shows us that the suspect function matched `self delete via COMSPEC environment variable` because it contains capa rule matches for `create process`, `get COMSPEC environment variable`, +and `query environment variable`, references to the strings `COMSPEC`, ` > nul`, and `/c del`, and a call to the Windows API function `GetEnvironmentVariableA`. + +For more information on the FLARE team's open-source framework, capa, check out the overview in our first [blog](https://www.fireeye.com/blog/threat-research/2020/07/capa-automatically-identify-malware-capabilities.html). 
+ ## Features ![](../../../doc/img/ida_plugin_intro.gif) * Display capa results in an interactive tree view of rule matches and their locations in the current database -* Export results as formatted JSON by navigating to `File > Export results...` -* Remember a user's capa rules directory for future runs; change capa rules directory by navigating to `Rules > Change rules directory...` * Search for keywords or phrases found in the `Rule Information`, `Address`, or `Details` columns * Display rule source content when a user hovers their cursor over a rule match * Double-click `Address` column to view associated feature in the IDA Disassembly view * Limit tree view results to the function currently displayed in the IDA Disassembly view; update results as a user navigates to different functions -* Sort results by column -* Reset tree view and IDA Disassembly view highlighting by clicking `Reset` +* Export results as formatted JSON by navigating to `File > Export results...` +* Remember a user's capa rules directory for future runs; change capa rules directory by navigating to `Rules > Change rules directory...` * Automatically re-analyze database when user performs a program rebase * Automatically update results when IDA is used to rename a function * Select one or more checkboxes to highlight the associated addresses in the IDA Disassembly view * Right-click a function match to rename it; the new function name is propagated to the current IDA database * Right-click to copy a result by column or by row +* Sort results by column +* Reset tree view and IDA Disassembly view highlighting by clicking `Reset` ## Getting Started 
@@ -59,7 +69,8 @@ You can install capa explorer using the following steps: ``` $ pip install flare-capa ``` -3. Copy [capa_explorer.py](https://raw.githubusercontent.com/fireeye/capa/master/capa/ida/plugin/capa_explorer.py) to your IDA plugins directory +3. Download the [standard collection of capa rules](https://github.com/fireeye/capa-rules) (capa explorer needs capa rules to analyze a database) +4. Copy [capa_explorer.py](https://raw.githubusercontent.com/fireeye/capa/master/capa/ida/plugin/capa_explorer.py) to your IDA plugins directory ### Usage @@ -86,7 +97,7 @@ downloading and using the [standard collection of capa rules](https://github.com Because capa explorer is packaged with capa you will need to install capa locally for development. You can install capa locally by following the steps outlined in `Method 3: Inspecting the capa source code` of the [capa -installation guide](https://github.com/fireeye/capa/blob/ida_plugin_documentation/doc/installation.md). Once installed, copy [capa_explorer.py](https://raw.githubusercontent.com/fireeye/capa/master/capa/ida/plugin/capa_explorer.py) +installation guide](https://github.com/fireeye/capa/blob/ida_plugin_documentation/doc/installation.md#method-3-inspecting-the-capa-source-code). Once installed, copy [capa_explorer.py](https://raw.githubusercontent.com/fireeye/capa/master/capa/ida/plugin/capa_explorer.py) to your IDA plugins directory to run the plugin in IDA. ### Components
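Review bot: In the first hunk (`@@ -1,38 +1,48 @@`), the Lab 14-02 sentence links the PMA labs with bare "here" link text ("available [here](https://practicalmalwareanalysis.com/labs/)"), which reads poorly and is unhelpful for screen readers and for anyone skimming the README; use descriptive text such as "available from the Practical Malware Analysis labs page". Smaller points in the same hunk: the sentence "Using the `Rule Information` and `Details` columns capa explorer shows us ..." needs a comma after "columns", and "(PMA)" is defined but never used afterwards, so either drop the abbreviation or use it in the following paragraph ("After loading PMA Lab 14-02 into IDA ...").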
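Review bot: In the second hunk (`@@ -59,7 +69,8 @@`), the new step 3 ("Download the [standard collection of capa rules] ...") tells the user to fetch the rules but not what to do with them; the Features list in this same patch says the plugin remembers a rules directory and exposes `Rules > Change rules directory...`, so the step should say where the rules go and how the plugin is pointed at them, e.g. "... and note where you extract them; capa explorer will ask for this directory on first run, and it can be changed later via `Rules > Change rules directory...`". Without that, a first-time user has no idea why the download is required or that the plugin will prompt for a path.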
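Review bot: In the third hunk (`@@ -86,7 +97,7 @@`), the installation-guide link still points at the `ida_plugin_documentation` branch (`https://github.com/fireeye/capa/blob/ida_plugin_documentation/doc/installation.md#method-3-inspecting-the-capa-source-code`) while the adjacent `capa_explorer.py` link on the same line uses `master`; a feature-branch URL will break once the branch is merged and deleted, so change it to `blob/master/doc/installation.md#method-3-inspecting-the-capa-source-code` before merging. Adding the `#method-3-...` anchor is a good improvement and should be kept.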