ida: loader: load resource sections to help discovery of embedded files

2026-01-13 13:27:41 -08:00 · 2026-01-13 13:42:57 +01:00
parent 77654cb2f7
commit 4bea577dc1
2 changed files with 6 additions and 7 deletions
--- a/capa/loader.py
+++ b/capa/loader.py
@@ -332,6 +332,8 @@ def get_extractor(
            # we set the primary and secondary Lumina servers to 0.0.0.0 to disable Lumina,
            # which sometimes provides bad names, including overwriting names from debug info.
            #
+            # use -R to load resources, which can help us embedded PE files.
+            #
            # return values from open_database:
            #   0 - Success
            #   2 - User cancelled or 32-64 bit conversion failed
@@ -339,7 +341,7 @@ def get_extractor(
            #   -1 - Generic errors (database already open, auto-analysis failed, etc.)
            #   -2 - User cancelled operation
            ret = idapro.open_database(
-                str(input_path), run_auto_analysis=True, args="-Olumina:host=0.0.0.0 -Osecondary_lumina:host=0.0.0.0"
+                str(input_path), run_auto_analysis=True, args="-Olumina:host=0.0.0.0 -Osecondary_lumina:host=0.0.0.0 -R"
            )
            if ret != 0:
                raise RuntimeError("failed to analyze input file")
--- a/tests/fixtures.py
+++ b/tests/fixtures.py
@@ -220,14 +220,11 @@ def get_idalib_extractor(path: Path):

    idapro.enable_console_messages(False)

-    # load resource if explicitly needed for test
-    load_resource = ""
-    if "Lab 12-04.exe_" in path.name:
-        load_resource = " -R"
-
    # we set the primary and secondary Lumina servers to 0.0.0.0 to disable Lumina,
    # which sometimes provides bad names, including overwriting names from debug info.
    #
+    # use -R to load resources, which can help us embedded PE files.
+    #
    # return values from open_database:
    #   0 - Success
    #   2 - User cancelled or 32-64 bit conversion failed
@@ -235,7 +232,7 @@ def get_idalib_extractor(path: Path):
    #   -1 - Generic errors (database already open, auto-analysis failed, etc.)
    #   -2 - User cancelled operation
    ret = idapro.open_database(
-        str(path), run_auto_analysis=True, args=f"-Olumina:host=0.0.0.0 -Osecondary_lumina:host=0.0.0.0{load_resource}"
+        str(path), run_auto_analysis=True, args="-Olumina:host=0.0.0.0 -Osecondary_lumina:host=0.0.0.0 -R"
    )
    if ret != 0:
        raise RuntimeError("failed to analyze input file")