Merge branch 'feature-571' of github.com:fireeye/capa into feature-571

scripts/lint.py

@@ -218,6 +218,29 @@ class DoesntMatchExample(Lint):
                 return True
 
 
+class StatementWithSingleChildStatement(Lint):
+    name = "rule contains one or more statements with a single child statement"
+    recommendation = "remove the superfluous parent statement"
+    recommendation_template = "remove the superfluous parent statement: {:s}"
+    violation = False
+
+    def check_rule(self, ctx, rule):
+        self.violation = False
+
+        def rec(statement, is_root=False):
+            if isinstance(statement, (capa.engine.And, capa.engine.Or)):
+                children = list(statement.get_children())
+                if not is_root and len(children) == 1 and isinstance(children[0], capa.engine.Statement):
+                    self.recommendation = self.recommendation_template.format(str(statement))
+                    self.violation = True
+                for child in children:
+                    rec(child)
+
+        rec(rule.statement, is_root=True)
+
+        return self.violation
+
+
 class UnusualMetaField(Lint):
     name = "unusual meta field"
     recommendation = "Remove the meta field"
@@ -472,7 +495,10 @@ def get_rule_features(rule):
     return features
 
 
-LOGIC_LINTS = (DoesntMatchExample(),)
+LOGIC_LINTS = (
+    DoesntMatchExample(),
+    StatementWithSingleChildStatement(),
+)
 
 
 def lint_logic(ctx, rule):

scripts/show-features.py

@@ -182,6 +182,13 @@ def ida_main():
 
 def print_features(functions, extractor):
     for f in functions:
+        function_address = int(f)
+
+        if extractor.is_library_function(function_address):
+            function_name = extractor.get_function_name(function_address)
+            logger.debug("skipping library function 0x%x (%s)", function_address, function_name)
+            continue
+
         for feature, va in extractor.extract_function_features(f):
             print("func: 0x%08x: %s" % (va, feature))