Merge pull request #1418 from stevemk14ebr/master

Remove dynsym library name for ELF imports
2026-02-04 11:07:53 -08:00 · 2023-04-01 13:54:07 +02:00
parent 06c71a7f2b 270350f8d1
commit 6f416dfefb
2 changed files with 6 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -41,6 +41,7 @@
 -

 ### Bug Fixes
+- extractor: removed '.dynsym' as the library name for ELF imports #1318 @stevemk14ebr 
 - extractor: fix vivisect loop detection corner case #1310 @mr-tz
 - match: extend OS characteristic to match OS_ANY to all supported OSes #1324 @mike-hunhoff
 - extractor: fix IDA and vivisect string and bytes features overlap and tests #1327 #1336 @xusheng6 
--- a/capa/features/extractors/ida/helpers.py
+++ b/capa/features/extractors/ida/helpers.py
@@ -90,8 +90,11 @@ def get_file_imports() -> Dict[int, Tuple[str, str, int]]:
        if not library:
            continue

-        # IDA uses section names for the library of ELF imports, like ".dynsym"
-        library = library.lstrip(".")
+        # IDA uses section names for the library of ELF imports, like ".dynsym".
+        # These are not useful to us, we may need to expand this list over time
+        # TODO: exhaust this list, see #1419 
+        if library == ".dynsym":
+            library = ""

        def inspect_import(ea, function, ordinal):
            if function and function.startswith("__imp_"):