From 5e8262d3c0dd6e7d5fff32cdb404d36794df2e87 Mon Sep 17 00:00:00 2001
From: Stephen Eckels
Date: Wed, 29 Mar 2023 15:58:16 -0400
Subject: [PATCH 1/6] Remove dynsym from elf entirely
---
 capa/features/extractors/ida/helpers.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/capa/features/extractors/ida/helpers.py b/capa/features/extractors/ida/helpers.py
index dbb9bd1d..a6068451 100644
--- a/capa/features/extractors/ida/helpers.py
+++ b/capa/features/extractors/ida/helpers.py
@@ -90,8 +90,10 @@ def get_file_imports() -> Dict[int, Tuple[str, str, int]]:
 if not library:
 continue
- # IDA uses section names for the library of ELF imports, like ".dynsym"
- library = library.lstrip(".")
+ # IDA uses section names for the library of ELF imports, like ".dynsym".
+ # These are not useful to us, we may need to expand this list over time (TODO: exhaust this list)
+ if library == ".dynsym":
+ library = ""
 def inspect_import(ea, function, ordinal):
 if function and function.startswith("__imp_"):
From 66e374a3433278e8755f99d21e3c14b9ec3b7355 Mon Sep 17 00:00:00 2001
From: Stephen Eckels
Date: Wed, 29 Mar 2023 16:01:31 -0400
Subject: [PATCH 2/6] Update changelog
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b17b00c5..c4ba5f3a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,7 @@
 # Change Log
 ## master (unreleased)
+- removed '.dynsym' as the library name for ELF imports. get_file_imports now only returns the API name.
 ### New Features
 - add protobuf format for result documents #1219 @williballenthin @mr-tz
From 3cd766630faba3a630ebfcf5c19c7934f3cf3bf1 Mon Sep 17 00:00:00 2001
From: Stephen Eckels
Date: Thu, 30 Mar 2023 13:21:37 -0400
Subject: [PATCH 3/6] Update changelog
---
 CHANGELOG.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c4ba5f3a..97c32f85 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
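Review bot: The new check `if library == ".dynsym":` compares against a single literal while the comment directly above it speaks of a list that may need expanding; a module-level tuple such as `ELF_SECTION_LIBRARIES = (".dynsym",)` tested with `if library in ELF_SECTION_LIBRARIES:` would give the TODO somewhere to grow and keep the comparison in one place. The removed `library.lstrip(".")` applied to every import, so other dot-prefixed section names IDA reports will now pass through with their dot intact, which is consistent with the TODO but easy to miss; if the module already has a logger, a debug-level message when `library.startswith(".")` is still true after this block would help exhaust the list. Clearing `library` to the empty string presumably changes the value handed to `inspect_import` and hence the import name consumers see, so rules or callers that relied on the old `dynsym`-prefixed form may stop matching; a comment like `# ELF imports therefore carry an empty library and only the API name` would make that contract explicit. get_file_imports starts before this hunk and continues after it.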
@@ -1,7 +1,6 @@
 # Change Log
 ## master (unreleased)
-- removed '.dynsym' as the library name for ELF imports. get_file_imports now only returns the API name.
 ### New Features
 - add protobuf format for result documents #1219 @williballenthin @mr-tz
@@ -38,9 +37,9 @@
 - nursery/enumerate-pe-sections-in-dotnet @mr-tz
 - nursery/destroy-software-breakpoint-capability echernofsky@google.com
 - nursery/send-data-to-internet michael.hunhoff@mandiant.com
--
 ### Bug Fixes
+- extractor: removed '.dynsym' as the library name for ELF imports. get_file_imports now only returns the API name.
 - extractor: fix vivisect loop detection corner case #1310 @mr-tz
 - match: extend OS characteristic to match OS_ANY to all supported OSes #1324 @mike-hunhoff
 - extractor: fix IDA and vivisect string and bytes features overlap and tests #1327 #1336 @xusheng6
From 1921961cff5d1babb098cc92e333a8de17be2710 Mon Sep 17 00:00:00 2001
From: Stephen Eckels
Date: Thu, 30 Mar 2023 13:23:29 -0400
Subject: [PATCH 4/6] Update todo comment to link issue
Co-authored-by: Willi Ballenthin
---
 capa/features/extractors/ida/helpers.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/capa/features/extractors/ida/helpers.py b/capa/features/extractors/ida/helpers.py
index a6068451..daec2152 100644
--- a/capa/features/extractors/ida/helpers.py
+++ b/capa/features/extractors/ida/helpers.py
@@ -91,7 +91,8 @@ def get_file_imports() -> Dict[int, Tuple[str, str, int]]:
 continue
 # IDA uses section names for the library of ELF imports, like ".dynsym".
- # These are not useful to us, we may need to expand this list over time (TODO: exhaust this list)
+ # These are not useful to us, we may need to expand this list over time
+ # TODO: exhaust this list, see #1419
 if library == ".dynsym":
 library = ""
From 59be399dac266ed0c45d3e1bddfba033b98da4de Mon Sep 17 00:00:00 2001
From: Stephen Eckels
Date: Fri, 31 Mar 2023 13:25:37 -0400
Subject: [PATCH 5/6] Revert line removal
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 97c32f85..06072a17 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -37,6 +37,7 @@
 - nursery/enumerate-pe-sections-in-dotnet @mr-tz
 - nursery/destroy-software-breakpoint-capability echernofsky@google.com
 - nursery/send-data-to-internet michael.hunhoff@mandiant.com
+-
 ### Bug Fixes
 - extractor: removed '.dynsym' as the library name for ELF imports. get_file_imports now only returns the API name.
From 270350f8d13497e3ec777f1ee79103882ebbe4aa Mon Sep 17 00:00:00 2001
From: Stephen Eckels
Date: Fri, 31 Mar 2023 13:26:41 -0400
Subject: [PATCH 6/6] Update CHANGELOG.md
Co-authored-by: Willi Ballenthin
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 06072a17..69f3dd74 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -40,7 +40,7 @@
 -
 ### Bug Fixes
-- extractor: removed '.dynsym' as the library name for ELF imports. get_file_imports now only returns the API name.
+- extractor: removed '.dynsym' as the library name for ELF imports #1318 @stevemk14ebr
 - extractor: fix vivisect loop detection corner case #1310 @mr-tz
 - match: extend OS characteristic to match OS_ANY to all supported OSes #1324 @mike-hunhoff
 - extractor: fix IDA and vivisect string and bytes features overlap and tests #1327 #1336 @xusheng6