Add the ability to select which functions or processes you which to extract capabilities from (#2156)

2025-12-27 05:03:05 -08:00 · 2024-08-20 13:09:46 +01:00
parent c409b2b7ed
commit 791f5e2359
6 changed files with 180 additions and 7 deletions
--- a/tests/test_capabilities.py
+++ b/tests/test_capabilities.py
@@ -9,6 +9,7 @@
 import textwrap

 import capa.capabilities.common
+from capa.features.extractors.base_extractor import FunctionFilter


 def test_match_across_scopes_file_function(z9324d_extractor):
@@ -174,6 +175,37 @@ def test_subscope_bb_rules(z9324d_extractor):
    assert "test rule" in capabilities


+def test_match_specific_functions(z9324d_extractor):
+    rules = capa.rules.RuleSet(
+        [
+            capa.rules.Rule.from_yaml(
+                textwrap.dedent(
+                    """
+                    rule:
+                        meta:
+                            name: receive data
+                            scopes:
+                                static: function
+                                dynamic: call
+                            examples:
+                            - 9324d1a8ae37a36ae560c37448c9705a:0x401CD0
+                        features:
+                            - or:
+                                - api: recv
+                    """
+                )
+            )
+        ]
+    )
+    extractor = FunctionFilter(z9324d_extractor, {0x4019C0})
+    capabilities, meta = capa.capabilities.common.find_capabilities(rules, extractor)
+    matches = capabilities["receive data"]
+    # test that we received only one match
+    assert len(matches) == 1
+    # and that this match is from the specified function
+    assert matches[0][0] == 0x4019C0
+
+
 def test_byte_matching(z9324d_extractor):
    rules = capa.rules.RuleSet(
        [