cape: linux: handle status code return types

2025-12-05 20:40:05 -08:00 · 2025-03-19 16:04:15 +00:00
parent 664a6d8043
commit 81419db62a
2 changed files with 24 additions and 4 deletions
--- a/capa/features/extractors/cape/extractor.py
+++ b/capa/features/extractors/cape/extractor.py
@@ -21,9 +21,9 @@ import capa.features.extractors.cape.file
 import capa.features.extractors.cape.thread
 import capa.features.extractors.cape.global_
 import capa.features.extractors.cape.process
-from capa.exceptions import EmptyReportError, UnsupportedFormatError
+from capa.exceptions import EmptyReportError
 from capa.features.common import Feature
-from capa.features.address import Address, AbsoluteVirtualAddress, _NoAddress, NO_ADDRESS
+from capa.features.address import NO_ADDRESS, Address, AbsoluteVirtualAddress, _NoAddress
 from capa.features.extractors.cape.models import Call, Static, Process, CapeReport
 from capa.features.extractors.base_extractor import (
    CallHandle,
@@ -125,8 +125,10 @@ class CapeExtractor(DynamicFeatureExtractor):
        parts.append(" -> ")
        if call.pretty_return:
            parts.append(call.pretty_return)
-        else:
+        elif call.return_:
            parts.append(hex(call.return_))
+        else:
+            parts.append("?")

        return "".join(parts)

--- a/capa/features/extractors/cape/models.py
+++ b/capa/features/extractors/cape/models.py
@@ -29,8 +29,26 @@ def validate_hex_bytes(value):
    return bytes.fromhex(value) if isinstance(value, str) else value


+def validate_status_code(value):
+    if isinstance(value, str):
+        if value == "?":
+            # TODO: check for this in the return handling
+            return None
+
+        # like: -1 EINVAL (Invalid argument)
+        # like: 0 (Timeout)
+        # like: 0x8002 (flags O_RDWR|O_LARGEFILE)
+        assert value.endswith(")")
+        num = value.partition(" ")[0]
+        return int(num, 16) if num.startswith("0x") else int(num, 10)
+    else:
+        return value
+
+
 HexInt = Annotated[int, BeforeValidator(validate_hex_int)]
 HexBytes = Annotated[bytes, BeforeValidator(validate_hex_bytes)]
+# this is a status code, such as returned by CAPE for Linux, like: "0 (Timeout)" or "0x8002 (flags O_RDWR|O_LARGEFILE)
+StatusCode = Annotated[int | None, BeforeValidator(validate_status_code)]


 # a model that *cannot* have extra fields
@@ -301,7 +319,7 @@ class Call(FlexibleModel):

    arguments: list[Argument]
    # status: bool
-    return_: HexInt = Field(alias="return")
+    return_: HexInt | StatusCode = Field(alias="return")
    pretty_return: Optional[str] = None

    # repeated: int