From 470995a5417ea96b1744de15f05352e6b6c455c7 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 27 Jun 2022 14:10:51 +0000
Subject: [PATCH 01/10] build(deps-dev): bump types-requests from 2.27.30 to 2.28.0

Bumps [types-requests](https://github.com/python/typeshed) from 2.27.30 to 2.28.0.
- [Release notes](https://github.com/python/typeshed/releases)
- [Commits](https://github.com/python/typeshed/commits)

---
updated-dependencies:
- dependency-name: types-requests
dependency-type: direct:development
update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]
---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup.py b/setup.py
index fdefe2f8..ca9acfd0 100644
--- a/setup.py
+++ b/setup.py
@@ -87,7 +87,7 @@ setuptools.setup(
 "types-tabulate==0.8.9",
 "types-termcolor==1.1.4",
 "types-psutil==5.8.23",
- "types_requests==2.27.30",
+ "types_requests==2.28.0",
 ],
 "build": [
 "pyinstaller==5.1",
From bb1afb3356e126563c9692930a7b9bd58aa09018 Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Tue, 28 Jun 2022 11:18:24 -0600
Subject: [PATCH 02/10] render: verbose: render metadata tokens correctly

closes #1053
---
 capa/render/verbose.py | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/capa/render/verbose.py b/capa/render/verbose.py
index a8a99400..48733fe4 100644
--- a/capa/render/verbose.py
+++ b/capa/render/verbose.py
@@ -44,15 +44,11 @@ def format_address(address: frz.Address) -> str:
 return f"file+{rutils.hex(address.value)}"
 elif address.type == frz.AddressType.DN_TOKEN:
 token = dncil.clr.token.Token(address.value)
- name = dnfile.mdtable.ClrMetaDataTableFactory._table_number_map[token.table].name
- rid = token.rid
- return f"{name}[{rid}]"
+ return f"token({rutils.hex(token.value)})"
 elif address.type == frz.AddressType.DN_TOKEN_OFFSET:
 token, offset = address.value
 token = dncil.clr.token.Token(token)
- name = dnfile.mdtable.ClrMetaDataTableFactory._table_number_map[token.table].name
- rid = token.rid
- return f"{name}[{rid}]+{rutils.hex(offset)}"
+ return f"token({rutils.hex(token.value)})+{rutils.hex(offset)}"
 elif address.type == frz.AddressType.NO_ADDRESS:
 return "global"
 else:
From b6f932ea158c9608a394514a1533e3c5593a42b4 Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Tue, 28 Jun 2022 11:24:31 -0600
Subject: [PATCH 03/10] changelog: document upcoming deprecation of SMDA backend

closes #1061
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8c0c90d4..acfcfed7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,8 @@
 - extractors must use handles to identify functions/basic blocks/instructions #981 @williballenthin
 - the freeze file format schema was updated, including format version bump to v2 #986 @williballenthin
 
+Deprecation notice: as described in [#937](https://github.com/mandiant/capa/issues/937), we plan to remove the SMDA backend for v5. If you rely on this backend, please reach out so we can discuss extending the support for SMDA or transitioning your workflow to use vivisect.
+
 ### New Rules (7)
 
 - data-manipulation/encryption/aes/manually-build-aes-constants huynh.t.nhan@gmail.com
From f72f8b054a05d159bf9d3295d6da888eeb5e4352 Mon Sep 17 00:00:00 2001
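Review bot: `rutils.hex(token.value)` is not visibly zero-padded, so a MethodDef token with RID 1 would presumably render as `token(0x6000001)` rather than the 8-digit `0x06000001` form used by ildasm/dnSpy, which hides the table-byte/RID split that the removed `{name}[{rid}]` form made explicit; if `rutils.hex` does not pad, `f"token(0x{token.value:08x})"` (and the same in the DN_TOKEN_OFFSET branch) keeps the two parts readable. Neither branch references `dnfile` any more; if these were the only uses in verbose.py, its top-of-file `import dnfile` is now dead and should be dropped. A why-comment on the first `return` would save the next reader from re-adding the table-name lookup, e.g. `# render the raw token; resolving the table name went through dnfile's private _table_number_map`. format_address starts and ends outside this hunk.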
From: Moritz
Date: Tue, 28 Jun 2022 21:47:06 +0200
Subject: [PATCH 04/10] ci: use macos-11 (#1066)

* ci: use macos-11

* ci: use macos-10.15 for build
---
 .github/workflows/build.yml | 1 +
 .github/workflows/tests.yml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ca56d4e3..54e3b490 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -23,6 +23,7 @@ jobs:
 artifact_name: capa.exe
 asset_name: windows
 - os: macos-10.15
+ # use older macOS for assumed better portability
 artifact_name: capa
 asset_name: macos
 steps:
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 128c4591..ed866547 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -65,7 +65,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- os: [ubuntu-20.04, windows-2019, macos-10.15]
+ os: [ubuntu-20.04, windows-2019, macos-11]
 # across all operating systems
 python-version: ["3.7", "3.10"]
 include:
From 0e6a050921a9b60650916a2d3013a8dec9667157 Mon Sep 17 00:00:00 2001
From: Capa Bot
Date: Tue, 28 Jun 2022 20:04:14 +0000
Subject: [PATCH 05/10] Sync capa rules submodule

---
 README.md | 2 +-
 rules | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 184e6198..8ecfbe98 100644
--- a/README.md
+++ b/README.md
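Review bot: The test matrix now runs on `macos-11` while build.yml still builds the release binary on `macos-10.15`, so after this change no job exercises the PyInstaller artifact on the image it is produced from; either add a smoke run of the built `capa` binary on macos-10.15 or state in the build.yml comment that the build image is deliberately older than the test image. The added comment hedges with "assumed"; if the intent is that a PyInstaller bundle runs on macOS versions at or above the build host, make that the comment, e.g. `# build on the oldest available macOS so the PyInstaller binary also runs on older macOS releases`. Both hunks are fragments of the `jobs:` blocks, which continue outside them.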
@@ -2,7 +2,7 @@ [![PyPI - Python Version](https://img.shields.io/pypi/pyversions/flare-capa)](https://pypi.org/project/flare-capa) [![Last release](https://img.shields.io/github/v/release/mandiant/capa)](https://github.com/mandiant/capa/releases) -[![Number of rules](https://img.shields.io/badge/rules-666-blue.svg)](https://github.com/mandiant/capa-rules) +[![Number of rules](https://img.shields.io/badge/rules-665-blue.svg)](https://github.com/mandiant/capa-rules) [![CI status](https://github.com/mandiant/capa/workflows/CI/badge.svg)](https://github.com/mandiant/capa/actions?query=workflow%3ACI+event%3Apush+branch%3Amaster) [![Downloads](https://img.shields.io/github/downloads/mandiant/capa/total)](https://github.com/mandiant/capa/releases) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) diff --git a/rules b/rules index cb28b9b8..aa6b2fda 160000 --- a/rules +++ b/rules @@ -1 +1 @@ -Subproject commit cb28b9b8bec419a2d1582542dc93cef001589c78 +Subproject commit aa6b2fda3d67b0b089783904a6e44d0d52727936 From 46ad23fb30ff79b06352db729720bfb3ddc5a3e5 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Tue, 28 Jun 2022 20:04:59 +0000 Subject: [PATCH 06/10] Sync capa rules submodule --- rules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules b/rules index aa6b2fda..3fff4d84 160000 --- a/rules +++ b/rules @@ -1 +1 @@ -Subproject commit aa6b2fda3d67b0b089783904a6e44d0d52727936 +Subproject commit 3fff4d84ccf7260d1c27b1c1727514ebc3b28643 From 45c39cfd7a6f566820c2401e0dc33acce20f66a9 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Tue, 28 Jun 2022 20:11:57 +0000 Subject: [PATCH 07/10] Sync capa rules submodule --- README.md | 2 +- rules | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 8ecfbe98..184e6198 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,7 @@ [![PyPI - Python Version](https://img.shields.io/pypi/pyversions/flare-capa)](https://pypi.org/project/flare-capa) [![Last release](https://img.shields.io/github/v/release/mandiant/capa)](https://github.com/mandiant/capa/releases) -[![Number of rules](https://img.shields.io/badge/rules-665-blue.svg)](https://github.com/mandiant/capa-rules) +[![Number of rules](https://img.shields.io/badge/rules-666-blue.svg)](https://github.com/mandiant/capa-rules) [![CI status](https://github.com/mandiant/capa/workflows/CI/badge.svg)](https://github.com/mandiant/capa/actions?query=workflow%3ACI+event%3Apush+branch%3Amaster) [![Downloads](https://img.shields.io/github/downloads/mandiant/capa/total)](https://github.com/mandiant/capa/releases) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) diff --git a/rules b/rules index 3fff4d84..991e64c6 160000 --- a/rules +++ b/rules @@ -1 +1 @@ -Subproject commit 3fff4d84ccf7260d1c27b1c1727514ebc3b28643 +Subproject commit 991e64c627ef6a07af5cb0f32ead48ae75067540 From ecd88680ddec459290b789ab484dcd7459e37b50 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Tue, 28 Jun 2022 20:26:53 +0000 Subject: [PATCH 08/10] Sync capa rules submodule --- CHANGELOG.md | 3 ++- README.md | 2 +- rules | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index acfcfed7..e46be1b2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -28,7 +28,7 @@ Deprecation notice: as described in [#937](https://github.com/mandiant/capa/issues/937), we plan to remove the SMDA backend for v5. If you rely on this backend, please reach out so we can discuss extending the support for SMDA or transitioning your workflow to use vivisect. -### New Rules (7) +### New Rules (8) - data-manipulation/encryption/aes/manually-build-aes-constants huynh.t.nhan@gmail.com - nursery/get-process-image-filename michael.hunhoff@mandiant.com 
@@ -37,6 +37,7 @@ Deprecation notice: as described in [#937](https://github.com/mandiant/capa/issu - anti-analysis/packer/huan/packed-with-huan jakub.jozwiak@mandiant.com - internal/limitation/file/internal-dotnet-file-limitation william.ballenthin@mandiant.com - nursery/get-os-information-via-kuser_shared_data @mr-tz +- load-code/pe/resolve-function-by-parsing-PE-exports sara-rn - ### Bug Fixes diff --git a/README.md b/README.md index 184e6198..34cc62d5 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ [![PyPI - Python Version](https://img.shields.io/pypi/pyversions/flare-capa)](https://pypi.org/project/flare-capa) [![Last release](https://img.shields.io/github/v/release/mandiant/capa)](https://github.com/mandiant/capa/releases) -[![Number of rules](https://img.shields.io/badge/rules-666-blue.svg)](https://github.com/mandiant/capa-rules) +[![Number of rules](https://img.shields.io/badge/rules-667-blue.svg)](https://github.com/mandiant/capa-rules) [![CI status](https://github.com/mandiant/capa/workflows/CI/badge.svg)](https://github.com/mandiant/capa/actions?query=workflow%3ACI+event%3Apush+branch%3Amaster) [![Downloads](https://img.shields.io/github/downloads/mandiant/capa/total)](https://github.com/mandiant/capa/releases) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) diff --git a/rules b/rules index 991e64c6..c5a50a04 160000 --- a/rules +++ b/rules @@ -1 +1 @@ -Subproject commit 991e64c627ef6a07af5cb0f32ead48ae75067540 +Subproject commit c5a50a0489b0fa94a82380012648edce20f529de From b87b03300a9f59e42ecee7ffc8025a12676bc9e7 Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Tue, 28 Jun 2022 14:27:48 -0600 Subject: [PATCH 09/10] Revert "fix: temporarily accept x32/x64 flavors but ignore (#1014)" This reverts commit daf483309eb74c1b9bf04c10efdd0869de6ae000. --- capa/rules.py | 7 ------- 1 file changed, 7 deletions(-) diff --git a/capa/rules.py b/capa/rules.py index 499eff87..00d9260c 100644 --- a/capa/rules.py 
+++ b/capa/rules.py
@@ -264,13 +264,6 @@ def parse_feature(key: str):
 return capa.features.insn.Number
 elif key == "offset":
 return capa.features.insn.Offset
- # TODO remove x32/x64 flavor keys once fixed master/rules
- elif key.startswith("number/"):
- logger.warning("x32/x64 flavor currently not supported and deprecated")
- return capa.features.insn.Number
- elif key.startswith("offset/"):
- logger.warning("x32/x64 flavor currently not supported and deprecated")
- return capa.features.insn.Offset
 elif key == "mnemonic":
 return capa.features.insn.Mnemonic
 elif key == "basic blocks":
From 82e8f8f090c1de18ae71a5aab02fd93848d4474f Mon Sep 17 00:00:00 2001
From: Capa Bot
Date: Tue, 28 Jun 2022 21:34:02 +0000
Subject: [PATCH 10/10] Sync capa rules submodule

---
 CHANGELOG.md | 3 ++-
 README.md | 2 +-
 rules | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e46be1b2..2255ba2f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -28,7 +28,7 @@
 
 Deprecation notice: as described in [#937](https://github.com/mandiant/capa/issues/937), we plan to remove the SMDA backend for v5. If you rely on this backend, please reach out so we can discuss extending the support for SMDA or transitioning your workflow to use vivisect.
 
-### New Rules (8)
+### New Rules (9)
 
 - data-manipulation/encryption/aes/manually-build-aes-constants huynh.t.nhan@gmail.com
 - nursery/get-process-image-filename michael.hunhoff@mandiant.com
@@ -38,6 +38,7 @@ Deprecation notice: as described in [#937](https://github.com/mandiant/capa/issu
 - internal/limitation/file/internal-dotnet-file-limitation william.ballenthin@mandiant.com
 - nursery/get-os-information-via-kuser_shared_data @mr-tz
 - load-code/pe/resolve-function-by-parsing-PE-exports sara-rn
+- anti-analysis/packer/huan/packed-with-huan jakub.jozwiak@mandiant.com
 -
 
 ### Bug Fixes
diff --git a/README.md b/README.md
index 34cc62d5..5edb268b 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@ [![PyPI - Python Version](https://img.shields.io/pypi/pyversions/flare-capa)](https://pypi.org/project/flare-capa) [![Last release](https://img.shields.io/github/v/release/mandiant/capa)](https://github.com/mandiant/capa/releases) -[![Number of rules](https://img.shields.io/badge/rules-667-blue.svg)](https://github.com/mandiant/capa-rules) +[![Number of rules](https://img.shields.io/badge/rules-677-blue.svg)](https://github.com/mandiant/capa-rules) [![CI status](https://github.com/mandiant/capa/workflows/CI/badge.svg)](https://github.com/mandiant/capa/actions?query=workflow%3ACI+event%3Apush+branch%3Amaster) [![Downloads](https://img.shields.io/github/downloads/mandiant/capa/total)](https://github.com/mandiant/capa/releases) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) diff --git a/rules b/rules index c5a50a04..d2ad3a04 160000 --- a/rules +++ b/rules @@ -1 +1 @@ -Subproject commit c5a50a0489b0fa94a82380012648edce20f529de +Subproject commit d2ad3a045a39e7656ddff7cdec5fc0561816728e