gitea-mirror/capa
1
0
Fork 0
mirror of https://github.com/mandiant/capa.git synced 2026-02-04 11:07:53 -08:00
Code Issues Packages Projects Releases Wiki Activity

add check for pointer to string

Browse Source 
Check if memory referenced is a pointer to a string. Fixes mimikatz
string test.
This commit is contained in:
Jon Crussell
2020-10-30 07:01:07 -07:00
parent 74b2c18296
commit 8f6a46e2d8
1 changed files with 13 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
capa/features/extractors/smda/insn.py
View File

@@ -1,5 +1,6 @@
import re
import string
import struct
from smda.common.SmdaReport import SmdaReport
@@ -172,6 +173,18 @@ def extract_insn_string_features(f, bb, insn):
string_read = read_string(f.smda_report, data_ref)
if string_read:
yield String(string_read.rstrip("\x00")), insn.offset
continue
# test to see if we're referencing a pointer and that points to a string
bytes_ = read_bytes(insn.smda_function.smda_report, data_ref, num_bytes=4)
val = struct.unpack("I", bytes_)[0]
if val and insn.smda_function.smda_report.isAddrWithinMemoryImage(val):
# it is a pointer, check if it points to a string
string_read = read_string(f.smda_report, val)
if string_read:
yield String(string_read.rstrip("\x00")), insn.offset
continue
def extract_insn_offset_features(f, bb, insn):