From 91f1d4132419ced2d819118564e32606a449c294 Mon Sep 17 00:00:00 2001
From: Yacine Elhamer
Date: Wed, 14 Jun 2023 22:57:41 +0100
Subject: [PATCH] extract registry keys, files, and mutexes from the sample
---
 capa/features/extractors/cape/extractor.py | 2 +-
 capa/features/extractors/cape/file.py | 20 +++++++++++++++++++-
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/capa/features/extractors/cape/extractor.py b/capa/features/extractors/cape/extractor.py
index 1d3e37c1..a37b9d4c 100644
--- a/capa/features/extractors/cape/extractor.py
+++ b/capa/features/extractors/cape/extractor.py
@@ -57,11 +57,11 @@ class CapeExtractor(DynamicExtractor):
 format_ = list(static.keys())[0]
 static = static[format_]
 static.update(report["target"])
+static.update(report["behavior"].pop("summary"))
 static.update({"strings": report["strings"]})
 static.update({"format": format_})
 behavior = report.pop("behavior")
-behavior.update(behavior.pop("summary"))
 behavior["network"] = report.pop("network")
 return cls(static, behavior)
\ No newline at end of file
diff --git a/capa/features/extractors/cape/file.py b/capa/features/extractors/cape/file.py
index 00ea597f..03ae992a 100644
--- a/capa/features/extractors/cape/file.py
+++ b/capa/features/extractors/cape/file.py
@@ -9,7 +9,7 @@ import logging
 from typing import Any, Dict, List, Tuple, Iterator
-from capa.features.common import Feature, String
+from capa.features.common import Feature, String, Registry, Filename, Mutex
 from capa.features.file import Section, Import, Export, FunctionName
 from capa.features.address import Address, AbsoluteVirtualAddress, NO_ADDRESS
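Review bot: `report["behavior"].pop("summary")` on the added line raises KeyError when a CAPE report carries no behavior summary, turning a report-shape variation into an extractor crash before any static feature is produced; `static.update(report["behavior"].pop("summary", {}))` keeps the rest of the static features extractable, and the new handlers in file.py that index `static["keys"]`, `static["files"]` and `static["mutexes"]` need the same tolerance for the default to be useful. Merging the summary's keys straight into `static` also means any key it shares with `report["target"]` or the format dict silently wins, and only `strings` and `format` are protected by the updates that follow; a comment such as `# behavior summary supplies the "keys", "files" and "mutexes" lists consumed by cape/file.py` would make that contract visible to the next reader. The enclosing method begins before the hunk.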
@@ -53,6 +53,21 @@ def extract_file_strings(static: Dict) -> Iterator[Tuple[Feature, Address]]:
 yield String(string_), NO_ADDRESS
+def extract_used_regkeys(static: Dict) -> Iterator[Tuple[Feature, Address]]:
+ for regkey in static["keys"]:
+ yield Registry(regkey), NO_ADDRESS
+
+
+def extract_used_files(static: Dict) -> Iterator[Tuple[Feature, Address]]:
+ for filename in static["files"]:
+ yield Filename(filename), NO_ADDRESS
+
+
+def extract_used_mutexes(static: Dict) -> Iterator[Tuple[Feature, Address]]:
+ for mutex in static["mutexes"]:
+ yield Mutex(mutex), NO_ADDRESS
+
+
 def extract_features(static: Dict) -> Iterator[Tuple[Feature, Address]]:
 for handler in FILE_HANDLERS:
 for feature, addr in handler(static):
@@ -65,4 +80,7 @@ FILE_HANDLERS = (
 extract_section_names,
 extract_function_names,
 extract_file_strings,
+ extract_used_regkeys,
+ extract_used_files,
+ extract_used_mutexes,
 )
\ No newline at end of file
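Review bot: `static["keys"]`, `static["files"]` and `static["mutexes"]` in the three new handlers raise KeyError when the CAPE summary omits one of those lists, and because extract_features drives every handler from a single loop that aborts extraction for all other file features too; `for regkey in static.get("keys", []):` (and the same for the other two) yields nothing for a missing list instead. The values are read straight from the sandbox's behavior summary, so each function deserves a one-line docstring saying so, e.g. `"""Yield a Registry feature for each registry key listed in the CAPE behavior summary."""`. The FILE_HANDLERS hunk below registers the three functions, so no further wiring is needed.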