gitea-mirror/capa
1
0
Fork 0
mirror of https://github.com/mandiant/capa.git synced 2026-02-04 19:12:01 -08:00
Code Issues Packages Projects Releases Wiki Activity

viv: insn: extract OperandOffset and OperandImmediate

Browse Source
This commit is contained in:
Willi Ballenthin
2022-03-30 13:14:08 -06:00
parent c7aadca25c
commit 997daf537e
2 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
capa/features/extractors/viv/insn.py
View File

@@ -17,7 +17,7 @@ import envi.archs.amd64.disasm
import capa.features.extractors.helpers
import capa.features.extractors.viv.helpers
from capa.features.insn import API, Number, Offset, Mnemonic
from capa.features.insn import API, Number, Offset, Mnemonic, OperandOffset, OperandImmediate
from capa.features.common import (
BITNESS_X32,
BITNESS_X64,
@@ -554,6 +554,7 @@ def extract_op_number_features(f, bb, insn, i, oper):
yield Number(v), insn.va
yield Number(v, bitness=get_bitness(f.vw)), insn.va
yield OperandImmediate(i, v), insn.va
def extract_op_offset_features(f, bb, insn, i, oper):
@@ -582,6 +583,7 @@ def extract_op_offset_features(f, bb, insn, i, oper):
yield Offset(v), insn.va
yield Offset(v, bitness=get_bitness(f.vw)), insn.va
yield OperandOffset(i, v), insn.va
# like: [esi + ecx + 16384]
# reg ^ ^
@@ -593,6 +595,7 @@ def extract_op_offset_features(f, bb, insn, i, oper):
yield Offset(v), insn.va
yield Offset(v, bitness=get_bitness(f.vw)), insn.va
yield OperandOffset(i, v), insn.va
def extract_op_string_features(f, bb, insn, i, oper):

6
tests/fixtures.py
View File

@@ -418,6 +418,12 @@ FEATURE_PRESENCE_TESTS = sorted(
("mimikatz", "function=0x40105D", capa.features.insn.Mnemonic("xor"), True),
("mimikatz", "function=0x40105D", capa.features.insn.Mnemonic("in"), False),
("mimikatz", "function=0x40105D", capa.features.insn.Mnemonic("out"), False),
# insn/operand.immediate
("mimikatz", "function=0x40105D,bb=0x401073", capa.features.insn.OperandImmediate(1, 0xFF), True),
("mimikatz", "function=0x40105D,bb=0x401073", capa.features.insn.OperandImmediate(0, 0xFF), False),
# insn/operand.offset
("mimikatz", "function=0x40105D,bb=0x4010B0", capa.features.insn.OperandOffset(0, 4), True),
("mimikatz", "function=0x40105D,bb=0x4010B0", capa.features.insn.OperandOffset(1, 4), False),
# insn/number
("mimikatz", "function=0x40105D", capa.features.insn.Number(0xFF), True),
("mimikatz", "function=0x40105D", capa.features.insn.Number(0x3136B0), True),