From 997daf537e3087802c5fac37044a0958454b27ca Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Wed, 30 Mar 2022 13:14:08 -0600
Subject: [PATCH] viv: insn: extract OperandOffset and OperandImmediate
---
 capa/features/extractors/viv/insn.py | 5 ++++-
 tests/fixtures.py | 6 ++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/capa/features/extractors/viv/insn.py b/capa/features/extractors/viv/insn.py
index f9c339f6..0620a3a4 100644
--- a/capa/features/extractors/viv/insn.py
+++ b/capa/features/extractors/viv/insn.py
@@ -17,7 +17,7 @@ import envi.archs.amd64.disasm
 import capa.features.extractors.helpers
 import capa.features.extractors.viv.helpers
-from capa.features.insn import API, Number, Offset, Mnemonic
+from capa.features.insn import API, Number, Offset, Mnemonic, OperandOffset, OperandImmediate
 from capa.features.common import (
 BITNESS_X32,
 BITNESS_X64,
@@ -554,6 +554,7 @@ def extract_op_number_features(f, bb, insn, i, oper):
 yield Number(v), insn.va
 yield Number(v, bitness=get_bitness(f.vw)), insn.va
+ yield OperandImmediate(i, v), insn.va
 def extract_op_offset_features(f, bb, insn, i, oper):
@@ -582,6 +583,7 @@ def extract_op_offset_features(f, bb, insn, i, oper):
 yield Offset(v), insn.va
 yield Offset(v, bitness=get_bitness(f.vw)), insn.va
+ yield OperandOffset(i, v), insn.va
 # like: [esi + ecx + 16384]
 # reg ^ ^
@@ -593,6 +595,7 @@ def extract_op_offset_features(f, bb, insn, i, oper):
 yield Offset(v), insn.va
 yield Offset(v, bitness=get_bitness(f.vw)), insn.va
+ yield OperandOffset(i, v), insn.va
 def extract_op_string_features(f, bb, insn, i, oper):
diff --git a/tests/fixtures.py b/tests/fixtures.py
index fc35a16b..ef1935f0 100644
--- a/tests/fixtures.py
+++ b/tests/fixtures.py
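Review bot: The new `yield OperandImmediate(i, v), insn.va` at the end of extract_op_number_features carries no comment saying what the operand-indexed feature adds over the `Number(v)` yielded just above it, and the same applies to the two `yield OperandOffset(i, v), insn.va` lines in the following two hunks of extract_op_offset_features. A one-line comment such as `# also emit the (operand index, value) pair so a rule can bind the value to a specific operand slot` on each new yield, plus a mention of the new feature in the functions' docstrings if they have them, would document the intent. Note that `Number`/`Offset` are each yielded twice here, plain and with `bitness=get_bitness(f.vw)`, while the operand variants are yielded once; if `OperandImmediate`/`OperandOffset` accept a `bitness` argument that is an inconsistency worth confirming, otherwise it is fine as written. Both enclosing functions start outside these hunks, so whatever filtering precedes the existing `Number`/`Offset` yields is inherited by the new features and cannot be checked from here.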
@@ -418,6 +418,12 @@ FEATURE_PRESENCE_TESTS = sorted(
 ("mimikatz", "function=0x40105D", capa.features.insn.Mnemonic("xor"), True),
 ("mimikatz", "function=0x40105D", capa.features.insn.Mnemonic("in"), False),
 ("mimikatz", "function=0x40105D", capa.features.insn.Mnemonic("out"), False),
+ # insn/operand.immediate
+ ("mimikatz", "function=0x40105D,bb=0x401073", capa.features.insn.OperandImmediate(1, 0xFF), True),
+ ("mimikatz", "function=0x40105D,bb=0x401073", capa.features.insn.OperandImmediate(0, 0xFF), False),
+ # insn/operand.offset
+ ("mimikatz", "function=0x40105D,bb=0x4010B0", capa.features.insn.OperandOffset(0, 4), True),
+ ("mimikatz", "function=0x40105D,bb=0x4010B0", capa.features.insn.OperandOffset(1, 4), False),
 # insn/number
 ("mimikatz", "function=0x40105D", capa.features.insn.Number(0xFF), True),
 ("mimikatz", "function=0x40105D", capa.features.insn.Number(0x3136B0), True),
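Review bot: The negative fixtures for the new features vary only the operand index (`OperandImmediate(0, 0xFF)`, `OperandOffset(1, 4)`) while keeping a value that is present, so an extractor that emitted the right index but ignored or mangled the value would still pass both pairs. Adding one case per feature that keeps the index and changes the value, e.g. `("mimikatz", "function=0x40105D,bb=0x401073", capa.features.insn.OperandImmediate(1, <value absent from that block>), False),` and the analogous `OperandOffset(0, <value absent from that block>)` case at bb=0x4010B0, would pin both halves of the (index, value) pair. The `Number(0xFF)` presence case just below already establishes that 0xFF occurs in this function, which is what makes the index-only negative meaningful; the value-only negative is the missing half.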