gitea-mirror/capa
1
0
Fork 0
mirror of https://github.com/mandiant/capa.git synced 2025-12-22 15:16:22 -08:00
Code Issues Packages Projects Releases Wiki Activity

update OS to match OS_ANY for all supported OSes (#1324)

Browse Source
This commit is contained in:
Mike Hunhoff
2023-02-24 07:51:40 -07:00
committed by GitHub
parent 84df8baa5f
commit a07ca443f0
3 changed files with 65 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@@ -21,6 +21,7 @@
### Bug Fixes ### Bug Fixes
- extractor: fix vivisect loop detection corner case #1310 @mr-tz - extractor: fix vivisect loop detection corner case #1310 @mr-tz
- match: extend OS characteristic to match OS_ANY to all supported OSes #1324 @mike-hunhoff
### capa explorer IDA Pro plugin ### capa explorer IDA Pro plugin

14
capa/features/common.py
View File

@@ -428,6 +428,20 @@ class OS(Feature):
super().__init__(value, description=description) super().__init__(value, description=description)
self.name = "os" self.name = "os"
def evaluate(self, ctx, **kwargs):
capa.perf.counters["evaluate.feature"] += 1
capa.perf.counters["evaluate.feature." + self.name] += 1
for feature, locations in ctx.items():
if not isinstance(feature, (OS,)):
continue
assert isinstance(feature.value, str)
if OS_ANY in (self.value, feature.value) or self.value == feature.value:
return Result(True, self, [], locations=locations)
return Result(False, self, [])
FORMAT_PE = "pe" FORMAT_PE = "pe"
FORMAT_ELF = "elf" FORMAT_ELF = "elf"

51
tests/test_match.py
View File

@@ -13,7 +13,6 @@ import capa.engine
import capa.features.insn import capa.features.insn
import capa.features.common import capa.features.common
from capa.rules import Scope from capa.rules import Scope
from capa.features import *
from capa.features.insn import * from capa.features.insn import *
from capa.features.common import * from capa.features.common import *
@@ -626,3 +625,53 @@ def test_match_property_access():
0x0, 0x0,
) )
assert "test rule" not in matches assert "test rule" not in matches
def test_match_os_any():
rule = textwrap.dedent(
"""
rule:
meta:
name: test rule
features:
- or:
- and:
- or:
- os: windows
- os: linux
- os: macos
- string: "Hello world"
- and:
- os: any
- string: "Goodbye world"
"""
)
r = capa.rules.Rule.from_yaml(rule)
_, matches = match(
[r],
{OS(OS_ANY): {1}, String("Hello world"): {1}},
0x0,
)
assert "test rule" in matches
_, matches = match(
[r],
{OS(OS_WINDOWS): {1}, String("Hello world"): {1}},
0x0,
)
assert "test rule" in matches
_, matches = match(
[r],
{OS(OS_ANY): {1}, String("Goodbye world"): {1}},
0x0,
)
assert "test rule" in matches
_, matches = match(
[r],
{OS(OS_WINDOWS): {1}, String("Goodbye world"): {1}},
0x0,
)
assert "test rule" in matches