adding support checks for AMD64/binary files in capa explorer and capa main

2025-12-05 20:40:05 -08:00 · 2020-06-25 10:05:19 -06:00
parent 83dbf81d2b
commit a5004b2014
3 changed files with 59 additions and 15 deletions
--- a/capa/ida/helpers/init.py
+++ b/capa/ida/helpers/init.py
@@ -1,6 +1,53 @@
+import logging
+
 import idaapi
 import idc

+logger = logging.getLogger()
+
+# file type names as returned by idaapi.get_file_type_name()
+SUPPORTED_FILE_TYPES = [
+    'Portable executable for 80386 (PE)',
+    'Portable executable for AMD64 (PE)',
+    'Binary file'  # x86/AMD64 shellcode support
+]
+
+
+def inform_user_ida_ui(message):
+    idaapi.info('%s. Please refer to IDA Output window for more information.' % message)
+
+
+def is_supported_file_type():
+    file_type = idaapi.get_file_type_name()
+
+    if file_type not in SUPPORTED_FILE_TYPES:
+        logger.error('-' * 80)
+        logger.error(' Input file does not appear to be a PE file.')
+        logger.error(' ')
+        logger.error(' capa currently only supports analyzing PE files (or x86/AMD64 shellcode).')
+        logger.error(' If you don\'t know the input file type, you can try using the `file` utility to guess it.')
+        logger.error('-' * 80)
+
+        inform_user_ida_ui('capa does not support the format of this file')
+
+        return False
+
+    # support binary files specifically for x86/AMD64 shellcode
+    # warn user binary file is loaded but still allow capa to process it
+    # TODO: check specific architecture of binary files based on how user configured IDA processors
+    if file_type == 'Binary file':
+        logger.warning('-' * 80)
+        logger.warning(' Input file appears to be a binary file.')
+        logger.warning(' ')
+        logger.warning(' capa currently only supports analyzing binary files containing x86/AMD64 shellcode.')
+        logger.warning(' This means the results may be misleading or incomplete if the binary file is not x86/AMD64.')
+        logger.warning(' If you don\'t know the input file type, you can try using the `file` utility to guess it.')
+        logger.warning('-' * 80)
+
+        inform_user_ida_ui('capa encountered warnings during analysis')
+
+    return True
+

 def get_disasm_line(va):
    ''' '''
--- a/capa/ida/ida_capa_explorer.py
+++ b/capa/ida/ida_capa_explorer.py
@@ -26,18 +26,14 @@ import idaapi
 import capa.main
 import capa.rules
 import capa.features.extractors.ida
+import capa.ida.helpers

 from capa.ida.explorer.view import CapaExplorerQtreeView
 from capa.ida.explorer.model import CapaExplorerDataModel
 from capa.ida.explorer.proxy import CapaExplorerSortFilterProxyModel

-
 PLUGIN_NAME = 'capa explorer'

-SUPPORTED_FILE_TYPES = [
-    'Portable executable for 80386 (PE)',
-]
-
 logger = logging.getLogger(PLUGIN_NAME)


@@ -332,7 +328,7 @@ class CapaExplorerForm(idaapi.PluginForm):
        capabilities = capa.main.find_capabilities(rules, capa.features.extractors.ida.IdaFeatureExtractor(), True)

        if capa.main.is_file_limitation(rules, capabilities):
-            idaapi.info('capa encountered warnings during analysis. Please refer to the IDA Output window for more information.')
+            capa.ida.helpers.inform_user_ida_ui('capa encountered warnings during analysis')

        logger.info('analysis completed.')

@@ -447,13 +443,7 @@ def main():
    ''' TODO: move to idaapi.plugin_t class '''
    logging.basicConfig(level=logging.INFO)

-    if idaapi.get_file_type_name() not in SUPPORTED_FILE_TYPES:
-        logger.error('-' * 80)
-        logger.error(' Input file does not appear to be a PE file.')
-        logger.error(' ')
-        logger.error(' capa explorer currently only supports analyzing PE files.')
-        logger.error('-' * 80)
-        idaapi.info('capa does not support the format of this file. Please refer to the IDA output window for more information.')
+    if not capa.ida.helpers.is_supported_file_type():
        return -1

    global CAPA_EXPLORER_FORM
--- a/capa/main.py
+++ b/capa/main.py
@@ -761,13 +761,20 @@ def ida_main():
    import capa.features.extractors.ida
    capabilities = find_capabilities(rules, capa.features.extractors.ida.IdaFeatureExtractor())

-    if not is_file_limitation(rules, capabilities):
-        render_capabilities_default(rules, capabilities)
+    import capa.ida.helpers
+    if not capa.ida.helpers.is_supported_file_type():
+        return -1
+
+    if is_file_limitation(rules, capabilities):
+        capa.ida.helpers.inform_user_ida_ui('capa encountered warnings during analysis')
+
+    render_capabilities_default(rules, capabilities)


 def is_runtime_ida():
    try:
        import idc
+        import idaapi
    except ImportError:
        return False
    else: