From a7e4d265e264cff14609a8fc9a1b3084d41c38b1 Mon Sep 17 00:00:00 2001 From: mr-tz Date: Wed, 8 Mar 2023 14:45:26 +0100 Subject: [PATCH] convert rd meta to proto --- capa/render/proto/capa.proto | 6 +- capa/render/proto/capa_pb2.py | 226 +++++++++++++++++----------------- capa/render/proto/proto.py | 120 ++++++++++++++++++ tests/test_proto.py | 92 +++++++++++++- 4 files changed, 322 insertions(+), 122 deletions(-) create mode 100644 capa/render/proto/proto.py diff --git a/capa/render/proto/capa.proto b/capa/render/proto/capa.proto index 0fbb18a4..0a70b12f 100644 --- a/capa/render/proto/capa.proto +++ b/capa/render/proto/capa.proto @@ -90,7 +90,7 @@ message ExportFeature { } message FeatureCounts { - Integer file = 1; + uint64 file = 1; // TODO just int here and general int vs uint?! repeated FunctionFeatureCount functions = 2; } @@ -131,7 +131,7 @@ message FormatFeature { message FunctionFeatureCount { Address address = 1; - Integer count = 2; + uint64 count = 2; } message FunctionLayout { @@ -194,7 +194,7 @@ message MatchFeature { } message Metadata { - string timestamp = 1; + string timestamp = 1; // TODO Timestamp? string version = 2; repeated string argv = 3; Sample sample = 4; diff --git a/capa/render/proto/capa_pb2.py b/capa/render/proto/capa_pb2.py index 9423f700..a307c8a8 100644 --- a/capa/render/proto/capa_pb2.py +++ b/capa/render/proto/capa_pb2.py @@ -1,6 +1,6 @@ # -*- coding: utf-8 -*- # Generated by the protocol buffer compiler. DO NOT EDIT! -# source: capa.proto +# source: capa/render/proto/capa.proto """Generated protocol buffer code.""" from google.protobuf.internal import builder as _builder from google.protobuf import descriptor as _descriptor 
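Review bot: `FeatureCounts.file` (field 1) and, in the second hunk, `FunctionFeatureCount.count` (field 2) change type from the `Integer` message to `uint64` while keeping their field numbers, which is a wire-incompatible schema change: the field moves from length-delimited to varint encoding, so a document serialized under the previous schema will typically have these values silently dropped as unknown fields rather than rejected. If no documents with the old schema have been produced yet that is acceptable but should be stated in the commit; otherwise the old numbers need retiring, e.g. `reserved 1;` together with `uint64 file = 3;`. The regenerated descriptor in capa_pb2.py suggests `SomeStatement.count` and `RangeStatement.min`/`max` still use `Integer`, so the schema now mixes two representations for count-like values, and the `// TODO just int here and general int vs uint?!` left on the new line reads as an open question; counts cannot be negative, so a resolved comment such as `uint64 file = 1; // counts are non-negative, so no signed variant is needed` is preferable, with the same applying to `// TODO Timestamp?` in the third hunk. `message Metadata {` in that third hunk continues past the hunk.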
@@ -13,10 +13,10 @@ _sym_db = _symbol_database.Default() -DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\ncapa.proto\"<\n\nAPIFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0b\n\x03\x61pi\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"k\n\x07\x41\x64\x64ress\x12\x1a\n\x04type\x18\x01 \x01(\x0e\x32\x0c.AddressType\x12\x16\n\x02v0\x18\x02 \x01(\x0b\x32\x08.IntegerH\x00\x12#\n\x02v1\x18\x03 \x01(\x0b\x32\x15.Pair_Integer_IntegerH\x00\x42\x07\n\x05value\"\xe4\x01\n\x08\x41nalysis\x12\x0e\n\x06\x66ormat\x18\x01 \x01(\t\x12\x0c\n\x04\x61rch\x18\x02 \x01(\t\x12\n\n\x02os\x18\x03 \x01(\t\x12\x11\n\textractor\x18\x04 \x01(\t\x12\r\n\x05rules\x18\x05 \x03(\t\x12\x1e\n\x0c\x62\x61se_address\x18\x06 \x01(\x0b\x32\x08.Address\x12\x17\n\x06layout\x18\x07 \x01(\x0b\x32\x07.Layout\x12&\n\x0e\x66\x65\x61ture_counts\x18\x08 \x01(\x0b\x32\x0e.FeatureCounts\x12+\n\x11library_functions\x18\t \x03(\x0b\x32\x10.LibraryFunction\">\n\x0b\x41rchFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0c\n\x04\x61rch\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"`\n\nAttackSpec\x12\r\n\x05parts\x18\x01 \x03(\t\x12\x0e\n\x06tactic\x18\x02 \x01(\t\x12\x11\n\ttechnique\x18\x03 \x01(\t\x12\x14\n\x0csubtechnique\x18\x04 \x01(\t\x12\n\n\x02id\x18\x05 \x01(\t\"6\n\x11\x42\x61sicBlockFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x02 \x01(\t\"-\n\x10\x42\x61sicBlockLayout\x12\x19\n\x07\x61\x64\x64ress\x18\x01 \x01(\x0b\x32\x08.Address\"@\n\x0c\x42ytesFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\r\n\x05\x62ytes\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"R\n\x15\x43haracteristicFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x16\n\x0e\x63haracteristic\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"@\n\x0c\x43lassFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x02 \x01(\t\x12\r\n\x05\x63lass\x18\x03 \x01(\t\"6\n\x11\x43ompoundStatement\x12\x0c\n\x04type\x18\x01 
\x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x02 \x01(\t\"B\n\rExportFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0e\n\x06\x65xport\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"Q\n\rFeatureCounts\x12\x16\n\x04\x66ile\x18\x01 \x01(\x0b\x32\x08.Integer\x12(\n\tfunctions\x18\x02 \x03(\x0b\x32\x15.FunctionFeatureCount\"\x83\x06\n\x0b\x46\x65\x61tureNode\x12\x18\n\x02v0\x18\x01 \x01(\x0b\x32\n.OSFeatureH\x00\x12\x1a\n\x02v1\x18\x02 \x01(\x0b\x32\x0c.ArchFeatureH\x00\x12\x1c\n\x02v2\x18\x03 \x01(\x0b\x32\x0e.FormatFeatureH\x00\x12\x1b\n\x02v3\x18\x04 \x01(\x0b\x32\r.MatchFeatureH\x00\x12$\n\x02v4\x18\x05 \x01(\x0b\x32\x16.CharacteristicFeatureH\x00\x12\x1c\n\x02v5\x18\x06 \x01(\x0b\x32\x0e.ExportFeatureH\x00\x12\x1c\n\x02v6\x18\x07 \x01(\x0b\x32\x0e.ImportFeatureH\x00\x12\x1d\n\x02v7\x18\x08 \x01(\x0b\x32\x0f.SectionFeatureH\x00\x12\"\n\x02v8\x18\t \x01(\x0b\x32\x14.FunctionNameFeatureH\x00\x12\x1f\n\x02v9\x18\n \x01(\x0b\x32\x11.SubstringFeatureH\x00\x12\x1c\n\x03v10\x18\x0b \x01(\x0b\x32\r.RegexFeatureH\x00\x12\x1d\n\x03v11\x18\x0c \x01(\x0b\x32\x0e.StringFeatureH\x00\x12\x1c\n\x03v12\x18\r \x01(\x0b\x32\r.ClassFeatureH\x00\x12 \n\x03v13\x18\x0e \x01(\x0b\x32\x11.NamespaceFeatureH\x00\x12\x1a\n\x03v14\x18\x0f \x01(\x0b\x32\x0b.APIFeatureH\x00\x12\x1f\n\x03v15\x18\x10 \x01(\x0b\x32\x10.PropertyFeatureH\x00\x12\x1d\n\x03v16\x18\x11 \x01(\x0b\x32\x0e.NumberFeatureH\x00\x12\x1c\n\x03v17\x18\x12 \x01(\x0b\x32\r.BytesFeatureH\x00\x12\x1d\n\x03v18\x18\x13 \x01(\x0b\x32\x0e.OffsetFeatureH\x00\x12\x1f\n\x03v19\x18\x14 \x01(\x0b\x32\x10.MnemonicFeatureH\x00\x12$\n\x03v20\x18\x15 \x01(\x0b\x32\x15.OperandNumberFeatureH\x00\x12$\n\x03v21\x18\x16 \x01(\x0b\x32\x15.OperandOffsetFeatureH\x00\x12!\n\x03v22\x18\x17 \x01(\x0b\x32\x12.BasicBlockFeatureH\x00\x12\x0c\n\x04type\x18\x19 \x01(\tB\t\n\x07\x66\x65\x61ture\"B\n\rFormatFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0e\n\x06\x66ormat\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 
\x01(\t\"J\n\x14\x46unctionFeatureCount\x12\x19\n\x07\x61\x64\x64ress\x18\x01 \x01(\x0b\x32\x08.Address\x12\x17\n\x05\x63ount\x18\x02 \x01(\x0b\x32\x08.Integer\"\\\n\x0e\x46unctionLayout\x12\x19\n\x07\x61\x64\x64ress\x18\x01 \x01(\x0b\x32\x08.Address\x12/\n\x14matched_basic_blocks\x18\x02 \x03(\x0b\x32\x11.BasicBlockLayout\"O\n\x13\x46unctionNameFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x15\n\rfunction_name\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"B\n\rImportFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x02 \x01(\t\x12\x0e\n\x06import\x18\x03 \x01(\t\",\n\x06Layout\x12\"\n\tfunctions\x18\x01 \x03(\x0b\x32\x0f.FunctionLayout\":\n\x0fLibraryFunction\x12\x19\n\x07\x61\x64\x64ress\x18\x01 \x01(\x0b\x32\x08.Address\x12\x0c\n\x04name\x18\x02 \x01(\t\"Y\n\x07MBCSpec\x12\r\n\x05parts\x18\x01 \x03(\t\x12\x11\n\tobjective\x18\x02 \x01(\t\x12\x10\n\x08\x62\x65havior\x18\x03 \x01(\t\x12\x0e\n\x06method\x18\x04 \x01(\t\x12\n\n\x02id\x18\x05 \x01(\t\"\x9a\x01\n\x0cMaecMetadata\x12\x1b\n\x13\x61nalysis_conclusion\x18\x01 \x01(\t\x12\x1e\n\x16\x61nalysis_conclusion_ov\x18\x02 \x01(\t\x12\x16\n\x0emalware_family\x18\x03 \x01(\t\x12\x18\n\x10malware_category\x18\x04 \x01(\t\x12\x1b\n\x13malware_category_ov\x18\x05 \x01(\t\"\xfa\x01\n\x05Match\x12\x0f\n\x07success\x18\x01 \x01(\x08\x12\x1c\n\x02v0\x18\x02 \x01(\x0b\x32\x0e.StatementNodeH\x00\x12\x1a\n\x02v1\x18\x03 \x01(\x0b\x32\x0c.FeatureNodeH\x00\x12\x18\n\x08\x63hildren\x18\x05 \x03(\x0b\x32\x06.Match\x12\x1b\n\tlocations\x18\x06 \x03(\x0b\x32\x08.Address\x12&\n\x08\x63\x61ptures\x18\x07 \x03(\x0b\x32\x14.Match.CapturesEntry\x1a?\n\rCapturesEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\x1d\n\x05value\x18\x02 \x01(\x0b\x32\x0e.Array_Address:\x02\x38\x01\x42\x06\n\x04node\"@\n\x0cMatchFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\r\n\x05match\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"r\n\x08Metadata\x12\x11\n\ttimestamp\x18\x01 
\x01(\t\x12\x0f\n\x07version\x18\x02 \x01(\t\x12\x0c\n\x04\x61rgv\x18\x03 \x03(\t\x12\x17\n\x06sample\x18\x04 \x01(\x0b\x32\x07.Sample\x12\x1b\n\x08\x61nalysis\x18\x05 \x01(\x0b\x32\t.Analysis\"F\n\x0fMnemonicFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x10\n\x08mnemonic\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"H\n\x10NamespaceFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x11\n\tnamespace\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"k\n\rNumberFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x16\n\x02v0\x18\x02 \x01(\x0b\x32\x08.IntegerH\x00\x12\x15\n\x02v1\x18\x03 \x01(\x0b\x32\x07.NumberH\x00\x12\x13\n\x0b\x64\x65scription\x18\x05 \x01(\tB\x08\n\x06number\":\n\tOSFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\n\n\x02os\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"L\n\rOffsetFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x18\n\x06offset\x18\x02 \x01(\x0b\x32\x08.Integer\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"t\n\x14OperandNumberFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x17\n\x05index\x18\x02 \x01(\x0b\x32\x08.Integer\x12 \n\x0eoperand_number\x18\x03 \x01(\x0b\x32\x08.Integer\x12\x13\n\x0b\x64\x65scription\x18\x04 \x01(\t\"t\n\x14OperandOffsetFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x17\n\x05index\x18\x02 \x01(\x0b\x32\x08.Integer\x12 \n\x0eoperand_offset\x18\x03 \x01(\x0b\x32\x08.Integer\x12\x13\n\x0b\x64\x65scription\x18\x04 \x01(\t\"V\n\x0fPropertyFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0e\n\x06\x61\x63\x63\x65ss\x18\x02 \x01(\t\x12\x10\n\x08property\x18\x03 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x04 \x01(\t\"\xc7\x06\n\x0eRangeStatement\x12\x13\n\x0b\x64\x65scription\x18\x01 \x01(\t\x12\x15\n\x03min\x18\x02 \x01(\x0b\x32\x08.Integer\x12\x15\n\x03max\x18\x03 \x01(\x0b\x32\x08.Integer\x12\x18\n\x02v0\x18\x04 \x01(\x0b\x32\n.OSFeatureH\x00\x12\x1a\n\x02v1\x18\x05 \x01(\x0b\x32\x0c.ArchFeatureH\x00\x12\x1c\n\x02v2\x18\x06 
\x01(\x0b\x32\x0e.FormatFeatureH\x00\x12\x1b\n\x02v3\x18\x07 \x01(\x0b\x32\r.MatchFeatureH\x00\x12$\n\x02v4\x18\x08 \x01(\x0b\x32\x16.CharacteristicFeatureH\x00\x12\x1c\n\x02v5\x18\t \x01(\x0b\x32\x0e.ExportFeatureH\x00\x12\x1c\n\x02v6\x18\n \x01(\x0b\x32\x0e.ImportFeatureH\x00\x12\x1d\n\x02v7\x18\x0b \x01(\x0b\x32\x0f.SectionFeatureH\x00\x12\"\n\x02v8\x18\x0c \x01(\x0b\x32\x14.FunctionNameFeatureH\x00\x12\x1f\n\x02v9\x18\r \x01(\x0b\x32\x11.SubstringFeatureH\x00\x12\x1c\n\x03v10\x18\x0e \x01(\x0b\x32\r.RegexFeatureH\x00\x12\x1d\n\x03v11\x18\x0f \x01(\x0b\x32\x0e.StringFeatureH\x00\x12\x1c\n\x03v12\x18\x10 \x01(\x0b\x32\r.ClassFeatureH\x00\x12 \n\x03v13\x18\x11 \x01(\x0b\x32\x11.NamespaceFeatureH\x00\x12\x1a\n\x03v14\x18\x12 \x01(\x0b\x32\x0b.APIFeatureH\x00\x12\x1f\n\x03v15\x18\x13 \x01(\x0b\x32\x10.PropertyFeatureH\x00\x12\x1d\n\x03v16\x18\x14 \x01(\x0b\x32\x0e.NumberFeatureH\x00\x12\x1c\n\x03v17\x18\x15 \x01(\x0b\x32\r.BytesFeatureH\x00\x12\x1d\n\x03v18\x18\x16 \x01(\x0b\x32\x0e.OffsetFeatureH\x00\x12\x1f\n\x03v19\x18\x17 \x01(\x0b\x32\x10.MnemonicFeatureH\x00\x12$\n\x03v20\x18\x18 \x01(\x0b\x32\x15.OperandNumberFeatureH\x00\x12$\n\x03v21\x18\x19 \x01(\x0b\x32\x15.OperandOffsetFeatureH\x00\x12!\n\x03v22\x18\x1a \x01(\x0b\x32\x12.BasicBlockFeatureH\x00\x12\x0c\n\x04type\x18\x1c \x01(\tB\x07\n\x05\x63hild\"@\n\x0cRegexFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\r\n\x05regex\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"\x90\x01\n\x0eResultDocument\x12\x17\n\x04meta\x18\x01 \x01(\x0b\x32\t.Metadata\x12)\n\x05rules\x18\x02 \x03(\x0b\x32\x1a.ResultDocument.RulesEntry\x1a:\n\nRulesEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\x1b\n\x05value\x18\x02 \x01(\x0b\x32\x0c.RuleMatches:\x02\x38\x01\"`\n\x0bRuleMatches\x12\x1b\n\x04meta\x18\x01 \x01(\x0b\x32\r.RuleMetadata\x12\x0e\n\x06source\x18\x02 \x01(\t\x12$\n\x07matches\x18\x03 \x03(\x0b\x32\x13.Pair_Address_Match\"\x87\x02\n\x0cRuleMetadata\x12\x0c\n\x04name\x18\x01 \x01(\t\x12\x11\n\tnamespace\x18\x02 
\x01(\t\x12\x0f\n\x07\x61uthors\x18\x03 \x03(\t\x12\x15\n\x05scope\x18\x04 \x01(\x0e\x32\x06.Scope\x12\x1b\n\x06\x61ttack\x18\x05 \x03(\x0b\x32\x0b.AttackSpec\x12\x15\n\x03mbc\x18\x06 \x03(\x0b\x32\x08.MBCSpec\x12\x12\n\nreferences\x18\x07 \x03(\t\x12\x10\n\x08\x65xamples\x18\x08 \x03(\t\x12\x13\n\x0b\x64\x65scription\x18\t \x01(\t\x12\x0b\n\x03lib\x18\n \x01(\x08\x12\x1b\n\x04maec\x18\x0b \x01(\x0b\x32\r.MaecMetadata\x12\x15\n\rcapa_subscope\x18\x0c \x01(\x08\"A\n\x06Sample\x12\x0b\n\x03md5\x18\x01 \x01(\t\x12\x0c\n\x04sha1\x18\x02 \x01(\t\x12\x0e\n\x06sha256\x18\x03 \x01(\t\x12\x0c\n\x04path\x18\x04 \x01(\t\"D\n\x0eSectionFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0f\n\x07section\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"K\n\rSomeStatement\x12\x13\n\x0b\x64\x65scription\x18\x01 \x01(\t\x12\x17\n\x05\x63ount\x18\x02 \x01(\x0b\x32\x08.Integer\x12\x0c\n\x04type\x18\x03 \x01(\t\"\xab\x01\n\rStatementNode\x12\x1d\n\x02v0\x18\x01 \x01(\x0b\x32\x0f.RangeStatementH\x00\x12\x1c\n\x02v1\x18\x02 \x01(\x0b\x32\x0e.SomeStatementH\x00\x12 \n\x02v2\x18\x03 \x01(\x0b\x32\x12.SubscopeStatementH\x00\x12 \n\x02v3\x18\x04 \x01(\x0b\x32\x12.CompoundStatementH\x00\x12\x0c\n\x04type\x18\x06 \x01(\tB\x0b\n\tstatement\"B\n\rStringFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0e\n\x06string\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"M\n\x11SubscopeStatement\x12\x13\n\x0b\x64\x65scription\x18\x01 \x01(\t\x12\x15\n\x05scope\x18\x02 \x01(\x0e\x32\x06.Scope\x12\x0c\n\x04type\x18\x03 \x01(\t\"H\n\x10SubstringFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x11\n\tsubstring\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\")\n\rArray_Address\x12\x18\n\x06values\x18\x01 \x03(\x0b\x32\x08.Address\">\n\x12Pair_Address_Match\x12\x14\n\x02v0\x18\x01 \x01(\x0b\x32\x08.Address\x12\x12\n\x02v1\x18\x02 \x01(\x0b\x32\x06.Match\"B\n\x14Pair_Integer_Integer\x12\x14\n\x02v0\x18\x01 \x01(\x0b\x32\x08.Integer\x12\x14\n\x02v1\x18\x02 
\x01(\x0b\x32\x08.Integer\",\n\x07Integer\x12\x0b\n\x01u\x18\x01 \x01(\x04H\x00\x12\x0b\n\x01i\x18\x02 \x01(\x03H\x00\x42\x07\n\x05value\"8\n\x06Number\x12\x0b\n\x01u\x18\x01 \x01(\x04H\x00\x12\x0b\n\x01i\x18\x02 \x01(\x03H\x00\x12\x0b\n\x01\x66\x18\x03 \x01(\x01H\x00\x42\x07\n\x05value*\xcb\x01\n\x0b\x41\x64\x64ressType\x12\x1b\n\x17\x41\x44\x44RESSTYPE_UNSPECIFIED\x10\x00\x12\x18\n\x14\x41\x44\x44RESSTYPE_ABSOLUTE\x10\x01\x12\x18\n\x14\x41\x44\x44RESSTYPE_RELATIVE\x10\x02\x12\x14\n\x10\x41\x44\x44RESSTYPE_FILE\x10\x03\x12\x18\n\x14\x41\x44\x44RESSTYPE_DN_TOKEN\x10\x04\x12\x1f\n\x1b\x41\x44\x44RESSTYPE_DN_TOKEN_OFFSET\x10\x05\x12\x1a\n\x16\x41\x44\x44RESSTYPE_NO_ADDRESS\x10\x06*p\n\x05Scope\x12\x15\n\x11SCOPE_UNSPECIFIED\x10\x00\x12\x0e\n\nSCOPE_FILE\x10\x01\x12\x12\n\x0eSCOPE_FUNCTION\x10\x02\x12\x15\n\x11SCOPE_BASIC_BLOCK\x10\x03\x12\x15\n\x11SCOPE_INSTRUCTION\x10\x04\x62\x06proto3') +DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x1c\x63\x61pa/render/proto/capa.proto\"<\n\nAPIFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0b\n\x03\x61pi\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"k\n\x07\x41\x64\x64ress\x12\x1a\n\x04type\x18\x01 \x01(\x0e\x32\x0c.AddressType\x12\x16\n\x02v0\x18\x02 \x01(\x0b\x32\x08.IntegerH\x00\x12#\n\x02v1\x18\x03 \x01(\x0b\x32\x15.Pair_Integer_IntegerH\x00\x42\x07\n\x05value\"\xe4\x01\n\x08\x41nalysis\x12\x0e\n\x06\x66ormat\x18\x01 \x01(\t\x12\x0c\n\x04\x61rch\x18\x02 \x01(\t\x12\n\n\x02os\x18\x03 \x01(\t\x12\x11\n\textractor\x18\x04 \x01(\t\x12\r\n\x05rules\x18\x05 \x03(\t\x12\x1e\n\x0c\x62\x61se_address\x18\x06 \x01(\x0b\x32\x08.Address\x12\x17\n\x06layout\x18\x07 \x01(\x0b\x32\x07.Layout\x12&\n\x0e\x66\x65\x61ture_counts\x18\x08 \x01(\x0b\x32\x0e.FeatureCounts\x12+\n\x11library_functions\x18\t \x03(\x0b\x32\x10.LibraryFunction\">\n\x0b\x41rchFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0c\n\x04\x61rch\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 
\x01(\t\"`\n\nAttackSpec\x12\r\n\x05parts\x18\x01 \x03(\t\x12\x0e\n\x06tactic\x18\x02 \x01(\t\x12\x11\n\ttechnique\x18\x03 \x01(\t\x12\x14\n\x0csubtechnique\x18\x04 \x01(\t\x12\n\n\x02id\x18\x05 \x01(\t\"6\n\x11\x42\x61sicBlockFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x02 \x01(\t\"-\n\x10\x42\x61sicBlockLayout\x12\x19\n\x07\x61\x64\x64ress\x18\x01 \x01(\x0b\x32\x08.Address\"@\n\x0c\x42ytesFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\r\n\x05\x62ytes\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"R\n\x15\x43haracteristicFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x16\n\x0e\x63haracteristic\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"@\n\x0c\x43lassFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x02 \x01(\t\x12\r\n\x05\x63lass\x18\x03 \x01(\t\"6\n\x11\x43ompoundStatement\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x02 \x01(\t\"B\n\rExportFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0e\n\x06\x65xport\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"G\n\rFeatureCounts\x12\x0c\n\x04\x66ile\x18\x01 \x01(\x04\x12(\n\tfunctions\x18\x02 \x03(\x0b\x32\x15.FunctionFeatureCount\"\x83\x06\n\x0b\x46\x65\x61tureNode\x12\x18\n\x02v0\x18\x01 \x01(\x0b\x32\n.OSFeatureH\x00\x12\x1a\n\x02v1\x18\x02 \x01(\x0b\x32\x0c.ArchFeatureH\x00\x12\x1c\n\x02v2\x18\x03 \x01(\x0b\x32\x0e.FormatFeatureH\x00\x12\x1b\n\x02v3\x18\x04 \x01(\x0b\x32\r.MatchFeatureH\x00\x12$\n\x02v4\x18\x05 \x01(\x0b\x32\x16.CharacteristicFeatureH\x00\x12\x1c\n\x02v5\x18\x06 \x01(\x0b\x32\x0e.ExportFeatureH\x00\x12\x1c\n\x02v6\x18\x07 \x01(\x0b\x32\x0e.ImportFeatureH\x00\x12\x1d\n\x02v7\x18\x08 \x01(\x0b\x32\x0f.SectionFeatureH\x00\x12\"\n\x02v8\x18\t \x01(\x0b\x32\x14.FunctionNameFeatureH\x00\x12\x1f\n\x02v9\x18\n \x01(\x0b\x32\x11.SubstringFeatureH\x00\x12\x1c\n\x03v10\x18\x0b \x01(\x0b\x32\r.RegexFeatureH\x00\x12\x1d\n\x03v11\x18\x0c 
\x01(\x0b\x32\x0e.StringFeatureH\x00\x12\x1c\n\x03v12\x18\r \x01(\x0b\x32\r.ClassFeatureH\x00\x12 \n\x03v13\x18\x0e \x01(\x0b\x32\x11.NamespaceFeatureH\x00\x12\x1a\n\x03v14\x18\x0f \x01(\x0b\x32\x0b.APIFeatureH\x00\x12\x1f\n\x03v15\x18\x10 \x01(\x0b\x32\x10.PropertyFeatureH\x00\x12\x1d\n\x03v16\x18\x11 \x01(\x0b\x32\x0e.NumberFeatureH\x00\x12\x1c\n\x03v17\x18\x12 \x01(\x0b\x32\r.BytesFeatureH\x00\x12\x1d\n\x03v18\x18\x13 \x01(\x0b\x32\x0e.OffsetFeatureH\x00\x12\x1f\n\x03v19\x18\x14 \x01(\x0b\x32\x10.MnemonicFeatureH\x00\x12$\n\x03v20\x18\x15 \x01(\x0b\x32\x15.OperandNumberFeatureH\x00\x12$\n\x03v21\x18\x16 \x01(\x0b\x32\x15.OperandOffsetFeatureH\x00\x12!\n\x03v22\x18\x17 \x01(\x0b\x32\x12.BasicBlockFeatureH\x00\x12\x0c\n\x04type\x18\x19 \x01(\tB\t\n\x07\x66\x65\x61ture\"B\n\rFormatFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0e\n\x06\x66ormat\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"@\n\x14\x46unctionFeatureCount\x12\x19\n\x07\x61\x64\x64ress\x18\x01 \x01(\x0b\x32\x08.Address\x12\r\n\x05\x63ount\x18\x02 \x01(\x04\"\\\n\x0e\x46unctionLayout\x12\x19\n\x07\x61\x64\x64ress\x18\x01 \x01(\x0b\x32\x08.Address\x12/\n\x14matched_basic_blocks\x18\x02 \x03(\x0b\x32\x11.BasicBlockLayout\"O\n\x13\x46unctionNameFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x15\n\rfunction_name\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"B\n\rImportFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x02 \x01(\t\x12\x0e\n\x06import\x18\x03 \x01(\t\",\n\x06Layout\x12\"\n\tfunctions\x18\x01 \x03(\x0b\x32\x0f.FunctionLayout\":\n\x0fLibraryFunction\x12\x19\n\x07\x61\x64\x64ress\x18\x01 \x01(\x0b\x32\x08.Address\x12\x0c\n\x04name\x18\x02 \x01(\t\"Y\n\x07MBCSpec\x12\r\n\x05parts\x18\x01 \x03(\t\x12\x11\n\tobjective\x18\x02 \x01(\t\x12\x10\n\x08\x62\x65havior\x18\x03 \x01(\t\x12\x0e\n\x06method\x18\x04 \x01(\t\x12\n\n\x02id\x18\x05 \x01(\t\"\x9a\x01\n\x0cMaecMetadata\x12\x1b\n\x13\x61nalysis_conclusion\x18\x01 
\x01(\t\x12\x1e\n\x16\x61nalysis_conclusion_ov\x18\x02 \x01(\t\x12\x16\n\x0emalware_family\x18\x03 \x01(\t\x12\x18\n\x10malware_category\x18\x04 \x01(\t\x12\x1b\n\x13malware_category_ov\x18\x05 \x01(\t\"\xfa\x01\n\x05Match\x12\x0f\n\x07success\x18\x01 \x01(\x08\x12\x1c\n\x02v0\x18\x02 \x01(\x0b\x32\x0e.StatementNodeH\x00\x12\x1a\n\x02v1\x18\x03 \x01(\x0b\x32\x0c.FeatureNodeH\x00\x12\x18\n\x08\x63hildren\x18\x05 \x03(\x0b\x32\x06.Match\x12\x1b\n\tlocations\x18\x06 \x03(\x0b\x32\x08.Address\x12&\n\x08\x63\x61ptures\x18\x07 \x03(\x0b\x32\x14.Match.CapturesEntry\x1a?\n\rCapturesEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\x1d\n\x05value\x18\x02 \x01(\x0b\x32\x0e.Array_Address:\x02\x38\x01\x42\x06\n\x04node\"@\n\x0cMatchFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\r\n\x05match\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"r\n\x08Metadata\x12\x11\n\ttimestamp\x18\x01 \x01(\t\x12\x0f\n\x07version\x18\x02 \x01(\t\x12\x0c\n\x04\x61rgv\x18\x03 \x03(\t\x12\x17\n\x06sample\x18\x04 \x01(\x0b\x32\x07.Sample\x12\x1b\n\x08\x61nalysis\x18\x05 \x01(\x0b\x32\t.Analysis\"F\n\x0fMnemonicFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x10\n\x08mnemonic\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"H\n\x10NamespaceFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x11\n\tnamespace\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"k\n\rNumberFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x16\n\x02v0\x18\x02 \x01(\x0b\x32\x08.IntegerH\x00\x12\x15\n\x02v1\x18\x03 \x01(\x0b\x32\x07.NumberH\x00\x12\x13\n\x0b\x64\x65scription\x18\x05 \x01(\tB\x08\n\x06number\":\n\tOSFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\n\n\x02os\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"L\n\rOffsetFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x18\n\x06offset\x18\x02 \x01(\x0b\x32\x08.Integer\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"t\n\x14OperandNumberFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x17\n\x05index\x18\x02 \x01(\x0b\x32\x08.Integer\x12 
\n\x0eoperand_number\x18\x03 \x01(\x0b\x32\x08.Integer\x12\x13\n\x0b\x64\x65scription\x18\x04 \x01(\t\"t\n\x14OperandOffsetFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x17\n\x05index\x18\x02 \x01(\x0b\x32\x08.Integer\x12 \n\x0eoperand_offset\x18\x03 \x01(\x0b\x32\x08.Integer\x12\x13\n\x0b\x64\x65scription\x18\x04 \x01(\t\"V\n\x0fPropertyFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0e\n\x06\x61\x63\x63\x65ss\x18\x02 \x01(\t\x12\x10\n\x08property\x18\x03 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x04 \x01(\t\"\xc7\x06\n\x0eRangeStatement\x12\x13\n\x0b\x64\x65scription\x18\x01 \x01(\t\x12\x15\n\x03min\x18\x02 \x01(\x0b\x32\x08.Integer\x12\x15\n\x03max\x18\x03 \x01(\x0b\x32\x08.Integer\x12\x18\n\x02v0\x18\x04 \x01(\x0b\x32\n.OSFeatureH\x00\x12\x1a\n\x02v1\x18\x05 \x01(\x0b\x32\x0c.ArchFeatureH\x00\x12\x1c\n\x02v2\x18\x06 \x01(\x0b\x32\x0e.FormatFeatureH\x00\x12\x1b\n\x02v3\x18\x07 \x01(\x0b\x32\r.MatchFeatureH\x00\x12$\n\x02v4\x18\x08 \x01(\x0b\x32\x16.CharacteristicFeatureH\x00\x12\x1c\n\x02v5\x18\t \x01(\x0b\x32\x0e.ExportFeatureH\x00\x12\x1c\n\x02v6\x18\n \x01(\x0b\x32\x0e.ImportFeatureH\x00\x12\x1d\n\x02v7\x18\x0b \x01(\x0b\x32\x0f.SectionFeatureH\x00\x12\"\n\x02v8\x18\x0c \x01(\x0b\x32\x14.FunctionNameFeatureH\x00\x12\x1f\n\x02v9\x18\r \x01(\x0b\x32\x11.SubstringFeatureH\x00\x12\x1c\n\x03v10\x18\x0e \x01(\x0b\x32\r.RegexFeatureH\x00\x12\x1d\n\x03v11\x18\x0f \x01(\x0b\x32\x0e.StringFeatureH\x00\x12\x1c\n\x03v12\x18\x10 \x01(\x0b\x32\r.ClassFeatureH\x00\x12 \n\x03v13\x18\x11 \x01(\x0b\x32\x11.NamespaceFeatureH\x00\x12\x1a\n\x03v14\x18\x12 \x01(\x0b\x32\x0b.APIFeatureH\x00\x12\x1f\n\x03v15\x18\x13 \x01(\x0b\x32\x10.PropertyFeatureH\x00\x12\x1d\n\x03v16\x18\x14 \x01(\x0b\x32\x0e.NumberFeatureH\x00\x12\x1c\n\x03v17\x18\x15 \x01(\x0b\x32\r.BytesFeatureH\x00\x12\x1d\n\x03v18\x18\x16 \x01(\x0b\x32\x0e.OffsetFeatureH\x00\x12\x1f\n\x03v19\x18\x17 \x01(\x0b\x32\x10.MnemonicFeatureH\x00\x12$\n\x03v20\x18\x18 \x01(\x0b\x32\x15.OperandNumberFeatureH\x00\x12$\n\x03v21\x18\x19 
\x01(\x0b\x32\x15.OperandOffsetFeatureH\x00\x12!\n\x03v22\x18\x1a \x01(\x0b\x32\x12.BasicBlockFeatureH\x00\x12\x0c\n\x04type\x18\x1c \x01(\tB\x07\n\x05\x63hild\"@\n\x0cRegexFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\r\n\x05regex\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"\x90\x01\n\x0eResultDocument\x12\x17\n\x04meta\x18\x01 \x01(\x0b\x32\t.Metadata\x12)\n\x05rules\x18\x02 \x03(\x0b\x32\x1a.ResultDocument.RulesEntry\x1a:\n\nRulesEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\x1b\n\x05value\x18\x02 \x01(\x0b\x32\x0c.RuleMatches:\x02\x38\x01\"`\n\x0bRuleMatches\x12\x1b\n\x04meta\x18\x01 \x01(\x0b\x32\r.RuleMetadata\x12\x0e\n\x06source\x18\x02 \x01(\t\x12$\n\x07matches\x18\x03 \x03(\x0b\x32\x13.Pair_Address_Match\"\x87\x02\n\x0cRuleMetadata\x12\x0c\n\x04name\x18\x01 \x01(\t\x12\x11\n\tnamespace\x18\x02 \x01(\t\x12\x0f\n\x07\x61uthors\x18\x03 \x03(\t\x12\x15\n\x05scope\x18\x04 \x01(\x0e\x32\x06.Scope\x12\x1b\n\x06\x61ttack\x18\x05 \x03(\x0b\x32\x0b.AttackSpec\x12\x15\n\x03mbc\x18\x06 \x03(\x0b\x32\x08.MBCSpec\x12\x12\n\nreferences\x18\x07 \x03(\t\x12\x10\n\x08\x65xamples\x18\x08 \x03(\t\x12\x13\n\x0b\x64\x65scription\x18\t \x01(\t\x12\x0b\n\x03lib\x18\n \x01(\x08\x12\x1b\n\x04maec\x18\x0b \x01(\x0b\x32\r.MaecMetadata\x12\x15\n\rcapa_subscope\x18\x0c \x01(\x08\"A\n\x06Sample\x12\x0b\n\x03md5\x18\x01 \x01(\t\x12\x0c\n\x04sha1\x18\x02 \x01(\t\x12\x0e\n\x06sha256\x18\x03 \x01(\t\x12\x0c\n\x04path\x18\x04 \x01(\t\"D\n\x0eSectionFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0f\n\x07section\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"K\n\rSomeStatement\x12\x13\n\x0b\x64\x65scription\x18\x01 \x01(\t\x12\x17\n\x05\x63ount\x18\x02 \x01(\x0b\x32\x08.Integer\x12\x0c\n\x04type\x18\x03 \x01(\t\"\xab\x01\n\rStatementNode\x12\x1d\n\x02v0\x18\x01 \x01(\x0b\x32\x0f.RangeStatementH\x00\x12\x1c\n\x02v1\x18\x02 \x01(\x0b\x32\x0e.SomeStatementH\x00\x12 \n\x02v2\x18\x03 \x01(\x0b\x32\x12.SubscopeStatementH\x00\x12 \n\x02v3\x18\x04 
\x01(\x0b\x32\x12.CompoundStatementH\x00\x12\x0c\n\x04type\x18\x06 \x01(\tB\x0b\n\tstatement\"B\n\rStringFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0e\n\x06string\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\"M\n\x11SubscopeStatement\x12\x13\n\x0b\x64\x65scription\x18\x01 \x01(\t\x12\x15\n\x05scope\x18\x02 \x01(\x0e\x32\x06.Scope\x12\x0c\n\x04type\x18\x03 \x01(\t\"H\n\x10SubstringFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x11\n\tsubstring\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\")\n\rArray_Address\x12\x18\n\x06values\x18\x01 \x03(\x0b\x32\x08.Address\">\n\x12Pair_Address_Match\x12\x14\n\x02v0\x18\x01 \x01(\x0b\x32\x08.Address\x12\x12\n\x02v1\x18\x02 \x01(\x0b\x32\x06.Match\"B\n\x14Pair_Integer_Integer\x12\x14\n\x02v0\x18\x01 \x01(\x0b\x32\x08.Integer\x12\x14\n\x02v1\x18\x02 \x01(\x0b\x32\x08.Integer\",\n\x07Integer\x12\x0b\n\x01u\x18\x01 \x01(\x04H\x00\x12\x0b\n\x01i\x18\x02 \x01(\x03H\x00\x42\x07\n\x05value\"8\n\x06Number\x12\x0b\n\x01u\x18\x01 \x01(\x04H\x00\x12\x0b\n\x01i\x18\x02 \x01(\x03H\x00\x12\x0b\n\x01\x66\x18\x03 \x01(\x01H\x00\x42\x07\n\x05value*\xcb\x01\n\x0b\x41\x64\x64ressType\x12\x1b\n\x17\x41\x44\x44RESSTYPE_UNSPECIFIED\x10\x00\x12\x18\n\x14\x41\x44\x44RESSTYPE_ABSOLUTE\x10\x01\x12\x18\n\x14\x41\x44\x44RESSTYPE_RELATIVE\x10\x02\x12\x14\n\x10\x41\x44\x44RESSTYPE_FILE\x10\x03\x12\x18\n\x14\x41\x44\x44RESSTYPE_DN_TOKEN\x10\x04\x12\x1f\n\x1b\x41\x44\x44RESSTYPE_DN_TOKEN_OFFSET\x10\x05\x12\x1a\n\x16\x41\x44\x44RESSTYPE_NO_ADDRESS\x10\x06*p\n\x05Scope\x12\x15\n\x11SCOPE_UNSPECIFIED\x10\x00\x12\x0e\n\nSCOPE_FILE\x10\x01\x12\x12\n\x0eSCOPE_FUNCTION\x10\x02\x12\x15\n\x11SCOPE_BASIC_BLOCK\x10\x03\x12\x15\n\x11SCOPE_INSTRUCTION\x10\x04\x62\x06proto3') _builder.BuildMessageAndEnumDescriptors(DESCRIPTOR, globals()) -_builder.BuildTopDescriptorsAndMessages(DESCRIPTOR, 'capa_pb2', globals()) +_builder.BuildTopDescriptorsAndMessages(DESCRIPTOR, 'capa.render.proto.capa_pb2', globals()) if _descriptor._USE_C_DESCRIPTORS 
== False: DESCRIPTOR._options = None 
@@ -24,114 +24,114 @@ if _descriptor._USE_C_DESCRIPTORS == False: _MATCH_CAPTURESENTRY._serialized_options = b'8\001' _RESULTDOCUMENT_RULESENTRY._options = None _RESULTDOCUMENT_RULESENTRY._serialized_options = b'8\001' - _ADDRESSTYPE._serialized_start=6079 - _ADDRESSTYPE._serialized_end=6282 - _SCOPE._serialized_start=6284 - _SCOPE._serialized_end=6396 - _APIFEATURE._serialized_start=14 - _APIFEATURE._serialized_end=74 - _ADDRESS._serialized_start=76 - _ADDRESS._serialized_end=183 - _ANALYSIS._serialized_start=186 - _ANALYSIS._serialized_end=414 - _ARCHFEATURE._serialized_start=416 - _ARCHFEATURE._serialized_end=478 - _ATTACKSPEC._serialized_start=480 - _ATTACKSPEC._serialized_end=576 - _BASICBLOCKFEATURE._serialized_start=578 - _BASICBLOCKFEATURE._serialized_end=632 - _BASICBLOCKLAYOUT._serialized_start=634 - _BASICBLOCKLAYOUT._serialized_end=679 - _BYTESFEATURE._serialized_start=681 - _BYTESFEATURE._serialized_end=745 - _CHARACTERISTICFEATURE._serialized_start=747 - _CHARACTERISTICFEATURE._serialized_end=829 - _CLASSFEATURE._serialized_start=831 - _CLASSFEATURE._serialized_end=895 - _COMPOUNDSTATEMENT._serialized_start=897 - _COMPOUNDSTATEMENT._serialized_end=951 - _EXPORTFEATURE._serialized_start=953 - _EXPORTFEATURE._serialized_end=1019 - _FEATURECOUNTS._serialized_start=1021 - _FEATURECOUNTS._serialized_end=1102 - _FEATURENODE._serialized_start=1105 - _FEATURENODE._serialized_end=1876 - _FORMATFEATURE._serialized_start=1878 - _FORMATFEATURE._serialized_end=1944 - _FUNCTIONFEATURECOUNT._serialized_start=1946 - _FUNCTIONFEATURECOUNT._serialized_end=2020 - _FUNCTIONLAYOUT._serialized_start=2022 - _FUNCTIONLAYOUT._serialized_end=2114 - _FUNCTIONNAMEFEATURE._serialized_start=2116 - _FUNCTIONNAMEFEATURE._serialized_end=2195 - _IMPORTFEATURE._serialized_start=2197 - _IMPORTFEATURE._serialized_end=2263 - _LAYOUT._serialized_start=2265 - _LAYOUT._serialized_end=2309 - _LIBRARYFUNCTION._serialized_start=2311 - _LIBRARYFUNCTION._serialized_end=2369 - 
_MBCSPEC._serialized_start=2371 - _MBCSPEC._serialized_end=2460 - _MAECMETADATA._serialized_start=2463 - _MAECMETADATA._serialized_end=2617 - _MATCH._serialized_start=2620 - _MATCH._serialized_end=2870 - _MATCH_CAPTURESENTRY._serialized_start=2799 - _MATCH_CAPTURESENTRY._serialized_end=2862 - _MATCHFEATURE._serialized_start=2872 - _MATCHFEATURE._serialized_end=2936 - _METADATA._serialized_start=2938 - _METADATA._serialized_end=3052 - _MNEMONICFEATURE._serialized_start=3054 - _MNEMONICFEATURE._serialized_end=3124 - _NAMESPACEFEATURE._serialized_start=3126 - _NAMESPACEFEATURE._serialized_end=3198 - _NUMBERFEATURE._serialized_start=3200 - _NUMBERFEATURE._serialized_end=3307 - _OSFEATURE._serialized_start=3309 - _OSFEATURE._serialized_end=3367 - _OFFSETFEATURE._serialized_start=3369 - _OFFSETFEATURE._serialized_end=3445 - _OPERANDNUMBERFEATURE._serialized_start=3447 - _OPERANDNUMBERFEATURE._serialized_end=3563 - _OPERANDOFFSETFEATURE._serialized_start=3565 - _OPERANDOFFSETFEATURE._serialized_end=3681 - _PROPERTYFEATURE._serialized_start=3683 - _PROPERTYFEATURE._serialized_end=3769 - _RANGESTATEMENT._serialized_start=3772 - _RANGESTATEMENT._serialized_end=4611 - _REGEXFEATURE._serialized_start=4613 - _REGEXFEATURE._serialized_end=4677 - _RESULTDOCUMENT._serialized_start=4680 - _RESULTDOCUMENT._serialized_end=4824 - _RESULTDOCUMENT_RULESENTRY._serialized_start=4766 - _RESULTDOCUMENT_RULESENTRY._serialized_end=4824 - _RULEMATCHES._serialized_start=4826 - _RULEMATCHES._serialized_end=4922 - _RULEMETADATA._serialized_start=4925 - _RULEMETADATA._serialized_end=5188 - _SAMPLE._serialized_start=5190 - _SAMPLE._serialized_end=5255 - _SECTIONFEATURE._serialized_start=5257 - _SECTIONFEATURE._serialized_end=5325 - _SOMESTATEMENT._serialized_start=5327 - _SOMESTATEMENT._serialized_end=5402 - _STATEMENTNODE._serialized_start=5405 - _STATEMENTNODE._serialized_end=5576 - _STRINGFEATURE._serialized_start=5578 - _STRINGFEATURE._serialized_end=5644 - 
_SUBSCOPESTATEMENT._serialized_start=5646 - _SUBSCOPESTATEMENT._serialized_end=5723 - _SUBSTRINGFEATURE._serialized_start=5725 - _SUBSTRINGFEATURE._serialized_end=5797 - _ARRAY_ADDRESS._serialized_start=5799 - _ARRAY_ADDRESS._serialized_end=5840 - _PAIR_ADDRESS_MATCH._serialized_start=5842 - _PAIR_ADDRESS_MATCH._serialized_end=5904 - _PAIR_INTEGER_INTEGER._serialized_start=5906 - _PAIR_INTEGER_INTEGER._serialized_end=5972 - _INTEGER._serialized_start=5974 - _INTEGER._serialized_end=6018 - _NUMBER._serialized_start=6020 - _NUMBER._serialized_end=6076 + _ADDRESSTYPE._serialized_start=6077 + _ADDRESSTYPE._serialized_end=6280 + _SCOPE._serialized_start=6282 + _SCOPE._serialized_end=6394 + _APIFEATURE._serialized_start=32 + _APIFEATURE._serialized_end=92 + _ADDRESS._serialized_start=94 + _ADDRESS._serialized_end=201 + _ANALYSIS._serialized_start=204 + _ANALYSIS._serialized_end=432 + _ARCHFEATURE._serialized_start=434 + _ARCHFEATURE._serialized_end=496 + _ATTACKSPEC._serialized_start=498 + _ATTACKSPEC._serialized_end=594 + _BASICBLOCKFEATURE._serialized_start=596 + _BASICBLOCKFEATURE._serialized_end=650 + _BASICBLOCKLAYOUT._serialized_start=652 + _BASICBLOCKLAYOUT._serialized_end=697 + _BYTESFEATURE._serialized_start=699 + _BYTESFEATURE._serialized_end=763 + _CHARACTERISTICFEATURE._serialized_start=765 + _CHARACTERISTICFEATURE._serialized_end=847 + _CLASSFEATURE._serialized_start=849 + _CLASSFEATURE._serialized_end=913 + _COMPOUNDSTATEMENT._serialized_start=915 + _COMPOUNDSTATEMENT._serialized_end=969 + _EXPORTFEATURE._serialized_start=971 + _EXPORTFEATURE._serialized_end=1037 + _FEATURECOUNTS._serialized_start=1039 + _FEATURECOUNTS._serialized_end=1110 + _FEATURENODE._serialized_start=1113 + _FEATURENODE._serialized_end=1884 + _FORMATFEATURE._serialized_start=1886 + _FORMATFEATURE._serialized_end=1952 + _FUNCTIONFEATURECOUNT._serialized_start=1954 + _FUNCTIONFEATURECOUNT._serialized_end=2018 + _FUNCTIONLAYOUT._serialized_start=2020 + _FUNCTIONLAYOUT._serialized_end=2112 
+ _FUNCTIONNAMEFEATURE._serialized_start=2114 + _FUNCTIONNAMEFEATURE._serialized_end=2193 + _IMPORTFEATURE._serialized_start=2195 + _IMPORTFEATURE._serialized_end=2261 + _LAYOUT._serialized_start=2263 + _LAYOUT._serialized_end=2307 + _LIBRARYFUNCTION._serialized_start=2309 + _LIBRARYFUNCTION._serialized_end=2367 + _MBCSPEC._serialized_start=2369 + _MBCSPEC._serialized_end=2458 + _MAECMETADATA._serialized_start=2461 + _MAECMETADATA._serialized_end=2615 + _MATCH._serialized_start=2618 + _MATCH._serialized_end=2868 + _MATCH_CAPTURESENTRY._serialized_start=2797 + _MATCH_CAPTURESENTRY._serialized_end=2860 + _MATCHFEATURE._serialized_start=2870 + _MATCHFEATURE._serialized_end=2934 + _METADATA._serialized_start=2936 + _METADATA._serialized_end=3050 + _MNEMONICFEATURE._serialized_start=3052 + _MNEMONICFEATURE._serialized_end=3122 + _NAMESPACEFEATURE._serialized_start=3124 + _NAMESPACEFEATURE._serialized_end=3196 + _NUMBERFEATURE._serialized_start=3198 + _NUMBERFEATURE._serialized_end=3305 + _OSFEATURE._serialized_start=3307 + _OSFEATURE._serialized_end=3365 + _OFFSETFEATURE._serialized_start=3367 + _OFFSETFEATURE._serialized_end=3443 + _OPERANDNUMBERFEATURE._serialized_start=3445 + _OPERANDNUMBERFEATURE._serialized_end=3561 + _OPERANDOFFSETFEATURE._serialized_start=3563 + _OPERANDOFFSETFEATURE._serialized_end=3679 + _PROPERTYFEATURE._serialized_start=3681 + _PROPERTYFEATURE._serialized_end=3767 + _RANGESTATEMENT._serialized_start=3770 + _RANGESTATEMENT._serialized_end=4609 + _REGEXFEATURE._serialized_start=4611 + _REGEXFEATURE._serialized_end=4675 + _RESULTDOCUMENT._serialized_start=4678 + _RESULTDOCUMENT._serialized_end=4822 + _RESULTDOCUMENT_RULESENTRY._serialized_start=4764 + _RESULTDOCUMENT_RULESENTRY._serialized_end=4822 + _RULEMATCHES._serialized_start=4824 + _RULEMATCHES._serialized_end=4920 + _RULEMETADATA._serialized_start=4923 + _RULEMETADATA._serialized_end=5186 + _SAMPLE._serialized_start=5188 + _SAMPLE._serialized_end=5253 + 
_SECTIONFEATURE._serialized_start=5255 + _SECTIONFEATURE._serialized_end=5323 + _SOMESTATEMENT._serialized_start=5325 + _SOMESTATEMENT._serialized_end=5400 + _STATEMENTNODE._serialized_start=5403 + _STATEMENTNODE._serialized_end=5574 + _STRINGFEATURE._serialized_start=5576 + _STRINGFEATURE._serialized_end=5642 + _SUBSCOPESTATEMENT._serialized_start=5644 + _SUBSCOPESTATEMENT._serialized_end=5721 + _SUBSTRINGFEATURE._serialized_start=5723 + _SUBSTRINGFEATURE._serialized_end=5795 + _ARRAY_ADDRESS._serialized_start=5797 + _ARRAY_ADDRESS._serialized_end=5838 + _PAIR_ADDRESS_MATCH._serialized_start=5840 + _PAIR_ADDRESS_MATCH._serialized_end=5902 + _PAIR_INTEGER_INTEGER._serialized_start=5904 + _PAIR_INTEGER_INTEGER._serialized_end=5970 + _INTEGER._serialized_start=5972 + _INTEGER._serialized_end=6016 + _NUMBER._serialized_start=6018 + _NUMBER._serialized_end=6074 # @@protoc_insertion_point(module_scope) diff --git a/capa/render/proto/proto.py b/capa/render/proto/proto.py new file mode 100644 index 00000000..1b1f0720 --- /dev/null +++ b/capa/render/proto/proto.py 
@@ -0,0 +1,120 @@
+import sys
+import json
+
+import capa.features.freeze
+import capa.render.proto.capa_pb2
+import capa.render.result_document
+from capa.features.freeze import AddressType
+
+
+def main():
+ # first compile protobuf
+ # protoc.exe --python_out . capa/render/proto/capa.proto
+
+ fpath = sys.argv[1]
+ with open(fpath, "r", encoding="utf-8") as f:
+ fdata = f.read()
+
+ doc = capa.render.result_document.ResultDocument.parse_obj(json.loads(fdata))
+
+ p = to_proto(doc)
+
+ print(p)
+
+
+def to_proto(doc):
+ m = metadata_from_capa(doc.meta)
+ return m
+
+
+def metadata_from_capa(meta: capa.render.result_document.Metadata) -> capa.render.proto.capa_pb2.Metadata:
+ m = capa.render.proto.capa_pb2.Metadata()
+
+ m.timestamp = str(meta.timestamp) # TODO google.protobuf.timestamp_pb2.Timestamp?
+ m.version = meta.version
+ m.argv.extend(meta.argv)
+
+ m.sample.md5 = meta.sample.md5
+ m.sample.sha1 = meta.sample.sha1
+ m.sample.sha256 = meta.sample.sha256
+ m.sample.path = meta.sample.path
+
+ m.analysis.format = meta.analysis.format
+ m.analysis.arch = meta.analysis.arch
+ m.analysis.os = meta.analysis.os
+ m.analysis.extractor = meta.analysis.extractor
+ m.analysis.rules.extend(meta.analysis.rules)
+ m.analysis.base_address.CopyFrom(addr_from_freeze(meta.analysis.base_address))
+
+ m.analysis.layout.CopyFrom(
+ capa.render.proto.capa_pb2.Layout(
+ functions=[
+ capa.render.proto.capa_pb2.FunctionLayout(
+ address=addr_from_freeze(func.address),
+ matched_basic_blocks=[
+ capa.render.proto.capa_pb2.BasicBlockLayout(address=addr_from_freeze(bb.address))
+ for bb in func.matched_basic_blocks
+ ],
+ )
+ for func in meta.analysis.layout.functions
+ ]
+ )
+ )
+
+ m.analysis.feature_counts.file = meta.analysis.feature_counts.file
+ m.analysis.feature_counts.functions.extend(
+ [
+ capa.render.proto.capa_pb2.FunctionFeatureCount(address=addr_from_freeze(ffc.address), count=ffc.count)
+ for ffc in meta.analysis.feature_counts.functions
+ ]
+ )
+ m.analysis.library_functions.extend(
+ [
+ capa.render.proto.capa_pb2.LibraryFunction(address=addr_from_freeze(lf.address), name=lf.name)
+ for lf in meta.analysis.library_functions
+ ]
+ )
+
+ return m
+
+
+def addr_from_freeze(a: capa.features.freeze.Address) -> capa.render.proto.capa_pb2.Address:
+ address = capa.render.proto.capa_pb2.Address()
+ if a.type is AddressType.ABSOLUTE:
+ address.type = capa.render.proto.capa_pb2.AddressType.ADDRESSTYPE_ABSOLUTE
+ address.v0.CopyFrom(capa.render.proto.capa_pb2.Integer(u=a.value))
+ return address
+
+ elif a.type is AddressType.RELATIVE:
+ address.type = capa.render.proto.capa_pb2.AddressType.ADDRESSTYPE_RELATIVE
+ address.v0.CopyFrom(capa.render.proto.capa_pb2.Integer(u=a.value))
+ return address
+
+ elif a.type is AddressType.FILE:
+ address.type = capa.render.proto.capa_pb2.AddressType.ADDRESSTYPE_FILE
+ address.v0.CopyFrom(capa.render.proto.capa_pb2.Integer(u=a.value))
+ return address
+
+ elif a.type is AddressType.DN_TOKEN:
+ address.type = capa.render.proto.capa_pb2.AddressType.ADDRESSTYPE_DN_TOKEN
+ address.v0.u = a.value # TODO or v0.CopyFrom(Integer(a.value))?
+ return address
+
+ elif a.type is AddressType.DN_TOKEN_OFFSET:
+ token, offset = a.value
+ address.type = capa.render.proto.capa_pb2.AddressType.ADDRESSTYPE_DN_TOKEN_OFFSET
+ address.v1.v0.CopyFrom(capa.render.proto.capa_pb2.Integer(u=token))
+ address.v1.v1.CopyFrom(capa.render.proto.capa_pb2.Integer(u=offset))
+ return address
+
+ elif a.type is AddressType.NO_ADDRESS:
+ address.type = capa.render.proto.capa_pb2.AddressType.ADDRESSTYPE_NO_ADDRESS
+ # value == None so just don't set here
+ return address
+
+ else:
+ raise NotImplementedError(f"type {a.type} not implemented")
+
+
+if __name__ == "__main__":
+ main()
diff --git a/tests/test_proto.py b/tests/test_proto.py
index 5211171e..7e1639fa 100644
--- a/tests/test_proto.py
+++ b/tests/test_proto.py
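Review bot: `addr_from_freeze` repeats the same three-line body for ABSOLUTE, RELATIVE and FILE and then fills DN_TOKEN through `address.v0.u = a.value` instead of the `v0.CopyFrom(Integer(u=...))` form its neighbours use (the TODO on that line asks exactly this); a small AddressType-to-proto-enum table collapses the four single-integer cases into one branch and settles the inconsistency, as sketched below. `main()` indexes `sys.argv[1]` without checking that an argument was given, so a bare invocation dies with an IndexError rather than a usage message; `if len(sys.argv) != 2: sys.exit("usage: proto.py <capa-json>")` before the open covers it. None of the new functions carry a docstring: `metadata_from_capa` should state that it builds a `capa_pb2.Metadata` from a result-document `Metadata`, with `timestamp` stored as `str(meta.timestamp)` until the Timestamp TODO is resolved, and `addr_from_freeze` that it raises NotImplementedError for any AddressType it does not map. `to_proto` currently returns only the metadata message, which its name does not suggest; presumably the remaining ResultDocument fields follow in later commits, so a `# TODO: rules/matches not yet converted` on its return would help the next reader.
```python
# … unchanged: imports, main(), to_proto(), metadata_from_capa() …

# freeze AddressType -> proto AddressType for the kinds whose value is a single integer.
_SINGLE_VALUE_TYPES = {
    AddressType.ABSOLUTE: capa.render.proto.capa_pb2.AddressType.ADDRESSTYPE_ABSOLUTE,
    AddressType.RELATIVE: capa.render.proto.capa_pb2.AddressType.ADDRESSTYPE_RELATIVE,
    AddressType.FILE: capa.render.proto.capa_pb2.AddressType.ADDRESSTYPE_FILE,
    AddressType.DN_TOKEN: capa.render.proto.capa_pb2.AddressType.ADDRESSTYPE_DN_TOKEN,
}


def addr_from_freeze(a: capa.features.freeze.Address) -> capa.render.proto.capa_pb2.Address:
    """Convert a frozen capa address into its protobuf representation.

    Raises NotImplementedError for an AddressType that has no mapping here.
    """
    address = capa.render.proto.capa_pb2.Address()
    if a.type in _SINGLE_VALUE_TYPES:
        address.type = _SINGLE_VALUE_TYPES[a.type]
        address.v0.CopyFrom(capa.render.proto.capa_pb2.Integer(u=a.value))
        return address
    # … unchanged: DN_TOKEN_OFFSET, NO_ADDRESS and the NotImplementedError fallthrough …
```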
@@ -10,20 +10,21 @@ import pathlib import subprocess import pydantic - -from fixtures import * - import capa.render import capa.render.proto import capa.render.utils import capa.features.freeze +import capa.features.address +import capa.render.proto.proto import capa.render.proto.capa_pb2 import capa.render.result_document import capa.features.freeze.features +from fixtures import * from capa.render.result_document import ResultDocument -def test_generate_proto(tmp_path: pathlib.Path): +# TODO enable/remove +def _test_generate_proto(tmp_path: pathlib.Path): tmp_path.mkdir(exist_ok=True, parents=True) proto_path = tmp_path / "capa.proto" json_path = tmp_path / "capa.json" 
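Review bot: Renaming `test_generate_proto` to `_test_generate_proto` drops the test from collection without leaving any trace in the test report, so the lost coverage is easy to forget; decorating it with `@pytest.mark.skip(reason="...")` (importing pytest if the module does not already) keeps it visible as skipped, and the reason can carry what the `# TODO enable/remove` comment currently says. The body of `_test_generate_proto` continues outside the hunk.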
@@ -60,6 +61,85 @@ def test_generate_proto(tmp_path: pathlib.Path): def test_translate_to_proto(pma0101_rd: ResultDocument): src = pma0101_rd - dst = capa.render.proto.capa_pb2.ResultDocument() + meta = src.meta + dst = capa.render.proto.proto.metadata_from_capa(meta) - assert True + assert str(meta.timestamp) == dst.timestamp # TODO type? + assert meta.version == dst.version + assert list(meta.argv) == dst.argv + + assert meta.sample.md5 == dst.sample.md5 + assert meta.sample.sha1 == dst.sample.sha1 + assert meta.sample.sha256 == dst.sample.sha256 + assert meta.sample.path == dst.sample.path + + assert meta.analysis.format == dst.analysis.format + assert meta.analysis.arch == dst.analysis.arch + assert meta.analysis.os == dst.analysis.os + assert meta.analysis.extractor == dst.analysis.extractor + assert list(meta.analysis.rules) == dst.analysis.rules + assert capa.render.proto.proto.addr_from_freeze(meta.analysis.base_address) == dst.analysis.base_address + + assert len(meta.analysis.layout.functions) == len(dst.analysis.layout.functions) + # TODO use zip() + for i, f in enumerate(meta.analysis.layout.functions): + assert capa.render.proto.proto.addr_from_freeze(f.address) == dst.analysis.layout.functions[i].address + + assert len(f.matched_basic_blocks) == len(dst.analysis.layout.functions[i].matched_basic_blocks) + for j, bb in enumerate(f.matched_basic_blocks): + assert ( + capa.render.proto.proto.addr_from_freeze(bb.address) + == dst.analysis.layout.functions[i].matched_basic_blocks[j].address + ) + + assert meta.analysis.feature_counts.file == dst.analysis.feature_counts.file + assert len(meta.analysis.feature_counts.functions) == len(dst.analysis.feature_counts.functions) + for rd_f, proto_f in zip(meta.analysis.feature_counts.functions, dst.analysis.feature_counts.functions): + assert capa.render.proto.proto.addr_from_freeze(rd_f.address) == proto_f.address + assert rd_f.count == proto_f.count + + assert len(meta.analysis.library_functions) == 
len(dst.analysis.library_functions) + for rd_lf, proto_lf in zip(meta.analysis.library_functions, dst.analysis.library_functions): + assert capa.render.proto.proto.addr_from_freeze(rd_lf.address) == proto_lf.address + assert rd_lf.name == proto_lf.name + + +def test_addr_from_freeze(): + a = capa.features.address.AbsoluteVirtualAddress(0x400000) + a = capa.features.freeze.Address.from_capa(a) + a = capa.render.proto.proto.addr_from_freeze(a) + assert a.type == capa.render.proto.capa_pb2.ADDRESSTYPE_ABSOLUTE + assert a.v0.u == 0x400000 + + a = capa.features.address.RelativeVirtualAddress(0x100) + a = capa.features.freeze.Address.from_capa(a) + a = capa.render.proto.proto.addr_from_freeze(a) + assert a.type == capa.render.proto.capa_pb2.ADDRESSTYPE_RELATIVE + assert a.v0.u == 0x100 + + a = capa.features.address.FileOffsetAddress(0x200) + a = capa.features.freeze.Address.from_capa(a) + a = capa.render.proto.proto.addr_from_freeze(a) + assert a.type == capa.render.proto.capa_pb2.ADDRESSTYPE_FILE + assert a.v0.u == 0x200 + + a = capa.features.address.DNTokenAddress(0x123456) + a = capa.features.freeze.Address.from_capa(a) + a = capa.render.proto.proto.addr_from_freeze(a) + assert a.type == capa.render.proto.capa_pb2.ADDRESSTYPE_DN_TOKEN + assert a.v0.u == 0x123456 + + a = capa.features.address.DNTokenOffsetAddress(0x123456, 0x10) + a = capa.features.freeze.Address.from_capa(a) + a = capa.render.proto.proto.addr_from_freeze(a) + assert a.type == capa.render.proto.capa_pb2.ADDRESSTYPE_DN_TOKEN_OFFSET + assert a.v1.v0.u == 0x123456 + assert a.v1.v1.u == 0x10 + + a = capa.features.address._NoAddress() + a = capa.features.freeze.Address.from_capa(a) + a = capa.render.proto.proto.addr_from_freeze(a) + assert a.type == capa.render.proto.capa_pb2.ADDRESSTYPE_NO_ADDRESS + + +# TODO proto to RD?
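Review bot: The `# TODO use zip()` loop over `meta.analysis.layout.functions` indexes `dst.analysis.layout.functions[i]` and `[j]` while the feature-count and library-function loops just below already pair the sequences with `zip`; rewriting it in the same shape removes the index bookkeeping and makes the three loops read alike, as below. `assert str(meta.timestamp) == dst.timestamp` only re-applies the conversion the implementation performs and so would pass for any string form; if `meta.timestamp` is a datetime, also asserting `datetime.datetime.fromisoformat(dst.timestamp) == meta.timestamp` pins that the stored text round-trips. `test_addr_from_freeze` covers every AddressType that `addr_from_freeze` maps but not its NotImplementedError fallthrough; whether an unmapped AddressType exists to drive such a case is not visible here.
```python
    assert len(meta.analysis.layout.functions) == len(dst.analysis.layout.functions)
    for rd_f, proto_f in zip(meta.analysis.layout.functions, dst.analysis.layout.functions):
        assert capa.render.proto.proto.addr_from_freeze(rd_f.address) == proto_f.address

        assert len(rd_f.matched_basic_blocks) == len(proto_f.matched_basic_blocks)
        for rd_bb, proto_bb in zip(rd_f.matched_basic_blocks, proto_f.matched_basic_blocks):
            assert capa.render.proto.proto.addr_from_freeze(rd_bb.address) == proto_bb.address
    # … unchanged: feature_counts and library_functions assertions …
```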