Merge branch 'master' into capa-explorer-export-json-results

2025-12-23 15:37:37 -08:00 · 2020-07-15 14:26:14 -06:00
parent 940137fad8 e09979720a
commit a88ada3562
57 changed files with 154 additions and 35 deletions
--- a/.github/pyinstaller/hooks/hook-vivisect.py
+++ b/.github/pyinstaller/hooks/hook-vivisect.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 from PyInstaller.utils.hooks import copy_metadata

 # in order for viv-utils to use pkg_resources to fetch
--- a/.github/pyinstaller/pyinstaller.spec
+++ b/.github/pyinstaller/pyinstaller.spec
@@ -1,4 +1,5 @@
 # -*- mode: python -*-
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
 import os.path
 import subprocess

--- a/capa/engine.py
+++ b/capa/engine.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import re
 import sys
 import copy
--- a/capa/features/init.py
+++ b/capa/features/init.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import sys
 import codecs
 import logging
@@ -39,10 +41,13 @@ class Feature(object):
        return self.value

    def __str__(self):
-        if self.description:
-            return "%s(%s = %s)" % (self.name, self.get_value_str(), self.description)
+        if self.value:
+            if self.description:
+                return "%s(%s = %s)" % (self.name, self.get_value_str(), self.description)
+            else:
+                return "%s(%s)" % (self.name, self.get_value_str())
        else:
-            return "%s(%s)" % (self.name, self.get_value_str())
+            return "%s" % self.name

    def __repr__(self):
        return str(self)
--- a/capa/features/basicblock.py
+++ b/capa/features/basicblock.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 from capa.features import Feature


@@ -8,6 +10,9 @@ class BasicBlock(Feature):
    def __str__(self):
        return "basic block"

+    def get_value_str(self):
+        return ""
+
    def freeze_serialize(self):
        return (self.__class__.__name__, [])

--- a/capa/features/extractors/init.py
+++ b/capa/features/extractors/init.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import abc


--- a/capa/features/extractors/helpers.py
+++ b/capa/features/extractors/helpers.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import sys
 import builtins

--- a/capa/features/extractors/ida/init.py
+++ b/capa/features/extractors/ida/init.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import sys
 import types

--- a/capa/features/extractors/ida/basicblock.py
+++ b/capa/features/extractors/ida/basicblock.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import sys
 import string
 import struct
--- a/capa/features/extractors/ida/file.py
+++ b/capa/features/extractors/ida/file.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import struct

 import idc
--- a/capa/features/extractors/ida/function.py
+++ b/capa/features/extractors/ida/function.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import idaapi
 import idautils

@@ -36,7 +38,8 @@ def extract_function_loop(f):

    # construct control flow graph
    for bb in idaapi.FlowChart(f):
-        map(lambda s: edges.append((bb.start_ea, s.start_ea)), bb.succs())
+        for succ in bb.succs():
+            edges.append((bb.start_ea, succ.start_ea))

    if loops.has_loop(edges):
        yield Characteristic("loop"), f.start_ea
--- a/capa/features/extractors/ida/helpers.py
+++ b/capa/features/extractors/ida/helpers.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import sys
 import string

--- a/capa/features/extractors/ida/insn.py
+++ b/capa/features/extractors/ida/insn.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import idc
 import idaapi
 import idautils
--- a/capa/features/extractors/loops.py
+++ b/capa/features/extractors/loops.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 from networkx import nx
 from networkx.algorithms.components import strongly_connected_components

--- a/capa/features/extractors/strings.py
+++ b/capa/features/extractors/strings.py
@@ -1,4 +1,4 @@
-# Copyright (C) 2017 FireEye, Inc. All Rights Reserved.
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
 #
 # strings code from FLOSS, https://github.com/fireeye/flare-floss
 #
--- a/capa/features/extractors/viv/init.py
+++ b/capa/features/extractors/viv/init.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import types

 import viv_utils
--- a/capa/features/extractors/viv/basicblock.py
+++ b/capa/features/extractors/viv/basicblock.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import string
 import struct

--- a/capa/features/extractors/viv/file.py
+++ b/capa/features/extractors/viv/file.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import PE.carve as pe_carve  # vivisect PE

 import capa.features.extractors.strings
--- a/capa/features/extractors/viv/function.py
+++ b/capa/features/extractors/viv/function.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import vivisect.const

 from capa.features import Characteristic
--- a/capa/features/extractors/viv/indirect_calls.py
+++ b/capa/features/extractors/viv/indirect_calls.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import collections

 import envi
--- a/capa/features/extractors/viv/insn.py
+++ b/capa/features/extractors/viv/insn.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import envi.memory
 import vivisect.const
 import envi.archs.i386.disasm
--- a/capa/features/file.py
+++ b/capa/features/file.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 from capa.features import Feature


--- a/capa/features/freeze.py
+++ b/capa/features/freeze.py
@@ -39,6 +39,8 @@ json format:
        ],
      }
    }
+
+Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
 """
 import json
 import zlib
--- a/capa/features/insn.py
+++ b/capa/features/insn.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 from capa.features import Feature


--- a/capa/helpers.py
+++ b/capa/helpers.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import os

 _hex = hex
--- a/capa/ida/explorer/item.py
+++ b/capa/ida/explorer/item.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import sys
 import codecs

--- a/capa/ida/explorer/model.py
+++ b/capa/ida/explorer/model.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 from collections import deque

 import idc
@@ -467,10 +469,13 @@ class CapaExplorerDataModel(QtCore.QAbstractItemModel):

                bytes(01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 = CLSID_ShellLink)
        """
-        if feature.get("description", ""):
-            return "%s(%s = %s)" % (feature["type"], feature[feature["type"]], feature["description"])
+        if feature[feature["type"]]:
+            if feature.get("description", ""):
+                return "%s(%s = %s)" % (feature["type"], feature[feature["type"]], feature["description"])
+            else:
+                return "%s(%s)" % (feature["type"], feature[feature["type"]])
        else:
-            return "%s(%s)" % (feature["type"], feature[feature["type"]])
+            return "%s" % feature["type"]

    def render_capa_doc_feature_node(self, parent, feature, locations, doc):
        """ process capa doc feature node
--- a/capa/ida/explorer/proxy.py
+++ b/capa/ida/explorer/proxy.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 from PyQt5 import QtCore

 from capa.ida.explorer.model import CapaExplorerDataModel
--- a/capa/ida/explorer/view.py
+++ b/capa/ida/explorer/view.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import idc
 import idaapi
 from PyQt5 import QtGui, QtCore, QtWidgets
--- a/capa/ida/helpers/init.py
+++ b/capa/ida/helpers/init.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import logging
 import datetime

--- a/capa/ida/ida_capa_explorer.py
+++ b/capa/ida/ida_capa_explorer.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import os
 import json
 import logging
--- a/capa/ida/plugin_helpers.py
+++ b/capa/ida/plugin_helpers.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import os
 import logging

--- a/capa/main.py
+++ b/capa/main.py
@@ -1,6 +1,8 @@
 #!/usr/bin/env python2
 """
 identify capabilities in programs.
+
+Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
 """
 import os
 import sys
@@ -413,41 +415,37 @@ def main(argv=None):
    parser = argparse.ArgumentParser(
        description=__doc__, epilog=epilog, formatter_class=argparse.RawDescriptionHelpFormatter
    )
-    parser.add_argument("sample", type=str, help="Path to sample to analyze")
+    parser.add_argument("sample", type=str, help="path to sample to analyze")
+    parser.add_argument("--version", action="version", version="%(prog)s {:s}".format(capa.version.__version__))
    parser.add_argument(
        "-r",
        "--rules",
        type=str,
        default=RULES_PATH_DEFAULT_STRING,
-        help="Path to rule file or directory, use embedded rules by default",
-    )
-    parser.add_argument("-t", "--tag", type=str, help="Filter on rule meta field values")
-    parser.add_argument("--version", action="store_true", help="Print the executable version and exit")
-    parser.add_argument("-j", "--json", action="store_true", help="Emit JSON instead of text")
-    parser.add_argument(
-        "-v", "--verbose", action="store_true", help="Enable verbose result document (no effect with --json)"
+        help="path to rule file or directory, use embedded rules by default",
    )
    parser.add_argument(
-        "-vv", "--vverbose", action="store_true", help="Enable very verbose result document (no effect with --json)"
+        "-f", "--format", choices=[f[0] for f in formats], default="auto", help="select sample format, %s" % format_help
    )
-    parser.add_argument("-d", "--debug", action="store_true", help="Enable debugging output on STDERR")
-    parser.add_argument("-q", "--quiet", action="store_true", help="Disable all output but errors")
+    parser.add_argument("-t", "--tag", type=str, help="filter on rule meta field values")
+    parser.add_argument("-j", "--json", action="store_true", help="emit JSON instead of text")
+    parser.add_argument(
+        "-v", "--verbose", action="store_true", help="enable verbose result document (no effect with --json)"
+    )
+    parser.add_argument(
+        "-vv", "--vverbose", action="store_true", help="enable very verbose result document (no effect with --json)"
+    )
+    parser.add_argument("-d", "--debug", action="store_true", help="enable debugging output on STDERR")
+    parser.add_argument("-q", "--quiet", action="store_true", help="disable all output but errors")
    parser.add_argument(
        "--color",
        type=str,
        choices=("auto", "always", "never"),
        default="auto",
-        help="Enable ANSI color codes in results, default: only during interactive session",
-    )
-    parser.add_argument(
-        "-f", "--format", choices=[f[0] for f in formats], default="auto", help="Select sample format, %s" % format_help
+        help="enable ANSI color codes in results, default: only during interactive session",
    )
    args = parser.parse_args(args=argv)

-    if args.version:
-        print(capa.version.__version__)
-        return 0
-
    if args.quiet:
        logging.basicConfig(level=logging.WARNING)
        logging.getLogger().setLevel(logging.WARNING)
--- a/capa/render/init.py
+++ b/capa/render/init.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import json

 import six
--- a/capa/render/default.py
+++ b/capa/render/default.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import collections

 import six
--- a/capa/render/utils.py
+++ b/capa/render/utils.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import six
 import termcolor

--- a/capa/render/verbose.py
+++ b/capa/render/verbose.py
@@ -13,6 +13,8 @@ example::
                 0x10003a13
                 0x10003415
                 0x10003797
+
+Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
 """
 import tabulate

--- a/capa/render/vverbose.py
+++ b/capa/render/vverbose.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import collections

 import tabulate
@@ -44,12 +46,15 @@ def render_statement(ostream, match, statement, indent=0):
        # so, we have to inline some of the feature rendering here.

        child = statement["child"]
-        value = rutils.bold2(child[child["type"]])

-        if child.get("description"):
-            ostream.write("count(%s(%s = %s)): " % (child["type"], value, child["description"]))
+        if child[child["type"]]:
+            value = rutils.bold2(child[child["type"]])
+            if child.get("description"):
+                ostream.write("count(%s(%s = %s)): " % (child["type"], value, child["description"]))
+            else:
+                ostream.write("count(%s(%s)): " % (child["type"], value))
        else:
-            ostream.write("count(%s(%s)): " % (child["type"], value))
+            ostream.write("count(%s): " % child["type"])

        if statement["max"] == statement["min"]:
            ostream.write("%d" % (statement["min"]))
@@ -79,11 +84,13 @@ def render_feature(ostream, match, feature, indent=0):

    ostream.write(feature["type"])
    ostream.write(": ")
-    ostream.write(rutils.bold2(feature[feature["type"]]))

-    if "description" in feature:
-        ostream.write(capa.rules.DESCRIPTION_SEPARATOR)
-        ostream.write(feature["description"])
+    if feature[feature["type"]]:
+        ostream.write(rutils.bold2(feature[feature["type"]]))
+
+        if "description" in feature:
+            ostream.write(capa.rules.DESCRIPTION_SEPARATOR)
+            ostream.write(feature["description"])

    render_locations(ostream, match)
    ostream.write("\n")
--- a/capa/rules.py
+++ b/capa/rules.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import uuid
 import codecs
 import logging
--- a/scripts/capafmt.py
+++ b/scripts/capafmt.py
@@ -5,6 +5,8 @@ Use the -i flag to update the rule in-place.
 Usage:

   $ python capafmt.py -i foo.yml
+
+Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
 """
 import sys
 import logging
--- a/scripts/hooks/post-commit
+++ b/scripts/hooks/post-commit
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
 # doesn't matter if this gets repeated later on in a hooks file

 # Use a console with emojis support for a better experience
--- a/scripts/hooks/pre-push
+++ b/scripts/hooks/pre-push
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
 # doesn't matter if this gets repeated later on in a hooks file

 # Use a console with emojis support for a better experience
--- a/scripts/import-to-ida.py
+++ b/scripts/import-to-ida.py
@@ -19,6 +19,8 @@ and then select the existing capa report from the file system.

 This script will verify that the report matches the workspace.
 Check the output window for any errors, and/or the summary of changes.
+
+Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
 """
 import json
 import logging
--- a/scripts/lint.py
+++ b/scripts/lint.py
@@ -4,6 +4,8 @@ Check the given capa rules for style issues.
 Usage:

   $ python scripts/lint.py rules/
+
+Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
 """
 import os
 import sys
--- a/scripts/migrate-rules.py
+++ b/scripts/migrate-rules.py
@@ -5,6 +5,8 @@ migrate rules and their namespaces.
 example:

    $ python scripts/migrate-rules.py migration.csv ./rules ./new-rules
+
+Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
 """
 import os
 import csv
--- a/scripts/setup-hooks.sh
+++ b/scripts/setup-hooks.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.

 set -euo pipefail

--- a/scripts/show-capabilities-by-function.py
+++ b/scripts/show-capabilities-by-function.py
@@ -39,6 +39,8 @@ Example::
      - set socket configuration
      - connect TCP socket
    ...
+
+Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
 """
 import os
 import sys
--- a/scripts/show-features.py
+++ b/scripts/show-features.py
@@ -55,6 +55,8 @@ Example::
    insn: 0x10001027: number(0x1)
    insn: 0x10001027: mnemonic(shl)
    ...
+
+Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
 """
 import sys
 import logging
--- a/setup.py
+++ b/setup.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import os
 import sys

--- a/tests/fixtures.py
+++ b/tests/fixtures.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import os
 import os.path
 import collections
--- a/tests/test_engine.py
+++ b/tests/test_engine.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import textwrap

 import capa.rules
--- a/tests/test_fmt.py
+++ b/tests/test_fmt.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import textwrap

 import capa.rules
--- a/tests/test_freeze.py
+++ b/tests/test_freeze.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import textwrap

 import capa.main
--- a/tests/test_helpers.py
+++ b/tests/test_helpers.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import codecs

 from capa.features.extractors import helpers
--- a/tests/test_main.py
+++ b/tests/test_main.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import textwrap

 import capa.main
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import textwrap

 import pytest
--- a/tests/test_viv_features.py
+++ b/tests/test_viv_features.py
@@ -1,3 +1,5 @@
+# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.
+
 import viv_utils

 import capa.features