From b2b94e6a8e64aa60c35eea4f494ae97776a64f2d Mon Sep 17 00:00:00 2001
From: William Ballenthin
Date: Tue, 29 Jun 2021 10:52:07 -0600
Subject: [PATCH] main: load signatures in order of their basename

closes #656
---
 capa/main.py | 13 +++++++++++--
 ...vc_rtf_32_64.sig => 1_flare_msvc_rtf_32_64.sig} | Bin
 ...mfc_32_64.sig => 2_flare_msvc_atlmfc_32_64.sig} | Bin
 ...are_common_libs.sig => 3_flare_common_libs.sig} | Bin
 4 files changed, 11 insertions(+), 2 deletions(-)
 rename sigs/{flare_msvc_rtf_32_64.sig => 1_flare_msvc_rtf_32_64.sig} (100%)
 rename sigs/{flare_msvc_atlmfc_32_64.sig => 2_flare_msvc_atlmfc_32_64.sig} (100%)
 rename sigs/{flare_common_libs.sig => 3_flare_common_libs.sig} (100%)

diff --git a/capa/main.py b/capa/main.py
index 32ef811d..e76ff8c6 100644
--- a/capa/main.py
+++ b/capa/main.py
@@ -548,14 +548,23 @@ def get_signatures(sigs_path):
 if os.path.isfile(sigs_path):
 paths.append(sigs_path)
 elif os.path.isdir(sigs_path):
- logger.debug("reading signatures from directory %s", sigs_path)
+ logger.debug("reading signatures from directory %s", os.path.abspath(os.path.normpath(sigs_path)))
 for root, dirs, files in os.walk(sigs_path):
 for file in files:
 if file.endswith((".pat", ".pat.gz", ".sig")):
 sig_path = os.path.join(root, file)
- logger.debug("found signature: %s", sig_path)
 paths.append(sig_path)
+ # nicely normalize and format path so that debugging messages are clearer
+ paths = [os.path.abspath(os.path.normpath(path)) for path in paths]
+
+ # load signatures in deterministic order: the alphabetic sorting of filename.
+ # this means that `0_sigs.pat` loads before `1_sigs.pat`.
+ paths = sorted(paths, key=os.path.basename)
+
+ for path in paths:
+ logger.debug("found signature file: %s", path)
+
 return paths
diff --git a/sigs/flare_msvc_rtf_32_64.sig b/sigs/1_flare_msvc_rtf_32_64.sig
similarity index 100%
rename from sigs/flare_msvc_rtf_32_64.sig
rename to sigs/1_flare_msvc_rtf_32_64.sig
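Review bot: The sort key in `paths = sorted(paths, key=os.path.basename)` leaves ties unresolved, so the order is not fully deterministic as the comment above it claims: `os.walk` descends into subdirectories, and two signature files with the same basename in different directories keep whatever order the directory listing returned, which can differ between filesystems. Adding the full path as a tie-breaker closes that gap, `paths = sorted(paths, key=lambda p: (os.path.basename(p), p))`. The comparison is also plain string order, so `10_x.sig` would load before `2_x.sig`; the comment could say that numeric prefixes need zero-padding once there are more than nine files. If load order decides which library signature wins a match (not visible in this hunk), a reproducible order is what keeps results comparable between analysts' machines. The body of get_signatures begins before the hunk.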
diff --git a/sigs/flare_msvc_atlmfc_32_64.sig b/sigs/2_flare_msvc_atlmfc_32_64.sig
similarity index 100%
rename from sigs/flare_msvc_atlmfc_32_64.sig
rename to sigs/2_flare_msvc_atlmfc_32_64.sig
diff --git a/sigs/flare_common_libs.sig b/sigs/3_flare_common_libs.sig
similarity index 100%
rename from sigs/flare_common_libs.sig
rename to sigs/3_flare_common_libs.sig