extractors: viv: match flirt signatures [wip]

This commit is contained in:
William Ballenthin
2021-02-25 12:21:27 -07:00
parent 1b2c8880ee
commit bfcae0e754
3 changed files with 206 additions and 2 deletions


@@ -6,6 +6,7 @@
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and limitations under the License.
import viv_utils
import envi.memory
import envi.archs.i386.disasm
@@ -74,7 +75,6 @@ def extract_insn_api_features(f, bb, insn):
# example:
#
# call dword [0x00473038]
if insn.mnem not in ("call", "jmp"):
return
@@ -96,7 +96,7 @@ def extract_insn_api_features(f, bb, insn):
# call via thunk on x86,
# see 9324d1a8ae37a36ae560c37448c9705a at 0x407985
#
# this is also how calls to internal functions may be decoded on x64.
# this is also how calls to internal functions may be decoded on x32 and x64.
# see Lab21-01.exe_:0x140001178
#
# follow chained thunks, e.g. in 82bf6347acf15e5d883715dc289d8a2b at 0x14005E0FF in
@@ -111,6 +111,11 @@ def extract_insn_api_features(f, bb, insn):
if not target:
return
if f.vw.funcmeta.get(target, {}).get("capa/library"):
name = viv_utils.get_function_name(f.vw, target)
yield API(name), insn.va
return
for _ in range(THUNK_CHAIN_DEPTH_DELTA):
if target in imports:
dll, symbol = imports[target]