From d210645aee8dd5492d43d9118e62deedefbf8385 Mon Sep 17 00:00:00 2001
From: Moritz
Date: Fri, 1 Jul 2022 17:37:56 +0200
Subject: [PATCH] fix: api handling workaround (#1079)

* fix: api handling workaround
* fix: workaround .NET api handling
---
 scripts/capa2yara.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/scripts/capa2yara.py b/scripts/capa2yara.py
index 835c1b41..06a1d031 100644
--- a/scripts/capa2yara.py
+++ b/scripts/capa2yara.py
@@ -180,7 +180,15 @@ def convert_rule(rule, rulename, cround, depth):
 logger.info("doing api: " + repr(api))
 # e.g. kernel32.CreateNamedPipe => look for kernel32.dll and CreateNamedPipe
- if "." in api:
+ # TODO: improve .NET API call handling
+ if "::" in api:
+ mod, api = api.split("::")
+
+ var_name = "api_" + var_names.pop(0)
+ yara_strings += "\t$" + var_name + " = /\\b" + api + "(A|W)?\\b/ ascii wide\n"
+ yara_condition += "\t$" + var_name + " "
+
+ elif api.count(".") == 1:
 dll, api = api.split(".")
 # usage of regex is needed and /i because string search for "CreateMutex" in imports() doesn't look for e.g. CreateMutexA