From bb053561ef215034282fef0de11303811a07a6fb Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Wed, 5 Jul 2023 18:03:57 +0200 Subject: [PATCH 01/19] import-to-ida: decode MD5 to hex --- scripts/import-to-ida.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/import-to-ida.py b/scripts/import-to-ida.py index 058c2553..c0f788c6 100644 --- a/scripts/import-to-ida.py +++ b/scripts/import-to-ida.py @@ -28,6 +28,7 @@ Unless required by applicable law or agreed to in writing, software distributed is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. """ +import binascii import json import logging @@ -77,7 +78,7 @@ def main(): # # see: https://github.com/idapython/bin/issues/11 a = doc["meta"]["sample"]["md5"].lower() - b = ida_nalt.retrieve_input_file_md5().lower() + b = binascii.hexlify(ida_nalt.retrieve_input_file_md5()).decode("ascii").lower() if not a.startswith(b): logger.error("sample mismatch") return -2 From 169b3d60a81ff0ac8fc7be1ef2d1c67ea3292678 Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Wed, 5 Jul 2023 18:04:15 +0200 Subject: [PATCH 02/19] import-to-ida: update to use v5 JSON format closes #1584 --- scripts/import-to-ida.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/scripts/import-to-ida.py b/scripts/import-to-ida.py index c0f788c6..fd762f58 100644 --- a/scripts/import-to-ida.py +++ b/scripts/import-to-ida.py @@ -94,8 +94,11 @@ def main(): name = rule["meta"]["name"] ns = rule["meta"].get("namespace", "") - for va in rule["matches"].keys(): - va = int(va) + for address, match in rule["matches"]: + if address["type"] != "absolute": + continue + + va = address["value"] rows.append((ns, name, va)) # order by (namespace, name) so that like things show up together From 19a5ef8a644327f2fe436a73ccea390adaf95c6e Mon Sep 17 00:00:00 2001 
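Review bot: The comment kept as context above the changed line says IDA 7.4 can return the MD5 as ASCII hex with a trailing NUL (`b'84882C9D...EBB6\x00'`); if that is still what 7.4 returns, `binascii.hexlify()` would hex-encode those ASCII characters a second time and `a.startswith(b)` would report "sample mismatch" on exactly the version the workaround was written for. The new line presumably assumes newer IDA returns the 16 raw digest bytes, which hexlify handles correctly, so consider branching on the shape of the value: `raw = ida_nalt.retrieve_input_file_md5()` followed by `b = (binascii.hexlify(raw) if len(raw) == 16 else raw.rstrip(b"\x00")).decode("ascii").lower()`, and extending the comment to say which IDA versions return raw bytes versus hex text. main()'s body continues outside the hunk on both sides.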
From: Willi Ballenthin Date: Wed, 5 Jul 2023 18:21:03 +0200 Subject: [PATCH 03/19] import-to-ida: use existing result document json parser --- scripts/import-to-ida.py | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/scripts/import-to-ida.py b/scripts/import-to-ida.py index fd762f58..8b9b3471 100644 --- a/scripts/import-to-ida.py +++ b/scripts/import-to-ida.py @@ -29,13 +29,16 @@ Unless required by applicable law or agreed to in writing, software distributed See the License for the specific language governing permissions and limitations under the License. """ import binascii -import json import logging import ida_nalt import ida_funcs import ida_kernwin +import capa.rules +import capa.features.freeze +import capa.render.result_document + logger = logging.getLogger("capa") 
@@ -65,40 +68,37 @@ def main(): if not path: return 0 - with open(path, "rb") as f: - doc = json.loads(f.read().decode("utf-8")) - - if "meta" not in doc or "rules" not in doc: - logger.error("doesn't appear to be a capa report") - return -1 + result_doc = capa.render.result_document.ResultDocument.parse_file(path) + meta, capabilities = result_doc.to_capa() # in IDA 7.4, the MD5 hash may be truncated, for example: # wanted: 84882c9d43e23d63b82004fae74ebb61 # found: b'84882C9D43E23D63B82004FAE74EBB6\x00' # # see: https://github.com/idapython/bin/issues/11 - a = doc["meta"]["sample"]["md5"].lower() + a = meta["sample"]["md5"].lower() b = binascii.hexlify(ida_nalt.retrieve_input_file_md5()).decode("ascii").lower() if not a.startswith(b): logger.error("sample mismatch") return -2 rows = [] - for rule in doc["rules"].values(): - if rule["meta"].get("lib"): + for name in capabilities.keys(): + rule = result_doc.rules[name] + if rule.meta.lib: continue - if rule["meta"].get("capa/subscope"): + if rule.meta.is_subscope_rule: continue - if rule["meta"]["scope"] != "function": + if rule.meta.scope != capa.rules.Scope.FUNCTION: continue - name = rule["meta"]["name"] - ns = rule["meta"].get("namespace", "") - for address, match in rule["matches"]: - if address["type"] != "absolute": + ns = rule.meta.namespace + + for address, _ in rule.matches: + if address.type != capa.features.freeze.AddressType.ABSOLUTE: continue - va = address["value"] + va = address.value rows.append((ns, name, va)) # order by (namespace, name) so that like things show up together From 694143ce6bf31eca8669c05ef51262d29a97aad3 Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Wed, 5 Jul 2023 18:24:37 +0200 Subject: [PATCH 04/19] import-to-ida: use Metadata type not json document --- scripts/import-to-ida.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/import-to-ida.py b/scripts/import-to-ida.py index 8b9b3471..42c56445 100644 --- a/scripts/import-to-ida.py 
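Review bot: `ns = rule.meta.namespace` drops the `.get("namespace", "")` default the removed line had; if `RuleMetadata.namespace` is optional and unset for some rule, the row becomes `(None, name, va)` and the `(namespace, name)` ordering that follows the hunk would raise `TypeError` comparing `None` with `str`. `ns = rule.meta.namespace or ""` keeps the previous behaviour. main() continues outside the hunk on both sides.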
+++ b/scripts/import-to-ida.py @@ -28,8 +28,8 @@ Unless required by applicable law or agreed to in writing, software distributed is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. """ -import binascii import logging +import binascii import ida_nalt import ida_funcs @@ -76,7 +76,7 @@ def main(): # found: b'84882C9D43E23D63B82004FAE74EBB6\x00' # # see: https://github.com/idapython/bin/issues/11 - a = meta["sample"]["md5"].lower() + a = meta.sample.md5.lower() b = binascii.hexlify(ida_nalt.retrieve_input_file_md5()).decode("ascii").lower() if not a.startswith(b): logger.error("sample mismatch") From bf5b2612c89acfe6ae5923a610cf1bc9c1a3851b Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Wed, 5 Jul 2023 18:27:20 +0200 Subject: [PATCH 05/19] changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9334beea..23294012 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -46,6 +46,7 @@ - Add logging and print redirect to tqdm for capa main [#749](https://github.com/mandiant/capa/issues/749) [@Aayush-Goel-04](https://github.com/aayush-goel-04) - extractor: fix binja installation path detection does not work with Python 3.11 - tests: refine the IDA test runner script #1513 @williballenthin +- import-to-ida: fix bug introduced with JSON report changes in v5 #1584 @williballenthin ### capa explorer IDA Pro plugin From 5d1e26a95e477ab125743d3fd28134b3a249a42a Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Wed, 5 Jul 2023 18:34:41 +0200 Subject: [PATCH 06/19] update minimum supported python version to 3.8 --- .github/workflows/publish.yml | 2 +- .github/workflows/tests.yml | 4 ++-- CHANGELOG.md | 1 + capa/helpers.py | 2 +- capa/ida/plugin/README.md | 4 ++-- capa/main.py | 4 ++-- setup.py | 2 +- 7 files changed, 10 insertions(+), 9 deletions(-) 
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 520e0894..002a7095 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -15,7 +15,7 @@ jobs: - name: Set up Python uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0 with: - python-version: '3.7' + python-version: '3.8' - name: Install dependencies run: | python -m pip install --upgrade pip diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 64475f65..b6db661b 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -69,7 +69,7 @@ jobs: matrix: os: [ubuntu-20.04, windows-2019, macos-11] # across all operating systems - python-version: ["3.7", "3.11"] + python-version: ["3.8", "3.11"] include: # on Ubuntu run these as well - os: ubuntu-20.04 @@ -104,7 +104,7 @@ jobs: strategy: fail-fast: false matrix: - python-version: ["3.7", "3.11"] + python-version: ["3.8", "3.11"] steps: - name: Checkout capa with submodules # do only run if BN_SERIAL is available, have to do this in every step, see https://github.com/orgs/community/discussions/26726#discussioncomment-3253118 diff --git a/CHANGELOG.md b/CHANGELOG.md index 9334beea..a001f47f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ ### Breaking Changes - Update Metadata type in capa main [#1411](https://github.com/mandiant/capa/issues/1411) [@Aayush-Goel-04](https://github.com/aayush-goel-04) @manasghandat +- Python 3.8 is now the minimum supported Python version #1578 @williballenthin ### New Rules (21) diff --git a/capa/helpers.py b/capa/helpers.py index c03e0553..38bd2d56 100644 --- a/capa/helpers.py +++ b/capa/helpers.py 
@@ -155,7 +155,7 @@ def log_unsupported_runtime_error(): logger.error("-" * 80) logger.error(" Unsupported runtime or Python interpreter.") logger.error(" ") - logger.error(" capa supports running under Python 3.7 and higher.") + logger.error(" capa supports running under Python 3.8 and higher.") logger.error(" ") logger.error( " If you're seeing this message on the command line, please ensure you're running a supported Python version." diff --git a/capa/ida/plugin/README.md b/capa/ida/plugin/README.md index 6dd07002..4bf3616c 100644 --- a/capa/ida/plugin/README.md +++ b/capa/ida/plugin/README.md @@ -95,7 +95,7 @@ can update using the `Settings` button. ### Requirements -capa explorer supports Python versions >= 3.7.x and IDA Pro versions >= 7.4. The following IDA Pro versions have been tested: +capa explorer supports Python versions >= 3.8.x and IDA Pro versions >= 7.4. The following IDA Pro versions have been tested: * IDA 7.4 * IDA 7.5 @@ -105,7 +105,7 @@ capa explorer supports Python versions >= 3.7.x and IDA Pro versions >= 7.4. The * IDA 8.1 * IDA 8.2 -capa explorer is however limited to the Python versions supported by your IDA installation (which may not include all Python versions >= 3.7.x). +capa explorer is however limited to the Python versions supported by your IDA installation (which may not include all Python versions >= 3.8.x). If you encounter issues with your specific setup, please open a new [Issue](https://github.com/mandiant/capa/issues). diff --git a/capa/main.py b/capa/main.py index bdf0cec3..64b0509b 100644 --- a/capa/main.py +++ b/capa/main.py @@ -1072,8 +1072,8 @@ def handle_common_args(args): def main(argv=None): - if sys.version_info < (3, 7): - raise UnsupportedRuntimeError("This version of capa can only be used with Python 3.7+") + if sys.version_info < (3, 8): + raise UnsupportedRuntimeError("This version of capa can only be used with Python 3.8+") if argv is None: argv = sys.argv[1:] 
diff --git a/setup.py b/setup.py index 4a67c68c..52ad0a43 100644 --- a/setup.py +++ b/setup.py @@ -107,5 +107,5 @@ setuptools.setup( "Programming Language :: Python :: 3", "Topic :: Security", ], - python_requires=">=3.7", + python_requires=">=3.8", ) From dd2d5431a916e21eae99ea3d65cbfee0c449f77f Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Wed, 5 Jul 2023 18:44:12 +0200 Subject: [PATCH 07/19] setup: bump networkx to 3.1 since we now have python 3.8 as min version --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index 52ad0a43..85ce8ec0 100644 --- a/setup.py +++ b/setup.py @@ -20,7 +20,7 @@ requirements = [ "ida-settings==2.1.0", "viv-utils[flirt]==0.7.9", "halo==0.0.31", - "networkx==2.5.1", # newer versions no longer support py3.7. + "networkx==3.1", "ruamel.yaml==0.17.32", "vivisect==1.1.1", "pefile==2023.2.7", From 6a767600338a567ffcfc719c46b98e5fc51f0889 Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Wed, 5 Jul 2023 18:55:32 +0200 Subject: [PATCH 08/19] render: use fancy boxes closes #1586 --- capa/render/default.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/capa/render/default.py b/capa/render/default.py index 76659252..1bf1cf6d 100644 --- a/capa/render/default.py +++ b/capa/render/default.py @@ -40,7 +40,7 @@ def render_meta(doc: rd.ResultDocument, ostream: StringIO): ("path", doc.meta.sample.path), ] - ostream.write(tabulate.tabulate(rows, tablefmt="psql")) + ostream.write(tabulate.tabulate(rows, tablefmt="mixed_outline")) ostream.write("\n") @@ -102,7 +102,7 @@ def render_capabilities(doc: rd.ResultDocument, ostream: StringIO): if rows: ostream.write( - tabulate.tabulate(rows, headers=[width("CAPABILITY", 50), width("NAMESPACE", 50)], tablefmt="psql") + tabulate.tabulate(rows, headers=[width("Capability", 50), width("Namespace", 50)], tablefmt="mixed_outline") ) ostream.write("\n") else: 
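Review bot: The render_meta and render_capabilities hunks switch to `tablefmt="mixed_outline"` while the render_attack and render_mbc hunks in the same commit use `tablefmt="mixed_grid"`, and nothing says why the two styles differ. If grid is chosen because those rows can contain multi-line cells, a one-line comment at the first `mixed_grid` call, e.g. `# grid: rows may span several lines, so draw separators between them`, would keep the next edit from "harmonising" the formats. These formats also emit non-ASCII box-drawing characters, so the console encoding the caller ends up with matters for every table; that is worth a sentence in the changelog entry.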
@@ -148,7 +148,7 @@ def render_attack(doc: rd.ResultDocument, ostream: StringIO): if rows: ostream.write( tabulate.tabulate( - rows, headers=[width("ATT&CK Tactic", 20), width("ATT&CK Technique", 80)], tablefmt="psql" + rows, headers=[width("ATT&CK Tactic", 20), width("ATT&CK Technique", 80)], tablefmt="mixed_grid" ) ) ostream.write("\n") @@ -190,7 +190,7 @@ def render_mbc(doc: rd.ResultDocument, ostream: StringIO): if rows: ostream.write( - tabulate.tabulate(rows, headers=[width("MBC Objective", 25), width("MBC Behavior", 75)], tablefmt="psql") + tabulate.tabulate(rows, headers=[width("MBC Objective", 25), width("MBC Behavior", 75)], tablefmt="mixed_grid") ) ostream.write("\n") From 2b6cc6fee2dfe7034a39a89d9f881abb4574f5ab Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Wed, 5 Jul 2023 18:57:37 +0200 Subject: [PATCH 09/19] changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9334beea..ebc389e5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ ### New Features - Utility script to detect feature overlap between new and existing CAPA rules [#1451](https://github.com/mandiant/capa/issues/1451) [@Aayush-Goel-04](https://github.com/aayush-goel-04) +- use fancy box drawing characters for default output #1586 @williballenthin ### Breaking Changes - Update Metadata type in capa main [#1411](https://github.com/mandiant/capa/issues/1411) [@Aayush-Goel-04](https://github.com/aayush-goel-04) @manasghandat From 23ed0a5d9ddf88421e79c10a3928ed342afab30e Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Wed, 5 Jul 2023 19:06:33 +0200 Subject: [PATCH 10/19] main: don't leave behind traces of the progress bar --- CHANGELOG.md | 1 + capa/main.py | 2 +- scripts/lint.py | 2 +- scripts/profile-time.py | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9334beea..8ef51d71 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -46,6 +46,7 @@ - Add logging and print redirect to tqdm for capa main [#749](https://github.com/mandiant/capa/issues/749) [@Aayush-Goel-04](https://github.com/aayush-goel-04) - extractor: fix binja installation path detection does not work with Python 3.11 - tests: refine the IDA test runner script #1513 @williballenthin +- output: don't leave behind traces of progress bar @williballenthin ### capa explorer IDA Pro plugin diff --git a/capa/main.py b/capa/main.py index bdf0cec3..af52b82d 100644 --- a/capa/main.py +++ b/capa/main.py @@ -262,7 +262,7 @@ def find_capabilities(ruleset: RuleSet, extractor: FeatureExtractor, disable_pro functions = list(extractor.get_functions()) n_funcs = len(functions) - pb = pbar(functions, desc="matching", unit=" functions", postfix="skipped 0 library functions") + pb = pbar(functions, desc="matching", unit=" functions", postfix="skipped 0 library functions", leave=False) for f in pb: if extractor.is_library_function(f.address): function_name = extractor.get_function_name(f.address) diff --git a/scripts/lint.py b/scripts/lint.py index a80d3e12..8348cdea 100644 --- a/scripts/lint.py +++ b/scripts/lint.py @@ -873,7 +873,7 @@ def lint(ctx: Context): ret = {} source_rules = [rule for rule in ctx.rules.rules.values() if not rule.is_subscope_rule()] - with tqdm.contrib.logging.tqdm_logging_redirect(source_rules, unit="rule") as pbar: + with tqdm.contrib.logging.tqdm_logging_redirect(source_rules, unit="rule", leave=False) as pbar: with capa.helpers.redirecting_print_to_tqdm(False): for rule in pbar: name = rule.name diff --git a/scripts/profile-time.py b/scripts/profile-time.py index 09d125d8..7ce28962 100644 --- a/scripts/profile-time.py +++ b/scripts/profile-time.py 
@@ -109,7 +109,7 @@ def main(argv=None): args.sample, args.format, args.os, capa.main.BACKEND_VIV, sig_paths, should_save_workspace=False ) - with tqdm.tqdm(total=args.number * args.repeat) as pbar: + with tqdm.tqdm(total=args.number * args.repeat, leave=False) as pbar: def do_iteration(): capa.perf.reset() From 9bcd7678a43210fc76485c7177ecb122ba1730d6 Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Wed, 5 Jul 2023 19:14:15 +0200 Subject: [PATCH 11/19] main: fix console output on windows (in CI) --- capa/main.py | 16 ++++++++++++++++ setup.py | 2 +- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/capa/main.py b/capa/main.py index bdf0cec3..b8730326 100644 --- a/capa/main.py +++ b/capa/main.py @@ -8,6 +8,7 @@ Unless required by applicable law or agreed to in writing, software distributed is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. """ +import io import os import sys import time @@ -997,6 +998,21 @@ def handle_common_args(args): codecs.register(lambda name: codecs.lookup("utf-8") if name == "cp65001" else None) + if isinstance(sys.stdout, io.TextIOWrapper) or hasattr(sys.stdout, "reconfigure"): + # from sys.stdout type hint: + # + # TextIO is used instead of more specific types for the standard streams, + # since they are often monkeypatched at runtime. At startup, the objects + # are initialized to instances of TextIOWrapper. + # + # To use methods from TextIOWrapper, use an isinstance check to ensure that + # the streams have not been overridden: + # + # if isinstance(sys.stdout, io.TextIOWrapper): + # sys.stdout.reconfigure(...) + sys.stdout.reconfigure(encoding="utf-8") + colorama.just_fix_windows_console() + if args.color == "always": colorama.init(strip=False) elif args.color == "auto": diff --git a/setup.py b/setup.py index 4a67c68c..f68e64d9 100644 --- a/setup.py +++ b/setup.py 
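Review bot: Only `sys.stdout` is reconfigured to UTF-8; `logger` output and tracebacks go to `sys.stderr`, so on a console whose default encoding is not UTF-8, anything non-ASCII that reaches stderr can still raise `UnicodeEncodeError` after this change. Apply the same guarded call to stderr, e.g. `if hasattr(sys.stderr, "reconfigure"): sys.stderr.reconfigure(encoding="utf-8")`. The `isinstance(sys.stdout, io.TextIOWrapper)` half of the guard is subsumed at runtime by the `hasattr(..., "reconfigure")` half; if it is kept for the type checker, a short comment saying so would stop the next reader from simplifying it away. handle_common_args() continues outside the hunk on both sides.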
@@ -14,7 +14,7 @@ requirements = [ "tqdm==4.65.0", "pyyaml==6.0", "tabulate==0.9.0", - "colorama==0.4.5", + "colorama==0.4.6", "termcolor==2.3.0", "wcwidth==0.2.6", "ida-settings==2.1.0", From ba8040ace5b538168cb17e1e070dbc4b4cd108ba Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Wed, 5 Jul 2023 19:15:33 +0200 Subject: [PATCH 12/19] main: remove old codec registration for py3.7 --- capa/main.py | 7 ------- 1 file changed, 7 deletions(-) diff --git a/capa/main.py b/capa/main.py index 64b0509b..e2470d19 100644 --- a/capa/main.py +++ b/capa/main.py @@ -990,13 +990,6 @@ def handle_common_args(args): # disable vivisect-related logging, it's verbose and not relevant for capa users set_vivisect_log_level(logging.CRITICAL) - # Since Python 3.8 cp65001 is an alias to utf_8, but not for Python < 3.8 - # TODO: remove this code when only supporting Python 3.8+ - # https://stackoverflow.com/a/3259271/87207 - import codecs - - codecs.register(lambda name: codecs.lookup("utf-8") if name == "cp65001" else None) - if args.color == "always": colorama.init(strip=False) elif args.color == "auto": From b5a063b0d982be78d337cb819b59787d0c369c8c Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Wed, 5 Jul 2023 19:19:26 +0200 Subject: [PATCH 13/19] pep8 --- capa/render/default.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/capa/render/default.py b/capa/render/default.py index 1bf1cf6d..15e2a5e8 100644 --- a/capa/render/default.py +++ b/capa/render/default.py @@ -190,7 +190,9 @@ def render_mbc(doc: rd.ResultDocument, ostream: StringIO): if rows: ostream.write( - tabulate.tabulate(rows, headers=[width("MBC Objective", 25), width("MBC Behavior", 75)], tablefmt="mixed_grid") + tabulate.tabulate( + rows, headers=[width("MBC Objective", 25), width("MBC Behavior", 75)], tablefmt="mixed_grid" + ) ) ostream.write("\n") From 2e27745b5f481952ff1aa7b8654adf6683d74942 Mon Sep 17 00:00:00 2001 
From: Willi Ballenthin Date: Wed, 5 Jul 2023 19:30:55 +0200 Subject: [PATCH 14/19] setup: bump mypy hints for colorama --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index f68e64d9..872c277c 100644 --- a/setup.py +++ b/setup.py @@ -84,7 +84,7 @@ setuptools.setup( "mypy-protobuf==3.4.0", # type stubs for mypy "types-backports==0.1.3", - "types-colorama==0.4.15", + "types-colorama==0.4.15.11", "types-PyYAML==6.0.8", "types-tabulate==0.9.0.1", "types-termcolor==1.1.4", From 49ffbdd54d7d331dea3dc259f964d08cb86e0248 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Thu, 6 Jul 2023 08:04:33 +0000 Subject: [PATCH 15/19] Sync capa-testfiles submodule --- tests/data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/data b/tests/data index 76810b63..c2c61f05 160000 --- a/tests/data +++ b/tests/data @@ -1 +1 @@ -Subproject commit 76810b63f8bdf829d9b36133e961ea6c14967e8a +Subproject commit c2c61f05fbd8a7c3a6d5283dd05289507e0cbc2e From b57188e98c94b90b2b9ce47d3081fb8fd6870dc9 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Thu, 6 Jul 2023 08:17:32 +0000 Subject: [PATCH 16/19] Sync capa rules submodule --- CHANGELOG.md | 3 ++- README.md | 2 +- rules | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2e78e731..9334beea 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,7 +9,7 @@ ### Breaking Changes - Update Metadata type in capa main [#1411](https://github.com/mandiant/capa/issues/1411) [@Aayush-Goel-04](https://github.com/aayush-goel-04) @manasghandat -### New Rules (20) +### New Rules (21) - load-code/shellcode/execute-shellcode-via-windows-callback-function ervin.ocampo@mandiant.com jakub.jozwiak@mandiant.com - nursery/execute-shellcode-via-indirect-call ronnie.salomonsen@mandiant.com 
@@ -30,6 +30,7 @@ - persistence/office/act-as-office-com-add-in jakub.jozwiak@mandiant.com - persistence/office/act-as-word-wll-add-in jakub.jozwiak@mandiant.com - anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger michael.hunhoff@mandiant.com jakub.jozwiak@mandiant.com +- host-interaction/memory/create-new-application-domain-in-dotnet jakub.jozwiak@mandiant.com - ### Bug Fixes diff --git a/README.md b/README.md index 2458b9b5..cd748a5d 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ [![PyPI - Python Version](https://img.shields.io/pypi/pyversions/flare-capa)](https://pypi.org/project/flare-capa) [![Last release](https://img.shields.io/github/v/release/mandiant/capa)](https://github.com/mandiant/capa/releases) -[![Number of rules](https://img.shields.io/badge/rules-808-blue.svg)](https://github.com/mandiant/capa-rules) +[![Number of rules](https://img.shields.io/badge/rules-809-blue.svg)](https://github.com/mandiant/capa-rules) [![CI status](https://github.com/mandiant/capa/workflows/CI/badge.svg)](https://github.com/mandiant/capa/actions?query=workflow%3ACI+event%3Apush+branch%3Amaster) [![Downloads](https://img.shields.io/github/downloads/mandiant/capa/total)](https://github.com/mandiant/capa/releases) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) diff --git a/rules b/rules index 76eccb54..f109d758 160000 --- a/rules +++ b/rules @@ -1 +1 @@ -Subproject commit 76eccb548b502f83522d885c93256bfcd91ccc79 +Subproject commit f109d758ced8235892da97a5cfe31bcd6b09a4fa From 46ff798faed8feabb1722624266751442fc33be0 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Thu, 6 Jul 2023 09:26:23 +0000 Subject: [PATCH 17/19] Sync capa-testfiles submodule --- tests/data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/data b/tests/data index c2c61f05..bc0c0fe2 160000 --- a/tests/data +++ b/tests/data 
@@ -1 +1 @@ -Subproject commit c2c61f05fbd8a7c3a6d5283dd05289507e0cbc2e +Subproject commit bc0c0fe29a445be7da2a45c40e59cb9ad14651ec From 5bc85f39a6676c7b9e68804fceae3b9815807818 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Fri, 7 Jul 2023 06:26:34 +0000 Subject: [PATCH 18/19] Sync capa rules submodule --- CHANGELOG.md | 3 ++- README.md | 2 +- rules | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e5edae74..f461f392 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,7 +11,7 @@ - Update Metadata type in capa main [#1411](https://github.com/mandiant/capa/issues/1411) [@Aayush-Goel-04](https://github.com/aayush-goel-04) @manasghandat - Python 3.8 is now the minimum supported Python version #1578 @williballenthin -### New Rules (21) +### New Rules (22) - load-code/shellcode/execute-shellcode-via-windows-callback-function ervin.ocampo@mandiant.com jakub.jozwiak@mandiant.com - nursery/execute-shellcode-via-indirect-call ronnie.salomonsen@mandiant.com @@ -33,6 +33,7 @@ - persistence/office/act-as-word-wll-add-in jakub.jozwiak@mandiant.com - anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger michael.hunhoff@mandiant.com jakub.jozwiak@mandiant.com - host-interaction/memory/create-new-application-domain-in-dotnet jakub.jozwiak@mandiant.com +- host-interaction/gui/switch-active-desktop jakub.jozwiak@mandiant.com - ### Bug Fixes diff --git a/README.md b/README.md index cd748a5d..723671a4 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,7 @@ [![PyPI - Python Version](https://img.shields.io/pypi/pyversions/flare-capa)](https://pypi.org/project/flare-capa) [![Last release](https://img.shields.io/github/v/release/mandiant/capa)](https://github.com/mandiant/capa/releases) -[![Number of rules](https://img.shields.io/badge/rules-809-blue.svg)](https://github.com/mandiant/capa-rules) +[![Number of rules](https://img.shields.io/badge/rules-810-blue.svg)](https://github.com/mandiant/capa-rules) [![CI status](https://github.com/mandiant/capa/workflows/CI/badge.svg)](https://github.com/mandiant/capa/actions?query=workflow%3ACI+event%3Apush+branch%3Amaster) [![Downloads](https://img.shields.io/github/downloads/mandiant/capa/total)](https://github.com/mandiant/capa/releases) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) diff --git a/rules b/rules index f109d758..a2989e6b 160000 --- a/rules +++ b/rules @@ -1 +1 @@ -Subproject commit f109d758ced8235892da97a5cfe31bcd6b09a4fa +Subproject commit a2989e6ba5e145617d2aa3a23d365bff6f752284 From b8f277b3c6c5634f4caaaa3b1068222478e862f6 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Fri, 7 Jul 2023 06:26:53 +0000 Subject: [PATCH 19/19] Sync capa-testfiles submodule --- tests/data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/data b/tests/data index bc0c0fe2..8ff7e34c 160000 --- a/tests/data +++ b/tests/data @@ -1 +1 @@ -Subproject commit bc0c0fe29a445be7da2a45c40e59cb9ad14651ec +Subproject commit 8ff7e34ce00bad26b3199d49f14d260f17da2d48