From 0569f9b242d2db0b3b59a8ea2a4674533bef07e6 Mon Sep 17 00:00:00 2001
From: William Ballenthin
Date: Wed, 25 Aug 2021 16:36:08 -0600
Subject: [PATCH 1/3] lint: show mod/imp names per rule

fix bug where the same mod/imp name pair was shown for all rules
---
 scripts/lint.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/lint.py b/scripts/lint.py
index 4e467e3f..13f0a7a2 100644
--- a/scripts/lint.py
+++ b/scripts/lint.py
@@ -353,7 +353,7 @@ class FeatureNegativeNumber(Lint):
 class FeatureNtdllNtoskrnlApi(Lint):
     name = "feature api may overlap with ntdll and ntoskrnl"
     level = Lint.WARN
-    recommendation = (
+    recommendation_template = (
         "check if {:s} is exported by both ntdll and ntoskrnl; if true, consider removing {:s} "
         "module requirement to improve detection"
     )
@@ -363,7 +363,7 @@ class FeatureNtdllNtoskrnlApi(Lint):
             if isinstance(feature, capa.features.insn.API):
                 modname, _, impname = feature.value.rpartition(".")
                 if modname in ("ntdll", "ntoskrnl"):
-                    self.recommendation = self.recommendation.format(impname, modname)
+                    self.recommendation = self.recommendation_template.format(impname, modname)
                     return True
         return False

From 8195b7565fea25dc85cc7ee40c07bf2881add9f9 Mon Sep 17 00:00:00 2001
From: William Ballenthin
Date: Wed, 25 Aug 2021 16:36:36 -0600
Subject: [PATCH 2/3] lint: hardcoded some exports of ntdll/ntoskrnl to reduce warning spam

---
 scripts/lint.py | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/scripts/lint.py b/scripts/lint.py
index 13f0a7a2..ad2b9b11 100644
--- a/scripts/lint.py
+++ b/scripts/lint.py
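Review bot: `return True` fires on the first ntdll/ntoskrnl API feature found in the rule, so the formatted recommendation names only that one import and a rule with several such features gets a warning about just one of them; the remaining overlaps surface only after that one is fixed. Collecting the (impname, modname) pairs across the whole loop and formatting a single recommendation from all of them would report everything in one pass. The rename also removes `recommendation` as a class attribute on this lint; if the Lint base class does not supply a default, anything reading `lint.recommendation` before a match would hit an AttributeError — worth confirming, since I cannot see the base class here. check_features' signature lies outside the hunk.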
@@ -362,6 +362,49 @@ class FeatureNtdllNtoskrnlApi(Lint):
         for feature in features:
             if isinstance(feature, capa.features.insn.API):
                 modname, _, impname = feature.value.rpartition(".")
+
+                if modname == "ntdll":
+                    if impname in (
+                        "LdrGetProcedureAddress",
+                        "LdrLoadDll",
+                        "NtCreateThread",
+                        "NtCreatUserProcess",
+                        "NtLoadDriver",
+                        "NtQueryDirectoryObject",
+                        "NtResumeThread",
+                        "NtSuspendThread",
+                        "NtTerminateProcess",
+                        "NtWriteVirtualMemory",
+                        "RtlGetNativeSystemInformation",
+                        "NtCreateThreadEx",
+                        "NtCreateUserProcess",
+                        "NtOpenDirectoryObject",
+                        "NtQueueApcThread",
+                        "ZwResumeThread",
+                        "ZwSuspendThread",
+                        "ZwWriteVirtualMemory",
+                        "NtCreateProcess",
+                        "ZwCreateThread",
+                        "NtCreateProcessEx",
+                        "ZwCreateThreadEx",
+                        "ZwCreateProcess",
+                        "ZwCreateUserProcess",
+                        "RtlCreateUserProcess",
+                    ):
+                        # ntoskrnl.exe does not export these routines
+                        continue
+
+                if modname == "ntoskrnl":
+                    if impname in (
+                        "PsGetVersion",
+                        "PsLookupProcessByProcessId",
+                        "KeStackAttachProcess",
+                        "ObfDereferenceObject",
+                        "KeUnstackDetachProcess",
+                    ):
+                        # ntdll.dll does not export these routines
+                        continue
+
                 if modname in ("ntdll", "ntoskrnl"):
                     self.recommendation = self.recommendation_template.format(impname, modname)
                     return True

From 9a20bbd4e15abd24c53283fe9f188810717151ad Mon Sep 17 00:00:00 2001
From: William Ballenthin
Date: Wed, 25 Aug 2021 16:39:57 -0600
Subject: [PATCH 3/3] changelog

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c5bbc8cd..e44e32ed 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -70,6 +70,7 @@
 - main: fix `KeyError: 0` when reporting results @williballehtin #703
 - main: fix potential false negatives due to namespaces across scopes @williballenthin #721
+- linter: suppress some warnings about imports from ntdll/ntoskrnl @williballenthin #743
 
 ### capa explorer IDA Pro plugin
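Review bot: `"NtCreatUserProcess"` in the ntdll tuple is a typo — the correctly spelled `"NtCreateUserProcess"` already appears further down the same tuple — so that entry can never match and should be dropped. More importantly, these tuples hard-code a claim about two export tables that is hard to verify by eye, and to my recollection ntoskrnl does export several of the listed Zw* routines (ZwCreateThread, ZwWriteVirtualMemory, and on newer builds ZwResumeThread/ZwSuspendThread); if that is right, suppressing them silences exactly the overlap this lint exists to catch, and a rule keyed on `ntdll.ZwWriteVirtualMemory` would quietly miss a driver reaching the same routine through ntoskrnl — please regenerate both lists from actual export tables rather than hand-typing them, and note the Windows build they were checked against in the comment. Both tuples are also rebuilt on every feature iteration; hoist them to module-level constants, `NTDLL_ONLY_EXPORTS = frozenset({...})` and `NTOSKRNL_ONLY_EXPORTS = frozenset({...})`, and collapse each branch to `if modname == "ntdll" and impname in NTDLL_ONLY_EXPORTS: continue`. check_features' signature and its final `return False` lie outside the hunk.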