gitea-mirror/capa
1
0
Fork 0
mirror of https://github.com/mandiant/capa.git synced 2025-12-23 07:28:34 -08:00
Code Issues Packages Projects Releases Wiki Activity
3,753 Commits 45 Branches 48 Tags
65e8300145c3c158d2740b0345c0f77f53efab06
Commit Graph

64 Commits

Author SHA1 Message Date
Willi Ballenthin
65e8300145 introduce flake8-simplify 2023-07-12 11:40:44 +02:00
Willi Ballenthin
d89dd499b6 add issue links for TODOs 2023-07-09 23:55:36 +02:00
Willi Ballenthin
ae10a2ea34 introduce flake8-todos linter 2023-07-09 23:35:52 +02:00
Willi Ballenthin
4a49543d12 introduce flake8-print linter 2023-07-09 22:44:47 +02:00
Willi Ballenthin
13a8e252f0 introduce flake8-comprehensions 2023-07-06 20:04:27 +02:00
Pratham Chauhan
a260b35c9d --fix 2023-04-04 18:28:43 +05:30
Moritz
52de09a032 Fix byte/string extraction and unit tests (#1339) 
* Fix wrong expected results on string and bytes tests. Fix https://github.com/mandiant/capa/issues/1336

* Fix IDA insn/byte extractor checks wrong address. Fix https://github.com/mandiant/capa/issues/1327

* fix vivisect string check and tests

---------

Co-authored-by: Xusheng <xusheng@vector35.com>
 2023-03-02 10:33:14 +01:00
Moritz
6a222a6139 Update black (#1307) 
* build(deps-dev): bump black from 22.12.0 to 23.1.0

Bumps [black](https://github.com/psf/black) from 22.12.0 to 23.1.0.
- [Release notes](https://github.com/psf/black/releases)
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md)
- [Commits](https://github.com/psf/black/compare/22.12.0...23.1.0)

---
updated-dependencies:
- dependency-name: black
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* reformat black 23.1.0

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-02-07 15:50:15 +01:00
Moritz
ca91051d1a Fix string length >= 4 and remove bytes/string overlaps (#1298) 
* fix min string length >= 4

* feat: don't extract bytes for strings
 2023-02-01 14:53:16 +01:00
Mike Hunhoff
5f77200108 explorer: assume 32-bit displacement for offsets (#1250) 
* explorer: assume 32-bit displacement for offsets
 2022-12-29 07:08:10 -07:00
Mike Hunhoff
447cd95bc5 ida: add support for COFF and extern functions (#1223) 2022-12-12 16:36:44 -07:00
Moritz Raabe
716a73dfb4 feat: add handles and type annotations 2022-05-12 15:42:25 +02:00
Willi Ballenthin
808b7fb4dc dnfile: fix types 2022-04-08 18:33:12 -06:00
Willi Ballenthin
ed1009096d Merge branch 'master' of github.com:mandiant/capa into feature-981 2022-04-08 16:01:59 -06:00
Moritz
c8a772d19a test: update dotnet dirs and sync master (#984) 2022-04-08 09:34:22 -06:00
Moritz
65552575f8 Update dotnet-main (#979) 
* Sync capa rules submodule

* Sync capa-testfiles submodule

* Sync capa rules submodule

* changelog

* *: remove /x32 and /x64 flavors from number and offset features

* *: remove more references to /x32 and /x64

* linter: accept instruction scope

* rules: fix max operand index (4)

* API: better support A/W functions

* vverbose: show lib rule matches

* main: accept multiple paths to rules

* main: fix removal of default rules path

* lint: fix rules path

* changelog

* capa_as_library: fix rules path is list now

* main: better handle multiple rules paths

* main: bail if python 3.6 or below

closes #964

* ida: readme: remove python 3.6 support

* capa2yara: fix rules paths

* render: meta: display rule paths on separate lines

closes #971

* render: verbose: add doc

* verbose: make rule path multiline more concise

* vverbose: don't show examples in output

closes #970

* vverbose: render subscope name, like "basic block:"

closes #963

* build(deps-dev): bump pytest from 7.0.1 to 7.1.1

Bumps [pytest](https://github.com/pytest-dev/pytest) from 7.0.1 to 7.1.1.
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pytest-dev/pytest/compare/7.0.1...7.1.1)

---
updated-dependencies:
- dependency-name: pytest
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* ci: build: update pip and setuptools

* ci: build: bump pyinstall to v4.10

* Sync capa rules submodule

* Dotnet mixed mode detect (#969)

* feat: start dotnet detection (#955)

* feat: start dotnet detection

* Apply suggestions from code review

Co-authored-by: Willi Ballenthin <willi.ballenthin@gmail.com>

* refactor: dn instead of dotnet

* refactor: format branches, extractor reorg

* refactor: format selection and dotnet detect

* feat: get format, arch, os

* refactor: log errors and exceptions

* ci: also test and build for dotnet-main dev

* fix: import path

* fix: circular dep

* fix: remove buf argument
feat: get runtime meta data

* fix: log unsupported runtime error

* fix: type ignore

Co-authored-by: Willi Ballenthin <willi.ballenthin@gmail.com>

* fix: imports and add tests

* feat: detect mixed mode and tests

* feat: start dotnet detection (#955)

* feat: start dotnet detection

* Apply suggestions from code review

Co-authored-by: Willi Ballenthin <willi.ballenthin@gmail.com>

* refactor: dn instead of dotnet

* refactor: format branches, extractor reorg

* refactor: format selection and dotnet detect

* feat: get format, arch, os

* refactor: log errors and exceptions

* ci: also test and build for dotnet-main dev

* fix: import path

* fix: circular dep

* fix: remove buf argument
feat: get runtime meta data

* fix: log unsupported runtime error

* fix: type ignore

Co-authored-by: Willi Ballenthin <willi.ballenthin@gmail.com>

* fix: imports and add tests

Co-authored-by: Willi Ballenthin <willi.ballenthin@gmail.com>

* test: checkout submodules recursively

Co-authored-by: Capa Bot <capa-dev@mandiant.com>
Co-authored-by: Willi Ballenthin <willi.ballenthin@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-04-07 17:45:29 +02:00
Willi Ballenthin
6b810a1f72 ida: insn: look for numbers in displ, not phrase 2022-04-06 15:41:17 -06:00
Willi Ballenthin
c36bde0f2d ida: insn: ignore numbers when SIB present 2022-04-06 15:38:04 -06:00
Willi Ballenthin
1a44dd8a2b insn: better detect offset/numbers 2022-04-06 15:12:59 -06:00
Willi Ballenthin
e2c6f5e393 ida: insn: use .ea not .va 2022-04-06 15:03:24 -06:00
Willi Ballenthin
47dfeafdc8 ida, viv: implement extra offset/number extraction 2022-04-06 14:57:51 -06:00
Willi Ballenthin
ecabd557a7 *: remove /x32 and /x64 flavors from number and offset features 2022-04-05 10:35:41 -06:00
Willi Ballenthin
5ffb73c5f5 ida: insn: extract operand number and offset features 2022-04-04 15:13:43 -06:00
Mike Hunhoff
fb34b1674b improve handling _ prefix added to library functions as compile/link artifact (#924) 2022-03-25 13:34:39 -06:00
Moritz Raabe
00f977fff9 add call $+5 characteristic for IDA extractor 2022-03-01 08:50:06 +01:00
Moritz Raabe
8de69c639a s/fireeye/mandiant 2021-09-29 12:55:16 +02:00
William Ballenthin
f013815b2a features: rename legacy term arch to bitness 
makes space for upcoming feature `arch: ` for things like i386/amd64/aarch64
 2021-08-16 12:21:25 -06:00
Michael Hunhoff
c9b7162a5f update IDA extractor to use non-canon mnemonics 2021-07-27 13:34:52 -06:00
Moritz Raabe
04b5949a05 address Mike's feedback 2021-06-29 08:57:43 +02:00
Moritz Raabe
18c87e4e55 ida extract library funcs identified via flirt 2021-06-29 08:49:48 +02:00
William Ballenthin
954ed3a408 pep8 2021-06-09 22:22:03 -06:00
William Ballenthin
ac59e50b5f move capa/features/__init__.py logic to common.py 
also cleanup imports across the board,
thanks to pylance.
 2021-06-09 22:20:53 -06:00
William Ballenthin
3111593ab8 pep8 2021-04-26 08:34:36 -06:00
Moritz Raabe
9b5aaa40de improve bytes feature extraction 2021-02-01 17:17:22 +01:00
Moritz Raabe
08c3372635 add more xor instructions 2020-12-08 09:21:50 +01:00
Moritz Raabe
69a4b99d70 extract apis called via jmp 
closes #337
 2020-10-21 12:39:45 +02:00
Moritz Raabe
9a738ba413 extract api features for thunk chains 
closes #341
 2020-10-20 14:49:09 +02:00
Michael Hunhoff
235d9d4ab5 improve detection of APIs called via two or more chained thunks 2020-10-15 14:31:23 -06:00
David Cannings
854e586f40 Fix #280: Test if op is an offset 
Check whether the auto-analyser (or user) has marked an operand as an offset, instead of checking whether the value is mapped.
 2020-09-05 16:00:36 +01:00
William Ballenthin
99d5f06383 pep8 2020-09-01 15:50:24 -06:00
William Ballenthin
2b2656c2a3 features: extractors: merge import and API variant generators 2020-09-01 01:04:51 -06:00
Michael Hunhoff
3772c5c0bc add additional nzxor stack cookie check for IDA extractor 2020-08-27 12:32:44 -06:00
Moritz Raabe
34e7991081 black 20.8b1 updates 2020-08-27 11:26:28 +02:00
Willi Ballenthin
744b4915c9 Merge pull request #226 from fireeye/enhancement-223 
IDA: resolve nested data references to strings/bytes
 2020-08-12 09:05:11 -06:00
Michael Hunhoff
791afd7ac8 adding code to emit number feature for unmapped immediate data reference 2020-08-11 14:12:41 -06:00
Michael Hunhoff
79d94144c6 adding IDA extractor code to resolve nested data references for string and bytes features 2020-08-11 08:44:44 -06:00
William Ballenthin
f993efb8f4 extractors: ida: cache data using shared context not globals 
attempts to close #218
 2020-08-04 10:23:47 -06:00
William Ballenthin
8b7a8b0956 rules: address comments in #216 2020-08-04 10:10:52 -06:00
William Ballenthin
b81b5e5993 rules: add support for arch flavors of Number and Offset features 
closes #210
 2020-08-03 16:28:47 -06:00
William Ballenthin
7236283b2f tests: ida: address comments 2020-07-25 11:40:04 -06:00