Commit Graph

6182 Commits

Author SHA1 Message Date
Capa Bot 7e06ba0ffe Sync capa rules submodule 2026-05-15 19:12:21 +00:00
Capa Bot d889085aad Sync capa rules submodule 2026-05-15 18:22:47 +00:00
Capa Bot cb5f56a02c Sync capa rules submodule 2026-05-15 14:06:20 +00:00
Capa Bot 5e8d8ac994 Sync capa rules submodule 2026-05-15 10:32:59 +00:00
dependabot[bot] 8acb79ab7b build(deps-dev): bump mypy from 1.20.0 to 2.1.0 (#3070)
* build(deps-dev): bump mypy from 1.20.0 to 2.1.0

Bumps [mypy](https://github.com/python/mypy) from 1.20.0 to 2.1.0.
- [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md)
- [Commits](https://github.com/python/mypy/compare/v1.20.0...v2.1.0)

---
updated-dependencies:
- dependency-name: mypy
  dependency-version: 2.1.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix mypy lints

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Mike Hunhoff <mike.hunhoff@gmail.com>
2026-05-13 15:05:51 -06:00
Capa Bot 4618822884 Sync capa-testfiles submodule 2026-05-13 17:50:02 +00:00
dependabot[bot] f9973d71be build(deps): bump markdown-it-py from 4.0.0 to 4.2.0 (#3071)
Bumps [markdown-it-py](https://github.com/executablebooks/markdown-it-py) from 4.0.0 to 4.2.0.
- [Release notes](https://github.com/executablebooks/markdown-it-py/releases)
- [Changelog](https://github.com/executablebooks/markdown-it-py/blob/master/CHANGELOG.md)
- [Commits](https://github.com/executablebooks/markdown-it-py/compare/v4.0.0...v4.2.0)

---
updated-dependencies:
- dependency-name: markdown-it-py
  dependency-version: 4.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-13 11:28:45 -06:00
dependabot[bot] dba405912d build(deps-dev): bump pytest from 9.0.2 to 9.0.3 (#3064)
Bumps [pytest](https://github.com/pytest-dev/pytest) from 9.0.2 to 9.0.3.
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pytest-dev/pytest/compare/9.0.2...9.0.3)

---
updated-dependencies:
- dependency-name: pytest
  dependency-version: 9.0.3
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Mike Hunhoff <mike.hunhoff@gmail.com>
2026-05-13 11:26:51 -06:00
dependabot[bot] 237a9bd995 build(deps-dev): bump build from 1.4.0 to 1.5.0 (#3067)
Bumps [build](https://github.com/pypa/build) from 1.4.0 to 1.5.0.
- [Release notes](https://github.com/pypa/build/releases)
- [Changelog](https://github.com/pypa/build/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pypa/build/compare/1.4.0...1.5.0)

---
updated-dependencies:
- dependency-name: build
  dependency-version: 1.5.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-11 14:04:25 -06:00
dependabot[bot] 2f35d9cd2a build(deps-dev): bump mypy-protobuf from 5.0.0 to 5.1.0 (#3068)
Bumps [mypy-protobuf](https://github.com/nipunn1313/mypy-protobuf) from 5.0.0 to 5.1.0.
- [Changelog](https://github.com/nipunn1313/mypy-protobuf/blob/main/CHANGELOG.md)
- [Commits](https://github.com/nipunn1313/mypy-protobuf/compare/v5.0.0...v5.1.0)

---
updated-dependencies:
- dependency-name: mypy-protobuf
  dependency-version: 5.1.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-11 14:02:59 -06:00
Willi Ballenthin 61adf156ee tests: xfail a few known Ghidra analysis failures 2026-05-11 11:14:28 +02:00
Willi Ballenthin a1ff01bc44 fix: Windows path reference in main 2026-05-11 11:14:28 +02:00
Willi Ballenthin 2cd07666bf changelog 2026-05-11 11:14:28 +02:00
Willi Ballenthin a82f4aea88 bump submodules 2026-05-11 11:14:28 +02:00
Willi Ballenthin 9ba497f6f7 idalib: remove custom idalib loading 2026-05-11 11:14:28 +02:00
Willi Ballenthin b5f81e30f0 tests: add negative substring feature test fixture 2026-05-11 11:14:28 +02:00
Willi Ballenthin eb258c719f tests: cleanup tests and fixtures 2026-05-11 11:14:28 +02:00
Willi Ballenthin 2604c91668 fix: lints 2026-05-11 11:14:28 +02:00
Willi Ballenthin 3e2c017dfd tests: ida: better handle stale databases and concurrent access 2026-05-11 11:14:28 +02:00
Willi Ballenthin 018e5b45e5 tests: cleanup tests and fixtures 2026-05-11 11:14:28 +02:00
Willi Ballenthin 745cb037d4 rules: parse operand features 2026-05-11 11:14:28 +02:00
Willi Ballenthin 251a4e285f tests: consolidate feature test fixtures and runners 2026-05-11 11:14:28 +02:00
Willi Ballenthin 9fd4f8dd74 tests: migrate to data-driven fixtures 2026-05-11 11:14:28 +02:00
Willi Ballenthin 65573944d7 rules: introduce helper to parse features from parts 2026-05-11 11:14:28 +02:00
Willi Ballenthin 5a60f3a0f8 fix: register all data-ref addresses for imports in Ghidra helpers
The original code stored only one IAT address per import (addr=0 fallback
on master, addr=first with break in prior fix). When an import has multiple
data references, instruction-level lookups could miss the one actually
referenced, breaking API feature extraction and causing spurious
cross-section-flow characteristics.

Collect all data-ref addresses into a list and register the import under
each, matching how map_fake_import_addrs already stores all refs. Also
preserves ex_loc registration when no data refs exist.
2026-05-08 17:58:07 +02:00
Willi Ballenthin 99b3cfe096 fix: use singular get_segment_at API in binja file string extractor 2026-05-08 17:58:07 +02:00
Willi Ballenthin a28fcce72b fix: linter tests needing placeholder rule sets to function 2026-05-08 17:58:07 +02:00
Willi Ballenthin 5ca6c3e35b gitignore: script test temp files 2026-05-08 17:58:07 +02:00
Willi Ballenthin b505ba7621 fix: remove unused imports and un-suppress F401
closes #2996
2026-05-08 17:58:07 +02:00
Willi Ballenthin 309231f261 fix: ghidra and binja file strings yield FileOffsetAddress
Both extractors were yielding AbsoluteVirtualAddress for file-scope strings,
inconsistent with all other backends (common, pefile, elffile, viv, ida)
which yield FileOffsetAddress. Convert VAs to file offsets using each
backend's respective API.
2026-05-08 17:58:07 +02:00
Willi Ballenthin 57e730fad2 fix: binja embedded PE yields FileOffsetAddress via segment data_offset
carve_pe returns offsets into a raw byte buffer read from the segment.
Convert to file offset using the segment's data_offset rather than
emitting a virtual address.
2026-05-08 17:58:07 +02:00
Willi Ballenthin c9cb43a839 fix: elffile imports use AbsoluteVirtualAddress for ELF r_offset
ELF r_offset in executables/shared objects is a virtual address (GOT slot),
not a file offset. Only relocatable .o files use file offsets, which capa
does not analyze.
2026-05-08 17:58:07 +02:00
Willi Ballenthin 9b93e90e63 fix: wrap binja function name addresses in AbsoluteVirtualAddress 2026-05-08 17:58:07 +02:00
Willi Ballenthin 4e80400711 fix: ghidra: don't emit VAs for embedded PEs 2026-05-08 17:58:07 +02:00
Willi Ballenthin 330b64137e fix: ida: correctly emit file offsets for embedded PEs 2026-05-08 17:58:07 +02:00
Willi Ballenthin 43d65361ce gitignore: CLAUDE.local.md 2026-05-08 17:58:07 +02:00
Willi Ballenthin 8fca21f808 linter: validate dynamic example offsets
closes #3058
2026-05-08 17:58:07 +02:00
Willi Ballenthin 8e464e6041 fix: formatting 2026-05-08 17:58:07 +02:00
Willi Ballenthin 555bbdecda fix: guard getByteDef against None for unmapped addresses in viv insn extractor 2026-05-08 17:58:07 +02:00
Willi Ballenthin c8d47085ee fix: remove unused imports from cache-ruleset.py, detect-binexport2-capabilities.py, show-capabilities-by-function.py
Removes capa.engine, capa.helpers, capa.features, and capa.features.insn
imports that were never referenced in each script. Adds missing capa.loader
import to show-capabilities-by-function.py which was already being used.
2026-05-08 17:58:07 +02:00
Willi Ballenthin 7a8a0acaa9 fix: remove dead except ValueError clause in capa2sarif.py so JSONDecodeError is caught correctly
json.JSONDecodeError is a subclass of ValueError, so the broader except ValueError
was shadowing the more specific handler, making it unreachable. Keep only the
specific except json.JSONDecodeError handler.
2026-05-08 17:58:07 +02:00
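An added illustration of the exception-ordering problem described in the commit above (example code written for this page, not capa's capa2sarif.py; the truncated JSON input is constructed): because json.JSONDecodeError subclasses ValueError, an `except ValueError` clause listed first catches the decode error and leaves the specific clause unreachable.

```python
import json

# Constructed sample input (not from the capa repository): a truncated
# capa JSON document, which json.loads rejects with JSONDecodeError.
TRUNCATED_JSON = b'{"meta": {"version": "7.0.0"}, "rules": '


def decode_error_is_valueerror() -> bool:
    # The root cause: JSONDecodeError inherits from ValueError, so an
    # `except ValueError` clause also catches JSONDecodeError.
    return issubclass(json.JSONDecodeError, ValueError)


def load_before(data: bytes) -> str:
    # The pre-fix shape described in the commit message (kept on purpose
    # to show the problem): the broad clause is listed first, so the
    # specific clause beneath it can never execute.
    try:
        json.loads(data)
    except ValueError:
        return "handled by: except ValueError"
    except json.JSONDecodeError:  # dead code: shadowed by the clause above
        return "handled by: except json.JSONDecodeError"
    return "ok"


def load_after(data: bytes) -> str:
    # The fix: keep only the specific handler. If a broad ValueError
    # handler is really needed it must come *after* the specific one,
    # because Python tries except clauses top to bottom.
    try:
        json.loads(data)
    except json.JSONDecodeError as e:
        return f"handled by: except json.JSONDecodeError (char {e.pos})"
    return "ok"


if __name__ == "__main__":
    print(decode_error_is_valueerror())
    print(load_before(TRUNCATED_JSON))
    print(load_after(TRUNCATED_JSON))
```

Linters do not flag the shadowed clause, so the ordering is only caught by a test that feeds malformed JSON and asserts on which branch ran.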
Willi Ballenthin 7d8714098c fix: dedent bulk-process.py main() body so explicit argv is used
The entire main() body was indented inside `if argv is None:`, causing
main() to silently return None when called with an explicit argv list.

Closes SURF-90.
2026-05-08 17:58:07 +02:00
Willi Ballenthin a938c87fa4 fix: guard statistics calls in compare-backends.py against empty duration lists
When all runs for a backend fail, durations_by_backend[backend] is empty,
causing StatisticsError from statistics.quantiles (needs >= 2 points) and
statistics.mean (needs >= 1 point). Print placeholder messages instead.
2026-05-08 17:58:07 +02:00
Willi Ballenthin 604fae3519 fix: replace zipfile with pyzipper in minimize_vmray_results.py so output archive is AES-encrypted
zipfile.ZipFile.setpassword() only affects reads; writing encrypted entries requires pyzipper with WZ_AES encryption. Add pyzipper to scripts optional dependencies.
2026-05-08 17:58:07 +02:00
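An added demonstration of the zipfile behaviour the commit above relies on (example code written for this page, not the project's minimize_vmray_results.py; the payload is constructed). With the standard library, `ZipFile.setpassword()` only affects extraction, so an archive written that way has the encryption flag clear and is readable without a password; pyzipper's `AESZipFile` with `encryption=pyzipper.WZ_AES` is the replacement, and the block falls back to skipping that part if pyzipper is not installed.

```python
import io
import zipfile
from typing import Optional

# Constructed payload, not real VMRay output.
PAYLOAD = b'{"constructed": "sample vmray result", "not_real": true}'
ENTRY = "result.json"


def write_with_zipfile(password: bytes) -> bytes:
    # Pre-fix shape: stdlib zipfile with setpassword(). The password is only
    # used when *reading* encrypted entries; it is silently ignored on write.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.setpassword(password)
        zf.writestr(ENTRY, PAYLOAD)
    return buf.getvalue()


def write_with_pyzipper(password: bytes) -> Optional[bytes]:
    # The fix: pyzipper's AESZipFile writes WinZip AES-encrypted entries.
    # Returns None when pyzipper is not installed so the rest still runs.
    try:
        import pyzipper
    except ImportError:
        return None
    buf = io.BytesIO()
    with pyzipper.AESZipFile(
        buf, "w", compression=pyzipper.ZIP_DEFLATED, encryption=pyzipper.WZ_AES
    ) as zf:
        zf.setpassword(password)
        zf.writestr(ENTRY, PAYLOAD)
    return buf.getvalue()


def entry_is_encrypted(archive: bytes) -> bool:
    # Bit 0 of the general-purpose flag in the central directory marks an
    # encrypted entry; it is what a sandbox or mail gateway looks at.
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return bool(zf.getinfo(ENTRY).flag_bits & 0x1)


def readable_without_password(archive: bytes) -> bool:
    # An unencrypted entry can be read by anyone who obtains the archive.
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            return zf.read(ENTRY) == PAYLOAD
    except (RuntimeError, NotImplementedError):
        # stdlib raises RuntimeError for a missing password and
        # NotImplementedError for AES (compress_type 99) entries.
        return False


if __name__ == "__main__":
    plain = write_with_zipfile(b"infected")
    print("stdlib encrypted flag:", entry_is_encrypted(plain))
    print("stdlib readable without password:", readable_without_password(plain))
    aes = write_with_pyzipper(b"infected")
    print("pyzipper available:", aes is not None)
```

The `entry_is_encrypted` check is a cheap post-write assertion to keep in any script whose purpose is to ship malware samples or analysis results under a password: it turns a silent no-op into a failing test.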
Willi Ballenthin e474e477f1 fix: assign yara_strings/yara_condition to empty string when Some has cmin=0 to prevent UnboundLocalError 2026-05-08 17:58:07 +02:00
Willi Ballenthin ae4c2ec82d fix: parenthesize s_type checks in capa2yara so kid.name guard applies to And/Or/Not uniformly
Without parentheses, Python's operator precedence caused `kid.name != "Some"`
to only guard the `Not` branch; `And` and `Or` kids named `"Some"` would
bypass the Some-handling block and enter recursive convert_rule unguarded.
2026-05-08 17:58:07 +02:00
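An added model of the precedence bug in the commit above (example code written for this page, not capa2yara's convert_rule; the `Stmt` tree with its `s_type`, `name` and `count` fields is an assumed simplification of capa's statement classes). `and` binds tighter than `or`, so `A or B or C and D` is `A or B or (C and D)`: only the last kind is guarded, and a "Some" node typed as And or Or is recursed into generically instead of getting its dedicated handling.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Assumed minimal statement tree for this demonstration: `s_type` is the
# node kind the converter checks, `name` is the engine-level name (here
# "Some" marks an "N or more" statement). Only the guard's behaviour matters.
@dataclass
class Stmt:
    s_type: str
    name: str
    count: int = 0
    children: List["Stmt"] = field(default_factory=list)


def guard_before(kid: Stmt) -> bool:
    # Pre-fix shape: parses as  A or B or (C and kid.name != "Some"),
    # so the name guard only applies to the "Not" branch.
    return kid.s_type == "And" or kid.s_type == "Or" or kid.s_type == "Not" and kid.name != "Some"


def guard_after(kid: Stmt) -> bool:
    # Fixed: parentheses apply the name guard to all three kinds.
    return (kid.s_type == "And" or kid.s_type == "Or" or kid.s_type == "Not") and kid.name != "Some"


def walk(node: Stmt, guard: Callable[[Stmt], bool]) -> List[Tuple[str, str]]:
    # Mimics the converter's dispatch: generic recursion for And/Or/Not,
    # dedicated handling for "Some" (which needs its count, e.g. `2 of them`).
    trace: List[Tuple[str, str]] = []
    for kid in node.children:
        if guard(kid):
            trace.append(("recurse", kid.s_type))
            trace.extend(walk(kid, guard))
        elif kid.name == "Some":
            trace.append(("some", f"{kid.count} of them"))
        else:
            trace.append(("leaf", kid.name))
    return trace


# Constructed tree: an Or whose kids include a "Some" typed as And, a "Some"
# typed as Not, and a plain leaf.
ROOT = Stmt("Or", "Or", children=[
    Stmt("And", "Some", count=2, children=[Stmt("Leaf", "api(CreateFile)")]),
    Stmt("Not", "Some", count=1),
    Stmt("Leaf", "string(foo)"),
])


if __name__ == "__main__":
    print("before:", walk(ROOT, guard_before))
    print("after: ", walk(ROOT, guard_after))
```

With the unparenthesized guard the first kid is recursed into and its `count` is lost, which is exactly the kind of silent miscompilation that produces a YARA condition looser than the capa rule it was derived from.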
Willi Ballenthin fc7f0533d7 fix: correct operator precedence in FeatureRegexRegistryControlSetMatchIncomplete
The `or "currentcontrolset" in pat` branch triggered the lint for any
regex containing "currentcontrolset", even unrelated paths like
HKLM\Software\CurrentControlSet that don't need the system\\ fix.

Fix by requiring "system\\\\" in both branches of the condition.
2026-05-08 17:58:07 +02:00
Willi Ballenthin 861f3b8619 fix: FeatureRegexRegistryControlSetMatchIncomplete checks all Regex features
Dedent `return False` out of the `for` loop body so the method examines
every Regex feature instead of short-circuiting after the first one.
2026-05-08 17:58:07 +02:00
Willi Ballenthin bfa09f817b fix: guard MissingStaticScope and MissingDynamicScope against absent scopes dict
When rule.meta lacks a "scopes" key, rule.meta.get("scopes") returns None
and "static"/"dynamic" not in None raises TypeError, crashing lint_rule.
Add isinstance(scopes, dict) guard so both checks return False (no violation)
when scopes is absent, letting MissingScopes report the real problem.
2026-05-08 17:58:07 +02:00
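An added miniature of the three linter fixes above, the ControlSet regex condition (both branches requiring `system\\`), the `return False` moved out of the `for` loop so every Regex feature is examined, and the `isinstance(scopes, dict)` guard (example code written for this page, not capa's lint.py; the dict-based rule layout and the exact ControlSet condition are simplified assumptions, and the rules are constructed).

```python
from typing import Any, Dict, Iterator, List

# Assumed rule shape for this demonstration: a `meta` mapping plus a nested
# feature tree mirroring the YAML layout. The real linter works on parsed
# Rule objects, not dicts.
Rule = Dict[str, Any]


def iter_regex_features(node: Any) -> Iterator[str]:
    # Walk the nested feature tree and yield every regex feature's value.
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "regex":
                yield value
            else:
                yield from iter_regex_features(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_regex_features(item)


def missing_scopes(rule: Rule) -> bool:
    return "scopes" not in rule["meta"]


def missing_static_scope(rule: Rule) -> bool:
    scopes = rule["meta"].get("scopes")
    if not isinstance(scopes, dict):
        # No scopes mapping at all: `"static" not in None` would raise
        # TypeError, so report no violation and let missing_scopes fire.
        return False
    return "static" not in scopes


def missing_dynamic_scope(rule: Rule) -> bool:
    scopes = rule["meta"].get("scopes")
    if not isinstance(scopes, dict):
        return False
    return "dynamic" not in scopes


def regex_controlset_incomplete(rule: Rule) -> bool:
    # Simplified stand-in for the ControlSet lint (assumed logic, not capa's
    # exact condition): flag a regex that matches `system\\currentcontrolset`
    # literally, since the same keys also appear under `controlset001` etc.
    # Both halves require `system\\`, so an unrelated path such as
    # HKLM\Software\CurrentControlSet is not flagged. The `return False`
    # sits *after* the loop so every regex feature is examined.
    for pat in iter_regex_features(rule.get("features", [])):
        pat = pat.lower()
        if "system\\\\" in pat and "currentcontrolset" in pat and "controlset\\d" not in pat:
            return True
    return False


def lint_rule(rule: Rule) -> List[str]:
    checks = {
        "missing scopes": missing_scopes,
        "missing static scope": missing_static_scope,
        "missing dynamic scope": missing_dynamic_scope,
        "regex registry ControlSet match incomplete": regex_controlset_incomplete,
    }
    return [name for name, check in checks.items() if check(rule)]


# Constructed rules, not from capa-rules.
NO_SCOPES = {"meta": {"name": "constructed rule A"}, "features": []}
DYNAMIC_ONLY = {"meta": {"name": "constructed rule B", "scopes": {"dynamic": "thread"}}, "features": []}
REGEX_RULE = {
    "meta": {"name": "constructed rule C", "scopes": {"static": "function", "dynamic": "thread"}},
    "features": [{"or": [
        {"regex": r"/hklm\\software\\currentcontrolset/i"},        # unrelated path: clean
        {"regex": r"/system\\currentcontrolset\\services\\/i"},   # second feature: flagged
    ]}],
}


if __name__ == "__main__":
    for r in (NO_SCOPES, DYNAMIC_ONLY, REGEX_RULE):
        print(r["meta"]["name"], "->", lint_rule(r))
```

The REGEX_RULE case is the regression that matters: its first regex is clean, so a loop that returned on the first iteration would report the rule as fine and the incomplete pattern in the second feature would ship.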
Willi Ballenthin c5ae9be3e1 fix: MissingExampleOffset lint reads scopes.static instead of obsolete scope key
The check was reading rule.meta.get("scope") which no longer exists in the
current schema (replaced by scopes.static/scopes.dynamic), causing the lint
to never fire for function/basic-block rules missing example offsets.
2026-05-08 17:58:07 +02:00