Commit Graph

3050 Commits

Author SHA1 Message Date
Michael Hunhoff e5f9da1f2b adding submenus to rulegen editor; empty expressions auto pruned from rulegen editor 2021-01-14 16:22:56 -07:00
Michael Hunhoff ab33c46c87 init commit capa explorer rulegen 2021-01-14 15:46:24 -07:00
Capa Bot 48c045d381 Sync capa rules submodule 2021-01-12 18:30:44 +00:00
Capa Bot 2b385ead7f Sync capa rules submodule 2021-01-12 18:30:11 +00:00
Capa Bot 0fcc9f3df6 Sync capa-testfiles submodule 2021-01-12 18:27:32 +00:00
Capa Bot b251202804 Sync capa-testfiles submodule 2021-01-12 18:27:11 +00:00
Capa Bot 6967010281 Sync capa-testfiles submodule 2021-01-12 18:26:12 +00:00
Capa Bot 7e0846e66a Sync capa rules submodule 2021-01-12 17:55:13 +00:00
Moritz 4e3daad96d Merge pull request #391 from fireeye/fix/freeze-base-addr
add base address to freeze
2021-01-11 11:30:29 +01:00
Capa Bot 37fb3da5db Sync capa rules submodule 2021-01-08 16:36:36 +00:00
Capa Bot 762f48957c Sync capa rules submodule 2021-01-08 15:16:32 +00:00
Capa Bot c1af7b8783 Sync capa-testfiles submodule 2021-01-08 15:14:26 +00:00
Moritz Raabe f89084677d add base address to freeze 2021-01-08 14:48:26 +01:00
Capa Bot 0716084bbb Sync capa-testfiles submodule 2021-01-08 08:46:53 +00:00
Capa Bot a6c946e6c9 Sync capa rules submodule 2021-01-07 13:59:20 +00:00
Capa Bot 3f6e088faa Sync capa-testfiles submodule 2021-01-07 11:53:24 +00:00
Capa Bot 9abdd5813b Sync capa rules submodule 2021-01-07 07:47:28 +00:00
Capa Bot f33ea36e6f Sync capa rules submodule 2021-01-05 15:49:04 +00:00
Moritz 8788e0a9c9 Merge pull request #388 from fireeye/ci/linter-update
lint with tags
2021-01-05 16:37:21 +01:00
Moritz Raabe b1c1cb4b9b lint with --tag 2021-01-05 16:16:35 +01:00
Capa Bot 982d4ac472 Sync capa-testfiles submodule 2021-01-04 14:42:43 +00:00
Capa Bot b7a8d667b9 Sync capa rules submodule 2021-01-04 12:51:43 +00:00
Capa Bot 8f8729df05 Sync capa-testfiles submodule 2020-12-30 19:06:28 +00:00
Capa Bot e928d281dd Sync capa-testfiles submodule 2020-12-30 15:21:36 +00:00
Capa Bot 625583f5ab Sync capa rules submodule 2020-12-23 12:44:25 +00:00
Capa Bot ab54553dd2 Sync capa rules submodule 2020-12-22 17:16:54 +00:00
Moritz 47bf7b1325 Merge pull request #375 from doomedraven/return_dict
add render to dict, is the same as default but just in dictionary so …
2020-12-22 15:52:50 +01:00
Moritz 145d75f579 Merge pull request #381 from fireeye/fix/viv-set-logger-levels
set level of more viv loggers explicitly
2020-12-22 15:52:05 +01:00
Capa Bot 01d976d7f7 Sync capa rules submodule 2020-12-22 13:17:37 +00:00
Capa Bot 095e3720ab Sync capa-testfiles submodule 2020-12-22 12:00:35 +00:00
Capa Bot d62a37fe1f Sync capa-testfiles submodule 2020-12-21 16:17:33 +00:00
Capa Bot 5323f2fc31 Sync capa rules submodule 2020-12-17 17:14:43 +00:00
Capa Bot 5539cb0d08 Sync capa rules submodule 2020-12-17 17:12:21 +00:00
Capa Bot 76e80106d6 Sync capa-testfiles submodule 2020-12-17 09:29:56 +00:00
Capa Bot 9ab7b9a033 Sync capa rules submodule 2020-12-16 20:47:34 +00:00
Capa Bot fe97d6a349 Sync capa-testfiles submodule 2020-12-15 19:23:15 +00:00
Capa Bot 2242c2afe8 Sync capa-testfiles submodule 2020-12-15 19:19:09 +00:00
Willi Ballenthin ec25fb5c36 Merge pull request #384 from fireeye/dependabot/pip/smda-1.5.10
Bump smda from 1.5.9 to 1.5.10
2020-12-14 10:32:31 -07:00
dependabot[bot] ce25f5cadd Bump smda from 1.5.9 to 1.5.10
Bumps [smda](https://github.com/danielplohmann/smda) from 1.5.9 to 1.5.10.
- [Release notes](https://github.com/danielplohmann/smda/releases)
- [Commits](https://github.com/danielplohmann/smda/commits)

Signed-off-by: dependabot[bot] <support@github.com>
2020-12-14 07:15:58 +00:00
Capa Bot 1099f40f19 Sync capa rules submodule 2020-12-12 05:43:31 +00:00
Capa Bot 70368b3f1e Sync capa rules submodule 2020-12-11 10:42:16 +00:00
Capa Bot 0181ebad45 Sync capa-testfiles submodule 2020-12-10 17:38:00 +00:00
DoomedRaven e158e3f13c remove type hint to make CI happy 2020-12-08 21:46:39 +01:00
DoomedRaven b1bbded23c black -l 120 . 2020-12-08 21:39:50 +01:00
DoomedRaven b77d9d3738 isort --profile black --length-sort --line-width 120 capa_as_library.py 2020-12-08 21:34:42 +01:00
DoomedRaven d0b2421752 isort capa_as_library.py 2020-12-08 20:53:26 +01:00
DoomedRaven 96b65a7c60 add example of how to render it as a library
```
>>> from capa_as_library import capa_details
>>> details = capa_details("/opt/CAPEv2/storage/analyses/83/binary", "dictionary")
>>> from pprint import pprint as pp
>>> pp(details)
{'ATTCK': {'DEFENSE EVASION': ['Obfuscated Files or Information [T1027]',
                               'Virtualization/Sandbox Evasion::System Checks '
                               '[T1497.001]'],
           'EXECUTION': ['Shared Modules [T1129]']},
 'CAPABILITY': {'anti-analysis/anti-vm/vm-detection': ['execute anti-VM '
                                                       'instructions (3 '
                                                       'matches)'],
                'anti-analysis/obfuscation/string/stackstring': ['contain '
                                                                 'obfuscated '
                                                                 'stackstrings'],
                'data-manipulation/encryption/rc4': ['encrypt data using RC4 '
                                                     'PRGA'],
                'executable/pe/section/rsrc': ['contain a resource (.rsrc) '
                                               'section'],
                'host-interaction/cli': ['accept command line arguments'],
                'host-interaction/environment-variable': ['query environment '
                                                          'variable'],
                'host-interaction/file-system/read': ['read .ini file',
                                                      'read file'],
                'host-interaction/file-system/write': ['write file (3 '
                                                       'matches)'],
                'host-interaction/process': ['get thread local storage value '
                                             '(3 matches)',
                                             'set thread local storage value '
                                             '(2 matches)'],
                'host-interaction/process/terminate': ['terminate process (3 '
                                                       'matches)'],
                'host-interaction/thread/terminate': ['terminate thread'],
                'linking/runtime-linking': ['link function at runtime (7 '
                                            'matches)',
                                            'link many functions at runtime'],
                'load-code/pe': ['parse PE header (3 matches)']},
 'MBC': {'ANTI-BEHAVIORAL ANALYSIS': ['Virtual Machine Detection::Instruction '
                                      'Testing [B0009.029]'],
         'ANTI-STATIC ANALYSIS': ['Disassembler Evasion::Argument Obfuscation '
                                  '[B0012.001]'],
         'CRYPTOGRAPHY': ['Encrypt Data::RC4 [C0027.009]',
                          'Generate Pseudo-random Sequence::RC4 PRGA '
                          '[C0021.004]']},
 'md5': 'ad56c384476a81faef9aebd60b2f4623',
 'path': '/opt/CAPEv2/storage/analyses/83/binary',
 'sha1': 'aa027d89f5d3f991ad3e14ffb681616a77621836',
 'sha256': '16995e059eb47de0b58a95ce2c3d863d964a7a16064d4298cee9db1de266e68d'}
>>>
```
2020-12-08 20:00:24 +01:00
Willi Ballenthin 177c90093e Merge pull request #380 from doomedraven/patch-1
fix is_ordinal IndexError
2020-12-08 09:21:53 -07:00
Moritz Raabe 28ee091107 set level of more viv loggers explicitly 2020-12-08 16:30:23 +01:00
doomedraven 64c71d8e6d fix is_ordinal IndexError
```
 Traceback (most recent call last):
   File "/opt/CAPE/utils/../lib/cuckoo/common/cape_utils.py", line 223, in flare_capa_details
     capabilities, counts = capa.main.find_capabilities(rules, extractor, disable_progress=True)
   File "/usr/local/lib/python2.7/dist-packages/capa/main.py", line 116, in find_capabilities
     function_matches, bb_matches, feature_count = find_function_capabilities(ruleset, extractor, f)
   File "/usr/local/lib/python2.7/dist-packages/capa/main.py", line 68, in find_function_capabilities
     for feature, va in extractor.extract_insn_features(f, bb, insn):
   File "/usr/local/lib/python2.7/dist-packages/capa/features/extractors/viv/__init__.py", line 84, in extract_insn_features
     for feature, va in capa.features.extractors.viv.insn.extract_features(f, bb, insn):
   File "/usr/local/lib/python2.7/dist-packages/capa/features/extractors/viv/insn.py", line 599, in extract_features
     for feature, va in insn_handler(f, bb, insn):
   File "/usr/local/lib/python2.7/dist-packages/capa/features/extractors/viv/insn.py", line 93, in extract_insn_api_features
     for name in capa.features.extractors.helpers.generate_symbols(dll, symbol):
   File "/usr/local/lib/python2.7/dist-packages/capa/features/extractors/helpers.py", line 61, in generate_symbols
     if not is_ordinal(symbol):
   File "/usr/local/lib/python2.7/dist-packages/capa/features/extractors/helpers.py", line 45, in is_ordinal
     return symbol[0] == "#"
 IndexError: string index out of range
```
2020-12-08 09:50:00 +01:00