Willi Ballenthin
c3301d3b3f
refactor main for ease of integration (#1948)
* main: split main into a bunch of "main routines"
[wip] since there are a few references to BinExport2
that are in progress elsewhere. Next commit will remove them.
* main: remove references to wip BinExport2 code
* changelog
* main: rename first position argument "input_file"
closes #1946
* main: linters
* main: move rule-related routines to capa.rules
ref #1821
* main: extract routines to capa.loader module
closes #1821
* add loader module
* loader: learn to load freeze format
* freeze: use new cli arg handling
* Update capa/loader.py
Co-authored-by: Moritz <mr-tz@users.noreply.github.com>
* main: remove duplicate documentation
* main: add doc about where some functions live
* scripts: migrate to new main wrapper helper functions
* scripts: port to main routines
* main: better handle auto-detection of backend
* scripts: migrate bulk-process to main wrappers
* scripts: migrate scripts to main wrappers
* main: rename *_from_args to *_from_cli
* changelog
* cache-ruleset: remove duplication
* main: fix tag handling
* cache-ruleset: fix cli args
* cache-ruleset: fix special rule cli handling
* scripts: fix type bytes
* main: remove old TODO message
* loader: fix references to binja extractor
---------
Co-authored-by: Moritz <mr-tz@users.noreply.github.com>
2024-01-29 13:59:05 +01:00
Blas
7584e4a5e6
dotnet: emit enclosing class information for nested classes ( #1913 )
* Update helpers.py
* Update helpers.py
* TypeRef correction in helpers.py
* Fixed TypeRef to proper functionality
* Accounts for TypeRef updated tuple
* Corrected TypeDef tuple creation in helpers.py
* Update types.py
* Update types.py
* Create helpers_draft.py
* Update capa/features/extractors/dnfile/helpers.py
Co-authored-by: Mike Hunhoff <mike.hunhoff@gmail.com>
* Update helper functions, variables, and draft further implementations
* Update helpers.py
* Update types.py
* Directly access TypeDef and TypeRef tables
* Update helpers.py
* Update helpers.py
* Delete capa/features/extractors/dnfile/helpers_draft.py
* Update types.py
* Update dotnetfile.py
* Update types.py comment
* Clean extract_file_class_features in dotnetfile.py
* Cleaned up callers, var names, and other small items
* Update dotnetfile.py
* Clean up caller logic in dotnetfile.py
* Clean up callers and update helper logic in helpers.py
* Linter corrections for types.py
* Linter corrections for dotnetfile.py
* Linter corrections and caller functions cleanup for helpers.py
* Update capa/features/extractors/dnfile/helpers.py
Co-authored-by: Mike Hunhoff <mike.hunhoff@gmail.com>
* Update capa/features/extractors/dnfile/helpers.py
Co-authored-by: Mike Hunhoff <mike.hunhoff@gmail.com>
* Update capa/features/extractors/dnfile/helpers.py
Co-authored-by: Mike Hunhoff <mike.hunhoff@gmail.com>
* Update capa/features/extractors/dnfile/helpers.py
Co-authored-by: Mike Hunhoff <mike.hunhoff@gmail.com>
* Update capa/features/extractors/dnfile/helpers.py
Co-authored-by: Mike Hunhoff <mike.hunhoff@gmail.com>
* Update capa/features/extractors/dnfile/helpers.py
Co-authored-by: Mike Hunhoff <mike.hunhoff@gmail.com>
* Update capa/features/extractors/dnfile/helpers.py
Co-authored-by: Mike Hunhoff <mike.hunhoff@gmail.com>
* Update capa/features/extractors/dnfile/helpers.py
Co-authored-by: Mike Hunhoff <mike.hunhoff@gmail.com>
* Update capa/features/extractors/dnfile/helpers.py
Co-authored-by: Mike Hunhoff <mike.hunhoff@gmail.com>
* Update helpers.py
* Update dotnetfile.py
* Update tuple type in types.py
* Update dotnetfile.py
* Update return value annotations in helpers.py
* Linting update types.py
* Linting update dotnetfile.py
* Added unit tests to fixtures.py
* Update types.py
* Linting fix for types.py
* Update CHANGELOG.md
* Small changes to return types in helpers.py
---------
Co-authored-by: Mike Hunhoff <mike.hunhoff@gmail.com>
2024-01-05 10:09:38 -07:00
Mike Hunhoff
d6f7d2180f
dotnet: combine dnfile_.py and dotnetfile.py ( #1895 )
2023-12-07 14:06:54 -07:00
Moritz
c9df78252a
Ignore DLL names for API features ( #1824 )
* ignore DLL name for api features
* keep DLL name for import features
* fix tests
2023-10-20 13:39:15 +02:00
Willi Ballenthin
7bc3fba7b0
Merge branch 'dynamic-feature-extraction' into fix/dynamic-proto
2023-10-19 09:20:15 +00:00
Willi Ballenthin
d5e187bc70
Merge branch 'master' into dynamic-feature-extraction
2023-10-19 09:15:57 +00:00
Willi Ballenthin
182a9868ca
merge master
2023-10-17 10:32:25 +00:00
Moritz
a9daa92c9a
Merge branch 'master' into Aayush-Goel-04/Issue#322
2023-10-09 18:22:46 +02:00
Xusheng
bc71c94171
binja: use binaryninja.load to open a binary
2023-09-21 09:51:01 +08:00
Aayush Goel
8331ed6ea0
Merge branch 'mandiant:master' into Aayush-Goel-04/Issue#322
2023-09-06 16:35:29 +05:30
Willi Ballenthin
72e836166f
proto: better convert to/from proto
2023-09-05 10:24:53 +00:00
Willi Ballenthin
d64ab41dfd
tests: proto: add more dynamic proto tests
2023-09-05 10:23:55 +00:00
Aayush Goel
90df85b332
test for com_feature
matching a file as expected
generating the bytes/strings
if an unknown COM class/interface is provided?
2023-08-25 20:59:58 +05:30
Colton Gabertan
19b8000c00
Ghidra: Fixes & Enhancements ( #1733 )
* restore from corrupted .git
* lint repo
* temp: remove lint failing rule
* implement dereferencing, clean up extractors
* implement proper dereferencing routines as applicable
* fix nzxor implementation, remediate ghidra analysis issues
* lint repo
* Assert typing, lint repo
* avoid extracting pointers in bytes extraction
* attempt to recover submodule
* implement GhidraFeatureExtractor & ghidra_main()
* lint repo
* document examples, clean-up & testing
* lint repo
* properly map import dict
* properly map fake addresses
* fix fake addr mapping
* properly map externs
* re-align consistency with other backends
* lint repo
* fix dereferencing routine
* clean up helpers
* fix format string
* disable progress bar to exit gracefully
* enable pbar in headless runtime mode
* implement fixture test script
* implement ghidra unit test script
* refactor repo for breaking Ghidrathon change
* bump ghidrathon CI version, run unit test in CI
* change CI config
* fix wget line for ghidrathon
* fix unzip paths
* fix ghidra import issue
* disable pytest faulthandler module
* fix dereference function
* fix ghidra state variables
* implement dereferencing for string extraction
* use toAddr
* restructure for consistency
* Bump Ghidrathon version for CI, fix pytest ghidra runtime detection
* fix number & offset extractors
* yield both signed & unsigned values for offset extraction
* add LEA insn handling to number & offset extraction
* fix indirect call extraction
* implement thunk function checking for dereferences
* revise ghidra feature count tests, pass unit testing
* fix feature test format
* implement additional support for dereferencing thunked functions
* integrate external locations into find_file_imports
* change api yield string for .elf samples to match other extractors
* fix potential NoneType errors during dereferencing
* user helper in global_
* fix GHIDRAIO class, implement in global_
* comment on getOriginalByte
* simplify get_file_imports
* implement explicit thunk chain handling
* simplify LEA number extraction
* simplify thunk handling
* temp: demonstrate CI failure & output
* fix log path
* run new test against mimikatz
2023-08-23 14:35:18 -06:00
Colton Gabertan
058c1fefd2
ghidra: unit tests ( #1727 )
* restore from corrupted .git
* lint repo
* temp: remove lint failing rule
* implement dereferencing, clean up extractors
* implement proper dereferencing routines as applicable
* fix nzxor implementation, remediate ghidra analysis issues
* lint repo
* Assert typing, lint repo
* avoid extracting pointers in bytes extraction
* attempt to recover submodule
* implement GhidraFeatureExtractor & ghidra_main()
* lint repo
* document examples, clean-up & testing
* lint repo
* properly map import dict
* properly map fake addresses
* fix fake addr mapping
* properly map externs
* re-align consistency with other backends
* lint repo
* fix dereferencing routine
* clean up helpers
* fix format string
* disable progress bar to exit gracefully
* enable pbar in headless runtime mode
* implement fixture test script
* implement ghidra unit test script
* refactor repo for breaking Ghidrathon change
* bump ghidrathon CI version, run unit test in CI
* change CI config
* fix wget line for ghidrathon
* fix unzip paths
* fix ghidra import issue
* disable pytest faulthandler module
* fix ghidra state variables
* use toAddr
* restructure for consistency
* Bump Ghidrathon version for CI, fix pytest ghidra runtime detection
2023-08-21 12:16:13 -06:00
Willi Ballenthin
bb2b1824a9
Merge branch 'master' into dynamic-feature-extraction
2023-08-15 14:01:30 +02:00
Willi Ballenthin
2a31b16567
merge
2023-08-15 08:56:41 +00:00
Willi Ballenthin
e6d64ef561
pydantic: remove use of deprecated routines
closes #1718
2023-08-15 08:41:56 +00:00
Willi Ballenthin
e6cb3d3b3b
os: detect Android via dependencies, too
2023-08-14 10:27:19 +00:00
Willi Ballenthin
6de23a9748
tests: main: demonstrate CAPE analysis (and bug #1702 )
2023-08-11 08:56:06 +00:00
Willi Ballenthin
1cf33e4343
tests: create workspaces only during tests, not import
closes #1707
2023-08-11 08:38:06 +00:00
Yacine Elhamer
ca2760fb46
Initial commit
2023-08-02 22:46:54 +01:00
Yacine Elhamer
b1e468dae4
add tests for the get_sample_hashes() method
2023-07-21 11:04:21 +01:00
Yacine Elhamer
16eab6b5e5
remove unused commit
2023-07-20 11:24:07 +01:00
Yacine Elhamer
d520bfc753
fix bugs and add copyrights
2023-07-20 11:19:54 +01:00
Yacine Elhamer
301b10d261
fix style issues
2023-07-20 10:52:43 +01:00
Yacine Elhamer
e38e56ccf6
Merge remote-tracking branch 'parentrepo/dynamic-feature-extraction' into sync-1657
2023-07-20 09:33:48 +01:00
Willi Ballenthin
21b2aac8b5
fixtures: add test cases for forwarded exports
2023-07-13 10:31:52 +02:00
Willi Ballenthin
c86ab51210
fix copyright headers everywhere
2023-07-13 05:03:33 +02:00
Yacine Elhamer
42baa10bcb
Merge branch 'process-thread-addresses' of https://github.com/yelhamer/capa into yelhamer-process-thread-addresses
2023-07-11 12:07:20 +01:00
Aayush Goel
ef39bc3c3a
Merged Changes from PR #1591
2023-07-11 01:14:38 +05:30
Aayush Goel
8e346cb411
Merge branch 'Aayush-Goel-04/Issue#1534' of https://github.com/Aayush-Goel-04/capa into Aayush-Goel-04/Issue#1534
2023-07-11 00:59:21 +05:30
Aayush Goel
d1a1c6875b
extractors accept Path instance
2023-07-11 00:41:36 +05:30
Yacine Elhamer
e2e367f091
update tests
2023-07-10 12:15:06 +01:00
Willi Ballenthin
72e123e319
sync master
2023-07-10 02:50:18 +02:00
Willi Ballenthin
ae10a2ea34
introduce flake8-todos linter
2023-07-09 23:35:52 +02:00
Aayush Goel
a949698b86
Update fixtures.py
Dealt with encoding methods for how "ping_täst" file name is read.
2023-07-09 17:47:09 +05:30
Aayush Goel
673af45c55
Update args.sample type to Path and str vs as_posix comparisons
2023-07-09 16:02:28 +05:30
Aayush Goel
e0ed8c6e04
Resolved the suggestions.
2023-07-08 13:51:41 +05:30
Moritz
e140fba5df
enhance various dynamic-related functions ( #1590 )
* enhance various dynamic-related functions
* test_cape_features(): update API(NtQueryValueKey) feature count to 7
---------
Co-authored-by: Yacine Elhamer <elhamer.yacine@gmail.com>
Co-authored-by: Willi Ballenthin <willi.ballenthin@gmail.com>
2023-07-07 13:59:12 +02:00
Aayush Goel
14924174c5
convert str(path) usage to path.as_posix() to get str format of Path
Update fixtures.py
2023-07-07 12:03:05 +05:30
Willi Ballenthin
90e607fe9a
flake8
2023-07-06 18:11:48 +02:00
Willi Ballenthin
47074fd129
fix ruff issues
2023-07-06 17:49:40 +02:00
Aayush Goel
c0d712acea
Changes os.path to pathlib.Path usage
changed args.rules, args.signatures types in handle_common_args.
2023-07-06 05:12:50 +05:30
Yacine Elhamer
6712801b01
tests/fixtures.py: update path forming for the cape sample
Co-authored-by: Willi Ballenthin <willi.ballenthin@gmail.com>
2023-06-20 20:30:06 +01:00
Yacine Elhamer
0502bfd95d
remove cape report from get_md5_hash() function
2023-06-20 20:24:38 +01:00
Yacine Elhamer
0a4e3008af
fixtures.py: update CAPE's feature count and presence tests
2023-06-20 13:51:16 +01:00
Yacine Elhamer
1532ce1bab
add tests for extracting argument values
2023-06-20 13:20:33 +01:00
Yacine Elhamer
374fb033c1
add support for gzip compressed cape samples, and fix QakBot sample path
2023-06-20 10:29:52 +01:00
Yacine Elhamer
4db80e75a4
add mode and encoding parameters to open()
2023-06-20 10:13:06 +01:00