move sigs to capa directory

2025-12-05 20:40:05 -08:00 · 2024-01-18 12:31:55 +01:00
8 changed files with 7 additions and 13 deletions
--- a/.github/pyinstaller/pyinstaller.spec
+++ b/.github/pyinstaller/pyinstaller.spec
@@ -18,7 +18,7 @@ a = Analysis(
        # this gets invoked from the directory of the spec file,
        # i.e. ./.github/pyinstaller
        ("../../rules", "rules"),
-        ("../../sigs", "sigs"),
+        ("../../capa/sigs", "sigs"),
        ("../../cache", "cache"),
        # capa.render.default uses tabulate that depends on wcwidth.
        # it seems wcwidth uses a json file `version.json`
--- a/capa/main.py
+++ b/capa/main.py
@@ -214,7 +214,7 @@ def get_default_signatures() -> List[Path]:
    """
    compute a list of file system paths to the default FLIRT signatures.
    """
-    sigs_path = get_default_root() / "sigs"
+    sigs_path = get_default_root() / "capa" / "sigs"
    logger.debug("signatures path: %s", sigs_path)

    ret = []
@@ -962,7 +962,7 @@ def handle_common_args(args):
            )
            logger.debug("-" * 80)

-            sigs_path = get_default_root() / "sigs"
+            sigs_path = get_default_root() / "capa" / "sigs"

            if not sigs_path.exists():
                logger.error(
--- a/capa/sigs/1_flare_msvc_rtf_32_64.sig
+++ b/capa/sigs/1_flare_msvc_rtf_32_64.sig
--- a/capa/sigs/2_flare_msvc_atlmfc_32_64.sig
+++ b/capa/sigs/2_flare_msvc_atlmfc_32_64.sig
--- a/capa/sigs/3_flare_common_libs.sig
+++ b/capa/sigs/3_flare_common_libs.sig
--- a/capa/sigs/README.md
+++ b/capa/sigs/README.md
@@ -1,4 +1,4 @@
-# capa/sigs
+# capa FLIRT signatures

 This directory contains FLIRT signatures that capa uses to identify library functions.
 Typically, capa will ignore library functions, which reduces false positives and improves runtime.
--- a/doc/installation.md
+++ b/doc/installation.md
@@ -35,12 +35,6 @@ $ unzip v4.0.0.zip
 $ capa -r /path/to/capa-rules suspicious.exe
 ```

-This technique also doesn't set up the default library identification [signatures](https://github.com/mandiant/capa/tree/master/sigs). You can pass the signature directory using the `-s` argument.
-For example, to run capa with both a rule path and a signature path:
-```console
-$ capa -s /path/to/capa-sigs suspicious.exe
-```
-
 Alternatively, see Method 3 below.

 ### 2. Use capa
--- a/tests/fixtures.py
+++ b/tests/fixtures.py
@@ -100,9 +100,9 @@ def get_viv_extractor(path: Path):
    sigpaths = [
        CD / "data" / "sigs" / "test_aulldiv.pat",
        CD / "data" / "sigs" / "test_aullrem.pat.gz",
-        CD.parent / "sigs" / "1_flare_msvc_rtf_32_64.sig",
-        CD.parent / "sigs" / "2_flare_msvc_atlmfc_32_64.sig",
-        CD.parent / "sigs" / "3_flare_common_libs.sig",
+        CD.parent / "capa" / "sigs" / "1_flare_msvc_rtf_32_64.sig",
+        CD.parent / "capa" / "sigs" / "2_flare_msvc_atlmfc_32_64.sig",
+        CD.parent / "capa" / "sigs" / "3_flare_common_libs.sig",
    ]

    if "raw32" in path.name: