ida: use ida-domain api

Bumps [build](https://github.com/pypa/build) from 1.3.0 to 1.4.0.
- [Release notes](https://github.com/pypa/build/releases)
- [Changelog](https://github.com/pypa/build/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pypa/build/compare/1.3.0...1.4.0)

---
updated-dependencies:
- dependency-name: build
  dependency-version: 1.4.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.bumpversion.toml

@@ -0,0 +1,27 @@
+[tool.bumpversion]
+current_version = "9.3.1"
+
+[[tool.bumpversion.files]]
+filename = "capa/version.py"
+search = '__version__ = "{current_version}"'
+replace = '__version__ = "{new_version}"'
+
+[[tool.bumpversion.files]]
+filename = "capa/ida/plugin/ida-plugin.json"
+search = '"version": "{current_version}"'
+replace = '"version": "{new_version}"'
+
+[[tool.bumpversion.files]]
+filename = "capa/ida/plugin/ida-plugin.json"
+search = '"flare-capa=={current_version}"'
+replace = '"flare-capa=={new_version}"'
+
+[[tool.bumpversion.files]]
+filename = "CHANGELOG.md"
+search = "v{current_version}...master"
+replace = "v{current_version}...{new_version}"
+
+[[tool.bumpversion.files]]
+filename = "CHANGELOG.md"
+search = "master (unreleased)"
+replace = "v{new_version}"

.github/pyinstaller/pyinstaller.spec

@@ -74,6 +74,10 @@ a = Analysis(
         # only be installed locally.
         "binaryninja",
         "ida",
+        "ghidra",
+        # remove once https://github.com/mandiant/capa/issues/2681 has
+        # been addressed by PyInstaller
+        "pkg_resources",
     ],
 )
 

.github/workflows/build.yml

@@ -9,6 +9,7 @@ on:
       - '**.md'
   release:
     types: [edited, published]
+  workflow_dispatch: # manual trigger for testing
 
 permissions:
   contents: write
@@ -22,24 +23,43 @@ jobs:
       fail-fast: true
       matrix:
         include:
-          - os: ubuntu-20.04
+          - os: ubuntu-22.04
             # use old linux so that the shared library versioning is more portable
             artifact_name: capa
             asset_name: linux
             python_version: '3.10'
-          - os: ubuntu-20.04
+            # for Ghidra
+            java-version: '21'
+            ghidra-version: '12.0'
+            public-version: 'PUBLIC_20251205'
+            ghidra-sha256: 'af43e8cfb2fa4490cf6020c3a2bde25c159d83f45236a0542688a024e8fc1941'
+          - os: ubuntu-22.04-arm
+            artifact_name: capa
+            asset_name: linux-arm64
+            python_version: '3.10'
+          - os: ubuntu-22.04
             artifact_name: capa
             asset_name: linux-py312
             python_version: '3.12'
-          - os: windows-2019
+          - os: windows-2022
             artifact_name: capa.exe
             asset_name: windows
             python_version: '3.10'
-          - os: macos-13
-            # use older macOS for assumed better portability
+          # Windows 11 ARM64 complains of conflicting package version
+          # Additionally, there is no ARM64 build of Python for Python 3.10 on Windows 11 ARM: https://raw.githubusercontent.com/actions/python-versions/main/versions-manifest.json
+          #- os: windows-11-arm
+          #  artifact_name: capa.exe
+          #  asset_name: windows-arm64
+          #  python_version: '3.12'
+          - os: macos-15-intel
+            # macos-15-intel is the lowest native intel build
             artifact_name: capa
             asset_name: macos
             python_version: '3.10'
+          - os: macos-14
+            artifact_name: capa
+            asset_name: macos-arm64
+            python_version: '3.10'
     steps:
       - name: Checkout capa
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -49,7 +69,7 @@ jobs:
         uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
           python-version: ${{ matrix.python_version }}
-      - if: matrix.os == 'ubuntu-20.04'
+      - if: matrix.os == 'ubuntu-22.04' || matrix.os == 'ubuntu-22.04-arm'
         run: sudo apt-get install -y libyaml-dev
       - name: Upgrade pip, setuptools
         run: python -m pip install --upgrade pip setuptools
@@ -59,6 +79,28 @@ jobs:
           pip install -e .[build]
       - name: Build standalone executable
         run: pyinstaller --log-level DEBUG .github/pyinstaller/pyinstaller.spec
+      - name: Does it run without warnings or errors?
+        shell: bash
+        run: |
+          if [[ "${{ matrix.os }}" == "windows-2022" ]] || [[ "${{ matrix.os }}" == "windows-11-arm" ]]; then
+            EXECUTABLE=".\\dist\\capa"
+          else
+            EXECUTABLE="./dist/capa"
+          fi
+
+          output=$(${EXECUTABLE} --version 2>&1)
+          exit_code=$?
+
+          echo "${output}"
+          echo "${exit_code}"
+
+          if echo "${output}" | grep -iE 'error|warning'; then
+            exit 1
+          fi
+
+          if [[ "${exit_code}" -ne 0 ]]; then
+            exit 1
+          fi
       - name: Does it run (PE)?
         run: dist/capa -d "tests/data/Practical Malware Analysis Lab 01-01.dll_"
       - name: Does it run (Shellcode)?
@@ -69,39 +111,29 @@ jobs:
         run: |
           7z e "tests/data/dynamic/cape/v2.2/d46900384c78863420fb3e297d0a2f743cd2b6b3f7f82bf64059a168e07aceb7.json.gz"
           dist/capa -d "d46900384c78863420fb3e297d0a2f743cd2b6b3f7f82bf64059a168e07aceb7.json"
+      - name: Set up Java ${{ matrix.java-version }}
+        if: matrix.os == 'ubuntu-22.04' && matrix.python_version == '3.10'
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
+        with:
+          distribution: 'temurin'
+          java-version: ${{ matrix.java-version }}
+      - name: Install Ghidra ${{ matrix.ghidra-version }}
+        if: matrix.os == 'ubuntu-22.04' && matrix.python_version == '3.10'
+        run: |
+          mkdir ./.github/ghidra
+          wget "https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_${{ matrix.ghidra-version }}_build/ghidra_${{ matrix.ghidra-version }}_${{ matrix.public-version }}.zip" -O ./.github/ghidra/ghidra_${{ matrix.ghidra-version }}_PUBLIC.zip
+          echo "${{ matrix.ghidra-sha256 }} ./.github/ghidra/ghidra_${{ matrix.ghidra-version }}_PUBLIC.zip" | sha256sum -c -
+          unzip .github/ghidra/ghidra_${{ matrix.ghidra-version }}_PUBLIC.zip -d .github/ghidra/
+      - name: Does it run (Ghidra)?
+        if: matrix.os == 'ubuntu-22.04' && matrix.python_version == '3.10'
+        env:
+          GHIDRA_INSTALL_DIR: ${{ github.workspace }}/.github/ghidra/ghidra_${{ matrix.ghidra-version }}_PUBLIC
+        run: dist/capa -b ghidra -d "tests/data/Practical Malware Analysis Lab 01-01.dll_"
       - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: ${{ matrix.asset_name }}
           path: dist/${{ matrix.artifact_name }}
 
-  test_run:
-    name: Test run on ${{ matrix.os }} / ${{ matrix.asset_name }}
-    runs-on: ${{ matrix.os }}
-    needs: [build]
-    strategy:
-      matrix:
-        include:
-          # OSs not already tested above
-          - os: ubuntu-22.04
-            artifact_name: capa
-            asset_name: linux
-          - os: ubuntu-22.04
-            artifact_name: capa
-            asset_name: linux-py312
-          - os: windows-2022
-            artifact_name: capa.exe
-            asset_name: windows
-    steps:
-      - name: Download ${{ matrix.asset_name }}
-        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
-        with:
-          name: ${{ matrix.asset_name }}
-      - name: Set executable flag
-        if: matrix.os != 'windows-2022'
-        run: chmod +x ${{ matrix.artifact_name }}
-      - name: Run capa
-        run: ./${{ matrix.artifact_name }} -h
-
   zip_and_upload:
     # upload zipped binaries to Release page
     if: github.event_name == 'release'
@@ -113,12 +145,18 @@ jobs:
         include:
           - asset_name: linux
             artifact_name: capa
+          - asset_name: linux-arm64
+            artifact_name: capa
           - asset_name: linux-py312
             artifact_name: capa
           - asset_name: windows
             artifact_name: capa.exe
+          #- asset_name: windows-arm64
+          #  artifact_name: capa.exe
           - asset_name: macos
             artifact_name: capa
+          - asset_name: macos-arm64
+            artifact_name: capa
     steps:
       - name: Download ${{ matrix.asset_name }}
         uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2

.github/workflows/publish.yml

@@ -35,7 +35,7 @@ jobs:
         with:
           path: dist/*
       - name: publish package
-        uses: pypa/gh-action-pypi-publish@f5622bde02b04381239da3573277701ceca8f6a0  # release/v1
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc  # release/v1.12.4
         with:
           skip-existing: true
           verbose: true

.github/workflows/tests.yml

@@ -42,10 +42,10 @@ jobs:
     - name: Checkout capa
       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     # use latest available python to take advantage of best performance
-    - name: Set up Python 3.12
+    - name: Set up Python 3.13
       uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
       with:
-        python-version: "3.12"
+        python-version: "3.13"
     - name: Install dependencies
       run: |
         pip install -r requirements.txt
@@ -70,10 +70,10 @@ jobs:
       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         submodules: recursive
-    - name: Set up Python 3.12
+    - name: Set up Python 3.13
       uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
       with:
-        python-version: "3.12"
+        python-version: "3.13"
     - name: Install capa
       run: |
         pip install -r requirements.txt
@@ -88,16 +88,14 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-20.04, windows-2019, macos-13]
+        os: [ubuntu-22.04, ubuntu-22.04-arm, windows-2022, macos-15-intel, macos-14]
         # across all operating systems
-        python-version: ["3.10", "3.11"]
+        python-version: ["3.10", "3.13"]
         include:
           # on Ubuntu run these as well
-          - os: ubuntu-20.04
-            python-version: "3.10"
-          - os: ubuntu-20.04
+          - os: ubuntu-22.04
             python-version: "3.11"
-          - os: ubuntu-20.04
+          - os: ubuntu-22.04
             python-version: "3.12"
     steps:
     - name: Checkout capa with submodules
@@ -109,7 +107,7 @@ jobs:
       with:
         python-version: ${{ matrix.python-version }}
     - name: Install pyyaml
-      if: matrix.os == 'ubuntu-20.04'
+      if: matrix.os == 'ubuntu-22.04'
       run: sudo apt-get install -y libyaml-dev
     - name: Install capa
       run: |
@@ -131,7 +129,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.10", "3.11"]
+        python-version: ["3.10", "3.13"]
     steps:
     - name: Checkout capa with submodules
       # do only run if BN_SERIAL is available, have to do this in every step, see https://github.com/orgs/community/discussions/26726#discussioncomment-3253118
@@ -168,16 +166,16 @@ jobs:
 
   ghidra-tests:
     name: Ghidra tests for ${{ matrix.python-version }}
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     needs: [tests]
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.10", "3.11"]
-        java-version: ["17"]
-        ghidra-version: ["11.0.1"]
-        public-version: ["PUBLIC_20240130"] # for ghidra releases
-        ghidrathon-version: ["4.0.0"] 
+        python-version: ["3.10", "3.13"]
+        java-version: ["21"]
+        ghidra-version: ["12.0"]
+        public-version: ["PUBLIC_20251205"] # for ghidra releases
+        ghidra-sha256: ['af43e8cfb2fa4490cf6020c3a2bde25c159d83f45236a0542688a024e8fc1941']
     steps:
     - name: Checkout capa with submodules
       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -196,26 +194,66 @@ jobs:
       run: |
         mkdir ./.github/ghidra
         wget "https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_${{ matrix.ghidra-version }}_build/ghidra_${{ matrix.ghidra-version }}_${{ matrix.public-version }}.zip" -O ./.github/ghidra/ghidra_${{ matrix.ghidra-version }}_PUBLIC.zip
+        echo "${{ matrix.ghidra-sha256 }} ./.github/ghidra/ghidra_${{ matrix.ghidra-version }}_PUBLIC.zip" | sha256sum -c -
         unzip .github/ghidra/ghidra_${{ matrix.ghidra-version }}_PUBLIC.zip -d .github/ghidra/
-    - name: Install Ghidrathon
-      run : |
-        mkdir ./.github/ghidrathon
-        wget "https://github.com/mandiant/Ghidrathon/releases/download/v${{ matrix.ghidrathon-version }}/Ghidrathon-v${{ matrix.ghidrathon-version}}.zip" -O ./.github/ghidrathon/ghidrathon-v${{ matrix.ghidrathon-version }}.zip
-        unzip .github/ghidrathon/ghidrathon-v${{ matrix.ghidrathon-version }}.zip -d .github/ghidrathon/
-        python -m pip install -r .github/ghidrathon/requirements.txt
-        python .github/ghidrathon/ghidrathon_configure.py $(pwd)/.github/ghidra/ghidra_${{ matrix.ghidra-version }}_PUBLIC
-        unzip .github/ghidrathon/Ghidrathon-v${{ matrix.ghidrathon-version }}.zip -d .github/ghidra/ghidra_${{ matrix.ghidra-version }}_PUBLIC/Ghidra/Extensions
     - name: Install pyyaml
       run: sudo apt-get install -y libyaml-dev
+    - name: Install capa with Ghidra extra
+      run: |
+        pip install -e .[dev,ghidra]
+    - name: Run tests
+      env:
+        GHIDRA_INSTALL_DIR: ${{ github.workspace }}/.github/ghidra/ghidra_${{ matrix.ghidra-version }}_PUBLIC
+      run: pytest -v tests/test_ghidra_features.py
+ 
+  idalib-tests:
+    name: IDA ${{ matrix.ida.version }} tests for ${{ matrix.python-version }}
+    runs-on: ubuntu-22.04
+    needs: [tests]
+    env:
+      IDA_LICENSE_ID: ${{ secrets.IDA_LICENSE_ID }}
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.10", "3.13"]
+        ida:
+          - version: 9.0
+            slug: "release/9.0/ida-essential/ida-essential_90_x64linux.run"
+          - version: 9.1
+            slug: "release/9.1/ida-essential/ida-essential_91_x64linux.run"
+          - version: 9.2
+            slug: "release/9.2/ida-essential/ida-essential_92_x64linux.run"
+    steps:
+    - name: Checkout capa with submodules
+      # do only run if IDA_LICENSE_ID is available, have to do this in every step, see https://github.com/orgs/community/discussions/26726#discussioncomment-3253118
+      if: ${{ env.IDA_LICENSE_ID != 0 }}
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      with:
+        submodules: recursive
+    - name: Set up Python ${{ matrix.python-version }}
+      if: ${{ env.IDA_LICENSE_ID != 0 }}
+      uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+      with:
+        python-version: ${{ matrix.python-version }}
+    - name: Setup uv
+      if: ${{ env.IDA_LICENSE_ID != 0 }}
+      uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0
+    - name: Install dependencies
+      if: ${{ env.IDA_LICENSE_ID != 0 }}
+      run: sudo apt-get install -y libyaml-dev
     - name: Install capa
+      if: ${{ env.IDA_LICENSE_ID != 0 }}
       run: |
         pip install -r requirements.txt
         pip install -e .[dev,scripts]
+        pip install idapro
+    - name: Install IDA ${{ matrix.ida.version }}
+      if: ${{ env.IDA_LICENSE_ID != 0 }}
+      run: |
+        uv run hcli --disable-updates ida install --download-id ${{ matrix.ida.slug }} --license-id ${{ secrets.IDA_LICENSE_ID }} --set-default --yes
+      env:
+        HCLI_API_KEY: ${{ secrets.HCLI_API_KEY }}
+        IDA_LICENSE_ID: ${{ secrets.IDA_LICENSE_ID }}
     - name: Run tests
-      run: | 
-        mkdir ./.github/ghidra/project
-        .github/ghidra/ghidra_${{ matrix.ghidra-version }}_PUBLIC/support/analyzeHeadless .github/ghidra/project ghidra_test -Import ./tests/data/mimikatz.exe_ -ScriptPath ./tests/ -PostScript test_ghidra_features.py > ../output.log
-        cat ../output.log
-        exit_code=$(cat ../output.log | grep exit | awk '{print $NF}')
-        exit $exit_code
- 
+      if: ${{ env.IDA_LICENSE_ID != 0 }}
+      run: pytest -v tests/test_idalib_features.py  # explicitly refer to the idalib tests for performance. other tests run above.

.gitignore

@@ -122,6 +122,7 @@ scripts/perf/*.zip
 */.DS_Store
 Pipfile
 Pipfile.lock
+uv.lock
 /cache/
 .github/binja/binaryninja
 .github/binja/download_headless.py

.pre-commit-config.yaml

@@ -138,6 +138,7 @@ repos:
         -   "--ignore=tests/test_ghidra_features.py"
         -   "--ignore=tests/test_ida_features.py"
         -   "--ignore=tests/test_viv_features.py"
+        -   "--ignore=tests/test_idalib_features.py"
         -   "--ignore=tests/test_main.py"
         -   "--ignore=tests/test_scripts.py"
         always_run: true

CHANGELOG.md

@@ -4,9 +4,140 @@
 
 ### New Features
 
+- ghidra: support PyGhidra @mike-hunhoff #2788
+
 ### Breaking Changes
 
-### New Rules (15)
+### New Rules (5)
+
+- nursery/run-as-nodejs-native-module mehunhoff@google.com
+- nursery/inject-shellcode-using-thread-pool-work-insertion-with-tp_io still@teamt5.org
+- nursery/inject-shellcode-using-thread-pool-work-insertion-with-tp_timer still@teamt5.org
+- nursery/inject-shellcode-using-thread-pool-work-insertion-with-tp_work still@teamt5.org
+- data-manipulation/encryption/hc-256/encrypt-data-using-hc-256 wballenthin@hex-rays.com
+-
+
+### Bug Fixes
+- Fixed insecure deserialization vulnerability in YAML loading @0x1622 (#2770)
+- loader: gracefully handle ELF files with unsupported architectures kamranulhaq2002@gmail.com #2800
+
+### capa Explorer Web
+
+### capa Explorer IDA Pro plugin
+
+### Development
+
+- ci: deprecate macos-13 runner and use Python v3.13 for testing @mike-hunhoff #2777
+
+### Raw diffs
+- [capa v9.3.1...master](https://github.com/mandiant/capa/compare/v9.3.1...master)
+- [capa-rules v9.3.1...master](https://github.com/mandiant/capa-rules/compare/v9.3.1...master)
+
+## v9.3.1
+
+This patch release fixes a missing import for the capa explorer plugin for IDA Pro.
+
+### Bug Fixes
+
+- add missing ida-netnode dependency to project.toml @mike-hunhoff #2765
+
+### Development
+
+- ci: bump binja min version @mike-hunhoff #2763
+
+### Raw diffs
+- [capa v9.3.0...master](https://github.com/mandiant/capa/compare/v9.3.0...master)
+- [capa-rules v9.3.0...master](https://github.com/mandiant/capa-rules/compare/v9.3.0...master)
+
+## v9.3.0
+
+capa v9.3.0 comes with over 20 new and/or impoved rules.
+For IDA users the capa explorer plugin is now available via the IDA Pro plugin repository and contains Qt compatibility layer for PyQt5 and PySide6 support.
+Additionally a Binary Ninja bug has been fixed. Released binaries now include ARM64 binaries (Linux and macOS).
+
+### New Features
+
+- ci: add support for arm64 binary releases
+- tests: run tests against IDA via idalib @williballenthin #2742
+
+### Breaking Changes
+
+### New Rules (24)
+
+- anti-analysis/anti-vm/vm-detection/detect-mouse-movement-via-activity-checks-on-windows tevajdr@gmail.com
+- nursery/create-executable-heap moritz.raabe@mandiant.com
+- anti-analysis/packer/dxpack/packed-with-dxpack jakubjozwiak@google.com
+- anti-analysis/anti-av/patch-bitdefender-hooking-dll-function jakubjozwiak@google.com
+- nursery/acquire-load-driver-privileges mehunhoff@google.com
+- nursery/communicate-using-ftp mehunhoff@google.com
+- linking/static/eclipse-paho-mqtt-c/linked-against-eclipse-paho-mqtt-c jakubjozwiak@google.com
+- linking/static/qmqtt/linked-against-qmqtt jakubjozwiak@google.com
+- anti-analysis/anti-forensic/disable-powershell-transcription jakubjozwiak@google.com
+- host-interaction/powershell/bypass-powershell-constrained-language-mode-via-getsystemlockdownpolicy-patch jakubjozwiak@google.com
+- linking/static/grpc/linked-against-grpc jakubjozwiak@google.com
+- linking/static/hp-socket/linked-against-hp-socket jakubjozwiak@google.com
+- load-code/execute-jscript-via-vsaengine-in-dotnet jakubjozwiak@google.com
+- linking/static/funchook/linked-against-funchook jakubjozwiak@google.com
+- linking/static/plthook/linked-against-plthook jakubjozwiak@google.com
+- host-interaction/network/enumerate-tcp-connections-via-wmi-com-api jakubjozwiak@google.com
+- host-interaction/network/routing-table/create-routing-table-entry jakubjozwiak@google.com
+- host-interaction/network/routing-table/get-routing-table michael.hunhoff@mandiant.com
+- host-interaction/file-system/use-io_uring-io-interface-on-linux jakubjozwiak@google.com
+- collection/keylog/log-keystrokes-via-direct-input zeze-zeze
+- nursery/compiled-from-fsharp mehunhoff@google.com
+- nursery/decrypt-data-using-aes-via-dotnet mehunhoff@google.com
+- nursery/get-dotnet-assembly-entry-point mehunhoff@google.com
+
+### Bug Fixes
+
+- binja: fix a crash during feature extraction when the MLIL is unavailable @xusheng6 #2714 
+
+### capa Explorer Web
+
+### capa Explorer IDA Pro plugin
+
+- add `ida-plugin.json` for inclusion in the IDA Pro plugin repository @williballenthin
+- ida plugin: add Qt compatibility layer for PyQt5 and PySide6 support @williballenthin #2707
+- delay import to not load Qt* when running under idalib @mr-tz #2752
+
+### Development
+
+- ci: remove redundant "test_run" action from build workflow @mike-hunhoff #2692
+- dev: add bumpmyversion to bump and sync versions across the project @mr-tz
+
+### Raw diffs
+- [capa v9.2.1...9.3.0](https://github.com/mandiant/capa/compare/v9.2.1...9.3.0)
+- [capa-rules v9.2.1...9.3.0](https://github.com/mandiant/capa-rules/compare/v9.2.1...9.3.0)
+
+## v9.2.1
+
+This point release fixes bugs including removing an unnecessary PyInstaller warning message and enabling the standalone binary to execute on systems running older versions of glibc.
+
+### Bug Fixes
+
+- ci: exclude pkg_resources from PyInstaller build @mike-hunhoff #2684
+- ci: downgrade Ubuntu version to accommodate older glibc versions @mike-hunhoff #2684
+
+### Development
+
+- ci: upgrade Windows version to avoid deprecation @mike-hunhoff #2684
+- ci: check if build runs without warnings or errors @mike-hunhoff #2684
+
+### Raw diffs
+- [capa v9.2.0...v9.2.1](https://github.com/mandiant/capa/compare/v9.2.0...v9.2.1)
+- [capa-rules v9.2.0...v9.2.1](https://github.com/mandiant/capa-rules/compare/v9.2.0...v9.2.1)
+
+## v9.2.0
+
+This release improves a few aspects of dynamic analysis, including relaxing our validation on fields across many CAPE versions and processing additional VMRay submission file types, for example.
+It also includes an updated rule pack containing new rules and rule fixes.
+
+### New Features
+- vmray: do not restrict analysis to PE and ELF files, e.g. docx @mike-hunhoff #2672
+
+### Breaking Changes
+
+### New Rules (22)
 
 - communication/socket/connect-socket moritz.raabe@mandiant.com joakim@intezer.com mrhafizfarhad@gmail.com
 - communication/socket/udp/connect-udp-socket mrhafizfarhad@gmail.com
@@ -22,22 +153,23 @@
 - nursery/disable-firewall-features-via-registry-on-windows mehunhoff@google.com
 - nursery/disable-system-restore-features-via-registry-on-windows mehunhoff@google.com
 - nursery/disable-windows-defender-features-via-registry-on-windows mehunhoff@google.com
--
+- host-interaction/file-system/write/clear-file-content jakeperalta7
+- host-interaction/filter/unload-minifilter-driver JakePeralta7
+- exploitation/enumeration/make-suspicious-ntquerysysteminformation-call zdw@google.com
+- exploitation/gadgets/load-ntoskrnl zdw@google.com
+- exploitation/gadgets/resolve-ntoskrnl-gadgets zdw@google.com
+- exploitation/spraying/make-suspicious-ntfscontrolfile-call zdw@google.com
+- anti-analysis/anti-forensic/unload-sysmon JakePeralta7
 
 ### Bug Fixes
 - cape: make some fields optional @williballenthin #2631 #2632
 - lint: add WARN for regex features that contain unescaped dot #2635
 - lint: add ERROR for incomplete registry control set regex #2643
-
-### capa Explorer Web
-
-### capa Explorer IDA Pro plugin
-
-### Development
+- binja: update unit test core version #2670
 
 ### Raw diffs
-- [capa v9.1.0...master](https://github.com/mandiant/capa/compare/v9.1.0...master)
-- [capa-rules v9.1.0...master](https://github.com/mandiant/capa-rules/compare/v9.1.0...master)
+- [capa v9.1.0...v9.2.0](https://github.com/mandiant/capa/compare/v9.1.0...v9.2.0)
+- [capa-rules v9.1.0...v9.2.0](https://github.com/mandiant/capa-rules/compare/v9.1.0...v9.2.0)
 
 ## v9.1.0
 

README.md

@@ -291,11 +291,17 @@ It also uses your local changes to the .idb to extract better features, such as
 ![capa + IDA Pro integration](https://github.com/mandiant/capa/blob/master/doc/img/explorer_expanded.png)
 
 # Ghidra integration
-If you use Ghidra, then you can use the [capa + Ghidra integration](/capa/ghidra/) to run capa's analysis directly on your Ghidra database and render the results in Ghidra's user interface.
+
+capa supports using Ghidra (via [PyGhidra](https://github.com/NationalSecurityAgency/ghidra/tree/master/Ghidra/Features/PyGhidra)) as a feature extraction backend. This allows you to run capa against binaries using Ghidra's analysis engine.
+
+You can run and view capa results in the Ghidra UI using [capa explorer for Ghidra](https://github.com/mandiant/capa/tree/master/capa/ghidra/plugin).
 
 <img src="https://github.com/mandiant/capa/assets/66766340/eeae33f4-99d4-42dc-a5e8-4c1b8c661492" width=300>
 
+You can also run capa from the command line using the [Ghidra backend](https://github.com/mandiant/capa/tree/master/capa/ghidra).
+
 # blog posts
+- [Riding Dragons: capa Harnesses Ghidra](https://www.mandiant.com/resources/blog/capa-harnesses-ghidra)
 - [Dynamic capa: Exploring Executable Run-Time Behavior with the CAPE Sandbox](https://www.mandiant.com/resources/blog/dynamic-capa-executable-behavior-cape-sandbox)
 - [capa v4: casting a wider .NET](https://www.mandiant.com/resources/blog/capa-v4-casting-wider-net) (.NET support)
 - [ELFant in the Room – capa v3](https://www.mandiant.com/resources/elfant-in-the-room-capa-v3) (ELF support)
@@ -315,3 +321,6 @@ If you use Ghidra, then you can use the [capa + Ghidra integration](/capa/ghidra
 
 ## capa testfiles
 The [capa-testfiles repository](https://github.com/mandiant/capa-testfiles) contains the data we use to test capa's code and rules
+
+## mailing list
+Subscribe to the FLARE mailing list for community announcements! Email "subscribe" to [flare-external@google.com](mailto:flare-external@google.com?subject=subscribe).

capa/features/extractors/binja/function.py

@@ -19,7 +19,6 @@ from binaryninja import (
     Function,
     BinaryView,
     SymbolType,
-    ILException,
     RegisterValueType,
     VariableSourceType,
     LowLevelILOperation,
@@ -192,9 +191,8 @@ def extract_stackstring(fh: FunctionHandle):
     if bv is None:
         return
 
-    try:
-        mlil = func.mlil
-    except ILException:
+    mlil = func.mlil
+    if mlil is None:
         return
 
     for block in mlil.basic_blocks:

capa/features/extractors/ghidra/basicblock.py

@@ -83,7 +83,7 @@ def bb_contains_stackstring(bb: ghidra.program.model.block.CodeBlock) -> bool:
     true if basic block contains enough moves of constant bytes to the stack
     """
     count = 0
-    for insn in currentProgram().getListing().getInstructions(bb, True):  # type: ignore [name-defined] # noqa: F821
+    for insn in capa.features.extractors.ghidra.helpers.get_current_program().getListing().getInstructions(bb, True):
         if is_mov_imm_to_stack(insn):
             count += get_printable_len(insn.getScalar(1))
         if count > MIN_STACKSTRING_LEN:
@@ -96,7 +96,9 @@ def _bb_has_tight_loop(bb: ghidra.program.model.block.CodeBlock):
     parse tight loops, true if last instruction in basic block branches to bb start
     """
     # Reverse Ordered, first InstructionDB
-    last_insn = currentProgram().getListing().getInstructions(bb, False).next()  # type: ignore [name-defined] # noqa: F821
+    last_insn = (
+        capa.features.extractors.ghidra.helpers.get_current_program().getListing().getInstructions(bb, False).next()
+    )
 
     if last_insn.getFlowType().isJump():
         return last_insn.getAddress(0) == bb.getMinAddress()
@@ -140,20 +142,3 @@ def extract_features(fh: FunctionHandle, bbh: BBHandle) -> Iterator[tuple[Featur
     for bb_handler in BASIC_BLOCK_HANDLERS:
         for feature, addr in bb_handler(fh, bbh):
             yield feature, addr
-
-
-def main():
-    features = []
-    from capa.features.extractors.ghidra.extractor import GhidraFeatureExtractor
-
-    for fh in GhidraFeatureExtractor().get_functions():
-        for bbh in capa.features.extractors.ghidra.helpers.get_function_blocks(fh):
-            features.extend(list(extract_features(fh, bbh)))
-
-    import pprint
-
-    pprint.pprint(features)  # noqa: T203
-
-
-if __name__ == "__main__":
-    main()

capa/features/extractors/ghidra/context.py

@@ -0,0 +1,44 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from typing import Optional
+
+
+class GhidraContext:
+    """
+    State holder for the Ghidra backend to avoid passing state to every function.
+
+    PyGhidra uses a context manager to set up the Ghidra environment (program, transaction, etc.).
+    We store the relevant objects here to allow easy access throughout the extractor
+    without needing to pass them as arguments to every feature extraction method.
+    """
+
+    def __init__(self, program, flat_api, monitor):
+        self.program = program
+        self.flat_api = flat_api
+        self.monitor = monitor
+
+
+_context: Optional[GhidraContext] = None
+
+
+def set_context(program, flat_api, monitor):
+    global _context
+    _context = GhidraContext(program, flat_api, monitor)
+
+
+def get_context() -> GhidraContext:
+    if _context is None:
+        raise RuntimeError("GhidraContext not initialized")
+    return _context

capa/features/extractors/ghidra/extractor.py

@@ -12,11 +12,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+import weakref
+import contextlib
 from typing import Iterator
 
 import capa.features.extractors.ghidra.file
 import capa.features.extractors.ghidra.insn
 import capa.features.extractors.ghidra.global_
+import capa.features.extractors.ghidra.helpers as ghidra_helpers
 import capa.features.extractors.ghidra.function
 import capa.features.extractors.ghidra.basicblock
 from capa.features.common import Feature
@@ -31,19 +34,20 @@ from capa.features.extractors.base_extractor import (
 
 
 class GhidraFeatureExtractor(StaticFeatureExtractor):
-    def __init__(self):
-        import capa.features.extractors.ghidra.helpers as ghidra_helpers
+    def __init__(self, ctx_manager=None, tmpdir=None):
+        self.ctx_manager = ctx_manager
+        self.tmpdir = tmpdir
 
         super().__init__(
             SampleHashes(
-                md5=capa.ghidra.helpers.get_file_md5(),
+                md5=ghidra_helpers.get_current_program().getExecutableMD5(),
                 # ghidra doesn't expose this hash.
                 # https://ghidra.re/ghidra_docs/api/ghidra/program/model/listing/Program.html
                 #
                 # the hashes are stored in the database, not computed on the fly,
                 # so it's probably not trivial to add SHA1.
                 sha1="",
-                sha256=capa.ghidra.helpers.get_file_sha256(),
+                sha256=ghidra_helpers.get_current_program().getExecutableSHA256(),
             )
         )
 
@@ -55,8 +59,14 @@ class GhidraFeatureExtractor(StaticFeatureExtractor):
         self.externs = ghidra_helpers.get_file_externs()
         self.fakes = ghidra_helpers.map_fake_import_addrs()
 
+        # Register cleanup to run when the extractor is garbage collected or when the program exits.
+        # We use weakref.finalize instead of __del__ to avoid issues with reference cycles and
+        # to ensure deterministic cleanup on interpreter shutdown.
+        if self.ctx_manager or self.tmpdir:
+            weakref.finalize(self, cleanup, self.ctx_manager, self.tmpdir)
+
     def get_base_address(self):
-        return AbsoluteVirtualAddress(currentProgram().getImageBase().getOffset())  # type: ignore [name-defined] # noqa: F821
+        return AbsoluteVirtualAddress(ghidra_helpers.get_current_program().getImageBase().getOffset())
 
     def extract_global_features(self):
         yield from self.global_features
@@ -65,7 +75,6 @@ class GhidraFeatureExtractor(StaticFeatureExtractor):
         yield from capa.features.extractors.ghidra.file.extract_features()
 
     def get_functions(self) -> Iterator[FunctionHandle]:
-        import capa.features.extractors.ghidra.helpers as ghidra_helpers
 
         for fhandle in ghidra_helpers.get_function_symbols():
             fh: FunctionHandle = FunctionHandle(
@@ -77,14 +86,14 @@ class GhidraFeatureExtractor(StaticFeatureExtractor):
 
     @staticmethod
     def get_function(addr: int) -> FunctionHandle:
-        func = getFunctionContaining(toAddr(addr))  # type: ignore [name-defined] # noqa: F821
+
+        func = ghidra_helpers.get_flat_api().getFunctionContaining(ghidra_helpers.get_flat_api().toAddr(addr))
         return FunctionHandle(address=AbsoluteVirtualAddress(func.getEntryPoint().getOffset()), inner=func)
 
     def extract_function_features(self, fh: FunctionHandle) -> Iterator[tuple[Feature, Address]]:
         yield from capa.features.extractors.ghidra.function.extract_features(fh)
 
     def get_basic_blocks(self, fh: FunctionHandle) -> Iterator[BBHandle]:
-        import capa.features.extractors.ghidra.helpers as ghidra_helpers
 
         yield from ghidra_helpers.get_function_blocks(fh)
 
@@ -92,9 +101,17 @@ class GhidraFeatureExtractor(StaticFeatureExtractor):
         yield from capa.features.extractors.ghidra.basicblock.extract_features(fh, bbh)
 
     def get_instructions(self, fh: FunctionHandle, bbh: BBHandle) -> Iterator[InsnHandle]:
-        import capa.features.extractors.ghidra.helpers as ghidra_helpers
 
         yield from ghidra_helpers.get_insn_in_range(bbh)
 
     def extract_insn_features(self, fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle):
         yield from capa.features.extractors.ghidra.insn.extract_features(fh, bbh, ih)
+
+
+def cleanup(ctx_manager, tmpdir):
+    if ctx_manager:
+        with contextlib.suppress(Exception):
+            ctx_manager.__exit__(None, None, None)
+    if tmpdir:
+        with contextlib.suppress(Exception):
+            tmpdir.cleanup()

capa/features/extractors/ghidra/file.py

@@ -80,22 +80,54 @@ def extract_file_embedded_pe() -> Iterator[tuple[Feature, Address]]:
         for i in range(256)
     ]
 
-    for block in currentProgram().getMemory().getBlocks():  # type: ignore [name-defined] # noqa: F821
+    for block in capa.features.extractors.ghidra.helpers.get_current_program().getMemory().getBlocks():
         if not all((block.isLoaded(), block.isInitialized(), "Headers" not in block.getName())):
             continue
 
         for off, _ in find_embedded_pe(capa.features.extractors.ghidra.helpers.get_block_bytes(block), mz_xor):
             # add offset back to block start
-            ea: int = block.getStart().add(off).getOffset()
+            ea_addr = block.getStart().add(off)
+            ea = ea_addr.getOffset()
+            f_offset = capa.features.extractors.ghidra.helpers.get_file_offset(ea_addr)
+            if f_offset != -1:
+                ea = f_offset
 
             yield Characteristic("embedded pe"), FileOffsetAddress(ea)
 
 
 def extract_file_export_names() -> Iterator[tuple[Feature, Address]]:
     """extract function exports"""
-    st = currentProgram().getSymbolTable()  # type: ignore [name-defined] # noqa: F821
+    program = capa.features.extractors.ghidra.helpers.get_current_program()
+    st = program.getSymbolTable()
+
     for addr in st.getExternalEntryPointIterator():
-        yield Export(st.getPrimarySymbol(addr).getName()), AbsoluteVirtualAddress(addr.getOffset())
+        sym = st.getPrimarySymbol(addr)
+        name = sym.getName()
+
+        # Check for forwarded export
+        is_forwarded = False
+        refs = program.getReferenceManager().getReferencesFrom(addr)
+        for ref in refs:
+            if ref.getToAddress().isExternalAddress():
+                ext_sym = st.getPrimarySymbol(ref.getToAddress())
+                if ext_sym:
+                    ext_loc = program.getExternalManager().getExternalLocation(ext_sym)
+                    if ext_loc:
+                        # It is a forwarded export
+                        libname = ext_loc.getLibraryName()
+                        if libname.lower().endswith(".dll"):
+                            libname = libname[:-4]
+
+                        forwarded_name = f"{libname}.{ext_loc.getLabel()}"
+                        forwarded_name = capa.features.extractors.helpers.reformat_forwarded_export_name(forwarded_name)
+
+                        yield Export(forwarded_name), AbsoluteVirtualAddress(addr.getOffset())
+                        yield Characteristic("forwarded export"), AbsoluteVirtualAddress(addr.getOffset())
+                        is_forwarded = True
+                        break
+
+        if not is_forwarded:
+            yield Export(name), AbsoluteVirtualAddress(addr.getOffset())
 
 
 def extract_file_import_names() -> Iterator[tuple[Feature, Address]]:
@@ -110,7 +142,7 @@ def extract_file_import_names() -> Iterator[tuple[Feature, Address]]:
      - importname
     """
 
-    for f in currentProgram().getFunctionManager().getExternalFunctions():  # type: ignore [name-defined] # noqa: F821
+    for f in capa.features.extractors.ghidra.helpers.get_current_program().getFunctionManager().getExternalFunctions():
         for r in f.getSymbol().getReferences():
             if r.getReferenceType().isData():
                 addr = r.getFromAddress().getOffset()  # gets pointer to fake external addr
@@ -126,14 +158,14 @@ def extract_file_import_names() -> Iterator[tuple[Feature, Address]]:
 def extract_file_section_names() -> Iterator[tuple[Feature, Address]]:
     """extract section names"""
 
-    for block in currentProgram().getMemory().getBlocks():  # type: ignore [name-defined] # noqa: F821
+    for block in capa.features.extractors.ghidra.helpers.get_current_program().getMemory().getBlocks():
         yield Section(block.getName()), AbsoluteVirtualAddress(block.getStart().getOffset())
 
 
 def extract_file_strings() -> Iterator[tuple[Feature, Address]]:
     """extract ASCII and UTF-16 LE strings"""
 
-    for block in currentProgram().getMemory().getBlocks():  # type: ignore [name-defined] # noqa: F821
+    for block in capa.features.extractors.ghidra.helpers.get_current_program().getMemory().getBlocks():
         if not block.isInitialized():
             continue
 
@@ -153,7 +185,8 @@ def extract_file_function_names() -> Iterator[tuple[Feature, Address]]:
     extract the names of statically-linked library functions.
     """
 
-    for sym in currentProgram().getSymbolTable().getAllSymbols(True):  # type: ignore [name-defined] # noqa: F821
+    for sym in capa.features.extractors.ghidra.helpers.get_current_program().getSymbolTable().getAllSymbols(True):
+
         # .isExternal() misses more than this config for the function symbols
         if sym.getSymbolType() == SymbolType.FUNCTION and sym.getSource() == SourceType.ANALYSIS and sym.isGlobal():
             name = sym.getName()  # starts to resolve names based on Ghidra's FidDB
@@ -170,7 +203,7 @@ def extract_file_function_names() -> Iterator[tuple[Feature, Address]]:
 
 
 def extract_file_format() -> Iterator[tuple[Feature, Address]]:
-    ef = currentProgram().getExecutableFormat()  # type: ignore [name-defined] # noqa: F821
+    ef = capa.features.extractors.ghidra.helpers.get_current_program().getExecutableFormat()
     if "PE" in ef:
         yield Format(FORMAT_PE), NO_ADDRESS
     elif "ELF" in ef:
@@ -198,14 +231,3 @@ FILE_HANDLERS = (
     extract_file_function_names,
     extract_file_format,
 )
-
-
-def main():
-    """ """
-    import pprint
-
-    pprint.pprint(list(extract_features()))  # noqa: T203
-
-
-if __name__ == "__main__":
-    main()

capa/features/extractors/ghidra/function.py

@@ -26,21 +26,25 @@ from capa.features.extractors.base_extractor import FunctionHandle
 
 def extract_function_calls_to(fh: FunctionHandle):
     """extract callers to a function"""
-    f: ghidra.program.database.function.FunctionDB = fh.inner
+    f: "ghidra.program.database.function.FunctionDB" = fh.inner
     for ref in f.getSymbol().getReferences():
         if ref.getReferenceType().isCall():
             yield Characteristic("calls to"), AbsoluteVirtualAddress(ref.getFromAddress().getOffset())
 
 
 def extract_function_loop(fh: FunctionHandle):
-    f: ghidra.program.database.function.FunctionDB = fh.inner
+    f: "ghidra.program.database.function.FunctionDB" = fh.inner
 
     edges = []
-    for block in SimpleBlockIterator(BasicBlockModel(currentProgram()), f.getBody(), monitor()):  # type: ignore [name-defined] # noqa: F821
-        dests = block.getDestinations(monitor())  # type: ignore [name-defined] # noqa: F821
+    for block in SimpleBlockIterator(
+        BasicBlockModel(capa.features.extractors.ghidra.helpers.get_current_program()),
+        f.getBody(),
+        capa.features.extractors.ghidra.helpers.get_monitor(),
+    ):
+        dests = block.getDestinations(capa.features.extractors.ghidra.helpers.get_monitor())
         s_addrs = block.getStartAddresses()
 
-        while dests.hasNext():  # For loop throws Python TypeError
+        while dests.hasNext():
             for addr in s_addrs:
                 edges.append((addr.getOffset(), dests.next().getDestinationAddress().getOffset()))
 
@@ -49,32 +53,17 @@ def extract_function_loop(fh: FunctionHandle):
 
 
 def extract_recursive_call(fh: FunctionHandle):
-    f: ghidra.program.database.function.FunctionDB = fh.inner
+    f: "ghidra.program.database.function.FunctionDB" = fh.inner
 
-    for func in f.getCalledFunctions(monitor()):  # type: ignore [name-defined] # noqa: F821
+    for func in f.getCalledFunctions(capa.features.extractors.ghidra.helpers.get_monitor()):
         if func.getEntryPoint().getOffset() == f.getEntryPoint().getOffset():
             yield Characteristic("recursive call"), AbsoluteVirtualAddress(f.getEntryPoint().getOffset())
 
 
 def extract_features(fh: FunctionHandle) -> Iterator[tuple[Feature, Address]]:
-    for func_handler in FUNCTION_HANDLERS:
-        for feature, addr in func_handler(fh):
+    for function_handler in FUNCTION_HANDLERS:
+        for feature, addr in function_handler(fh):
             yield feature, addr
 
 
 FUNCTION_HANDLERS = (extract_function_calls_to, extract_function_loop, extract_recursive_call)
-
-
-def main():
-    """ """
-    features = []
-    for fhandle in capa.features.extractors.ghidra.helpers.get_function_symbols():
-        features.extend(list(extract_features(fhandle)))
-
-    import pprint
-
-    pprint.pprint(features)  # noqa: T203
-
-
-if __name__ == "__main__":
-    main()

capa/features/extractors/ghidra/global_.py

@@ -26,7 +26,7 @@ logger = logging.getLogger(__name__)
 
 
 def extract_os() -> Iterator[tuple[Feature, Address]]:
-    format_name: str = currentProgram().getExecutableFormat()  # type: ignore [name-defined] # noqa: F821
+    format_name: str = capa.features.extractors.ghidra.helpers.get_current_program().getExecutableFormat()
 
     if "PE" in format_name:
         yield OS(OS_WINDOWS), NO_ADDRESS
@@ -53,7 +53,7 @@ def extract_os() -> Iterator[tuple[Feature, Address]]:
 
 
 def extract_arch() -> Iterator[tuple[Feature, Address]]:
-    lang_id = currentProgram().getMetadata().get("Language ID")  # type: ignore [name-defined] # noqa: F821
+    lang_id = capa.features.extractors.ghidra.helpers.get_current_program().getMetadata().get("Language ID")
 
     if "x86" in lang_id and "64" in lang_id:
         yield Arch(ARCH_AMD64), NO_ADDRESS

capa/features/extractors/ghidra/helpers.py

@@ -22,9 +22,22 @@ from ghidra.program.model.symbol import SourceType, SymbolType
 from ghidra.program.model.address import AddressSpace
 
 import capa.features.extractors.helpers
+import capa.features.extractors.ghidra.context as ghidra_context
 from capa.features.common import THUNK_CHAIN_DEPTH_DELTA
 from capa.features.address import AbsoluteVirtualAddress
-from capa.features.extractors.base_extractor import BBHandle, InsnHandle, FunctionHandle
+from capa.features.extractors.base_extractor import BBHandle, InsnHandle
+
+
+def get_current_program():
+    return ghidra_context.get_context().program
+
+
+def get_monitor():
+    return ghidra_context.get_context().monitor
+
+
+def get_flat_api():
+    return ghidra_context.get_context().flat_api
 
 
 def ints_to_bytes(bytez: list[int]) -> bytes:
@@ -36,7 +49,7 @@ def ints_to_bytes(bytez: list[int]) -> bytes:
     return bytes([b & 0xFF for b in bytez])
 
 
-def find_byte_sequence(addr: ghidra.program.model.address.Address, seq: bytes) -> Iterator[int]:
+def find_byte_sequence(addr: "ghidra.program.model.address.Address", seq: bytes) -> Iterator[int]:
     """yield all ea of a given byte sequence
 
     args:
@@ -44,12 +57,25 @@ def find_byte_sequence(addr: ghidra.program.model.address.Address, seq: bytes) -
         seq: bytes to search e.g. b"\x01\x03"
     """
     seqstr = "".join([f"\\x{b:02x}" for b in seq])
-    eas = findBytes(addr, seqstr, java.lang.Integer.MAX_VALUE, 1)  # type: ignore [name-defined] # noqa: F821
+    eas = get_flat_api().findBytes(addr, seqstr, java.lang.Integer.MAX_VALUE, 1)
 
     yield from eas
 
 
-def get_bytes(addr: ghidra.program.model.address.Address, length: int) -> bytes:
+def get_file_offset(addr: "ghidra.program.model.address.Address") -> int:
+    """get file offset for an address"""
+    block = get_current_program().getMemory().getBlock(addr)
+    if not block:
+        return -1
+
+    for info in block.getSourceInfos():
+        if info.contains(addr):
+            return info.getFileBytesOffset(addr)
+
+    return -1
+
+
+def get_bytes(addr: "ghidra.program.model.address.Address", length: int) -> bytes:
     """yield length bytes at addr
 
     args:
@@ -57,12 +83,12 @@ def get_bytes(addr: ghidra.program.model.address.Address, length: int) -> bytes:
         length: length of bytes to pull
     """
     try:
-        return ints_to_bytes(getBytes(addr, length))  # type: ignore [name-defined] # noqa: F821
-    except RuntimeError:
+        return ints_to_bytes(get_flat_api().getBytes(addr, int(length)))
+    except Exception:
         return b""
 
 
-def get_block_bytes(block: ghidra.program.model.mem.MemoryBlock) -> bytes:
+def get_block_bytes(block: "ghidra.program.model.mem.MemoryBlock") -> bytes:
     """yield all bytes in a given block
 
     args:
@@ -73,20 +99,21 @@ def get_block_bytes(block: ghidra.program.model.mem.MemoryBlock) -> bytes:
 
 def get_function_symbols():
     """yield all non-external function symbols"""
-    yield from currentProgram().getFunctionManager().getFunctionsNoStubs(True)  # type: ignore [name-defined] # noqa: F821
+    yield from get_current_program().getFunctionManager().getFunctionsNoStubs(True)
 
 
-def get_function_blocks(fh: FunctionHandle) -> Iterator[BBHandle]:
-    """yield BBHandle for each bb in a given function"""
+def get_function_blocks(fh: "capa.features.extractors.base_extractor.FunctionHandle") -> Iterator[BBHandle]:
+    """
+    yield the basic blocks of the function
+    """
 
-    func: ghidra.program.database.function.FunctionDB = fh.inner
-    for bb in SimpleBlockIterator(BasicBlockModel(currentProgram()), func.getBody(), monitor()):  # type: ignore [name-defined] # noqa: F821
-        yield BBHandle(address=AbsoluteVirtualAddress(bb.getMinAddress().getOffset()), inner=bb)
+    for block in SimpleBlockIterator(BasicBlockModel(get_current_program()), fh.inner.getBody(), get_monitor()):
+        yield BBHandle(address=AbsoluteVirtualAddress(block.getMinAddress().getOffset()), inner=block)
 
 
 def get_insn_in_range(bbh: BBHandle) -> Iterator[InsnHandle]:
     """yield InshHandle for each insn in a given basicblock"""
-    for insn in currentProgram().getListing().getInstructions(bbh.inner, True):  # type: ignore [name-defined] # noqa: F821
+    for insn in get_current_program().getListing().getInstructions(bbh.inner, True):
         yield InsnHandle(address=AbsoluteVirtualAddress(insn.getAddress().getOffset()), inner=insn)
 
 
@@ -95,7 +122,7 @@ def get_file_imports() -> dict[int, list[str]]:
 
     import_dict: dict[int, list[str]] = {}
 
-    for f in currentProgram().getFunctionManager().getExternalFunctions():  # type: ignore [name-defined] # noqa: F821
+    for f in get_current_program().getFunctionManager().getExternalFunctions():
         for r in f.getSymbol().getReferences():
             if r.getReferenceType().isData():
                 addr = r.getFromAddress().getOffset()  # gets pointer to fake external addr
@@ -133,7 +160,7 @@ def get_file_externs() -> dict[int, list[str]]:
 
     extern_dict: dict[int, list[str]] = {}
 
-    for sym in currentProgram().getSymbolTable().getAllSymbols(True):  # type: ignore [name-defined] # noqa: F821
+    for sym in get_current_program().getSymbolTable().getAllSymbols(True):
         # .isExternal() misses more than this config for the function symbols
         if sym.getSymbolType() == SymbolType.FUNCTION and sym.getSource() == SourceType.ANALYSIS and sym.isGlobal():
             name = sym.getName()  # starts to resolve names based on Ghidra's FidDB
@@ -171,7 +198,7 @@ def map_fake_import_addrs() -> dict[int, list[int]]:
     """
     fake_dict: dict[int, list[int]] = {}
 
-    for f in currentProgram().getFunctionManager().getExternalFunctions():  # type: ignore [name-defined] # noqa: F821
+    for f in get_current_program().getFunctionManager().getExternalFunctions():
         for r in f.getSymbol().getReferences():
             if r.getReferenceType().isData():
                 fake_dict.setdefault(f.getEntryPoint().getOffset(), []).append(r.getFromAddress().getOffset())
@@ -180,7 +207,7 @@ def map_fake_import_addrs() -> dict[int, list[int]]:
 
 
 def check_addr_for_api(
-    addr: ghidra.program.model.address.Address,
+    addr: "ghidra.program.model.address.Address",
     fakes: dict[int, list[int]],
     imports: dict[int, list[str]],
     externs: dict[int, list[str]],
@@ -202,18 +229,18 @@ def check_addr_for_api(
     return False
 
 
-def is_call_or_jmp(insn: ghidra.program.database.code.InstructionDB) -> bool:
+def is_call_or_jmp(insn: "ghidra.program.database.code.InstructionDB") -> bool:
     return any(mnem in insn.getMnemonicString() for mnem in ["CALL", "J"])  # JMP, JNE, JNZ, etc
 
 
-def is_sp_modified(insn: ghidra.program.database.code.InstructionDB) -> bool:
+def is_sp_modified(insn: "ghidra.program.database.code.InstructionDB") -> bool:
     for i in range(insn.getNumOperands()):
         if insn.getOperandType(i) == OperandType.REGISTER:
             return "SP" in insn.getRegister(i).getName() and insn.getOperandRefType(i).isWrite()
     return False
 
 
-def is_stack_referenced(insn: ghidra.program.database.code.InstructionDB) -> bool:
+def is_stack_referenced(insn: "ghidra.program.database.code.InstructionDB") -> bool:
     """generic catch-all for stack references"""
     for i in range(insn.getNumOperands()):
         if insn.getOperandType(i) == OperandType.REGISTER:
@@ -225,7 +252,7 @@ def is_stack_referenced(insn: ghidra.program.database.code.InstructionDB) -> boo
     return any(ref.isStackReference() for ref in insn.getReferencesFrom())
 
 
-def is_zxor(insn: ghidra.program.database.code.InstructionDB) -> bool:
+def is_zxor(insn: "ghidra.program.database.code.InstructionDB") -> bool:
     # assume XOR insn
     # XOR's against the same operand zero out
     ops = []
@@ -241,29 +268,29 @@ def is_zxor(insn: ghidra.program.database.code.InstructionDB) -> bool:
     return all(n == operands[0] for n in operands)
 
 
-def handle_thunk(addr: ghidra.program.model.address.Address):
+def handle_thunk(addr: "ghidra.program.model.address.Address"):
     """Follow thunk chains down to a reasonable depth"""
     ref = addr
     for _ in range(THUNK_CHAIN_DEPTH_DELTA):
-        thunk_jmp = getInstructionAt(ref)  # type: ignore [name-defined] # noqa: F821
+        thunk_jmp = get_flat_api().getInstructionAt(ref)
         if thunk_jmp and is_call_or_jmp(thunk_jmp):
             if OperandType.isAddress(thunk_jmp.getOperandType(0)):
                 ref = thunk_jmp.getAddress(0)
         else:
-            thunk_dat = getDataContaining(ref)  # type: ignore [name-defined] # noqa: F821
+            thunk_dat = get_flat_api().getDataContaining(ref)
             if thunk_dat and thunk_dat.isDefined() and thunk_dat.isPointer():
                 ref = thunk_dat.getValue()
                 break  # end of thunk chain reached
     return ref
 
 
-def dereference_ptr(insn: ghidra.program.database.code.InstructionDB):
+def dereference_ptr(insn: "ghidra.program.database.code.InstructionDB"):
     addr_code = OperandType.ADDRESS | OperandType.CODE
     to_deref = insn.getAddress(0)
-    dat = getDataContaining(to_deref)  # type: ignore [name-defined] # noqa: F821
+    dat = get_flat_api().getDataContaining(to_deref)
 
     if insn.getOperandType(0) == addr_code:
-        thfunc = getFunctionContaining(to_deref)  # type: ignore [name-defined] # noqa: F821
+        thfunc = get_flat_api().getFunctionContaining(to_deref)
         if thfunc and thfunc.isThunk():
             return handle_thunk(to_deref)
         else:
@@ -294,7 +321,7 @@ def find_data_references_from_insn(insn, max_depth: int = 10):
         to_addr = reference.getToAddress()
 
         for _ in range(max_depth - 1):
-            data = getDataAt(to_addr)  # type: ignore [name-defined] # noqa: F821
+            data = get_flat_api().getDataAt(to_addr)
             if data and data.isPointer():
                 ptr_value = data.getValue()
 

capa/features/extractors/ghidra/insn.py

@@ -234,7 +234,7 @@ def extract_insn_bytes_features(fh: FunctionHandle, bb: BBHandle, ih: InsnHandle
         push    offset iid_004118d4_IShellLinkA ; riid
     """
     for addr in capa.features.extractors.ghidra.helpers.find_data_references_from_insn(ih.inner):
-        data = getDataAt(addr)  # type: ignore [name-defined] # noqa: F821
+        data = capa.features.extractors.ghidra.helpers.get_flat_api().getDataAt(addr)
         if data and not data.hasStringValue():
             extracted_bytes = capa.features.extractors.ghidra.helpers.get_bytes(addr, MAX_BYTES_FEATURE_SIZE)
             if extracted_bytes and not capa.features.extractors.helpers.all_zeros(extracted_bytes):
@@ -249,9 +249,9 @@ def extract_insn_string_features(fh: FunctionHandle, bb: BBHandle, ih: InsnHandl
         push offset aAcr     ; "ACR  > "
     """
     for addr in capa.features.extractors.ghidra.helpers.find_data_references_from_insn(ih.inner):
-        data = getDataAt(addr)  # type: ignore [name-defined] # noqa: F821
+        data = capa.features.extractors.ghidra.helpers.get_flat_api().getDataAt(addr)
         if data and data.hasStringValue():
-            yield String(data.getValue()), ih.address
+            yield String(str(data.getValue())), ih.address
 
 
 def extract_insn_mnemonic_features(
@@ -361,8 +361,8 @@ def extract_insn_cross_section_cflow(
         if capa.features.extractors.ghidra.helpers.check_addr_for_api(ref, fakes, imports, externs):
             return
 
-    this_mem_block = getMemoryBlock(insn.getAddress())  # type: ignore [name-defined] # noqa: F821
-    ref_block = getMemoryBlock(ref)  # type: ignore [name-defined] # noqa: F821
+    this_mem_block = capa.features.extractors.ghidra.helpers.get_flat_api().getMemoryBlock(insn.getAddress())
+    ref_block = capa.features.extractors.ghidra.helpers.get_flat_api().getMemoryBlock(ref)
     if ref_block != this_mem_block:
         yield Characteristic("cross section flow"), ih.address
 
@@ -425,19 +425,19 @@ def check_nzxor_security_cookie_delta(
     Check if insn within last addr of last bb - delta
     """
 
-    model = SimpleBlockModel(currentProgram())  # type: ignore [name-defined] # noqa: F821
+    model = SimpleBlockModel(capa.features.extractors.ghidra.helpers.get_current_program())
     insn_addr = insn.getAddress()
     func_asv = fh.getBody()
 
     first_addr = func_asv.getMinAddress()
     if insn_addr < first_addr.add(SECURITY_COOKIE_BYTES_DELTA):
-        first_bb = model.getFirstCodeBlockContaining(first_addr, monitor())  # type: ignore [name-defined] # noqa: F821
+        first_bb = model.getFirstCodeBlockContaining(first_addr, capa.features.extractors.ghidra.helpers.get_monitor())
         if first_bb.contains(insn_addr):
             return True
 
     last_addr = func_asv.getMaxAddress()
     if insn_addr > last_addr.add(SECURITY_COOKIE_BYTES_DELTA * -1):
-        last_bb = model.getFirstCodeBlockContaining(last_addr, monitor())  # type: ignore [name-defined] # noqa: F821
+        last_bb = model.getFirstCodeBlockContaining(last_addr, capa.features.extractors.ghidra.helpers.get_monitor())
         if last_bb.contains(insn_addr):
             return True
 
@@ -488,22 +488,3 @@ INSTRUCTION_HANDLERS = (
     extract_function_calls_from,
     extract_function_indirect_call_characteristic_features,
 )
-
-
-def main():
-    """ """
-    features = []
-    from capa.features.extractors.ghidra.extractor import GhidraFeatureExtractor
-
-    for fh in GhidraFeatureExtractor().get_functions():
-        for bb in capa.features.extractors.ghidra.helpers.get_function_blocks(fh):
-            for insn in capa.features.extractors.ghidra.helpers.get_insn_in_range(bb):
-                features.extend(list(extract_features(fh, bb, insn)))
-
-    import pprint
-
-    pprint.pprint(features)  # noqa: T203
-
-
-if __name__ == "__main__":
-    main()

capa/features/extractors/ida/basicblock.py

@@ -18,6 +18,7 @@ import struct
 from typing import Iterator
 
 import idaapi
+from ida_domain import Database
 
 import capa.features.extractors.ida.helpers
 from capa.features.common import Feature, Characteristic
@@ -59,7 +60,7 @@ def get_printable_len(op: idaapi.op_t) -> int:
     return 0
 
 
-def is_mov_imm_to_stack(insn: idaapi.insn_t) -> bool:
+def is_mov_imm_to_stack(db: Database, insn: idaapi.insn_t) -> bool:
     """verify instruction moves immediate onto stack"""
     if insn.Op2.type != idaapi.o_imm:
         return False
@@ -67,42 +68,43 @@ def is_mov_imm_to_stack(insn: idaapi.insn_t) -> bool:
     if not helpers.is_op_stack_var(insn.ea, 0):
         return False
 
-    if not insn.get_canon_mnem().startswith("mov"):
+    mnem = db.instructions.get_mnemonic(insn)
+    if not mnem.startswith("mov"):
         return False
 
     return True
 
 
-def bb_contains_stackstring(f: idaapi.func_t, bb: idaapi.BasicBlock) -> bool:
+def bb_contains_stackstring(db: Database, f: idaapi.func_t, bb: idaapi.BasicBlock) -> bool:
     """check basic block for stackstring indicators
 
     true if basic block contains enough moves of constant bytes to the stack
     """
     count = 0
-    for insn in capa.features.extractors.ida.helpers.get_instructions_in_range(bb.start_ea, bb.end_ea):
-        if is_mov_imm_to_stack(insn):
+    for insn in capa.features.extractors.ida.helpers.get_instructions_in_range(db, bb.start_ea, bb.end_ea):
+        if is_mov_imm_to_stack(db, insn):
             count += get_printable_len(insn.Op2)
         if count > MIN_STACKSTRING_LEN:
             return True
     return False
 
 
-def extract_bb_stackstring(fh: FunctionHandle, bbh: BBHandle) -> Iterator[tuple[Feature, Address]]:
+def extract_bb_stackstring(db: Database, fh: FunctionHandle, bbh: BBHandle) -> Iterator[tuple[Feature, Address]]:
     """extract stackstring indicators from basic block"""
-    if bb_contains_stackstring(fh.inner, bbh.inner):
+    if bb_contains_stackstring(db, fh.inner, bbh.inner):
         yield Characteristic("stack string"), bbh.address
 
 
-def extract_bb_tight_loop(fh: FunctionHandle, bbh: BBHandle) -> Iterator[tuple[Feature, Address]]:
+def extract_bb_tight_loop(db: Database, fh: FunctionHandle, bbh: BBHandle) -> Iterator[tuple[Feature, Address]]:
     """extract tight loop indicators from a basic block"""
-    if capa.features.extractors.ida.helpers.is_basic_block_tight_loop(bbh.inner):
+    if capa.features.extractors.ida.helpers.is_basic_block_tight_loop(db, bbh.inner):
         yield Characteristic("tight loop"), bbh.address
 
 
-def extract_features(fh: FunctionHandle, bbh: BBHandle) -> Iterator[tuple[Feature, Address]]:
+def extract_features(db: Database, fh: FunctionHandle, bbh: BBHandle) -> Iterator[tuple[Feature, Address]]:
     """extract basic block features"""
     for bb_handler in BASIC_BLOCK_HANDLERS:
-        for feature, addr in bb_handler(fh, bbh):
+        for feature, addr in bb_handler(db, fh, bbh):
             yield feature, addr
     yield BasicBlock(), bbh.address
 

capa/features/extractors/ida/extractor.py

@@ -13,8 +13,9 @@
 # limitations under the License.
 
 from typing import Iterator
+from pathlib import Path
 
-import idaapi
+from ida_domain import Database
 
 import capa.ida.helpers
 import capa.features.extractors.elf
@@ -35,56 +36,68 @@ from capa.features.extractors.base_extractor import (
 
 
 class IdaFeatureExtractor(StaticFeatureExtractor):
-    def __init__(self):
+    def __init__(self, db: Database):
+        self.db = db
         super().__init__(
             hashes=SampleHashes(
-                md5=capa.ida.helpers.retrieve_input_file_md5(),
+                md5=db.md5,
                 sha1="(unknown)",
-                sha256=capa.ida.helpers.retrieve_input_file_sha256(),
+                sha256=db.sha256,
             )
         )
         self.global_features: list[tuple[Feature, Address]] = []
-        self.global_features.extend(capa.features.extractors.ida.file.extract_file_format())
-        self.global_features.extend(capa.features.extractors.ida.global_.extract_os())
-        self.global_features.extend(capa.features.extractors.ida.global_.extract_arch())
+        self.global_features.extend(capa.features.extractors.ida.file.extract_file_format(self.db))
+        self.global_features.extend(capa.features.extractors.ida.global_.extract_os(self.db))
+        self.global_features.extend(capa.features.extractors.ida.global_.extract_arch(self.db))
+
+    @classmethod
+    def from_current_database(cls) -> "IdaFeatureExtractor":
+        """Create extractor for interactive IDA GUI use."""
+        db = Database.open()
+        return cls(db)
+
+    @classmethod
+    def from_file(cls, path: Path) -> "IdaFeatureExtractor":
+        """Create extractor for idalib/headless use."""
+        db = Database.open(str(path))
+        return cls(db)
 
     def get_base_address(self):
-        return AbsoluteVirtualAddress(idaapi.get_imagebase())
+        return AbsoluteVirtualAddress(self.db.base_address)
 
     def extract_global_features(self):
         yield from self.global_features
 
     def extract_file_features(self):
-        yield from capa.features.extractors.ida.file.extract_features()
+        yield from capa.features.extractors.ida.file.extract_features(self.db)
 
     def get_functions(self) -> Iterator[FunctionHandle]:
         import capa.features.extractors.ida.helpers as ida_helpers
 
         # ignore library functions and thunk functions as identified by IDA
-        yield from ida_helpers.get_functions(skip_thunks=True, skip_libs=True)
+        yield from ida_helpers.get_functions(self.db, skip_thunks=True, skip_libs=True)
 
-    @staticmethod
-    def get_function(ea: int) -> FunctionHandle:
-        f = idaapi.get_func(ea)
+    def get_function(self, ea: int) -> FunctionHandle:
+        f = self.db.functions.get_at(ea)
         return FunctionHandle(address=AbsoluteVirtualAddress(f.start_ea), inner=f)
 
     def extract_function_features(self, fh: FunctionHandle) -> Iterator[tuple[Feature, Address]]:
-        yield from capa.features.extractors.ida.function.extract_features(fh)
+        yield from capa.features.extractors.ida.function.extract_features(self.db, fh)
 
     def get_basic_blocks(self, fh: FunctionHandle) -> Iterator[BBHandle]:
         import capa.features.extractors.ida.helpers as ida_helpers
 
-        for bb in ida_helpers.get_function_blocks(fh.inner):
+        for bb in ida_helpers.get_function_blocks(self.db, fh.inner):
             yield BBHandle(address=AbsoluteVirtualAddress(bb.start_ea), inner=bb)
 
     def extract_basic_block_features(self, fh: FunctionHandle, bbh: BBHandle) -> Iterator[tuple[Feature, Address]]:
-        yield from capa.features.extractors.ida.basicblock.extract_features(fh, bbh)
+        yield from capa.features.extractors.ida.basicblock.extract_features(self.db, fh, bbh)
 
     def get_instructions(self, fh: FunctionHandle, bbh: BBHandle) -> Iterator[InsnHandle]:
         import capa.features.extractors.ida.helpers as ida_helpers
 
-        for insn in ida_helpers.get_instructions_in_range(bbh.inner.start_ea, bbh.inner.end_ea):
+        for insn in ida_helpers.get_instructions_in_range(self.db, bbh.inner.start_ea, bbh.inner.end_ea):
             yield InsnHandle(address=AbsoluteVirtualAddress(insn.ea), inner=insn)
 
     def extract_insn_features(self, fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle):
-        yield from capa.features.extractors.ida.insn.extract_features(fh, bbh, ih)
+        yield from capa.features.extractors.ida.insn.extract_features(self.db, fh, bbh, ih)

capa/features/extractors/ida/file.py

@@ -16,10 +16,9 @@
 import struct
 from typing import Iterator
 
-import idc
 import idaapi
-import idautils
-import ida_entry
+from ida_domain import Database
+from ida_domain.functions import FunctionFlags
 
 import capa.ida.helpers
 import capa.features.extractors.common
@@ -33,7 +32,7 @@ from capa.features.address import NO_ADDRESS, Address, FileOffsetAddress, Absolu
 MAX_OFFSET_PE_AFTER_MZ = 0x200
 
 
-def check_segment_for_pe(seg: idaapi.segment_t) -> Iterator[tuple[int, int]]:
+def check_segment_for_pe(db: Database, seg) -> Iterator[tuple[int, int]]:
     """check segment for embedded PE
 
     adapted for IDA from:
@@ -51,8 +50,7 @@ def check_segment_for_pe(seg: idaapi.segment_t) -> Iterator[tuple[int, int]]:
 
     todo = []
     for mzx, pex, i in mz_xor:
-        # find all segment offsets containing XOR'd "MZ" bytes
-        for off in capa.features.extractors.ida.helpers.find_byte_sequence(seg.start_ea, seg.end_ea, mzx):
+        for off in capa.features.extractors.ida.helpers.find_byte_sequence(db, seg.start_ea, seg.end_ea, mzx):
             todo.append((off, mzx, pex, i))
 
     while len(todo):
@@ -64,9 +62,11 @@ def check_segment_for_pe(seg: idaapi.segment_t) -> Iterator[tuple[int, int]]:
         if seg_max < (e_lfanew + 4):
             continue
 
-        newoff = struct.unpack("<I", capa.features.extractors.helpers.xor_static(idc.get_bytes(e_lfanew, 4), i))[0]
+        raw_bytes = db.bytes.get_bytes_at(e_lfanew, 4)
+        if not raw_bytes:
+            continue
+        newoff = struct.unpack("<I", capa.features.extractors.helpers.xor_static(raw_bytes, i))[0]
 
-        # assume XOR'd "PE" bytes exist within threshold
         if newoff > MAX_OFFSET_PE_AFTER_MZ:
             continue
 
@@ -74,35 +74,35 @@ def check_segment_for_pe(seg: idaapi.segment_t) -> Iterator[tuple[int, int]]:
         if seg_max < (peoff + 2):
             continue
 
-        if idc.get_bytes(peoff, 2) == pex:
+        pe_bytes = db.bytes.get_bytes_at(peoff, 2)
+        if pe_bytes == pex:
             yield off, i
 
 
-def extract_file_embedded_pe() -> Iterator[tuple[Feature, Address]]:
+def extract_file_embedded_pe(db: Database) -> Iterator[tuple[Feature, Address]]:
     """extract embedded PE features
 
     IDA must load resource sections for this to be complete
         - '-R' from console
         - Check 'Load resource sections' when opening binary in IDA manually
     """
-    for seg in capa.features.extractors.ida.helpers.get_segments(skip_header_segments=True):
-        for ea, _ in check_segment_for_pe(seg):
+    for seg in capa.features.extractors.ida.helpers.get_segments(db, skip_header_segments=True):
+        for ea, _ in check_segment_for_pe(db, seg):
             yield Characteristic("embedded pe"), FileOffsetAddress(ea)
 
 
-def extract_file_export_names() -> Iterator[tuple[Feature, Address]]:
+def extract_file_export_names(db: Database) -> Iterator[tuple[Feature, Address]]:
     """extract function exports"""
-    for _, ordinal, ea, name in idautils.Entries():
-        forwarded_name = ida_entry.get_entry_forwarder(ordinal)
-        if forwarded_name is None:
-            yield Export(name), AbsoluteVirtualAddress(ea)
+    for entry in db.entries.get_all():
+        if entry.has_forwarder():
+            forwarded_name = capa.features.extractors.helpers.reformat_forwarded_export_name(entry.forwarder_name)
+            yield Export(forwarded_name), AbsoluteVirtualAddress(entry.address)
+            yield Characteristic("forwarded export"), AbsoluteVirtualAddress(entry.address)
         else:
-            forwarded_name = capa.features.extractors.helpers.reformat_forwarded_export_name(forwarded_name)
-            yield Export(forwarded_name), AbsoluteVirtualAddress(ea)
-            yield Characteristic("forwarded export"), AbsoluteVirtualAddress(ea)
+            yield Export(entry.name), AbsoluteVirtualAddress(entry.address)
 
 
-def extract_file_import_names() -> Iterator[tuple[Feature, Address]]:
+def extract_file_import_names(db: Database) -> Iterator[tuple[Feature, Address]]:
     """extract function imports
 
     1. imports by ordinal:
@@ -113,7 +113,7 @@ def extract_file_import_names() -> Iterator[tuple[Feature, Address]]:
      - modulename.importname
      - importname
     """
-    for ea, info in capa.features.extractors.ida.helpers.get_file_imports().items():
+    for ea, info in capa.features.extractors.ida.helpers.get_file_imports(db).items():
         addr = AbsoluteVirtualAddress(ea)
         if info[1] and info[2]:
             # e.g. in mimikatz: ('cabinet', 'FCIAddFile', 11L)
@@ -134,30 +134,31 @@ def extract_file_import_names() -> Iterator[tuple[Feature, Address]]:
         for name in capa.features.extractors.helpers.generate_symbols(dll, symbol, include_dll=True):
             yield Import(name), addr
 
-    for ea, info in capa.features.extractors.ida.helpers.get_file_externs().items():
+    for ea, info in capa.features.extractors.ida.helpers.get_file_externs(db).items():
         yield Import(info[1]), AbsoluteVirtualAddress(ea)
 
 
-def extract_file_section_names() -> Iterator[tuple[Feature, Address]]:
+def extract_file_section_names(db: Database) -> Iterator[tuple[Feature, Address]]:
     """extract section names
 
     IDA must load resource sections for this to be complete
         - '-R' from console
         - Check 'Load resource sections' when opening binary in IDA manually
     """
-    for seg in capa.features.extractors.ida.helpers.get_segments(skip_header_segments=True):
-        yield Section(idaapi.get_segm_name(seg)), AbsoluteVirtualAddress(seg.start_ea)
+    for seg in capa.features.extractors.ida.helpers.get_segments(db, skip_header_segments=True):
+        name = db.segments.get_name(seg)
+        yield Section(name), AbsoluteVirtualAddress(seg.start_ea)
 
 
-def extract_file_strings() -> Iterator[tuple[Feature, Address]]:
+def extract_file_strings(db: Database) -> Iterator[tuple[Feature, Address]]:
     """extract ASCII and UTF-16 LE strings
 
     IDA must load resource sections for this to be complete
         - '-R' from console
         - Check 'Load resource sections' when opening binary in IDA manually
     """
-    for seg in capa.features.extractors.ida.helpers.get_segments():
-        seg_buff = capa.features.extractors.ida.helpers.get_segment_buffer(seg)
+    for seg in capa.features.extractors.ida.helpers.get_segments(db):
+        seg_buff = capa.features.extractors.ida.helpers.get_segment_buffer(db, seg)
 
         # differing to common string extractor factor in segment offset here
         for s in capa.features.extractors.strings.extract_ascii_strings(seg_buff):
@@ -167,41 +168,40 @@ def extract_file_strings() -> Iterator[tuple[Feature, Address]]:
             yield String(s.s), FileOffsetAddress(seg.start_ea + s.offset)
 
 
-def extract_file_function_names() -> Iterator[tuple[Feature, Address]]:
-    """
-    extract the names of statically-linked library functions.
-    """
-    for ea in idautils.Functions():
-        addr = AbsoluteVirtualAddress(ea)
-        if idaapi.get_func(ea).flags & idaapi.FUNC_LIB:
-            name = idaapi.get_name(ea)
-            yield FunctionName(name), addr
-            if name.startswith("_"):
-                # some linkers may prefix linked routines with a `_` to avoid name collisions.
-                # extract features for both the mangled and un-mangled representations.
-                # e.g. `_fwrite` -> `fwrite`
-                # see: https://stackoverflow.com/a/2628384/87207
-                yield FunctionName(name[1:]), addr
+def extract_file_function_names(db: Database) -> Iterator[tuple[Feature, Address]]:
+    """extract the names of statically-linked library functions."""
+    for f in db.functions.get_all():
+        flags = db.functions.get_flags(f)
+        if flags & FunctionFlags.LIB:
+            addr = AbsoluteVirtualAddress(f.start_ea)
+            name = db.names.get_at(f.start_ea)
+            if name:
+                yield FunctionName(name), addr
+                if name.startswith("_"):
+                    # some linkers may prefix linked routines with a `_` to avoid name collisions.
+                    # extract features for both the mangled and un-mangled representations.
+                    # e.g. `_fwrite` -> `fwrite`
+                    # see: https://stackoverflow.com/a/2628384/87207
+                    yield FunctionName(name[1:]), addr
 
 
-def extract_file_format() -> Iterator[tuple[Feature, Address]]:
-    filetype = capa.ida.helpers.get_filetype()
+def extract_file_format(db: Database) -> Iterator[tuple[Feature, Address]]:
+    format_name = db.format
 
-    if filetype in (idaapi.f_PE, idaapi.f_COFF):
+    if "PE" in format_name or "COFF" in format_name:
         yield Format(FORMAT_PE), NO_ADDRESS
-    elif filetype == idaapi.f_ELF:
+    elif "ELF" in format_name:
         yield Format(FORMAT_ELF), NO_ADDRESS
-    elif filetype == idaapi.f_BIN:
-        # no file type to return when processing a binary file, but we want to continue processing
+    elif "Binary" in format_name:
         return
     else:
-        raise NotImplementedError(f"unexpected file format: {filetype}")
+        raise NotImplementedError(f"unexpected file format: {format_name}")
 
 
-def extract_features() -> Iterator[tuple[Feature, Address]]:
+def extract_features(db: Database) -> Iterator[tuple[Feature, Address]]:
     """extract file features"""
     for file_handler in FILE_HANDLERS:
-        for feature, addr in file_handler():
+        for feature, addr in file_handler(db):
             yield feature, addr
 
 

capa/features/extractors/ida/function.py

@@ -15,28 +15,30 @@
 from typing import Iterator
 
 import idaapi
-import idautils
+from ida_domain import Database
 
 import capa.features.extractors.ida.helpers
+from capa.features.file import FunctionName
 from capa.features.common import Feature, Characteristic
 from capa.features.address import Address, AbsoluteVirtualAddress
 from capa.features.extractors import loops
 from capa.features.extractors.base_extractor import FunctionHandle
 
 
-def extract_function_calls_to(fh: FunctionHandle):
+def extract_function_calls_to(db: Database, fh: FunctionHandle):
     """extract callers to a function"""
-    for ea in idautils.CodeRefsTo(fh.inner.start_ea, True):
+    for ea in db.xrefs.code_refs_to_ea(fh.inner.start_ea):
         yield Characteristic("calls to"), AbsoluteVirtualAddress(ea)
 
 
-def extract_function_loop(fh: FunctionHandle):
+def extract_function_loop(db: Database, fh: FunctionHandle):
     """extract loop indicators from a function"""
     f: idaapi.func_t = fh.inner
     edges = []
 
     # construct control flow graph
-    for bb in idaapi.FlowChart(f):
+    flowchart = db.functions.get_flowchart(f)
+    for bb in flowchart:
         for succ in bb.succs():
             edges.append((bb.start_ea, succ.start_ea))
 
@@ -44,16 +46,44 @@ def extract_function_loop(fh: FunctionHandle):
         yield Characteristic("loop"), fh.address
 
 
-def extract_recursive_call(fh: FunctionHandle):
+def extract_recursive_call(db: Database, fh: FunctionHandle):
     """extract recursive function call"""
-    if capa.features.extractors.ida.helpers.is_function_recursive(fh.inner):
+    if capa.features.extractors.ida.helpers.is_function_recursive(db, fh.inner):
         yield Characteristic("recursive call"), fh.address
 
 
-def extract_features(fh: FunctionHandle) -> Iterator[tuple[Feature, Address]]:
+def extract_function_name(db: Database, fh: FunctionHandle) -> Iterator[tuple[Feature, Address]]:
+    ea = fh.inner.start_ea
+    name = db.names.get_at(ea)
+    if not name or name.startswith("sub_"):
+        # skip default names, like "sub_401000"
+        return
+
+    yield FunctionName(name), fh.address
+    if name.startswith("_"):
+        # some linkers may prefix linked routines with a `_` to avoid name collisions.
+        # extract features for both the mangled and un-mangled representations.
+        # e.g. `_fwrite` -> `fwrite`
+        # see: https://stackoverflow.com/a/2628384/87207
+        yield FunctionName(name[1:]), fh.address
+
+
+def extract_function_alternative_names(db: Database, fh: FunctionHandle):
+    """Get all alternative names for an address."""
+    for aname in capa.features.extractors.ida.helpers.get_function_alternative_names(db, fh.inner.start_ea):
+        yield FunctionName(aname), fh.address
+
+
+def extract_features(db: Database, fh: FunctionHandle) -> Iterator[tuple[Feature, Address]]:
     for func_handler in FUNCTION_HANDLERS:
-        for feature, addr in func_handler(fh):
+        for feature, addr in func_handler(db, fh):
             yield feature, addr
 
 
-FUNCTION_HANDLERS = (extract_function_calls_to, extract_function_loop, extract_recursive_call)
+FUNCTION_HANDLERS = (
+    extract_function_calls_to,
+    extract_function_loop,
+    extract_recursive_call,
+    extract_function_name,
+    extract_function_alternative_names,
+)

capa/features/extractors/ida/global_.py

@@ -16,7 +16,7 @@ import logging
 import contextlib
 from typing import Iterator
 
-import ida_loader
+from ida_domain import Database
 
 import capa.ida.helpers
 import capa.features.extractors.elf
@@ -26,8 +26,8 @@ from capa.features.address import NO_ADDRESS, Address
 logger = logging.getLogger(__name__)
 
 
-def extract_os() -> Iterator[tuple[Feature, Address]]:
-    format_name: str = ida_loader.get_file_type_name()
+def extract_os(db: Database) -> Iterator[tuple[Feature, Address]]:
+    format_name: str = db.format
 
     if "PE" in format_name:
         yield OS(OS_WINDOWS), NO_ADDRESS
@@ -53,13 +53,14 @@ def extract_os() -> Iterator[tuple[Feature, Address]]:
         return
 
 
-def extract_arch() -> Iterator[tuple[Feature, Address]]:
-    procname = capa.ida.helpers.get_processor_name()
-    if procname == "metapc" and capa.ida.helpers.is_64bit():
+def extract_arch(db: Database) -> Iterator[tuple[Feature, Address]]:
+    bitness = db.bitness
+    arch = db.architecture
+    if arch == "metapc" and bitness == 64:
         yield Arch(ARCH_AMD64), NO_ADDRESS
-    elif procname == "metapc" and capa.ida.helpers.is_32bit():
+    elif arch == "metapc" and bitness == 32:
         yield Arch(ARCH_I386), NO_ADDRESS
-    elif procname == "metapc":
+    elif arch == "metapc":
         logger.debug("unsupported architecture: non-32-bit nor non-64-bit intel")
         return
     else:
@@ -67,5 +68,5 @@ def extract_arch() -> Iterator[tuple[Feature, Address]]:
         #  1. handling a new architecture (e.g. aarch64)
         #
         # for (1), this logic will need to be updated as the format is implemented.
-        logger.debug("unsupported architecture: %s", procname)
+        logger.debug("unsupported architecture: %s", arch)
         return

capa/features/extractors/ida/helpers.py

@@ -20,110 +20,88 @@ import idaapi
 import ida_nalt
 import idautils
 import ida_bytes
+import ida_funcs
 import ida_segment
+from ida_domain import Database
+from ida_domain.functions import FunctionFlags
 
 from capa.features.address import AbsoluteVirtualAddress
 from capa.features.extractors.base_extractor import FunctionHandle
 
-IDA_NALT_ENCODING = ida_nalt.get_default_encoding_idx(ida_nalt.BPU_1B)  # use one byte-per-character encoding
 
+def find_byte_sequence(db: Database, start: int, end: int, seq: bytes) -> Iterator[int]:
+    """yield all ea of a given byte sequence
 
-if hasattr(ida_bytes, "parse_binpat_str"):
-    # TODO (mr): use find_bytes
-    # https://github.com/mandiant/capa/issues/2339
-    def find_byte_sequence(start: int, end: int, seq: bytes) -> Iterator[int]:
-        """yield all ea of a given byte sequence
-
-        args:
-            start: min virtual address
-            end: max virtual address
-            seq: bytes to search e.g. b"\x01\x03"
-        """
-        patterns = ida_bytes.compiled_binpat_vec_t()
-
-        seqstr = " ".join([f"{b:02x}" for b in seq])
-        err = ida_bytes.parse_binpat_str(patterns, 0, seqstr, 16, IDA_NALT_ENCODING)
-
-        if err:
-            return
-
-        while True:
-            ea = ida_bytes.bin_search(start, end, patterns, ida_bytes.BIN_SEARCH_FORWARD)
-            if isinstance(ea, int):
-                # "ea_t" in IDA 8.4, 8.3
-                pass
-            elif isinstance(ea, tuple):
-                # "drc_t" in IDA 9
-                ea = ea[0]
-            else:
-                raise NotImplementedError(f"bin_search returned unhandled type: {type(ea)}")
-            if ea == idaapi.BADADDR:
-                break
-            start = ea + 1
-            yield ea
-
-else:
-    # for IDA 7.5 and older; using deprecated find_binary instead of bin_search
-    def find_byte_sequence(start: int, end: int, seq: bytes) -> Iterator[int]:
-        """yield all ea of a given byte sequence
-
-        args:
-            start: min virtual address
-            end: max virtual address
-            seq: bytes to search e.g. b"\x01\x03"
-        """
-        seqstr = " ".join([f"{b:02x}" for b in seq])
-        while True:
-            ea = idaapi.find_binary(start, end, seqstr, 0, idaapi.SEARCH_DOWN)
-            if ea == idaapi.BADADDR:
-                break
-            start = ea + 1
-            yield ea
+    args:
+        db: IDA Domain Database handle
+        start: min virtual address
+        end: max virtual address
+        seq: bytes to search e.g. b"\x01\x03"
+    """
+    for match in db.bytes.find_binary_sequence(seq, start, end):
+        yield match
 
 
 def get_functions(
-    start: Optional[int] = None, end: Optional[int] = None, skip_thunks: bool = False, skip_libs: bool = False
+    db: Database,
+    start: Optional[int] = None,
+    end: Optional[int] = None,
+    skip_thunks: bool = False,
+    skip_libs: bool = False,
 ) -> Iterator[FunctionHandle]:
     """get functions, range optional
 
     args:
+        db: IDA Domain Database handle
         start: min virtual address
         end: max virtual address
+        skip_thunks: skip thunk functions
+        skip_libs: skip library functions
     """
-    for ea in idautils.Functions(start=start, end=end):
-        f = idaapi.get_func(ea)
-        if not (skip_thunks and (f.flags & idaapi.FUNC_THUNK) or skip_libs and (f.flags & idaapi.FUNC_LIB)):
-            yield FunctionHandle(address=AbsoluteVirtualAddress(ea), inner=f)
+    if start is not None and end is not None:
+        funcs = db.functions.get_between(start, end)
+    else:
+        funcs = db.functions.get_all()
+
+    for f in funcs:
+        flags = db.functions.get_flags(f)
+        if skip_thunks and (flags & FunctionFlags.THUNK):
+            continue
+        if skip_libs and (flags & FunctionFlags.LIB):
+            continue
+        yield FunctionHandle(address=AbsoluteVirtualAddress(f.start_ea), inner=f)
 
 
-def get_segments(skip_header_segments=False) -> Iterator[idaapi.segment_t]:
+def get_segments(db: Database, skip_header_segments: bool = False):
     """get list of segments (sections) in the binary image
 
     args:
+        db: IDA Domain Database handle
         skip_header_segments: IDA may load header segments - skip if set
     """
-    for n in range(idaapi.get_segm_qty()):
-        seg = idaapi.getnseg(n)
-        if seg and not (skip_header_segments and seg.is_header_segm()):
-            yield seg
+    for seg in db.segments.get_all():
+        if skip_header_segments and seg.is_header_segm():
+            continue
+        yield seg
 
 
-def get_segment_buffer(seg: idaapi.segment_t) -> bytes:
+def get_segment_buffer(db: Database, seg) -> bytes:
     """return bytes stored in a given segment
 
-    decrease buffer size until IDA is able to read bytes from the segment
+    args:
+        db: IDA Domain Database handle
+        seg: segment object
     """
-    buff = b""
     sz = seg.end_ea - seg.start_ea
 
+    # decrease buffer size until IDA is able to read bytes from the segment
     while sz > 0:
-        buff = idaapi.get_bytes(seg.start_ea, sz)
+        buff = db.bytes.get_bytes_at(seg.start_ea, sz)
         if buff:
-            break
+            return buff
         sz -= 0x1000
 
-    # IDA returns None if get_bytes fails, so convert for consistent return type
-    return buff if buff else b""
+    return b""
 
 
 def inspect_import(imports, library, ea, function, ordinal):
@@ -139,8 +117,14 @@ def inspect_import(imports, library, ea, function, ordinal):
     return True
 
 
-def get_file_imports() -> dict[int, tuple[str, str, int]]:
-    """get file imports"""
+def get_file_imports(db: Database) -> dict[int, tuple[str, str, int]]:
+    """get file imports
+
+    Note: import enumeration has no Domain API equivalent, using SDK fallback.
+
+    args:
+        db: IDA Domain Database handle (unused, kept for API consistency)
+    """
     imports: dict[int, tuple[str, str, int]] = {}
 
     for idx in range(idaapi.get_import_module_qty()):
@@ -162,28 +146,35 @@ def get_file_imports() -> dict[int, tuple[str, str, int]]:
     return imports
 
 
-def get_file_externs() -> dict[int, tuple[str, str, int]]:
+def get_file_externs(db: Database) -> dict[int, tuple[str, str, int]]:
+    """get extern functions
+
+    args:
+        db: IDA Domain Database handle
+    """
     externs = {}
 
-    for seg in get_segments(skip_header_segments=True):
+    for seg in get_segments(db, skip_header_segments=True):
         if seg.type != ida_segment.SEG_XTRN:
             continue
 
-        for ea in idautils.Functions(seg.start_ea, seg.end_ea):
-            externs[ea] = ("", idaapi.get_func_name(ea), -1)
+        for f in db.functions.get_between(seg.start_ea, seg.end_ea):
+            name = db.functions.get_name(f)
+            externs[f.start_ea] = ("", name, -1)
 
     return externs
 
 
-def get_instructions_in_range(start: int, end: int) -> Iterator[idaapi.insn_t]:
+def get_instructions_in_range(db: Database, start: int, end: int) -> Iterator[idaapi.insn_t]:
     """yield instructions in range
 
     args:
+        db: IDA Domain Database handle
         start: virtual address (inclusive)
         end: virtual address (exclusive)
     """
-    for head in idautils.Heads(start, end):
-        insn = idautils.DecodeInstruction(head)
+    for head in db.heads.get_between(start, end):
+        insn = db.instructions.get_at(head)
         if insn:
             yield insn
 
@@ -233,21 +224,38 @@ def basic_block_size(bb: idaapi.BasicBlock) -> int:
     return bb.end_ea - bb.start_ea
 
 
-def read_bytes_at(ea: int, count: int) -> bytes:
-    """ """
-    # check if byte has a value, see get_wide_byte doc
-    if not idc.is_loaded(ea):
+def read_bytes_at(db: Database, ea: int, count: int) -> bytes:
+    """read bytes at address
+
+    args:
+        db: IDA Domain Database handle
+        ea: effective address
+        count: number of bytes to read
+    """
+    if not db.bytes.is_value_initialized_at(ea):
         return b""
 
-    segm_end = idc.get_segm_end(ea)
-    if ea + count > segm_end:
-        return idc.get_bytes(ea, segm_end - ea)
+    seg = db.segments.get_at(ea)
+    if seg is None:
+        return b""
+
+    if ea + count > seg.end_ea:
+        return db.bytes.get_bytes_at(ea, seg.end_ea - ea) or b""
     else:
-        return idc.get_bytes(ea, count)
+        return db.bytes.get_bytes_at(ea, count) or b""
 
 
-def find_string_at(ea: int, min_: int = 4) -> str:
-    """check if ASCII string exists at a given virtual address"""
+def find_string_at(db: Database, ea: int, min_: int = 4) -> str:
+    """check if string exists at a given virtual address
+
+    Note: Uses SDK fallback as Domain API get_string_at only works for
+    addresses where IDA has already identified a string.
+
+    args:
+        db: IDA Domain Database handle (unused, kept for API consistency)
+        ea: effective address
+        min_: minimum string length
+    """
     found = idaapi.get_strlit_contents(ea, -1, idaapi.STRTYPE_C)
     if found and len(found) >= min_:
         try:
@@ -374,31 +382,51 @@ def mask_op_val(op: idaapi.op_t) -> int:
     return masks.get(op.dtype, op.value) & op.value
 
 
-def is_function_recursive(f: idaapi.func_t) -> bool:
-    """check if function is recursive"""
-    return any(f.contains(ref) for ref in idautils.CodeRefsTo(f.start_ea, True))
+def is_function_recursive(db: Database, f: idaapi.func_t) -> bool:
+    """check if function is recursive
+
+    args:
+        db: IDA Domain Database handle
+        f: function object
+    """
+    for ref in db.xrefs.code_refs_to_ea(f.start_ea):
+        if f.contains(ref):
+            return True
+    return False
 
 
-def is_basic_block_tight_loop(bb: idaapi.BasicBlock) -> bool:
+def is_basic_block_tight_loop(db: Database, bb: idaapi.BasicBlock) -> bool:
     """check basic block loops to self
 
+    args:
+        db: IDA Domain Database handle
+        bb: basic block object
+
     true if last instruction in basic block branches to basic block start
     """
-    bb_end = idc.prev_head(bb.end_ea)
+    bb_end = db.heads.get_previous(bb.end_ea)
+    if bb_end is None:
+        return False
     if bb.start_ea < bb_end:
-        for ref in idautils.CodeRefsFrom(bb_end, True):
+        for ref in db.xrefs.code_refs_from_ea(bb_end):
             if ref == bb.start_ea:
                 return True
     return False
 
 
-def find_data_reference_from_insn(insn: idaapi.insn_t, max_depth: int = 10) -> int:
-    """search for data reference from instruction, return address of instruction if no reference exists"""
+def find_data_reference_from_insn(db: Database, insn: idaapi.insn_t, max_depth: int = 10) -> int:
+    """search for data reference from instruction, return address of instruction if no reference exists
+
+    args:
+        db: IDA Domain Database handle
+        insn: instruction object
+        max_depth: maximum depth to follow references
+    """
     depth = 0
     ea = insn.ea
 
     while True:
-        data_refs = list(idautils.DataRefsFrom(ea))
+        data_refs = list(db.xrefs.data_refs_from_ea(ea))
 
         if len(data_refs) != 1:
             # break if no refs or more than one ref (assume nested pointers only have one data reference)
@@ -408,7 +436,7 @@ def find_data_reference_from_insn(insn: idaapi.insn_t, max_depth: int = 10) -> i
             # break if circular reference
             break
 
-        if not idaapi.is_mapped(data_refs[0]):
+        if not db.is_valid_ea(data_refs[0]):
             # break if address is not mapped
             break
 
@@ -422,10 +450,16 @@ def find_data_reference_from_insn(insn: idaapi.insn_t, max_depth: int = 10) -> i
     return ea
 
 
-def get_function_blocks(f: idaapi.func_t) -> Iterator[idaapi.BasicBlock]:
-    """yield basic blocks contained in specified function"""
+def get_function_blocks(db: Database, f: idaapi.func_t) -> Iterator[idaapi.BasicBlock]:
+    """yield basic blocks contained in specified function
+
+    args:
+        db: IDA Domain Database handle
+        f: function object
+    """
     # leverage idaapi.FC_NOEXT flag to ignore useless external blocks referenced by the function
-    yield from idaapi.FlowChart(f, flags=(idaapi.FC_PREDS | idaapi.FC_NOEXT))
+    flowchart = db.functions.get_flowchart(f, flags=(idaapi.FC_PREDS | idaapi.FC_NOEXT))
+    yield from flowchart
 
 
 def is_basic_block_return(bb: idaapi.BasicBlock) -> bool:
@@ -436,3 +470,26 @@ def is_basic_block_return(bb: idaapi.BasicBlock) -> bool:
 def has_sib(oper: idaapi.op_t) -> bool:
     # via: https://reverseengineering.stackexchange.com/a/14300
     return oper.specflag1 == 1
+
+
+def find_alternative_names(cmt: str):
+    for line in cmt.split("\n"):
+        if line.startswith("Alternative name is '") and line.endswith("'"):
+            name = line[len("Alternative name is '") : -1]  # Extract name between quotes
+            yield name
+
+
+def get_function_alternative_names(db: Database, fva: int):
+    """Get all alternative names for an address.
+
+    args:
+        db: IDA Domain Database handle
+        fva: function virtual address
+    """
+    cmt_info = db.comments.get_at(fva)
+    cmt = cmt_info.comment if cmt_info else ""
+    yield from find_alternative_names(cmt)
+    f = db.functions.get_at(fva)
+    if f:
+        func_cmt = db.functions.get_comment(f, False)
+        yield from find_alternative_names(func_cmt or "")

capa/features/extractors/ida/insn.py

@@ -18,10 +18,12 @@ from typing import Any, Iterator, Optional
 import idc
 import ida_ua
 import idaapi
-import idautils
+from ida_domain import Database
+from ida_domain.functions import FunctionFlags
 
 import capa.features.extractors.helpers
 import capa.features.extractors.ida.helpers
+from capa.features.file import FunctionName
 from capa.features.insn import API, MAX_STRUCTURE_SIZE, Number, Offset, Mnemonic, OperandNumber, OperandOffset
 from capa.features.common import MAX_BYTES_FEATURE_SIZE, THUNK_CHAIN_DEPTH_DELTA, Bytes, String, Feature, Characteristic
 from capa.features.address import Address, AbsoluteVirtualAddress
@@ -32,19 +34,19 @@ from capa.features.extractors.base_extractor import BBHandle, InsnHandle, Functi
 SECURITY_COOKIE_BYTES_DELTA = 0x40
 
 
-def get_imports(ctx: dict[str, Any]) -> dict[int, Any]:
+def get_imports(db: Database, ctx: dict[str, Any]) -> dict[int, Any]:
     if "imports_cache" not in ctx:
-        ctx["imports_cache"] = capa.features.extractors.ida.helpers.get_file_imports()
+        ctx["imports_cache"] = capa.features.extractors.ida.helpers.get_file_imports(db)
     return ctx["imports_cache"]
 
 
-def get_externs(ctx: dict[str, Any]) -> dict[int, Any]:
+def get_externs(db: Database, ctx: dict[str, Any]) -> dict[int, Any]:
     if "externs_cache" not in ctx:
-        ctx["externs_cache"] = capa.features.extractors.ida.helpers.get_file_externs()
+        ctx["externs_cache"] = capa.features.extractors.ida.helpers.get_file_externs(db)
     return ctx["externs_cache"]
 
 
-def check_for_api_call(insn: idaapi.insn_t, funcs: dict[int, Any]) -> Optional[tuple[str, str]]:
+def check_for_api_call(db: Database, insn: idaapi.insn_t, funcs: dict[int, Any]) -> Optional[tuple[str, str]]:
     """check instruction for API call"""
     info = None
     ref = insn.ea
@@ -52,27 +54,32 @@ def check_for_api_call(insn: idaapi.insn_t, funcs: dict[int, Any]) -> Optional[t
     # attempt to resolve API calls by following chained thunks to a reasonable depth
     for _ in range(THUNK_CHAIN_DEPTH_DELTA):
         # assume only one code/data ref when resolving "call" or "jmp"
-        try:
-            ref = tuple(idautils.CodeRefsFrom(ref, False))[0]
-        except IndexError:
-            try:
-                # thunks may be marked as data refs
-                ref = tuple(idautils.DataRefsFrom(ref))[0]
-            except IndexError:
+        code_refs = list(db.xrefs.code_refs_from_ea(ref, flow=False))
+        if code_refs:
+            ref = code_refs[0]
+        else:
+            # thunks may be marked as data refs
+            data_refs = list(db.xrefs.data_refs_from_ea(ref))
+            if data_refs:
+                ref = data_refs[0]
+            else:
                 break
 
         info = funcs.get(ref)
         if info:
             break
 
-        f = idaapi.get_func(ref)
-        if not f or not (f.flags & idaapi.FUNC_THUNK):
+        f = db.functions.get_at(ref)
+        if f is None:
+            break
+        flags = db.functions.get_flags(f)
+        if not (flags & FunctionFlags.THUNK):
             break
 
     return info
 
 
-def extract_insn_api_features(fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle) -> Iterator[tuple[Feature, Address]]:
+def extract_insn_api_features(db: Database, fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle) -> Iterator[tuple[Feature, Address]]:
     """
     parse instruction API features
 
@@ -81,35 +88,30 @@ def extract_insn_api_features(fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle)
     """
     insn: idaapi.insn_t = ih.inner
 
-    if insn.get_canon_mnem() not in ("call", "jmp"):
+    mnem = db.instructions.get_mnemonic(insn)
+    if mnem not in ("call", "jmp"):
         return
 
-    # check call to imported functions
-    api = check_for_api_call(insn, get_imports(fh.ctx))
+    api = check_for_api_call(db, insn, get_imports(db, fh.ctx))
     if api:
-        # tuple (<module>, <function>, <ordinal>)
         for name in capa.features.extractors.helpers.generate_symbols(api[0], api[1]):
             yield API(name), ih.address
-        # a call instruction should only call one function, stop if a call to an import is extracted
         return
 
-    # check call to extern functions
-    api = check_for_api_call(insn, get_externs(fh.ctx))
+    api = check_for_api_call(db, insn, get_externs(db, fh.ctx))
     if api:
-        # tuple (<module>, <function>, <ordinal>)
         yield API(api[1]), ih.address
-        # a call instruction should only call one function, stop if a call to an extern is extracted
         return
 
     # extract dynamically resolved APIs stored in renamed globals (renamed for example using `renimp.idc`)
     # examples: `CreateProcessA`, `HttpSendRequestA`
     if insn.Op1.type == ida_ua.o_mem:
         op_addr = insn.Op1.addr
-        op_name = idaapi.get_name(op_addr)
+        op_name = db.names.get_at(op_addr)
         # when renaming a global using an API name, IDA assigns it the function type
         # ensure we do not extract something wrong by checking that the address has a name and a type
         # we could check that the type is a function definition, but that complicates the code
-        if (not op_name.startswith("off_")) and idc.get_type(op_addr):
+        if op_name and (not op_name.startswith("off_")) and idc.get_type(op_addr):
             # Remove suffix used in repeated names, for example _0 in VirtualFree_0
             match = re.match(r"(.+)_\d+", op_name)
             if match:
@@ -118,19 +120,21 @@ def extract_insn_api_features(fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle)
             for name in capa.features.extractors.helpers.generate_symbols("", op_name):
                 yield API(name), ih.address
 
-    # extract IDA/FLIRT recognized API functions
-    targets = tuple(idautils.CodeRefsFrom(insn.ea, False))
+    targets = list(db.xrefs.code_refs_from_ea(insn.ea, flow=False))
     if not targets:
         return
 
     target = targets[0]
-    target_func = idaapi.get_func(target)
+    target_func = db.functions.get_at(target)
     if not target_func or target_func.start_ea != target:
         # not a function (start)
         return
 
-    if target_func.flags & idaapi.FUNC_LIB:
-        name = idaapi.get_name(target_func.start_ea)
+    name = db.names.get_at(target_func.start_ea)
+    if not name:
+        return
+    flags = db.functions.get_flags(target_func)
+    if flags & FunctionFlags.LIB or not name.startswith("sub_"):
         yield API(name), ih.address
         if name.startswith("_"):
             # some linkers may prefix linked routines with a `_` to avoid name collisions.
@@ -139,9 +143,13 @@ def extract_insn_api_features(fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle)
             # see: https://stackoverflow.com/a/2628384/87207
             yield API(name[1:]), ih.address
 
+        for altname in capa.features.extractors.ida.helpers.get_function_alternative_names(db, target_func.start_ea):
+            yield FunctionName(altname), ih.address
+            yield API(altname), ih.address
+
 
 def extract_insn_number_features(
-    fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle
+    db: Database, fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle
 ) -> Iterator[tuple[Feature, Address]]:
     """
     parse instruction number features
@@ -150,7 +158,7 @@ def extract_insn_number_features(
     """
     insn: idaapi.insn_t = ih.inner
 
-    if idaapi.is_ret_insn(insn):
+    if db.instructions.breaks_sequential_flow(insn):
         # skip things like:
         #   .text:0042250E retn 8
         return
@@ -178,7 +186,8 @@ def extract_insn_number_features(
         yield Number(const), ih.address
         yield OperandNumber(i, const), ih.address
 
-        if insn.itype == idaapi.NN_add and 0 < const < MAX_STRUCTURE_SIZE and op.type == idaapi.o_imm:
+        mnem = db.instructions.get_mnemonic(insn)
+        if mnem == "add" and 0 < const < MAX_STRUCTURE_SIZE and op.type == idaapi.o_imm:
             # for pattern like:
             #
             #     add eax, 0x10
@@ -188,7 +197,7 @@ def extract_insn_number_features(
             yield OperandOffset(i, const), ih.address
 
 
-def extract_insn_bytes_features(fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle) -> Iterator[tuple[Feature, Address]]:
+def extract_insn_bytes_features(db: Database, fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle) -> Iterator[tuple[Feature, Address]]:
     """
     parse referenced byte sequences
     example:
@@ -196,20 +205,20 @@ def extract_insn_bytes_features(fh: FunctionHandle, bbh: BBHandle, ih: InsnHandl
     """
     insn: idaapi.insn_t = ih.inner
 
-    if idaapi.is_call_insn(insn):
+    if db.instructions.is_call_instruction(insn):
         return
 
-    ref = capa.features.extractors.ida.helpers.find_data_reference_from_insn(insn)
+    ref = capa.features.extractors.ida.helpers.find_data_reference_from_insn(db, insn)
     if ref != insn.ea:
-        extracted_bytes = capa.features.extractors.ida.helpers.read_bytes_at(ref, MAX_BYTES_FEATURE_SIZE)
+        extracted_bytes = capa.features.extractors.ida.helpers.read_bytes_at(db, ref, MAX_BYTES_FEATURE_SIZE)
         if extracted_bytes and not capa.features.extractors.helpers.all_zeros(extracted_bytes):
-            if not capa.features.extractors.ida.helpers.find_string_at(ref):
+            if not capa.features.extractors.ida.helpers.find_string_at(db, ref):
                 # don't extract byte features for obvious strings
                 yield Bytes(extracted_bytes), ih.address
 
 
 def extract_insn_string_features(
-    fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle
+    db: Database, fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle
 ) -> Iterator[tuple[Feature, Address]]:
     """
     parse instruction string features
@@ -219,15 +228,15 @@ def extract_insn_string_features(
     """
     insn: idaapi.insn_t = ih.inner
 
-    ref = capa.features.extractors.ida.helpers.find_data_reference_from_insn(insn)
+    ref = capa.features.extractors.ida.helpers.find_data_reference_from_insn(db, insn)
     if ref != insn.ea:
-        found = capa.features.extractors.ida.helpers.find_string_at(ref)
+        found = capa.features.extractors.ida.helpers.find_string_at(db, ref)
         if found:
             yield String(found), ih.address
 
 
 def extract_insn_offset_features(
-    fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle
+    db: Database, fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle
 ) -> Iterator[tuple[Feature, Address]]:
     """
     parse instruction structure offset features
@@ -251,7 +260,7 @@ def extract_insn_offset_features(
         if op_off is None:
             continue
 
-        if idaapi.is_mapped(op_off):
+        if db.is_valid_ea(op_off):
             # Ignore:
             #   mov esi, dword_1005B148[esi]
             continue
@@ -264,8 +273,9 @@ def extract_insn_offset_features(
         yield Offset(op_off), ih.address
         yield OperandOffset(i, op_off), ih.address
 
+        mnem = db.instructions.get_mnemonic(insn)
         if (
-            insn.itype == idaapi.NN_lea
+            mnem == "lea"
             and i == 1
             # o_displ is used for both:
             #   [eax+1]
@@ -300,7 +310,7 @@ def contains_stack_cookie_keywords(s: str) -> bool:
     return any(keyword in s for keyword in ("stack", "security"))
 
 
-def bb_stack_cookie_registers(bb: idaapi.BasicBlock) -> Iterator[int]:
+def bb_stack_cookie_registers(db: Database, bb: idaapi.BasicBlock) -> Iterator[int]:
     """scan basic block for stack cookie operations
 
     yield registers ids that may have been used for stack cookie operations
@@ -326,21 +336,22 @@ def bb_stack_cookie_registers(bb: idaapi.BasicBlock) -> Iterator[int]:
 
     TODO: this is expensive, but necessary?...
     """
-    for insn in capa.features.extractors.ida.helpers.get_instructions_in_range(bb.start_ea, bb.end_ea):
-        if contains_stack_cookie_keywords(idc.GetDisasm(insn.ea)):
+    for insn in capa.features.extractors.ida.helpers.get_instructions_in_range(db, bb.start_ea, bb.end_ea):
+        disasm = db.instructions.get_disassembly(insn)
+        if contains_stack_cookie_keywords(disasm):
             for op in capa.features.extractors.ida.helpers.get_insn_ops(insn, target_ops=(idaapi.o_reg,)):
                 if capa.features.extractors.ida.helpers.is_op_write(insn, op):
                     # only include modified registers
                     yield op.reg
 
 
-def is_nzxor_stack_cookie_delta(f: idaapi.func_t, bb: idaapi.BasicBlock, insn: idaapi.insn_t) -> bool:
+def is_nzxor_stack_cookie_delta(db: Database, f: idaapi.func_t, bb: idaapi.BasicBlock, insn: idaapi.insn_t) -> bool:
     """check if nzxor exists within stack cookie delta"""
     # security cookie check should use SP or BP
     if not capa.features.extractors.ida.helpers.is_frame_register(insn.Op2.reg):
         return False
 
-    f_bbs = tuple(capa.features.extractors.ida.helpers.get_function_blocks(f))
+    f_bbs = tuple(capa.features.extractors.ida.helpers.get_function_blocks(db, f))
 
     # expect security cookie init in first basic block within first bytes (instructions)
     if capa.features.extractors.ida.helpers.is_basic_block_equal(bb, f_bbs[0]) and insn.ea < (
@@ -357,15 +368,17 @@ def is_nzxor_stack_cookie_delta(f: idaapi.func_t, bb: idaapi.BasicBlock, insn: i
     return False
 
 
-def is_nzxor_stack_cookie(f: idaapi.func_t, bb: idaapi.BasicBlock, insn: idaapi.insn_t) -> bool:
+def is_nzxor_stack_cookie(db: Database, f: idaapi.func_t, bb: idaapi.BasicBlock, insn: idaapi.insn_t) -> bool:
     """check if nzxor is related to stack cookie"""
-    if contains_stack_cookie_keywords(idaapi.get_cmt(insn.ea, False)):
+    cmt_info = db.comments.get_at(insn.ea)
+    cmt = cmt_info.comment if cmt_info else ""
+    if contains_stack_cookie_keywords(cmt):
         # Example:
         #   xor     ecx, ebp        ; StackCookie
         return True
-    if is_nzxor_stack_cookie_delta(f, bb, insn):
+    if is_nzxor_stack_cookie_delta(db, f, bb, insn):
         return True
-    stack_cookie_regs = tuple(bb_stack_cookie_registers(bb))
+    stack_cookie_regs = tuple(bb_stack_cookie_registers(db, bb))
     if any(op_reg in stack_cookie_regs for op_reg in (insn.Op1.reg, insn.Op2.reg)):
         # Example:
         #   mov     eax, ___security_cookie
@@ -375,7 +388,7 @@ def is_nzxor_stack_cookie(f: idaapi.func_t, bb: idaapi.BasicBlock, insn: idaapi.
 
 
 def extract_insn_nzxor_characteristic_features(
-    fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle
+    db: Database, fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle
 ) -> Iterator[tuple[Feature, Address]]:
     """
     parse instruction non-zeroing XOR instruction
@@ -383,31 +396,33 @@ def extract_insn_nzxor_characteristic_features(
     """
     insn: idaapi.insn_t = ih.inner
 
-    if insn.itype not in (idaapi.NN_xor, idaapi.NN_xorpd, idaapi.NN_xorps, idaapi.NN_pxor):
+    mnem = db.instructions.get_mnemonic(insn)
+    if mnem not in ("xor", "xorpd", "xorps", "pxor"):
         return
     if capa.features.extractors.ida.helpers.is_operand_equal(insn.Op1, insn.Op2):
         return
-    if is_nzxor_stack_cookie(fh.inner, bbh.inner, insn):
+    if is_nzxor_stack_cookie(db, fh.inner, bbh.inner, insn):
         return
     yield Characteristic("nzxor"), ih.address
 
 
 def extract_insn_mnemonic_features(
-    fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle
+    db: Database, fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle
 ) -> Iterator[tuple[Feature, Address]]:
     """parse instruction mnemonic features"""
-    yield Mnemonic(idc.print_insn_mnem(ih.inner.ea)), ih.address
+    mnem = db.instructions.get_mnemonic(ih.inner)
+    yield Mnemonic(mnem), ih.address
 
 
 def extract_insn_obfs_call_plus_5_characteristic_features(
-    fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle
+    db: Database, fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle
 ) -> Iterator[tuple[Feature, Address]]:
     """
     parse call $+5 instruction from the given instruction.
     """
     insn: idaapi.insn_t = ih.inner
 
-    if not idaapi.is_call_insn(insn):
+    if not db.instructions.is_call_instruction(insn):
         return
 
     if insn.ea + 5 == idc.get_operand_value(insn.ea, 0):
@@ -415,7 +430,7 @@ def extract_insn_obfs_call_plus_5_characteristic_features(
 
 
 def extract_insn_peb_access_characteristic_features(
-    fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle
+    db: Database, fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle
 ) -> Iterator[tuple[Feature, Address]]:
     """parse instruction peb access
 
@@ -426,14 +441,15 @@ def extract_insn_peb_access_characteristic_features(
     """
     insn: idaapi.insn_t = ih.inner
 
-    if insn.itype not in (idaapi.NN_push, idaapi.NN_mov):
+    mnem = db.instructions.get_mnemonic(insn)
+    if mnem not in ("push", "mov"):
         return
 
     if all(op.type != idaapi.o_mem for op in insn.ops):
         # try to optimize for only memory references
         return
 
-    disasm = idc.GetDisasm(insn.ea)
+    disasm = db.instructions.get_disassembly(insn)
 
     if " fs:30h" in disasm or " gs:60h" in disasm:
         # TODO(mike-hunhoff): use proper IDA API for fetching segment access
@@ -443,7 +459,7 @@ def extract_insn_peb_access_characteristic_features(
 
 
 def extract_insn_segment_access_features(
-    fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle
+    db: Database, fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle
 ) -> Iterator[tuple[Feature, Address]]:
     """parse instruction fs or gs access
 
@@ -456,7 +472,7 @@ def extract_insn_segment_access_features(
         # try to optimize for only memory references
         return
 
-    disasm = idc.GetDisasm(insn.ea)
+    disasm = db.instructions.get_disassembly(insn)
 
     if " fs:" in disasm:
         # TODO(mike-hunhoff): use proper IDA API for fetching segment access
@@ -472,37 +488,39 @@ def extract_insn_segment_access_features(
 
 
 def extract_insn_cross_section_cflow(
-    fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle
+    db: Database, fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle
 ) -> Iterator[tuple[Feature, Address]]:
     """inspect the instruction for a CALL or JMP that crosses section boundaries"""
     insn: idaapi.insn_t = ih.inner
 
-    for ref in idautils.CodeRefsFrom(insn.ea, False):
-        if ref in get_imports(fh.ctx):
+    for ref in db.xrefs.code_refs_from_ea(insn.ea, flow=False):
+        if ref in get_imports(db, fh.ctx):
             # ignore API calls
             continue
-        if not idaapi.getseg(ref):
+        ref_seg = db.segments.get_at(ref)
+        if ref_seg is None:
             # handle IDA API bug
             continue
-        if idaapi.getseg(ref) == idaapi.getseg(insn.ea):
+        insn_seg = db.segments.get_at(insn.ea)
+        if ref_seg == insn_seg:
             continue
         yield Characteristic("cross section flow"), ih.address
 
 
-def extract_function_calls_from(fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle) -> Iterator[tuple[Feature, Address]]:
+def extract_function_calls_from(db: Database, fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle) -> Iterator[tuple[Feature, Address]]:
     """extract functions calls from features
 
     most relevant at the function scope, however, its most efficient to extract at the instruction scope
     """
     insn: idaapi.insn_t = ih.inner
 
-    if idaapi.is_call_insn(insn):
-        for ref in idautils.CodeRefsFrom(insn.ea, False):
+    if db.instructions.is_call_instruction(insn):
+        for ref in db.xrefs.code_refs_from_ea(insn.ea, flow=False):
             yield Characteristic("calls from"), AbsoluteVirtualAddress(ref)
 
 
 def extract_function_indirect_call_characteristic_features(
-    fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle
+    db: Database, fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle
 ) -> Iterator[tuple[Feature, Address]]:
     """extract indirect function calls (e.g., call eax or call dword ptr [edx+4])
     does not include calls like => call ds:dword_ABD4974
@@ -512,14 +530,14 @@ def extract_function_indirect_call_characteristic_features(
     """
     insn: idaapi.insn_t = ih.inner
 
-    if idaapi.is_call_insn(insn) and idc.get_operand_type(insn.ea, 0) in (idc.o_reg, idc.o_phrase, idc.o_displ):
+    if db.instructions.is_call_instruction(insn) and idc.get_operand_type(insn.ea, 0) in (idc.o_reg, idc.o_phrase, idc.o_displ):
         yield Characteristic("indirect call"), ih.address
 
 
-def extract_features(f: FunctionHandle, bbh: BBHandle, insn: InsnHandle) -> Iterator[tuple[Feature, Address]]:
+def extract_features(db: Database, f: FunctionHandle, bbh: BBHandle, insn: InsnHandle) -> Iterator[tuple[Feature, Address]]:
     """extract instruction features"""
     for inst_handler in INSTRUCTION_HANDLERS:
-        for feature, ea in inst_handler(f, bbh, insn):
+        for feature, ea in inst_handler(db, f, bbh, insn):
             yield feature, ea
 
 

capa/features/extractors/vmray/__init__.py

@@ -96,14 +96,7 @@ class VMRayAnalysis:
                 % (self.submission_name, self.submission_type)
             )
 
-        if self.submission_static is not None:
-            if self.submission_static.pe is None and self.submission_static.elf is None:
-                # we only support static analysis for PE and ELF files for now
-                raise UnsupportedFormatError(
-                    "archive does not contain a supported file format (submission_name: %s, submission_type: %s)"
-                    % (self.submission_name, self.submission_type)
-                )
-        else:
+        if self.submission_static is None:
             # VMRay may not record static analysis for certain file types, e.g. MSI, but we'd still like to match dynamic
             # execution so we continue without and accept that the results may be incomplete
             logger.warning(

capa/ghidra/README.md

@@ -1,107 +1,75 @@
-<div align="center">
-    <img src="../../doc/img/ghidra_backend_logo.png" width=240 height=125>
-</div>
+# capa analysis using Ghidra
 
-# capa + Ghidra
+capa supports using Ghidra (via [PyGhidra](https://github.com/NationalSecurityAgency/ghidra/tree/master/Ghidra/Features/PyGhidra)) as a feature extraction backend. This enables you to run capa against binaries using Ghidra's analysis engine.
 
-[capa](https://github.com/mandiant/capa) is the FLARE team’s open-source tool that detects capabilities in executable files. [Ghidra](https://github.com/NationalSecurityAgency/ghidra) is an open-source software reverse engineering framework created and maintained by the National Security Agency Research Directorate. capa + Ghidra brings capa’s detection capabilities directly to Ghidra’s user interface helping speed up your reverse engineering tasks by identifying what parts of a program suggest interesting behavior, such as setting a registry value. You can execute the included Python 3 scripts [capa_explorer.py](https://raw.githubusercontent.com/mandiant/capa/master/capa/ghidra/capa_explorer.py) or [capa_ghidra.py](https://raw.githubusercontent.com/mandiant/capa/master/capa/ghidra/capa_ghidra.py) to run capa’s analysis and view the results in Ghidra. You may be asking yourself, “Python 3 scripts in Ghidra?”. You read that correctly. This integration is written entirely in Python 3 and relies on [Ghidrathon]( https://github.com/mandiant/ghidrathon), an open source Ghidra extension that adds Python 3 scripting to Ghidra.
-
-Check out our capa + Ghidra blog posts:
-* [Riding Dragons: capa Harnesses Ghidra](https://www.mandiant.com/resources/blog/capa-harnesses-ghidra)
-
-## UI Integration
-[capa_explorer.py](https://raw.githubusercontent.com/mandiant/capa/master/capa/ghidra/capa_explorer.py) renders capa results in Ghidra's UI to help you quickly navigate them. This includes adding matched functions to Ghidra’s Symbol Tree and Bookmarks windows and adding comments to functions that indicate matched capabilities and features. You can execute this script using Ghidra’s Script Manager window.
-
-### Symbol Tree Window
-Matched functions are added to Ghidra's Symbol Tree window under a custom namespace that maps to the capabilities' [capa namespace](https://github.com/mandiant/capa-rules/blob/master/doc/format.md#rule-namespace).
-<div align="center">
-    <img src="https://github.com/mandiant/capa/assets/66766340/eeae33f4-99d4-42dc-a5e8-4c1b8c661492" width=300>
-</div>
-
-### Comments
-
-Comments are added at the beginning of matched functions indicating matched capabilities and inline comments are added to functions indicating matched features. You can view these comments in Ghidra’s Disassembly Listing and Decompile windows.
-<div align="center">
-    <img src="https://github.com/mandiant/capa/assets/66766340/bb2b4170-7fd4-45fc-8c7b-ff8f2e2f101b" width=1000>
-</div>
-
-### Bookmarks
-
-Bookmarks are added to functions that matched a capability that is mapped to a MITRE ATT&CK and/or Malware Behavior Catalog (MBC) technique. You can view these bookmarks in Ghidra's Bookmarks window.
-<div align="center">
-    <img src="https://github.com/mandiant/capa/assets/66766340/7f9a66a9-7be7-4223-91c6-4b8fc4651336" width=825>
-</div>
-
-## Text-based Integration
-
-[capa_ghidra.py](https://raw.githubusercontent.com/mandiant/capa/master/capa/ghidra/capa_ghidra.py) outputs text-based capa results that mirror the output of capa’s standalone tool. You can execute this script using Ghidra’s Script Manager and view its output in Ghidra’s Console window.
-
-<div align="center">
-  <img src="../../doc/img/ghidra_script_mngr_output.png" width=700>
-</div>
-
-You can also execute [capa_ghidra.py](https://raw.githubusercontent.com/mandiant/capa/master/capa/ghidra/capa_ghidra.py) using Ghidra's Headless Analyzer to view its output in a terminal window.
-
-<div align="center">
-  <img src="../../doc/img/ghidra_headless_analyzer.png">
-</div>
-
-# Getting Started
-
-## Requirements
-
-| Tool | Version | Source |
-|------------|---------|--------|
-| capa | `>= 7.0.0` | https://github.com/mandiant/capa/releases |
-| Ghidrathon | `>= 3.0.0` | https://github.com/mandiant/Ghidrathon/releases |
-| Ghidra | `>= 10.3.2` | https://github.com/NationalSecurityAgency/ghidra/releases |
-| Python | `>= 3.10.0` | https://www.python.org/downloads |
-
-## Installation
-
-**Note**: capa + Ghidra relies on [Ghidrathon]( https://github.com/mandiant/ghidrathon) to execute Python 3 code in Ghidra. You must first install and configure Ghidrathon using the [steps outlined in its README]( https://github.com/mandiant/ghidrathon?tab=readme-ov-file#installing-ghidrathon). Then, you must use the Python 3 interpreter that you configured with Ghidrathon to complete the following steps:
-
-1. Install capa and its dependencies from PyPI using the following command:
 ```bash
-$ pip install flare-capa
+$ capa -b ghidra Practical\ Malware\ Analysis\ Lab\ 01-01.exe_
+┌──────────┬──────────────────────────────────────────────────────────────────────────────────────────────────────┐
+│ md5      │ bb7425b82141a1c0f7d60e5106676bb1                                                                     │
+│ sha1     │                                                                                                      │
+│ sha256   │ 58898bd42c5bd3bf9b1389f0eee5b39cd59180e8370eb9ea838a0b327bd6fe47                                     │
+│ analysis │ static                                                                                               │
+│ os       │ windows                                                                                              │
+│ format   │ pe                                                                                                   │
+│ arch     │ i386                                                                                                 │
+│ path     │ ~/Documents/capa/tests/data/Practical Malware Analysis Lab 01-01.exe_                                │
+└──────────┴──────────────────────────────────────────────────────────────────────────────────────────────────────┘
+┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
+┃ ATT&CK Tactic                      ┃ ATT&CK Technique                                            ┃
+┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
+│ DISCOVERY                          │ File and Directory Discovery [T1083]                        │
+└────────────────────────────────────┴─────────────────────────────────────────────────────────────┘
+┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
+┃ MBC Objective                      ┃ MBC Behavior                                                ┃
+┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
+│ DISCOVERY                          │ File and Directory Discovery [E1083]                        │
+│ FILE SYSTEM                        │ Copy File [C0045]                                           │
+│                                    │ Read File [C0051]                                           │
+│ PROCESS                            │ Terminate Process [C0018]                                   │
+└────────────────────────────────────┴─────────────────────────────────────────────────────────────┘
+┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
+┃ Capability                                     ┃ Namespace                                       ┃
+┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
+│ copy file                                      │ host-interaction/file-system/copy               │
+│ enumerate files recursively                    │ host-interaction/file-system/files/list         │
+│ read file via mapping (2 matches)              │ host-interaction/file-system/read               │
+│ terminate process (2 matches)                  │ host-interaction/process/terminate              │
+│ resolve function by parsing PE exports         │ load-code/pe                                    │
+└────────────────────────────────────────────────┴─────────────────────────────────────────────────┘
 ```
 
-2. Download and extract the [official capa rules](https://github.com/mandiant/capa-rules/releases) that match the capa version you have installed. You can use the following command to view the version of capa you have installed:
+## getting started
+
+### requirements
+
+- [Ghidra](https://github.com/NationalSecurityAgency/ghidra) >= 12.0 must be installed and available via the `GHIDRA_INSTALL_DIR` environment variable.
+
+#### standalone binary (recommended)
+
+The capa [standalone binary](https://github.com/mandiant/capa/releases) is the preferred way to run capa with the Ghidra backend.
+Although the binary does not bundle the Java environment or Ghidra itself, it will dynamically load them at runtime.
+
+#### python package
+
+You can also use the Ghidra backend with the capa Python package by installing `flare-capa` with the `ghidra` extra.
+
 ```bash
-$ pip show flare-capa
-OR
-$ capa --version
+$ pip install "flare-capa[ghidra]"
 ```
 
-3. Copy [capa_explorer.py](https://raw.githubusercontent.com/mandiant/capa/master/capa/ghidra/capa_explorer.py) and [capa_ghidra.py](https://raw.githubusercontent.com/mandiant/capa/master/capa/ghidra/capa_ghidra.py) to your `ghidra_scripts` directory or manually add the parent directory of each script using Ghidra’s Script Manager.
+### usage
 
-## Usage
+To use the Ghidra backend, specify it with the `-b` or `--backend` flag:
 
-You can execute [capa_explorer.py](https://raw.githubusercontent.com/mandiant/capa/master/capa/ghidra/capa_explorer.py) and [capa_ghidra.py](https://raw.githubusercontent.com/mandiant/capa/master/capa/ghidra/capa_ghidra.py) using Ghidra’s Script Manager. [capa_ghidra.py](https://raw.githubusercontent.com/mandiant/capa/master/capa/ghidra/capa_ghidra.py) can also be executed using Ghidra's Headless Analyzer.
-
-### Execution using Ghidra’s Script Manager
-
-You can execute [capa_explorer.py](https://raw.githubusercontent.com/mandiant/capa/master/capa/ghidra/capa_explorer.py) and [capa_ghidra.py](https://raw.githubusercontent.com/mandiant/capa/master/capa/ghidra/capa_ghidra.py) using Ghidra's Script Manager as follows:
-1. Navigate to `Window > Script Manager`
-2. Expand the `Python 3 > capa` category
-3. Double-click a script to execute it
-
-Both scripts ask you to provide the path of your capa rules directory (see installation step 2). [capa_ghidra.py](https://raw.githubusercontent.com/mandiant/capa/master/capa/ghidra/capa_ghidra.py) also has you choose one of `default`, `verbose`, and `vverbose` output formats which mirror the output formats of capa’s standalone tool.
-
-### Execution using Ghidra’s Headless Analyzer
-
-You can execute [capa_ghidra.py](https://raw.githubusercontent.com/mandiant/capa/master/capa/ghidra/capa_ghidra.py) using Ghidra’s Headless Analyzer by invoking the `analyzeHeadless` script included with Ghidra in its `support` directory. The following arguments must be provided:
-
-| Argument | Description |
-|----|----|
-|`<project_path>`| Path to Ghidra project|
-| `<project_name>`| Name of Ghidra Project|
-| `-Process <sample_name>` OR `-Import <sample_path>`| Name of sample `<sample_name>` already imported into `<project_name>` OR absolute path of sample `<sample_path>` to import into `<project_name>`|
-| `-ScriptPath <script_path>`| OPTIONAL parent directory `<script_path>` of [capa_ghidra.py](https://raw.githubusercontent.com/mandiant/capa/master/capa/ghidra/capa_ghidra.py)|
-| `-PostScript capa_ghidra.py`| Execute [capa_ghidra.py](https://raw.githubusercontent.com/mandiant/capa/master/capa/ghidra/capa_ghidra.py) after Ghidra analysis|
-| `"<script_args>"`| Quoted string `"<script_args>"` containing script arguments passed to [capa_ghidra.py](https://raw.githubusercontent.com/mandiant/capa/master/capa/ghidra/capa_ghidra.py) that must specify a capa rules path and optionally the output format (`--verbose`, `--vverbose`, `--json`) – you can specify `”help”` to view the script’s help message |
-
-The following is an example of combining these arguments into a single `analyzeHeadless` script command:
 ```bash
-$ analyzeHeadless /home/wumbo/demo demo -Import /home/wumbo/capa/tests/data/Practical\ Malware\ Analysis\ Lab\ 01-01.dll_ -PostScript capa_ghidra.py "/home/wumbo/capa/rules --verbose"
+$ capa -b ghidra /path/to/sample
 ```
+
+capa will:
+1.  Initialize a headless Ghidra instance.
+2.  Create a temporary project.
+3.  Import and analyze the sample.
+4.  Extract features and match rules.
+5.  Clean up the temporary project.
+
+**Note:** The first time you run this, it may take a few moments to initialize the Ghidra environment.

capa/ghidra/capa_ghidra.py

@@ -1,174 +0,0 @@
-# Run capa against loaded Ghidra database and render results in Ghidra Console window
-# @author Mike Hunhoff (mehunhoff@google.com)
-# @category Python 3.capa
-
-# Copyright 2023 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import sys
-import logging
-import pathlib
-import argparse
-
-import capa
-import capa.main
-import capa.rules
-import capa.ghidra.helpers
-import capa.render.default
-import capa.capabilities.common
-import capa.features.extractors.ghidra.extractor
-
-logger = logging.getLogger("capa_ghidra")
-
-
-def run_headless():
-    parser = argparse.ArgumentParser(description="The FLARE team's open-source tool to integrate capa with Ghidra.")
-
-    parser.add_argument(
-        "rules",
-        type=str,
-        help="path to rule file or directory",
-    )
-    parser.add_argument(
-        "-v", "--verbose", action="store_true", help="enable verbose result document (no effect with --json)"
-    )
-    parser.add_argument(
-        "-vv", "--vverbose", action="store_true", help="enable very verbose result document (no effect with --json)"
-    )
-    parser.add_argument("-d", "--debug", action="store_true", help="enable debugging output on STDERR")
-    parser.add_argument("-q", "--quiet", action="store_true", help="disable all output but errors")
-    parser.add_argument("-j", "--json", action="store_true", help="emit JSON instead of text")
-
-    script_args = list(getScriptArgs())  # type: ignore [name-defined] # noqa: F821
-    if not script_args or len(script_args) > 1:
-        script_args = []
-    else:
-        script_args = script_args[0].split()
-        for idx, arg in enumerate(script_args):
-            if arg.lower() == "help":
-                script_args[idx] = "--help"
-
-    args = parser.parse_args(args=script_args)
-
-    if args.quiet:
-        logging.basicConfig(level=logging.WARNING)
-        logging.getLogger().setLevel(logging.WARNING)
-    elif args.debug:
-        logging.basicConfig(level=logging.DEBUG)
-        logging.getLogger().setLevel(logging.DEBUG)
-    else:
-        logging.basicConfig(level=logging.INFO)
-        logging.getLogger().setLevel(logging.INFO)
-
-    logger.debug("running in Ghidra headless mode")
-
-    rules_path = pathlib.Path(args.rules)
-
-    logger.debug("rule path: %s", rules_path)
-    rules = capa.rules.get_rules([rules_path])
-
-    meta = capa.ghidra.helpers.collect_metadata([rules_path])
-    extractor = capa.features.extractors.ghidra.extractor.GhidraFeatureExtractor()
-
-    capabilities = capa.capabilities.common.find_capabilities(rules, extractor, False)
-
-    meta.analysis.feature_counts = capabilities.feature_counts
-    meta.analysis.library_functions = capabilities.library_functions
-    meta.analysis.layout = capa.loader.compute_layout(rules, extractor, capabilities.matches)
-
-    if capa.capabilities.common.has_static_limitation(rules, capabilities, is_standalone=True):
-        logger.info("capa encountered warnings during analysis")
-
-    if args.json:
-        print(capa.render.json.render(meta, rules, capabilities.matches))  # noqa: T201
-    elif args.vverbose:
-        print(capa.render.vverbose.render(meta, rules, capabilities.matches))  # noqa: T201
-    elif args.verbose:
-        print(capa.render.verbose.render(meta, rules, capabilities.matches))  # noqa: T201
-    else:
-        print(capa.render.default.render(meta, rules, capabilities.matches))  # noqa: T201
-
-    return 0
-
-
-def run_ui():
-    logging.basicConfig(level=logging.INFO)
-    logging.getLogger().setLevel(logging.INFO)
-
-    rules_dir: str = ""
-    try:
-        selected_dir = askDirectory("Choose capa rules directory", "Ok")  # type: ignore [name-defined] # noqa: F821
-        if selected_dir:
-            rules_dir = selected_dir.getPath()
-    except RuntimeError:
-        # RuntimeError thrown when user selects "Cancel"
-        pass
-
-    if not rules_dir:
-        logger.info("You must choose a capa rules directory before running capa.")
-        return capa.main.E_MISSING_RULES
-
-    verbose = askChoice(  # type: ignore [name-defined] # noqa: F821
-        "capa output verbosity", "Choose capa output verbosity", ["default", "verbose", "vverbose"], "default"
-    )
-
-    rules_path: pathlib.Path = pathlib.Path(rules_dir)
-    logger.info("running capa using rules from %s", str(rules_path))
-
-    rules = capa.rules.get_rules([rules_path])
-
-    meta = capa.ghidra.helpers.collect_metadata([rules_path])
-    extractor = capa.features.extractors.ghidra.extractor.GhidraFeatureExtractor()
-
-    capabilities = capa.capabilities.common.find_capabilities(rules, extractor, True)
-
-    meta.analysis.feature_counts = capabilities.feature_counts
-    meta.analysis.library_functions = capabilities.library_functions
-    meta.analysis.layout = capa.loader.compute_layout(rules, extractor, capabilities.matches)
-
-    if capa.capabilities.common.has_static_limitation(rules, capabilities, is_standalone=False):
-        logger.info("capa encountered warnings during analysis")
-
-    if verbose == "vverbose":
-        print(capa.render.vverbose.render(meta, rules, capabilities.matches))  # noqa: T201
-    elif verbose == "verbose":
-        print(capa.render.verbose.render(meta, rules, capabilities.matches))  # noqa: T201
-    else:
-        print(capa.render.default.render(meta, rules, capabilities.matches))  # noqa: T201
-
-    return 0
-
-
-def main():
-    if not capa.ghidra.helpers.is_supported_ghidra_version():
-        return capa.main.E_UNSUPPORTED_GHIDRA_VERSION
-
-    if not capa.ghidra.helpers.is_supported_file_type():
-        return capa.main.E_INVALID_FILE_TYPE
-
-    if not capa.ghidra.helpers.is_supported_arch_type():
-        return capa.main.E_INVALID_FILE_ARCH
-
-    if isRunningHeadless():  # type: ignore [name-defined] # noqa: F821
-        return run_headless()
-    else:
-        return run_ui()
-
-
-if __name__ == "__main__":
-    if sys.version_info < (3, 10):
-        from capa.exceptions import UnsupportedRuntimeError
-
-        raise UnsupportedRuntimeError("This version of capa can only be used with Python 3.10+")
-    sys.exit(main())

capa/ghidra/helpers.py

@@ -22,6 +22,7 @@ import capa.version
 import capa.features.common
 import capa.features.freeze
 import capa.render.result_document as rdoc
+import capa.features.extractors.ghidra.context as ghidra_context
 import capa.features.extractors.ghidra.helpers
 from capa.features.address import AbsoluteVirtualAddress
 
@@ -31,6 +32,18 @@ logger = logging.getLogger("capa")
 SUPPORTED_FILE_TYPES = ("Executable and Linking Format (ELF)", "Portable Executable (PE)", "Raw Binary")
 
 
+def get_current_program():
+    return ghidra_context.get_context().program
+
+
+def get_flat_api():
+    return ghidra_context.get_context().flat_api
+
+
+def get_monitor():
+    return ghidra_context.get_context().monitor
+
+
 class GHIDRAIO:
     """
     An object that acts as a file-like object,
@@ -48,7 +61,12 @@ class GHIDRAIO:
         self.offset = offset
 
     def read(self, size):
-        logger.debug("reading 0x%x bytes at 0x%x (ea: 0x%x)", size, self.offset, currentProgram().getImageBase().add(self.offset).getOffset())  # type: ignore [name-defined] # noqa: F821
+        logger.debug(
+            "reading 0x%x bytes at 0x%x (ea: 0x%x)",
+            size,
+            self.offset,
+            get_current_program().getImageBase().add(self.offset).getOffset(),
+        )
 
         if size > len(self.bytes_) - self.offset:
             logger.debug("cannot read 0x%x bytes at 0x%x (ea: BADADDR)", size, self.offset)
@@ -60,7 +78,7 @@ class GHIDRAIO:
         return
 
     def get_bytes(self):
-        file_bytes = currentProgram().getMemory().getAllFileBytes()[0]  # type: ignore [name-defined] # noqa: F821
+        file_bytes = get_current_program().getMemory().getAllFileBytes()[0]
 
         # getOriginalByte() allows for raw file parsing on the Ghidra side
         # other functions will fail as Ghidra will think that it's reading uninitialized memory
@@ -70,21 +88,32 @@ class GHIDRAIO:
 
 
 def is_supported_ghidra_version():
-    version = float(getGhidraVersion()[:4])  # type: ignore [name-defined] # noqa: F821
-    if version < 10.2:
-        warning_msg = "capa does not support this Ghidra version"
-        logger.warning(warning_msg)
-        logger.warning("Your Ghidra version is: %s. Supported versions are: Ghidra >= 10.2", version)
+    import ghidra.framework
+
+    version = ghidra.framework.Application.getApplicationVersion()
+    try:
+        # version format example: "11.1.2" or "11.4"
+        major, minor = map(int, version.split(".")[:2])
+        if major < 12:
+            logger.error("-" * 80)
+            logger.error(" Ghidra version %s is not supported.", version)
+            logger.error(" ")
+            logger.error(" capa requires Ghidra 12.0 or higher.")
+            logger.error("-" * 80)
+            return False
+    except ValueError:
+        logger.warning("could not parse Ghidra version: %s", version)
         return False
+
     return True
 
 
 def is_running_headless():
-    return isRunningHeadless()  # type: ignore [name-defined] # noqa: F821
+    return True  # PyGhidra is always headless in this context
 
 
 def is_supported_file_type():
-    file_info = currentProgram().getExecutableFormat()  # type: ignore [name-defined] # noqa: F821
+    file_info = get_current_program().getExecutableFormat()
     if file_info not in SUPPORTED_FILE_TYPES:
         logger.error("-" * 80)
         logger.error(" Input file does not appear to be a supported file type.")
@@ -99,7 +128,7 @@ def is_supported_file_type():
 
 
 def is_supported_arch_type():
-    lang_id = str(currentProgram().getLanguageID()).lower()  # type: ignore [name-defined] # noqa: F821
+    lang_id = str(get_current_program().getLanguageID()).lower()
 
     if not all((lang_id.startswith("x86"), any(arch in lang_id for arch in ("32", "64")))):
         logger.error("-" * 80)
@@ -112,18 +141,18 @@ def is_supported_arch_type():
 
 
 def get_file_md5():
-    return currentProgram().getExecutableMD5()  # type: ignore [name-defined] # noqa: F821
+    return get_current_program().getExecutableMD5()
 
 
 def get_file_sha256():
-    return currentProgram().getExecutableSHA256()  # type: ignore [name-defined] # noqa: F821
+    return get_current_program().getExecutableSHA256()
 
 
 def collect_metadata(rules: list[Path]):
     md5 = get_file_md5()
     sha256 = get_file_sha256()
 
-    info = currentProgram().getLanguageID().toString()  # type: ignore [name-defined] # noqa: F821
+    info = get_current_program().getLanguageID().toString()
     if "x86" in info and "64" in info:
         arch = "x86_64"
     elif "x86" in info and "32" in info:
@@ -131,11 +160,11 @@ def collect_metadata(rules: list[Path]):
     else:
         arch = "unknown arch"
 
-    format_name: str = currentProgram().getExecutableFormat()  # type: ignore [name-defined] # noqa: F821
+    format_name: str = get_current_program().getExecutableFormat()
     if "PE" in format_name:
         os = "windows"
     elif "ELF" in format_name:
-        with contextlib.closing(capa.ghidra.helpers.GHIDRAIO()) as f:
+        with contextlib.closing(GHIDRAIO()) as f:
             os = capa.features.extractors.elf.detect_elf_os(f)
     else:
         os = "unknown os"
@@ -148,16 +177,18 @@ def collect_metadata(rules: list[Path]):
             md5=md5,
             sha1="",
             sha256=sha256,
-            path=currentProgram().getExecutablePath(),  # type: ignore [name-defined] # noqa: F821
+            path=get_current_program().getExecutablePath(),
         ),
         flavor=rdoc.Flavor.STATIC,
         analysis=rdoc.StaticAnalysis(
-            format=currentProgram().getExecutableFormat(),  # type: ignore [name-defined] # noqa: F821
+            format=get_current_program().getExecutableFormat(),
             arch=arch,
             os=os,
             extractor="ghidra",
             rules=tuple(r.resolve().absolute().as_posix() for r in rules),
-            base_address=capa.features.freeze.Address.from_capa(AbsoluteVirtualAddress(currentProgram().getImageBase().getOffset())),  # type: ignore [name-defined] # noqa: F821
+            base_address=capa.features.freeze.Address.from_capa(
+                AbsoluteVirtualAddress(get_current_program().getImageBase().getOffset())
+            ),
             layout=rdoc.StaticLayout(
                 functions=(),
             ),

capa/ghidra/plugin/README.md

@@ -0,0 +1,54 @@
+<div align="center">
+    <img src="https://github.com/mandiant/capa/blob/master/doc/img/ghidra_backend_logo.png" width=240 height=125>
+</div>
+
+# capa explorer for Ghidra
+
+capa explorer for Ghidra brings capa’s detection capabilities directly to Ghidra’s user interface helping speed up your reverse engineering tasks by identifying what parts of a program suggest interesting behavior, such as setting a registry value. You can execute (via [PyGhidra](https://github.com/NationalSecurityAgency/ghidra/tree/master/Ghidra/Features/PyGhidra)) the script [capa_explorer.py](https://raw.githubusercontent.com/mandiant/capa/master/capa/ghidra/plugin/capa_explorer.py) using Ghidra’s Script Manager window to run capa’s analysis and view the results in Ghidra.
+
+## ui integration
+[capa_explorer.py](https://raw.githubusercontent.com/mandiant/capa/master/capa/ghidra/capa_explorer.py) renders capa results in Ghidra's UI to help you quickly navigate them. This includes adding matched functions to Ghidra’s Symbol Tree and Bookmarks windows and adding comments to functions that indicate matched capabilities and features. You can execute this script using Ghidra’s Script Manager window.
+
+### symbol tree window
+Matched functions are added to Ghidra's Symbol Tree window under a custom namespace that maps to the capabilities' [capa namespace](https://github.com/mandiant/capa-rules/blob/master/doc/format.md#rule-namespace).
+<div align="center">
+    <img src="https://github.com/mandiant/capa/assets/66766340/eeae33f4-99d4-42dc-a5e8-4c1b8c661492" width=300>
+</div>
+
+### comments
+
+Comments are added at the beginning of matched functions indicating matched capabilities and inline comments are added to functions indicating matched features. You can view these comments in Ghidra’s Disassembly Listing and Decompile windows.
+<div align="center">
+    <img src="https://github.com/mandiant/capa/assets/66766340/bb2b4170-7fd4-45fc-8c7b-ff8f2e2f101b" width=1000>
+</div>
+
+### bookmarks
+
+Bookmarks are added to functions that matched a capability that is mapped to a MITRE ATT&CK and/or Malware Behavior Catalog (MBC) technique. You can view these bookmarks in Ghidra's Bookmarks window.
+<div align="center">
+    <img src="https://github.com/mandiant/capa/assets/66766340/7f9a66a9-7be7-4223-91c6-4b8fc4651336" width=825>
+</div>
+
+# getting started
+
+## requirements
+
+- [Ghidra](https://github.com/NationalSecurityAgency/ghidra) >= 12.0 must be installed.
+- [flare-capa](https://pypi.org/project/flare-capa/) >= 10.0 must be installed (virtual environment recommended) with the `ghidra` extra (e.g., `pip install "flare-capa[ghidra]"`).
+- [capa rules](https://github.com/mandiant/capa-rules) must be downloaded for the version of capa you are using.
+
+## execution
+
+### 1. run Ghidra with PyGhidra
+You must start Ghidra using the `pyghidraRun` script provided in the support directory of your Ghidra installation to ensure the Python environment is correctly loaded. You should execute `pyghidraRun` from within the Python environment that you used to install capa.
+
+```bash
+<ghidra_install>/support/pyghidraRun
+```
+
+### 2. run capa_explorer.py
+1. Open your Ghidra project and CodeBrowser.
+2. Open the Script Manager.
+3. Add [capa_explorer.py](https://raw.githubusercontent.com/mandiant/capa/master/capa/ghidra/plugin/capa_explorer.py) to the script directories.
+4. Filter for capa and run the script.
+5. When prompted, select the directory containing the downloaded capa rules.

capa/ghidra/plugin/capa_explorer.py

@@ -1,7 +1,3 @@
-# Run capa against loaded Ghidra database and render results in Ghidra UI
-# @author Colton Gabertan (gabertan.colton@gmail.com)
-# @category Python 3.capa
-
 # Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -16,36 +12,63 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-import sys
+# Run capa against loaded Ghidra database and render results in Ghidra UI
+
+# @author Colton Gabertan (gabertan.colton@gmail.com)
+# @category capa
+# @runtime PyGhidra
+
 import json
 import logging
 import pathlib
 from typing import Any
 
+from java.util import ArrayList
+from ghidra.util import Msg
 from ghidra.app.cmd.label import AddLabelCmd, CreateNamespacesCmd
+from ghidra.util.exception import CancelledException
+from ghidra.program.flatapi import FlatProgramAPI
 from ghidra.program.model.symbol import Namespace, SourceType, SymbolType
 
 import capa
 import capa.main
 import capa.rules
+import capa.version
 import capa.render.json
 import capa.ghidra.helpers
 import capa.capabilities.common
+import capa.features.extractors.ghidra.context
 import capa.features.extractors.ghidra.extractor
 
 logger = logging.getLogger("capa_explorer")
 
 
+def show_monitor_message(msg):
+    capa.ghidra.helpers.get_monitor().checkCanceled()
+    capa.ghidra.helpers.get_monitor().setMessage(msg)
+
+
+def show_error(msg):
+    Msg.showError(None, None, "capa explorer", msg)
+
+
+def show_warn(msg):
+    Msg.showWarn(None, None, "capa explorer", msg)
+
+
+def show_info(msg):
+    Msg.showInfo(None, None, "capa explorer", msg)
+
+
 def add_bookmark(addr, txt, category="CapaExplorer"):
     """create bookmark at addr"""
-    currentProgram().getBookmarkManager().setBookmark(addr, "Info", category, txt)  # type: ignore [name-defined] # noqa: F821
+    capa.ghidra.helpers.get_current_program().getBookmarkManager().setBookmark(addr, "Info", category, txt)
 
 
 def create_namespace(namespace_str):
     """create new Ghidra namespace for each capa namespace"""
-
     cmd = CreateNamespacesCmd(namespace_str, SourceType.USER_DEFINED)
-    cmd.applyTo(currentProgram())  # type: ignore [name-defined] # noqa: F821
+    cmd.applyTo(capa.ghidra.helpers.get_current_program())
     return cmd.getNamespace()
 
 
@@ -53,7 +76,7 @@ def create_label(ghidra_addr, name, capa_namespace):
     """custom label cmd to overlay symbols under capa-generated namespaces"""
 
     # prevent duplicate labels under the same capa-generated namespace
-    symbol_table = currentProgram().getSymbolTable()  # type: ignore [name-defined] # noqa: F821
+    symbol_table = capa.ghidra.helpers.get_current_program().getSymbolTable()
     for sym in symbol_table.getSymbols(ghidra_addr):
         if sym.getName(True) == capa_namespace.getName(True) + Namespace.DELIMITER + name:
             return
@@ -61,7 +84,7 @@ def create_label(ghidra_addr, name, capa_namespace):
     # create SymbolType.LABEL at addr
     # prioritize capa-generated namespace (duplicate match @ new addr), else put under global Ghidra one (new match)
     cmd = AddLabelCmd(ghidra_addr, name, True, SourceType.USER_DEFINED)
-    cmd.applyTo(currentProgram())  # type: ignore [name-defined] # noqa: F821
+    cmd.applyTo(capa.ghidra.helpers.get_current_program())
 
     # assign new match overlay label to capa-generated namespace
     cmd.getSymbol().setNamespace(capa_namespace)
@@ -92,8 +115,8 @@ class CapaMatchData:
             return
 
         for key in self.matches.keys():
-            addr = toAddr(hex(key))  # type: ignore [name-defined] # noqa: F821
-            func = getFunctionContaining(addr)  # type: ignore [name-defined] # noqa: F821
+            addr = capa.ghidra.helpers.get_flat_api().toAddr(hex(key))
+            func = capa.ghidra.helpers.get_flat_api().getFunctionContaining(addr)
 
             # bookmark & tag MITRE ATT&CK tactics & MBC @ function scope
             if func is not None:
@@ -117,140 +140,160 @@ class CapaMatchData:
 
     def set_plate_comment(self, ghidra_addr):
         """set plate comments at matched functions"""
-        comment = getPlateComment(ghidra_addr)  # type: ignore [name-defined] # noqa: F821
+        comment = capa.ghidra.helpers.get_flat_api().getPlateComment(ghidra_addr)
         rule_path = self.namespace.replace(Namespace.DELIMITER, "/")
         # 2 calls to avoid duplicate comments via subsequent script runs
         if comment is None:
             # first comment @ function
             comment = rule_path + "\n"
-            setPlateComment(ghidra_addr, comment)  # type: ignore [name-defined] # noqa: F821
+            capa.ghidra.helpers.get_flat_api().setPlateComment(ghidra_addr, comment)
         elif rule_path not in comment:
             comment = comment + rule_path + "\n"
-            setPlateComment(ghidra_addr, comment)  # type: ignore [name-defined] # noqa: F821
+            capa.ghidra.helpers.get_flat_api().setPlateComment(ghidra_addr, comment)
         else:
             return
 
     def set_pre_comment(self, ghidra_addr, sub_type, description):
         """set pre comments at subscoped matches of main rules"""
-        comment = getPreComment(ghidra_addr)  # type: ignore [name-defined] # noqa: F821
+        comment = capa.ghidra.helpers.get_flat_api().getPreComment(ghidra_addr)
         if comment is None:
             comment = "capa: " + sub_type + "(" + description + ")" + ' matched in "' + self.capability + '"\n'
-            setPreComment(ghidra_addr, comment)  # type: ignore [name-defined] # noqa: F821
+            capa.ghidra.helpers.get_flat_api().setPreComment(ghidra_addr, comment)
         elif self.capability not in comment:
             comment = (
                 comment + "capa: " + sub_type + "(" + description + ")" + ' matched in "' + self.capability + '"\n'
             )
-            setPreComment(ghidra_addr, comment)  # type: ignore [name-defined] # noqa: F821
+            capa.ghidra.helpers.get_flat_api().setPreComment(ghidra_addr, comment)
         else:
             return
 
-    def label_matches(self):
+    def label_matches(self, do_namespaces, do_comments):
         """label findings at function scopes and comment on subscope matches"""
-        capa_namespace = create_namespace(self.namespace)
-        symbol_table = currentProgram().getSymbolTable()  # type: ignore [name-defined] # noqa: F821
+        capa_namespace = None
+        if do_namespaces:
+            capa_namespace = create_namespace(self.namespace)
+
+        symbol_table = capa.ghidra.helpers.get_current_program().getSymbolTable()
 
         # handle function main scope of matched rule
         # these will typically contain further matches within
         if self.scope == "function":
             for addr in self.matches.keys():
-                ghidra_addr = toAddr(hex(addr))  # type: ignore [name-defined] # noqa: F821
+                ghidra_addr = capa.ghidra.helpers.get_flat_api().toAddr(hex(addr))
 
                 # classify new function label under capa-generated namespace
-                sym = symbol_table.getPrimarySymbol(ghidra_addr)
-                if sym is not None:
-                    if sym.getSymbolType() == SymbolType.FUNCTION:
-                        create_label(ghidra_addr, sym.getName(), capa_namespace)
-                        self.set_plate_comment(ghidra_addr)
+                if do_namespaces:
+                    sym = symbol_table.getPrimarySymbol(ghidra_addr)
+                    if sym is not None:
+                        if sym.getSymbolType() == SymbolType.FUNCTION:
+                            create_label(ghidra_addr, sym.getName(), capa_namespace)
 
-                    # parse the corresponding nodes, and pre-comment subscope matched features
-                    # under the encompassing function(s)
-                    for sub_match in self.matches.get(addr):
-                        for loc, node in sub_match.items():
-                            sub_ghidra_addr = toAddr(hex(loc))  # type: ignore [name-defined] # noqa: F821
-                            if sub_ghidra_addr == ghidra_addr:
-                                # skip duplicates
-                                continue
+                if do_comments:
+                    self.set_plate_comment(ghidra_addr)
 
-                            # precomment subscope matches under the function
-                            if node != {}:
-                                for sub_type, description in parse_node(node):
-                                    self.set_pre_comment(sub_ghidra_addr, sub_type, description)
+                # parse the corresponding nodes, and pre-comment subscope matched features
+                # under the encompassing function(s)
+                for sub_match in self.matches.get(addr):
+                    for loc, node in sub_match.items():
+                        sub_ghidra_addr = capa.ghidra.helpers.get_flat_api().toAddr(hex(loc))
+                        if sub_ghidra_addr == ghidra_addr:
+                            # skip duplicates
+                            continue
+
+                        # precomment subscope matches under the function
+                        if node != {} and do_comments:
+                            for sub_type, description in parse_node(node):
+                                self.set_pre_comment(sub_ghidra_addr, sub_type, description)
         else:
             # resolve the encompassing function for the capa namespace
             # of non-function scoped main matches
             for addr in self.matches.keys():
-                ghidra_addr = toAddr(hex(addr))  # type: ignore [name-defined] # noqa: F821
+                ghidra_addr = capa.ghidra.helpers.get_flat_api().toAddr(hex(addr))
 
                 # basic block / insn scoped main matches
                 # Ex. See "Create Process on Windows" Rule
-                func = getFunctionContaining(ghidra_addr)  # type: ignore [name-defined] # noqa: F821
+                func = capa.ghidra.helpers.get_flat_api().getFunctionContaining(ghidra_addr)
                 if func is not None:
                     func_addr = func.getEntryPoint()
-                    create_label(func_addr, func.getName(), capa_namespace)
-                    self.set_plate_comment(func_addr)
+                    if do_namespaces:
+                        create_label(func_addr, func.getName(), capa_namespace)
+                    if do_comments:
+                        self.set_plate_comment(func_addr)
 
                 # create subscope match precomments
                 for sub_match in self.matches.get(addr):
                     for loc, node in sub_match.items():
-                        sub_ghidra_addr = toAddr(hex(loc))  # type: ignore [name-defined] # noqa: F821
+                        sub_ghidra_addr = capa.ghidra.helpers.get_flat_api().toAddr(hex(loc))
 
                         if node != {}:
                             if func is not None:
                                 # basic block/ insn scope under resolved function
-                                for sub_type, description in parse_node(node):
-                                    self.set_pre_comment(sub_ghidra_addr, sub_type, description)
+                                if do_comments:
+                                    for sub_type, description in parse_node(node):
+                                        self.set_pre_comment(sub_ghidra_addr, sub_type, description)
                             else:
                                 # this would be a global/file scoped main match
                                 # try to resolve the encompassing function via the subscope match, instead
                                 # Ex. "run as service" rule
-                                sub_func = getFunctionContaining(sub_ghidra_addr)  # type: ignore [name-defined] # noqa: F821
+                                sub_func = capa.ghidra.helpers.get_flat_api().getFunctionContaining(sub_ghidra_addr)
                                 if sub_func is not None:
                                     sub_func_addr = sub_func.getEntryPoint()
                                     # place function in capa namespace & create the subscope match label in Ghidra's global namespace
-                                    create_label(sub_func_addr, sub_func.getName(), capa_namespace)
-                                    self.set_plate_comment(sub_func_addr)
-                                    for sub_type, description in parse_node(node):
-                                        self.set_pre_comment(sub_ghidra_addr, sub_type, description)
+                                    if do_namespaces:
+                                        create_label(sub_func_addr, sub_func.getName(), capa_namespace)
+                                    if do_comments:
+                                        self.set_plate_comment(sub_func_addr)
+
+                                    if do_comments:
+                                        for sub_type, description in parse_node(node):
+                                            self.set_pre_comment(sub_ghidra_addr, sub_type, description)
                                 else:
                                     # addr is in some other file section like .data
                                     # represent this location with a label symbol under the capa namespace
                                     # Ex. See "Reference Base64 String" rule
-                                    for sub_type, description in parse_node(node):
-                                        # in many cases, these will be ghidra-labeled data, so just add the existing
-                                        # label symbol to the capa namespace
-                                        for sym in symbol_table.getSymbols(sub_ghidra_addr):
-                                            if sym.getSymbolType() == SymbolType.LABEL:
-                                                sym.setNamespace(capa_namespace)
-                                        self.set_pre_comment(sub_ghidra_addr, sub_type, description)
+                                    if do_namespaces:
+                                        for _sub_type, _description in parse_node(node):
+                                            # in many cases, these will be ghidra-labeled data, so just add the existing
+                                            # label symbol to the capa namespace
+                                            for sym in symbol_table.getSymbols(sub_ghidra_addr):
+                                                if sym.getSymbolType() == SymbolType.LABEL:
+                                                    sym.setNamespace(capa_namespace)
+                                    if do_comments:
+                                        for sub_type, description in parse_node(node):
+                                            self.set_pre_comment(sub_ghidra_addr, sub_type, description)
 
 
 def get_capabilities():
-    rules_dir: str = ""
-    try:
-        selected_dir = askDirectory("Choose capa rules directory", "Ok")  # type: ignore [name-defined] # noqa: F821
-        if selected_dir:
-            rules_dir = selected_dir.getPath()
-    except RuntimeError:
-        # RuntimeError thrown when user selects "Cancel"
-        pass
+    rules_dir = ""
+
+    show_monitor_message(f"requesting capa {capa.version.__version__} rules directory")
+    selected_dir = askDirectory(f"choose capa {capa.version.__version__} rules directory", "Ok")  # type: ignore [name-defined] # noqa: F821
+
+    if selected_dir:
+        rules_dir = selected_dir.getPath()
 
     if not rules_dir:
-        logger.info("You must choose a capa rules directory before running capa.")
-        return ""  # return empty str to avoid handling both int and str types
+        raise CancelledException
 
     rules_path: pathlib.Path = pathlib.Path(rules_dir)
-    logger.info("running capa using rules from %s", str(rules_path))
 
+    show_monitor_message(f"loading rules from {rules_path}")
     rules = capa.rules.get_rules([rules_path])
-    meta = capa.ghidra.helpers.collect_metadata([rules_path])
-    extractor = capa.features.extractors.ghidra.extractor.GhidraFeatureExtractor()
 
+    show_monitor_message("collecting binary metadata")
+    meta = capa.ghidra.helpers.collect_metadata([rules_path])
+
+    show_monitor_message("running capa analysis")
+    extractor = capa.features.extractors.ghidra.extractor.GhidraFeatureExtractor()
     capabilities = capa.capabilities.common.find_capabilities(rules, extractor, True)
 
+    show_monitor_message("checking for static limitations")
     if capa.capabilities.common.has_static_limitation(rules, capabilities, is_standalone=False):
-        popup("capa explorer encountered warnings during analysis. Please check the console output for more information.")  # type: ignore [name-defined] # noqa: F821
-        logger.info("capa encountered warnings during analysis")
+        show_warn(
+            "capa explorer encountered warnings during analysis. Please check the console output for more information.",
+        )
 
+    show_monitor_message("rendering results")
     return capa.render.json.render(meta, rules, capabilities.matches)
 
 
@@ -328,12 +371,12 @@ def parse_json(capa_data):
             # this requires the correct delimiter used by Ghidra
             # Ex. 'communication/named-pipe/create/create pipe' -> capa::communication::named-pipe::create::create-pipe
             namespace_str = Namespace.DELIMITER.join(meta["namespace"].split("/"))
-            namespace = "capa" + Namespace.DELIMITER + namespace_str + fmt_rule
+            namespace = "capa_explorer" + Namespace.DELIMITER + namespace_str + fmt_rule
         else:
             # lib rules via the official rules repo will not contain data
             # for the "namespaces" key, so format using rule itself
             # Ex. 'contain loop' -> capa::lib::contain-loop
-            namespace = "capa" + Namespace.DELIMITER + "lib" + fmt_rule
+            namespace = "capa_explorer" + Namespace.DELIMITER + "lib" + fmt_rule
 
         yield CapaMatchData(namespace, scope, rule, rule_matches, attack, mbc)
 
@@ -342,44 +385,79 @@ def main():
     logging.basicConfig(level=logging.INFO)
     logging.getLogger().setLevel(logging.INFO)
 
-    if isRunningHeadless():  # type: ignore [name-defined] # noqa: F821
-        logger.error("unsupported Ghidra execution mode")
-        return capa.main.E_UNSUPPORTED_GHIDRA_EXECUTION_MODE
+    choices = ["namespaces", "bookmarks", "comments"]
+    # use ArrayList to resolve ambiguous askChoices overloads (List vs List, List) in PyGhidra
+    choices_java = ArrayList()
+    for c in choices:
+        choices_java.add(c)
 
+    choice_labels = [
+        'add "capa_explorer" namespace for matched functions',
+        "add bookmarks for matched functions",
+        "add comments to matched functions",
+    ]
+    # use ArrayList to resolve ambiguous askChoices overloads (List vs List, List) in PyGhidra
+    choice_labels_java = ArrayList()
+    for c in choice_labels:
+        choice_labels_java.add(c)
+
+    selected = list(askChoices("capa explorer", "select actions:", choices_java, choice_labels_java))  # type: ignore [name-defined] # noqa: F821
+
+    do_namespaces = "namespaces" in selected
+    do_comments = "comments" in selected
+    do_bookmarks = "bookmarks" in selected
+
+    if not any((do_namespaces, do_comments, do_bookmarks)):
+        raise CancelledException("no actions selected")
+
+    # initialize the context for the extractor/helpers
+    capa.features.extractors.ghidra.context.set_context(
+        currentProgram,  # type: ignore [name-defined] # noqa: F821
+        FlatProgramAPI(currentProgram),  # type: ignore [name-defined] # noqa: F821
+        monitor,  # type: ignore [name-defined] # noqa: F821
+    )
+
+    show_monitor_message("checking supported Ghidra version")
     if not capa.ghidra.helpers.is_supported_ghidra_version():
-        logger.error("unsupported Ghidra version")
+        show_error("unsupported Ghidra version")
         return capa.main.E_UNSUPPORTED_GHIDRA_VERSION
 
+    show_monitor_message("checking supported file type")
     if not capa.ghidra.helpers.is_supported_file_type():
-        logger.error("unsupported file type")
+        show_error("unsupported file type")
         return capa.main.E_INVALID_FILE_TYPE
 
+    show_monitor_message("checking supported file architecture")
     if not capa.ghidra.helpers.is_supported_arch_type():
-        logger.error("unsupported file architecture")
+        show_error("unsupported file architecture")
         return capa.main.E_INVALID_FILE_ARCH
 
     # capa_data will always contain {'meta':..., 'rules':...}
     # if the 'rules' key contains no values, then there were no matches
     capa_data = json.loads(get_capabilities())
     if capa_data.get("rules") is None:
-        logger.info("capa explorer found no matches")
-        popup("capa explorer found no matches.")  # type: ignore [name-defined] # noqa: F821
+        show_info("capa explorer found no matches.")
         return capa.main.E_EMPTY_REPORT
 
+    show_monitor_message("processing matches")
     for item in parse_json(capa_data):
-        item.bookmark_functions()
-        item.label_matches()
-    logger.info("capa explorer analysis complete")
-    popup("capa explorer analysis complete.\nPlease see results in the Bookmarks Window and Namespaces section of the Symbol Tree Window.")  # type: ignore [name-defined] # noqa: F821
+        if do_bookmarks:
+            show_monitor_message("adding bookmarks")
+            item.bookmark_functions()
+        if do_namespaces or do_comments:
+            show_monitor_message("adding labels")
+            item.label_matches(do_namespaces, do_comments)
+
+    show_info("capa explorer analysis complete.")
+
     return 0
 
 
 if __name__ == "__main__":
-    if sys.version_info < (3, 10):
-        from capa.exceptions import UnsupportedRuntimeError
-
-        raise UnsupportedRuntimeError("This version of capa can only be used with Python 3.10+")
-    exit_code = main()
-    if exit_code != 0:
-        popup("capa explorer encountered errors during analysis. Please check the console output for more information.")  # type: ignore [name-defined] # noqa: F821
-    sys.exit(exit_code)
+    try:
+        if main() != 0:
+            show_error(
+                "capa explorer encountered errors during analysis. Please check the console output for more information.",
+            )
+    except CancelledException:
+        show_info("capa explorer analysis cancelled.")

capa/helpers.py

@@ -96,11 +96,7 @@ def is_runtime_ida():
 
 
 def is_runtime_ghidra():
-    try:
-        currentProgram  # type: ignore [name-defined] # noqa: F821
-    except NameError:
-        return False
-    return True
+    return importlib.util.find_spec("ghidra") is not None
 
 
 def assert_never(value) -> NoReturn:

capa/ida/plugin/__init__.py

@@ -17,7 +17,6 @@ import logging
 import idaapi
 import ida_kernwin
 
-from capa.ida.plugin.form import CapaExplorerForm
 from capa.ida.plugin.icon import ICON
 
 logger = logging.getLogger(__name__)
@@ -74,6 +73,9 @@ class CapaExplorerPlugin(idaapi.plugin_t):
           arg (int): bitflag. Setting LSB enables automatic analysis upon
           loading. The other bits are currently undefined. See `form.Options`.
         """
+        # delay import to not trigger load of Qt components when not running in idaq, i.e., in idalib
+        from capa.ida.plugin.form import CapaExplorerForm
+
         if not self.form:
             self.form = CapaExplorerForm(self.PLUGIN_NAME, arg)
         else:

capa/ida/plugin/extractor.py

@@ -14,9 +14,10 @@
 
 
 import ida_kernwin
-from PyQt5 import QtCore
+from ida_domain import Database
 
 from capa.ida.plugin.error import UserCancelledError
+from capa.ida.plugin.qt_compat import QtCore, Signal
 from capa.features.extractors.ida.extractor import IdaFeatureExtractor
 from capa.features.extractors.base_extractor import FunctionHandle
 
@@ -24,7 +25,7 @@ from capa.features.extractors.base_extractor import FunctionHandle
 class CapaExplorerProgressIndicator(QtCore.QObject):
     """implement progress signal, used during feature extraction"""
 
-    progress = QtCore.pyqtSignal(str)
+    progress = Signal(str)
 
     def update(self, text):
         """emit progress update
@@ -43,7 +44,8 @@ class CapaExplorerFeatureExtractor(IdaFeatureExtractor):
     """
 
     def __init__(self):
-        super().__init__()
+        db = Database.open()
+        super().__init__(db)
         self.indicator = CapaExplorerProgressIndicator()
 
     def extract_function_features(self, fh: FunctionHandle):

capa/ida/plugin/form.py

@@ -23,7 +23,6 @@ from pathlib import Path
 import idaapi
 import ida_kernwin
 import ida_settings
-from PyQt5 import QtGui, QtCore, QtWidgets
 
 import capa.main
 import capa.rules
@@ -51,6 +50,7 @@ from capa.ida.plugin.hooks import CapaExplorerIdaHooks
 from capa.ida.plugin.model import CapaExplorerDataModel
 from capa.ida.plugin.proxy import CapaExplorerRangeProxyModel, CapaExplorerSearchProxyModel
 from capa.ida.plugin.extractor import CapaExplorerFeatureExtractor
+from capa.ida.plugin.qt_compat import QtGui, QtCore, QtWidgets
 from capa.features.extractors.base_extractor import FunctionHandle
 
 logger = logging.getLogger(__name__)
@@ -1358,7 +1358,7 @@ class CapaExplorerForm(idaapi.PluginForm):
 
         @param state: checked state
         """
-        if state == QtCore.Qt.Checked:
+        if state:
             self.limit_results_to_function(idaapi.get_func(idaapi.get_screen_ea()))
         else:
             self.range_model_proxy.reset_address_range_filter()
@@ -1367,7 +1367,7 @@ class CapaExplorerForm(idaapi.PluginForm):
 
     def slot_checkbox_limit_features_by_ea(self, state):
         """ """
-        if state == QtCore.Qt.Checked:
+        if state:
             self.view_rulegen_features.filter_items_by_ea(idaapi.get_screen_ea())
         else:
             self.view_rulegen_features.show_all_items()

capa/ida/plugin/ida-plugin.json

@@ -0,0 +1,38 @@
+{
+  "IDAMetadataDescriptorVersion": 1,
+  "plugin": {
+    "name": "capa",
+    "entryPoint": "capa_explorer.py",
+    "version": "9.3.1",
+    "idaVersions": ">=7.4",
+    "description": "Identify capabilities in executable files using FLARE's capa framework",
+    "license": "Apache-2.0",
+    "categories": [
+      "malware-analysis",
+      "api-scripting-and-automation",
+      "ui-ux-and-visualization"
+    ],
+    "pythonDependencies": ["flare-capa==9.3.1"],
+    "urls": {
+      "repository": "https://github.com/mandiant/capa"
+    },
+    "authors": [
+      {"name": "Willi Ballenthin", "email": "wballenthin@hex-rays.com"},
+      {"name": "Moritz Raabe", "email": "moritzraabe@google.com"},
+      {"name": "Mike Hunhoff", "email": "mike.hunhoff@gmail.com"},
+      {"name": "Yacine Elhamer", "email": "elhamer.yacine@gmail.com"}
+    ],
+    "keywords": [
+      "capability-detection",
+      "malware-analysis",
+      "behavior-analysis",
+      "reverse-engineering",
+      "att&ck",
+      "rule-engine",
+      "feature-extraction",
+      "yara-like-rules",
+      "static-analysis",
+      "dynamic-analysis"
+    ]
+  }
+}

capa/ida/plugin/item.py

@@ -18,10 +18,10 @@ from typing import Iterator, Optional
 
 import idc
 import idaapi
-from PyQt5 import QtCore
 
 import capa.ida.helpers
 from capa.features.address import Address, FileOffsetAddress, AbsoluteVirtualAddress
+from capa.ida.plugin.qt_compat import QtCore, qt_get_item_flag_tristate
 
 
 def info_to_name(display):
@@ -55,7 +55,7 @@ class CapaExplorerDataItem:
         self.flags = QtCore.Qt.ItemIsEnabled | QtCore.Qt.ItemIsSelectable
 
         if self._can_check:
-            self.flags = self.flags | QtCore.Qt.ItemIsUserCheckable | QtCore.Qt.ItemIsTristate
+            self.flags = self.flags | QtCore.Qt.ItemIsUserCheckable | qt_get_item_flag_tristate()
 
         if self.pred:
             self.pred.appendChild(self)

capa/ida/plugin/model.py

@@ -18,7 +18,6 @@ from collections import deque
 
 import idc
 import idaapi
-from PyQt5 import QtGui, QtCore
 
 import capa.rules
 import capa.ida.helpers
@@ -42,6 +41,7 @@ from capa.ida.plugin.item import (
     CapaExplorerInstructionViewItem,
 )
 from capa.features.address import Address, AbsoluteVirtualAddress
+from capa.ida.plugin.qt_compat import QtGui, QtCore
 
 # default highlight color used in IDA window
 DEFAULT_HIGHLIGHT = 0xE6C700
@@ -269,7 +269,7 @@ class CapaExplorerDataModel(QtCore.QAbstractItemModel):
                 visited.add(child_index)
 
                 for idx in range(self.rowCount(child_index)):
-                    stack.append(child_index.child(idx, 0))
+                    stack.append(self.index(idx, 0, child_index))
 
     def reset_ida_highlighting(self, item, checked):
         """reset IDA highlight for item

capa/ida/plugin/proxy.py

@@ -12,10 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-from PyQt5 import QtCore
-from PyQt5.QtCore import Qt
-
 from capa.ida.plugin.model import CapaExplorerDataModel
+from capa.ida.plugin.qt_compat import Qt, QtCore
 
 
 class CapaExplorerRangeProxyModel(QtCore.QSortFilterProxyModel):

capa/ida/plugin/qt_compat.py

@@ -0,0 +1,79 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""
+Qt compatibility layer for capa IDA Pro plugin.
+
+Handles PyQt5 (IDA < 9.2) vs PySide6 (IDA >= 9.2) differences.
+This module provides a unified import interface for Qt modules and handles
+API changes between Qt5 and Qt6.
+"""
+
+try:
+    # IDA 9.2+ uses PySide6
+    from PySide6 import QtGui, QtCore, QtWidgets
+    from PySide6.QtGui import QAction
+
+    QT_LIBRARY = "PySide6"
+    Signal = QtCore.Signal
+except ImportError:
+    # Older IDA versions use PyQt5
+    try:
+        from PyQt5 import QtGui, QtCore, QtWidgets
+        from PyQt5.QtWidgets import QAction
+
+        QT_LIBRARY = "PyQt5"
+        Signal = QtCore.pyqtSignal
+    except ImportError:
+        raise ImportError("Neither PySide6 nor PyQt5 is available. Cannot initialize capa IDA plugin.")
+
+Qt = QtCore.Qt
+
+
+def qt_get_item_flag_tristate():
+    """
+    Get the tristate item flag compatible with Qt5 and Qt6.
+
+    Qt5 (PyQt5): Uses Qt.ItemIsTristate
+    Qt6 (PySide6): Qt.ItemIsTristate was removed, uses Qt.ItemIsAutoTristate
+
+    ItemIsAutoTristate automatically manages tristate based on child checkboxes,
+    matching the original ItemIsTristate behavior where parent checkboxes reflect
+    the check state of their children.
+
+    Returns:
+        int: The appropriate flag value for the Qt version
+
+    Raises:
+        AttributeError: If the tristate flag cannot be found in the Qt library
+    """
+    if QT_LIBRARY == "PySide6":
+        # Qt6: ItemIsTristate was removed, replaced with ItemIsAutoTristate
+        # Try different possible locations (API varies slightly across PySide6 versions)
+        if hasattr(Qt, "ItemIsAutoTristate"):
+            return Qt.ItemIsAutoTristate
+        elif hasattr(Qt, "ItemFlag") and hasattr(Qt.ItemFlag, "ItemIsAutoTristate"):
+            return Qt.ItemFlag.ItemIsAutoTristate
+        else:
+            raise AttributeError(
+                "Cannot find ItemIsAutoTristate in PySide6. "
+                + "Your PySide6 version may be incompatible with capa. "
+                + f"Available Qt attributes: {[attr for attr in dir(Qt) if 'Item' in attr]}"
+            )
+    else:
+        # Qt5: Use the original ItemIsTristate flag
+        return Qt.ItemIsTristate
+
+
+__all__ = ["qt_get_item_flag_tristate", "Signal", "QAction", "QtGui", "QtCore", "QtWidgets"]

capa/ida/plugin/view.py

@@ -18,7 +18,6 @@ from collections import Counter
 
 import idc
 import idaapi
-from PyQt5 import QtGui, QtCore, QtWidgets
 
 import capa.rules
 import capa.engine
@@ -28,6 +27,7 @@ import capa.features.basicblock
 from capa.ida.plugin.item import CapaExplorerFunctionItem
 from capa.features.address import AbsoluteVirtualAddress, _NoAddress
 from capa.ida.plugin.model import CapaExplorerDataModel
+from capa.ida.plugin.qt_compat import QtGui, QtCore, Signal, QAction, QtWidgets
 
 MAX_SECTION_SIZE = 750
 
@@ -147,7 +147,7 @@ def calc_item_depth(o):
 
 def build_action(o, display, data, slot):
     """ """
-    action = QtWidgets.QAction(display, o)
+    action = QAction(display, o)
 
     action.setData(data)
     action.triggered.connect(lambda checked: slot(action))
@@ -312,7 +312,7 @@ class CapaExplorerRulegenPreview(QtWidgets.QTextEdit):
 
 
 class CapaExplorerRulegenEditor(QtWidgets.QTreeWidget):
-    updated = QtCore.pyqtSignal()
+    updated = Signal()
 
     def __init__(self, preview, parent=None):
         """ """

capa/loader.py

@@ -12,7 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-import io
 import os
 import logging
 import datetime
@@ -23,24 +22,13 @@ from pathlib import Path
 from rich.console import Console
 from typing_extensions import assert_never
 
-import capa.perf
 import capa.rules
-import capa.engine
-import capa.helpers
 import capa.version
-import capa.render.json
-import capa.rules.cache
-import capa.render.default
-import capa.render.verbose
 import capa.features.common
 import capa.features.freeze as frz
-import capa.render.vverbose
 import capa.features.extractors
-import capa.render.result_document
 import capa.render.result_document as rdoc
 import capa.features.extractors.common
-import capa.features.extractors.base_extractor
-import capa.features.extractors.cape.extractor
 from capa.rules import RuleSet
 from capa.engine import MatchResults
 from capa.exceptions import UnsupportedOSError, UnsupportedArchError, UnsupportedFormatError
@@ -79,6 +67,7 @@ BACKEND_VMRAY = "vmray"
 BACKEND_FREEZE = "freeze"
 BACKEND_BINEXPORT2 = "binexport2"
 BACKEND_IDA = "ida"
+BACKEND_GHIDRA = "ghidra"
 
 
 class CorruptFile(ValueError):
@@ -178,8 +167,15 @@ def get_workspace(path: Path, input_format: str, sigpaths: list[Path]):
     except Exception as e:
         # vivisect raises raw Exception instances, and we don't want
         # to do a subclass check via isinstance.
-        if type(e) is Exception and "Couldn't convert rva" in e.args[0]:
-            raise CorruptFile(e.args[0]) from e
+        if type(e) is Exception and e.args:
+            error_msg = str(e.args[0])
+
+            if "Couldn't convert rva" in error_msg:
+                raise CorruptFile(error_msg) from e
+            elif "Unsupported Architecture" in error_msg:
+                # Extract architecture number if available
+                arch_info = e.args[1] if len(e.args) > 1 else "unknown"
+                raise CorruptFile(f"Unsupported architecture: {arch_info}") from e
         raise
 
     viv_utils.flirt.register_flirt_signature_analyzers(vw, [str(s) for s in sigpaths])
@@ -338,19 +334,94 @@ def get_extractor(
         import capa.features.extractors.ida.extractor
 
         logger.debug("idalib: opening database...")
-        # idalib writes to stdout (ugh), so we have to capture that
-        # so as not to screw up structured output.
-        with capa.helpers.stdout_redirector(io.BytesIO()):
-            with console.status("analyzing program...", spinner="dots"):
-                if idapro.open_database(str(input_path), run_auto_analysis=True):
-                    raise RuntimeError("failed to analyze input file")
+        idapro.enable_console_messages(False)
+        with console.status("analyzing program...", spinner="dots"):
+            # we set the primary and secondary Lumina servers to 0.0.0.0 to disable Lumina,
+            # which sometimes provides bad names, including overwriting names from debug info.
+            #
+            # use -R to load resources, which can help us embedded PE files.
+            #
+            # return values from open_database:
+            #   0 - Success
+            #   2 - User cancelled or 32-64 bit conversion failed
+            #   4 - Database initialization failed
+            #   -1 - Generic errors (database already open, auto-analysis failed, etc.)
+            #   -2 - User cancelled operation
+            ret = idapro.open_database(
+                str(input_path), run_auto_analysis=True, args="-Olumina:host=0.0.0.0 -Osecondary_lumina:host=0.0.0.0 -R"
+            )
+            if ret != 0:
+                raise RuntimeError("failed to analyze input file")
 
             logger.debug("idalib: waiting for analysis...")
             ida_auto.auto_wait()
             logger.debug("idalib: opened database.")
 
-        return capa.features.extractors.ida.extractor.IdaFeatureExtractor()
+        return capa.features.extractors.ida.extractor.IdaFeatureExtractor.from_current_database()
 
+    elif backend == BACKEND_GHIDRA:
+        import pyghidra
+
+        with console.status("analyzing program...", spinner="dots"):
+            if not pyghidra.started():
+                pyghidra.start()
+
+            import capa.ghidra.helpers
+
+            if not capa.ghidra.helpers.is_supported_ghidra_version():
+                raise RuntimeError("unsupported Ghidra version")
+
+            import tempfile
+
+            tmpdir = tempfile.TemporaryDirectory()
+
+            project_cm = pyghidra.open_project(tmpdir.name, "CapaProject", create=True)
+            project = project_cm.__enter__()
+            try:
+                from ghidra.util.task import TaskMonitor
+
+                monitor = TaskMonitor.DUMMY
+
+                # Import file
+                loader = pyghidra.program_loader().project(project).source(str(input_path)).name(input_path.name)
+                with loader.load() as load_results:
+                    load_results.save(monitor)
+
+                # Open program
+                program, consumer = pyghidra.consume_program(project, "/" + input_path.name)
+
+                # Analyze
+                pyghidra.analyze(program, monitor)
+
+                from ghidra.program.flatapi import FlatProgramAPI
+
+                flat_api = FlatProgramAPI(program)
+
+                import capa.features.extractors.ghidra.context as ghidra_context
+
+                ghidra_context.set_context(program, flat_api, monitor)
+
+                # Wrapper to handle cleanup of program (consumer) and project
+                class GhidraContextWrapper:
+                    def __init__(self, project_cm, program, consumer):
+                        self.project_cm = project_cm
+                        self.program = program
+                        self.consumer = consumer
+
+                    def __exit__(self, exc_type, exc_val, exc_tb):
+                        self.program.release(self.consumer)
+                        self.project_cm.__exit__(exc_type, exc_val, exc_tb)
+
+                cm = GhidraContextWrapper(project_cm, program, consumer)
+
+            except Exception:
+                project_cm.__exit__(None, None, None)
+                tmpdir.cleanup()
+                raise
+
+        import capa.features.extractors.ghidra.extractor
+
+        return capa.features.extractors.ghidra.extractor.GhidraFeatureExtractor(ctx_manager=cm, tmpdir=tmpdir)
     else:
         raise ValueError("unexpected backend: " + backend)
 

capa/main.py

@@ -55,6 +55,7 @@ from capa.loader import (
     BACKEND_VMRAY,
     BACKEND_DOTNET,
     BACKEND_FREEZE,
+    BACKEND_GHIDRA,
     BACKEND_PEFILE,
     BACKEND_DRAKVUF,
     BACKEND_BINEXPORT2,
@@ -298,6 +299,7 @@ def install_common_args(parser, wanted=None):
             (BACKEND_BINJA, "Binary Ninja"),
             (BACKEND_DOTNET, ".NET"),
             (BACKEND_BINEXPORT2, "BinExport2"),
+            (BACKEND_GHIDRA, "Ghidra"),
             (BACKEND_FREEZE, "capa freeze"),
             (BACKEND_CAPE, "CAPE"),
             (BACKEND_DRAKVUF, "DRAKVUF"),
@@ -392,6 +394,7 @@ class ShouldExitError(Exception):
     """raised when a main-related routine indicates the program should exit."""
 
     def __init__(self, status_code: int):
+        super().__init__(status_code)
         self.status_code = status_code
 
 
@@ -1091,7 +1094,7 @@ def ida_main():
 
     meta = capa.ida.helpers.collect_metadata([rules_path])
 
-    capabilities = find_capabilities(rules, capa.features.extractors.ida.extractor.IdaFeatureExtractor())
+    capabilities = find_capabilities(rules, capa.features.extractors.ida.extractor.IdaFeatureExtractor.from_current_database())
 
     meta.analysis.feature_counts = capabilities.feature_counts
     meta.analysis.library_functions = capabilities.library_functions
@@ -1104,14 +1107,26 @@ def ida_main():
 
 
 def ghidra_main():
+    from ghidra.program.flatapi import FlatProgramAPI
+
     import capa.rules
     import capa.ghidra.helpers
     import capa.render.default
+    import capa.features.extractors.ghidra.context
     import capa.features.extractors.ghidra.extractor
 
     logging.basicConfig(level=logging.INFO)
     logging.getLogger().setLevel(logging.INFO)
 
+    # These are provided by the Ghidra scripting environment
+    # but are not available when running standard python
+    # so we have to ignore the linting errors
+    program = currentProgram  # type: ignore [name-defined] # noqa: F821
+    monitor_ = monitor  # type: ignore [name-defined] # noqa: F821
+    flat_api = FlatProgramAPI(program)
+
+    capa.features.extractors.ghidra.context.set_context(program, flat_api, monitor_)
+
     logger.debug("-" * 80)
     logger.debug(" Using default embedded rules.")
     logger.debug(" ")

capa/rules/__init__.py

@@ -274,12 +274,8 @@ SUPPORTED_FEATURES[Scope.FUNCTION].update(SUPPORTED_FEATURES[Scope.BASIC_BLOCK])
 
 
 class InvalidRule(ValueError):
-    def __init__(self, msg):
-        super().__init__()
-        self.msg = msg
-
     def __str__(self):
-        return f"invalid rule: {self.msg}"
+        return f"invalid rule: {super().__str__()}"
 
     def __repr__(self):
         return str(self)
@@ -289,20 +285,15 @@ class InvalidRuleWithPath(InvalidRule):
     def __init__(self, path, msg):
         super().__init__(msg)
         self.path = path
-        self.msg = msg
         self.__cause__ = None
 
     def __str__(self):
-        return f"invalid rule: {self.path}: {self.msg}"
+        return f"invalid rule: {self.path}: {super(InvalidRule, self).__str__()}"
 
 
 class InvalidRuleSet(ValueError):
-    def __init__(self, msg):
-        super().__init__()
-        self.msg = msg
-
     def __str__(self):
-        return f"invalid rule set: {self.msg}"
+        return f"invalid rule set: {super().__str__()}"
 
     def __repr__(self):
         return str(self)
@@ -1102,15 +1093,15 @@ class Rule:
     @lru_cache()
     def _get_yaml_loader():
         try:
-            # prefer to use CLoader to be fast, see #306
+            # prefer to use CLoader to be fast, see #306 / CSafeLoader is the same as CLoader but with safe loading
             # on Linux, make sure you install libyaml-dev or similar
             # on Windows, get WHLs from pyyaml.org/pypi
-            logger.debug("using libyaml CLoader.")
-            return yaml.CLoader
+            logger.debug("using libyaml CSafeLoader.")
+            return yaml.CSafeLoader
         except Exception:
-            logger.debug("unable to import libyaml CLoader, falling back to Python yaml parser.")
+            logger.debug("unable to import libyaml CSafeLoader, falling back to Python yaml parser.")
             logger.debug("this will be slower to load rules.")
-            return yaml.Loader
+            return yaml.SafeLoader
 
     @staticmethod
     def _get_ruamel_yaml_parser():

capa/version.py

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-__version__ = "9.1.0"
+__version__ = "9.3.1"
 
 
 def get_major_version():

doc/release.md

@@ -7,6 +7,7 @@
 - [ ] Review changes
   - capa https://github.com/mandiant/capa/compare/\<last-release\>...master
   - capa-rules https://github.com/mandiant/capa-rules/compare/\<last-release>\...master
+- [ ] Run `$ bump-my-version bump {patch/minor/major} [--allow-dirty]` to update [capa/version.py](https://github.com/mandiant/capa/blob/master/capa/version.py) and other version files
 - [ ] Update [CHANGELOG.md](https://github.com/mandiant/capa/blob/master/CHANGELOG.md)
   - Do not forget to add a nice introduction thanking contributors
   - Remember that we need a major release if we introduce breaking changes
@@ -36,7 +37,6 @@
     - [capa <release>...master](https://github.com/mandiant/capa/compare/<release>...master)
     - [capa-rules <release>...master](https://github.com/mandiant/capa-rules/compare/<release>...master)
     ```
-- [ ] Update [capa/version.py](https://github.com/mandiant/capa/blob/master/capa/version.py)
 - [ ] Create a PR with the updated [CHANGELOG.md](https://github.com/mandiant/capa/blob/master/CHANGELOG.md) and [capa/version.py](https://github.com/mandiant/capa/blob/master/capa/version.py). Copy this checklist in the PR description.
 - [ ] Update the [homepage](https://github.com/mandiant/capa/blob/master/web/public/index.html) (i.e. What's New section)
 - [ ] After PR review, merge the PR and [create the release in GH](https://github.com/mandiant/capa/releases/new) using text from the [CHANGELOG.md](https://github.com/mandiant/capa/blob/master/CHANGELOG.md).

pyproject.toml

@@ -74,7 +74,8 @@ dependencies = [
     # comments and context.
     "pyyaml>=6",
     "colorama>=0.4",
-    "ida-settings>=2",
+    "ida-netnode>=3.0",
+    "ida-settings>=3.1.0",
     "ruamel.yaml>=0.18",
     "pefile>=2023.2.7",
     "pyelftools>=0.31",
@@ -104,10 +105,17 @@ dependencies = [
 
     "networkx>=3",
 
-    "dnfile>=0.15.0",
+    "dnfile>=0.17.0",
 ]
 dynamic = ["version"]
 
+[tool.pytest.ini_options]
+filterwarnings = [
+    "ignore:builtin type SwigPyPacked has no __module__ attribute:DeprecationWarning",
+    "ignore:builtin type SwigPyObject has no __module__ attribute:DeprecationWarning",
+    "ignore:builtin type swigvarlink has no __module__ attribute:DeprecationWarning",
+]
+
 [tool.setuptools.dynamic]
 version = {attr = "capa.version.__version__"}
 
@@ -121,51 +129,57 @@ dev = [
     # we want all developer environments to be consistent.
     # These dependencies are not used in production environments
     # and should not conflict with other libraries/tooling.
-    "pre-commit==4.1.0",
-    "pytest==8.0.0",
-    "pytest-sugar==1.0.0",
+    "pre-commit==4.5.0",
+    "pytest==9.0.2",
+    "pytest-sugar==1.1.1",
     "pytest-instafail==0.5.0",
-    "flake8==7.1.1",
-    "flake8-bugbear==24.12.12",
+    "flake8==7.3.0",
+    "flake8-bugbear==25.11.29",
     "flake8-encodings==0.5.1",
-    "flake8-comprehensions==3.16.0",
+    "flake8-comprehensions==3.17.0",
     "flake8-logging-format==0.9.0",
     "flake8-no-implicit-concat==0.3.5",
     "flake8-print==5.0.0",
     "flake8-todos==0.3.1",
-    "flake8-simplify==0.21.0",
+    "flake8-simplify==0.30.0",
     "flake8-use-pathlib==0.3.0",
     "flake8-copyright==0.2.4",
-    "ruff==0.11.0",
-    "black==25.1.0",
-    "isort==6.0.0",
-    "mypy==1.15.0",
-    "mypy-protobuf==3.6.0",
-    "PyGithub==2.6.0",
+    "ruff==0.14.7",
+    "black==25.12.0",
+    "isort==7.0.0",
+    "mypy==1.19.1",
+    "mypy-protobuf==4.0.0",
+    "PyGithub==2.8.1",
+    "bump-my-version==1.2.4",
     # type stubs for mypy
     "types-backports==0.1.3",
     "types-colorama==0.4.15.11",
     "types-PyYAML==6.0.8",
-    "types-psutil==7.0.0.20250218",
+    "types-psutil==7.2.0.20251228",
     "types_requests==2.32.0.20240712",
-    "types-protobuf==5.29.1.20241207",
-    "deptry==0.23.0"
+    "types-protobuf==6.32.1.20250918",
+    "deptry==0.24.0"
 ]
 build = [
     # Dev and build dependencies are not relaxed because
     # we want all developer environments to be consistent.
     # These dependencies are not used in production environments
     # and should not conflict with other libraries/tooling.
-    "pyinstaller==6.12.0",
-    "setuptools==76.0.0",
-    "build==1.2.2"
+    "pyinstaller==6.17.0",
+    "setuptools==80.9.0",
+    "build==1.4.0"
 ]
 scripts = [
+    # can (optionally) be more lenient on dependencies here
+    # see comment on dependencies for more context
     "jschema_to_python==1.2.3",
-    "psutil==7.0.0",
+    "psutil==7.2.1",
     "stix2==3.0.1",
     "sarif_om==1.0.4",
-    "requests==2.32.3",
+    "requests>=2.32.4",
+]
+ghidra = [
+    "pyghidra>=3.0.0",
 ]
 
 [tool.deptry]
@@ -197,7 +211,8 @@ known_first_party = [
     "idc",
     "java",
     "netnode",
-    "PyQt5"
+    "PyQt5",
+    "PySide6"
 ]
 
 [tool.deptry.per_rule_ignores]
@@ -205,6 +220,7 @@ known_first_party = [
 DEP002 = [
     "black",
     "build",
+    "bump-my-version",
     "deptry",
     "flake8",
     "flake8-bugbear",

requirements.txt

@@ -10,38 +10,40 @@ annotated-types==0.7.0
 colorama==0.4.6
 cxxfilt==0.3.0
 dncil==1.0.2
-dnfile==0.15.0
+dnfile==0.17.0
 funcy==2.0
-humanize==4.12.0
+humanize==4.15.0
 ida-netnode==3.0
-ida-settings==2.1.0
-intervaltree==3.1.0
-markdown-it-py==3.0.0
+ida-settings==3.2.2
+intervaltree==3.2.1
+markdown-it-py==4.0.0
 mdurl==0.1.2
 msgpack==1.0.8
 networkx==3.4.2
 pefile==2024.8.26
-pip==25.0
-protobuf==6.30.1
+pip==25.3
+protobuf==6.33.1
 pyasn1==0.5.1
 pyasn1-modules==0.3.0
-pycparser==2.22
-pydantic==2.10.1
+pycparser==2.23
+pydantic==2.12.4
 # pydantic pins pydantic-core, 
 # but dependabot updates these separately (which is broken) and is annoying,
 # so we rely on pydantic to pull in the right version of pydantic-core.
 # pydantic-core==2.23.4
-xmltodict==0.14.2
+xmltodict==1.0.2
 pyelftools==0.32
 pygments==2.19.1
+pyghidra==3.0.0
 python-flirt==0.9.2
 pyyaml==6.0.2
-rich==13.9.2
-ruamel-yaml==0.18.6
-ruamel-yaml-clib==0.2.8
-setuptools==76.0.0
+rich==14.2.0
+ruamel-yaml==0.19.1
+ruamel-yaml-clib==0.2.14
+setuptools==80.9.0
 six==1.17.0
 sortedcontainers==2.4.0
 viv-utils==0.8.0
 vivisect==1.2.1
-msgspec==0.19.0
+msgspec==0.20.0
+bump-my-version==1.2.4

scripts/capa2yara.py

@@ -175,8 +175,6 @@ def convert_rule(rule, rulename, cround, depth):
     depth += 1
     logger.info("recursion depth: %d", depth)
 
-    global var_names
-
     def do_statement(s_type, kid):
         yara_strings = ""
         yara_condition = ""

scripts/lint.py

@@ -406,6 +406,7 @@ class DoesntMatchExample(Lint):
                 return True
 
             if rule.name not in capabilities:
+                logger.info('rule "%s" does not match for sample %s', rule.name, example_id)
                 return True
 
 

scripts/show-features.py

@@ -275,7 +275,7 @@ def ida_main():
     function = idc.get_func_attr(idc.here(), idc.FUNCATTR_START)
     print(f"getting features for current function {hex(function)}")
 
-    extractor = capa.features.extractors.ida.extractor.IdaFeatureExtractor()
+    extractor = capa.features.extractors.ida.extractor.IdaFeatureExtractor.from_current_database()
 
     if not function:
         for feature, addr in extractor.extract_file_features():

scripts/show-unused-features.py

@@ -175,7 +175,7 @@ def ida_main():
     function = idc.get_func_attr(idc.here(), idc.FUNCATTR_START)
     print(f"getting features for current function {hex(function)}")
 
-    extractor = capa.features.extractors.ida.extractor.IdaFeatureExtractor()
+    extractor = capa.features.extractors.ida.extractor.IdaFeatureExtractor.from_current_database()
     feature_map: Counter[Feature] = Counter()
 
     feature_map.update([feature for feature, _ in extractor.extract_file_features()])

tests/fixtures.py

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-
+import logging
 import contextlib
 import collections
 from pathlib import Path
@@ -20,7 +20,6 @@ from functools import lru_cache
 
 import pytest
 
-import capa.main
 import capa.features.file
 import capa.features.insn
 import capa.features.common
@@ -53,6 +52,7 @@ from capa.features.extractors.base_extractor import (
 )
 from capa.features.extractors.dnfile.extractor import DnfileFeatureExtractor
 
+logger = logging.getLogger(__name__)
 CD = Path(__file__).resolve().parent
 DOTNET_DIR = CD / "data" / "dotnet"
 DNFILE_TESTFILES = DOTNET_DIR / "dnfile-testfiles"
@@ -200,6 +200,73 @@ def get_binja_extractor(path: Path):
     return extractor
 
 
+# we can't easily cache this because the extractor relies on global state (the opened database)
+# which also has to be closed elsewhere. so, the idalib tests will just take a little bit to run.
+def get_idalib_extractor(path: Path):
+    import capa.features.extractors.ida.idalib as idalib
+
+    if not idalib.has_idalib():
+        raise RuntimeError("cannot find IDA idalib module.")
+
+    if not idalib.load_idalib():
+        raise RuntimeError("failed to load IDA idalib module.")
+
+    import idapro
+    import ida_auto
+
+    import capa.features.extractors.ida.extractor
+
+    logger.debug("idalib: opening database...")
+
+    idapro.enable_console_messages(False)
+
+    # we set the primary and secondary Lumina servers to 0.0.0.0 to disable Lumina,
+    # which sometimes provides bad names, including overwriting names from debug info.
+    #
+    # use -R to load resources, which can help us embedded PE files.
+    #
+    # return values from open_database:
+    #   0 - Success
+    #   2 - User cancelled or 32-64 bit conversion failed
+    #   4 - Database initialization failed
+    #   -1 - Generic errors (database already open, auto-analysis failed, etc.)
+    #   -2 - User cancelled operation
+    ret = idapro.open_database(
+        str(path), run_auto_analysis=True, args="-Olumina:host=0.0.0.0 -Osecondary_lumina:host=0.0.0.0 -R"
+    )
+    if ret != 0:
+        raise RuntimeError("failed to analyze input file")
+
+    logger.debug("idalib: waiting for analysis...")
+    ida_auto.auto_wait()
+    logger.debug("idalib: opened database.")
+
+    extractor = capa.features.extractors.ida.extractor.IdaFeatureExtractor.from_current_database()
+    fixup_idalib(path, extractor)
+    return extractor
+
+
+def fixup_idalib(path: Path, extractor):
+    """
+    IDA fixups to overcome differences between backends
+    """
+    import idaapi
+    import ida_funcs
+
+    def remove_library_id_flag(fva):
+        f = idaapi.get_func(fva)
+        f.flags &= ~ida_funcs.FUNC_LIB
+        ida_funcs.update_func(f)
+
+    if "kernel32-64" in path.name:
+        # remove (correct) library function id, so we can test x64 thunk
+        remove_library_id_flag(0x1800202B0)
+
+    if "al-khaser_x64" in path.name:
+        # remove (correct) library function id, so we can test x64 nested thunk
+        remove_library_id_flag(0x14004B4F0)
+
+
 @lru_cache(maxsize=1)
 def get_cape_extractor(path):
     from capa.helpers import load_json_from_path
@@ -227,13 +294,33 @@ def get_vmray_extractor(path):
     return VMRayExtractor.from_zipfile(path)
 
 
-@lru_cache(maxsize=1)
+GHIDRA_CACHE: dict[Path, tuple] = {}
+
+
 def get_ghidra_extractor(path: Path):
+    # we need to start PyGhidra before importing the extractor
+    # because the extractor imports Ghidra modules that are only available after PyGhidra is started
+    import pyghidra
+
+    if not pyghidra.started():
+        pyghidra.start()
+
+    import capa.features.extractors.ghidra.context
     import capa.features.extractors.ghidra.extractor
 
-    extractor = capa.features.extractors.ghidra.extractor.GhidraFeatureExtractor()
-    setattr(extractor, "path", path.as_posix())
+    if path in GHIDRA_CACHE:
+        extractor, program, flat_api, monitor = GHIDRA_CACHE[path]
+        capa.features.extractors.ghidra.context.set_context(program, flat_api, monitor)
+        return extractor
 
+    # We use a larger cache size to avoid re-opening the same file multiple times
+    # which is very slow with Ghidra.
+    extractor = capa.loader.get_extractor(
+        path, FORMAT_AUTO, OS_AUTO, capa.loader.BACKEND_GHIDRA, [], disable_progress=True
+    )
+
+    ctx = capa.features.extractors.ghidra.context.get_context()
+    GHIDRA_CACHE[path] = (extractor, ctx.program, ctx.flat_api, ctx.monitor)
     return extractor
 
 
@@ -894,20 +981,8 @@ FEATURE_PRESENCE_TESTS = sorted(
         ("mimikatz", "function=0x4556E5", capa.features.insn.API("advapi32.LsaQueryInformationPolicy"), False),
         ("mimikatz", "function=0x4556E5", capa.features.insn.API("LsaQueryInformationPolicy"), True),
         # insn/api: x64
-        (
-            "kernel32-64",
-            "function=0x180001010",
-            capa.features.insn.API("RtlVirtualUnwind"),
-            True,
-        ),
         ("kernel32-64", "function=0x180001010", capa.features.insn.API("RtlVirtualUnwind"), True),
         # insn/api: x64 thunk
-        (
-            "kernel32-64",
-            "function=0x1800202B0",
-            capa.features.insn.API("RtlCaptureContext"),
-            True,
-        ),
         ("kernel32-64", "function=0x1800202B0", capa.features.insn.API("RtlCaptureContext"), True),
         # insn/api: x64 nested thunk
         ("al-khaser x64", "function=0x14004B4F0", capa.features.insn.API("__vcrt_GetModuleHandle"), True),
@@ -995,20 +1070,20 @@ FEATURE_PRESENCE_TESTS = sorted(
         ("pma16-01", "file", OS(OS_WINDOWS), True),
         ("pma16-01", "file", OS(OS_LINUX), False),
         ("mimikatz", "file", OS(OS_WINDOWS), True),
-        ("pma16-01", "function=0x404356", OS(OS_WINDOWS), True),
-        ("pma16-01", "function=0x404356,bb=0x4043B9", OS(OS_WINDOWS), True),
+        ("pma16-01", "function=0x401100", OS(OS_WINDOWS), True),
+        ("pma16-01", "function=0x401100,bb=0x401130", OS(OS_WINDOWS), True),
         ("mimikatz", "function=0x40105D", OS(OS_WINDOWS), True),
         ("pma16-01", "file", Arch(ARCH_I386), True),
         ("pma16-01", "file", Arch(ARCH_AMD64), False),
         ("mimikatz", "file", Arch(ARCH_I386), True),
-        ("pma16-01", "function=0x404356", Arch(ARCH_I386), True),
-        ("pma16-01", "function=0x404356,bb=0x4043B9", Arch(ARCH_I386), True),
+        ("pma16-01", "function=0x401100", Arch(ARCH_I386), True),
+        ("pma16-01", "function=0x401100,bb=0x401130", Arch(ARCH_I386), True),
         ("mimikatz", "function=0x40105D", Arch(ARCH_I386), True),
         ("pma16-01", "file", Format(FORMAT_PE), True),
         ("pma16-01", "file", Format(FORMAT_ELF), False),
         ("mimikatz", "file", Format(FORMAT_PE), True),
         # format is also a global feature
-        ("pma16-01", "function=0x404356", Format(FORMAT_PE), True),
+        ("pma16-01", "function=0x401100", Format(FORMAT_PE), True),
         ("mimikatz", "function=0x456BB9", Format(FORMAT_PE), True),
         # elf support
         ("7351f.elf", "file", OS(OS_LINUX), True),

tests/test_binja_features.py

@@ -70,4 +70,4 @@ def test_standalone_binja_backend():
 @pytest.mark.skipif(binja_present is False, reason="Skip binja tests if the binaryninja Python API is not installed")
 def test_binja_version():
     version = binaryninja.core_version_info()
-    assert version.major == 4 and version.minor == 2
+    assert version.major == 5 and version.minor == 2

tests/test_ghidra_features.py

@@ -11,95 +11,42 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
-"""
-Must invoke this script from within the Ghidra Runtime Environment
-"""
-import sys
-import logging
-from pathlib import Path
+import os
+import importlib.util
 
 import pytest
+import fixtures
 
-try:
-    sys.path.append(str(Path(__file__).parent))
-    import fixtures
-finally:
-    sys.path.pop()
+import capa.features.common
+
+ghidra_present = importlib.util.find_spec("pyghidra") is not None and "GHIDRA_INSTALL_DIR" in os.environ
 
 
-logger = logging.getLogger("test_ghidra_features")
-
-ghidra_present: bool = False
-try:
-    import ghidra  # noqa: F401
-
-    ghidra_present = True
-except ImportError:
-    pass
-
-
-def standardize_posix_str(psx_str):
-    """fixture test passes the PosixPath to the test data
-
-    params: psx_str - PosixPath() to the test data
-    return: string that matches test-id sample name
-    """
-
-    if "Practical Malware Analysis Lab" in str(psx_str):
-        # <PosixPath>/'Practical Malware Analysis Lab 16-01.exe_' -> 'pma16-01'
-        wanted_str = "pma" + str(psx_str).split("/")[-1][len("Practical Malware Analysis Lab ") : -5]
-    else:
-        # <PosixPath>/mimikatz.exe_ -> mimikatz
-        wanted_str = str(psx_str).split("/")[-1][:-5]
-
-    if "_" in wanted_str:
-        # al-khaser_x86 -> al-khaser x86
-        wanted_str = wanted_str.replace("_", " ")
-
-    return wanted_str
-
-
-def check_input_file(wanted):
-    """check that test is running on the loaded sample
-
-    params: wanted - PosixPath() passed from test arg
-    """
-
-    import capa.ghidra.helpers as ghidra_helpers
-
-    found = ghidra_helpers.get_file_md5()
-    sample_name = standardize_posix_str(wanted)
-
-    if not found.startswith(fixtures.get_sample_md5_by_name(sample_name)):
-        raise RuntimeError(f"please run the tests against sample with MD5: `{found}`")
-
-
-@pytest.mark.skipif(ghidra_present is False, reason="Ghidra tests must be ran within Ghidra")
-@fixtures.parametrize("sample,scope,feature,expected", fixtures.FEATURE_PRESENCE_TESTS, indirect=["sample", "scope"])
+@pytest.mark.skipif(ghidra_present is False, reason="PyGhidra not installed")
+@fixtures.parametrize(
+    "sample,scope,feature,expected",
+    [
+        (
+            pytest.param(
+                *t,
+                marks=pytest.mark.xfail(
+                    reason="specific to Vivisect and basic blocks do not align with Ghidra's analysis"
+                ),
+            )
+            if t[0] == "294b8d..." and t[2] == capa.features.common.String("\r\n\x00:ht")
+            else t
+        )
+        for t in fixtures.FEATURE_PRESENCE_TESTS
+    ],
+    indirect=["sample", "scope"],
+)
 def test_ghidra_features(sample, scope, feature, expected):
-    try:
-        check_input_file(sample)
-    except RuntimeError:
-        pytest.skip(reason="Test must be ran against sample loaded in Ghidra")
-
     fixtures.do_test_feature_presence(fixtures.get_ghidra_extractor, sample, scope, feature, expected)
 
 
-@pytest.mark.skipif(ghidra_present is False, reason="Ghidra tests must be ran within Ghidra")
+@pytest.mark.skipif(ghidra_present is False, reason="PyGhidra not installed")
 @fixtures.parametrize(
     "sample,scope,feature,expected", fixtures.FEATURE_COUNT_TESTS_GHIDRA, indirect=["sample", "scope"]
 )
 def test_ghidra_feature_counts(sample, scope, feature, expected):
-    try:
-        check_input_file(sample)
-    except RuntimeError:
-        pytest.skip(reason="Test must be ran against sample loaded in Ghidra")
-
     fixtures.do_test_feature_count(fixtures.get_ghidra_extractor, sample, scope, feature, expected)
-
-
-if __name__ == "__main__":
-    # No support for faulthandler module in Ghidrathon, see:
-    # https://github.com/mandiant/Ghidrathon/issues/70
-    sys.exit(pytest.main(["--pyargs", "-p no:faulthandler", "test_ghidra_features"]))

tests/test_ida_features.py

@@ -95,7 +95,7 @@ def get_ida_extractor(_path):
     # have to import this inline so pytest doesn't bail outside of IDA
     import capa.features.extractors.ida.extractor
 
-    return capa.features.extractors.ida.extractor.IdaFeatureExtractor()
+    return capa.features.extractors.ida.extractor.IdaFeatureExtractor.from_current_database()
 
 
 def nocollect(f):

tests/test_idalib_features.py

@@ -0,0 +1,86 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+import logging
+from pathlib import Path
+
+import pytest
+import fixtures
+
+import capa.features.extractors.ida.idalib
+from capa.features.file import FunctionName
+from capa.features.insn import API
+from capa.features.common import Characteristic
+
+logger = logging.getLogger(__name__)
+
+idalib_present = capa.features.extractors.ida.idalib.has_idalib()
+if idalib_present:
+    try:
+        import idapro  # noqa: F401 [imported but unused]
+        import ida_kernwin
+
+        kernel_version: str = ida_kernwin.get_kernel_version()
+    except ImportError:
+        idalib_present = False
+        kernel_version = "0.0"
+
+
+@pytest.mark.skipif(idalib_present is False, reason="Skip idalib tests if the idalib Python API is not installed")
+@fixtures.parametrize(
+    "sample,scope,feature,expected",
+    fixtures.FEATURE_PRESENCE_TESTS + fixtures.FEATURE_SYMTAB_FUNC_TESTS,
+    indirect=["sample", "scope"],
+)
+def test_idalib_features(sample: Path, scope, feature, expected):
+    if kernel_version in {"9.0", "9.1"} and sample.name.startswith("2bf18d"):
+        if isinstance(feature, (API, FunctionName)) and feature.value == "__libc_connect":
+            # see discussion here: https://github.com/mandiant/capa/pull/2742#issuecomment-3674146335
+            #
+            # > i confirmed that there were changes in 9.2 related to the ELF loader handling names,
+            # > so I think its reasonable to conclude that 9.1 and older had a bug that
+            # > prevented this name from surfacing.
+            pytest.xfail(f"IDA {kernel_version} does not extract all ELF symbols")
+
+    if kernel_version in {"9.0"} and sample.name.startswith("Practical Malware Analysis Lab 12-04.exe_"):
+        if isinstance(feature, Characteristic) and feature.value == "embedded pe":
+            # see discussion here: https://github.com/mandiant/capa/pull/2742#issuecomment-3667086165
+            #
+            # idalib for IDA 9.0 doesn't support argv arguments, so we can't ask that resources are loaded
+            pytest.xfail("idalib 9.0 does not support loading resource segments")
+
+    try:
+        fixtures.do_test_feature_presence(fixtures.get_idalib_extractor, sample, scope, feature, expected)
+    finally:
+        logger.debug("closing database...")
+        import idapro
+
+        idapro.close_database(save=False)
+        logger.debug("closed database.")
+
+
+@pytest.mark.skipif(idalib_present is False, reason="Skip idalib tests if the idalib Python API is not installed")
+@fixtures.parametrize(
+    "sample,scope,feature,expected",
+    fixtures.FEATURE_COUNT_TESTS,
+    indirect=["sample", "scope"],
+)
+def test_idalib_feature_counts(sample, scope, feature, expected):
+    try:
+        fixtures.do_test_feature_count(fixtures.get_idalib_extractor, sample, scope, feature, expected)
+    finally:
+        logger.debug("closing database...")
+        import idapro
+
+        idapro.close_database(save=False)
+        logger.debug("closed database.")

web/explorer/package-lock.json

@@ -27,7 +27,7 @@
                 "eslint-plugin-vue": "^9.23.0",
                 "jsdom": "^24.1.0",
                 "prettier": "^3.2.5",
-                "vite": "^6.2.3",
+                "vite": "^6.4.1",
                 "vite-plugin-singlefile": "^2.2.0",
                 "vitest": "^3.0.9"
             }
@@ -1416,6 +1416,20 @@
                 "node": ">=8"
             }
         },
+        "node_modules/call-bind-apply-helpers": {
+            "version": "1.0.2",
+            "resolved": "https://registry.npmjs.org/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz",
+            "integrity": "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "es-errors": "^1.3.0",
+                "function-bind": "^1.1.2"
+            },
+            "engines": {
+                "node": ">= 0.4"
+            }
+        },
         "node_modules/callsites": {
             "version": "3.1.0",
             "resolved": "https://registry.npmjs.org/callsites/-/callsites-3.1.0.tgz",
@@ -1646,6 +1660,21 @@
                 "node": ">=6.0.0"
             }
         },
+        "node_modules/dunder-proto": {
+            "version": "1.0.1",
+            "resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz",
+            "integrity": "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "call-bind-apply-helpers": "^1.0.1",
+                "es-errors": "^1.3.0",
+                "gopd": "^1.2.0"
+            },
+            "engines": {
+                "node": ">= 0.4"
+            }
+        },
         "node_modules/eastasianwidth": {
             "version": "0.2.0",
             "resolved": "https://registry.npmjs.org/eastasianwidth/-/eastasianwidth-0.2.0.tgz",
@@ -1711,6 +1740,26 @@
                 "url": "https://github.com/fb55/entities?sponsor=1"
             }
         },
+        "node_modules/es-define-property": {
+            "version": "1.0.1",
+            "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz",
+            "integrity": "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==",
+            "dev": true,
+            "license": "MIT",
+            "engines": {
+                "node": ">= 0.4"
+            }
+        },
+        "node_modules/es-errors": {
+            "version": "1.3.0",
+            "resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz",
+            "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==",
+            "dev": true,
+            "license": "MIT",
+            "engines": {
+                "node": ">= 0.4"
+            }
+        },
         "node_modules/es-module-lexer": {
             "version": "1.6.0",
             "resolved": "https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-1.6.0.tgz",
@@ -1718,6 +1767,35 @@
             "dev": true,
             "license": "MIT"
         },
+        "node_modules/es-object-atoms": {
+            "version": "1.1.1",
+            "resolved": "https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.1.1.tgz",
+            "integrity": "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "es-errors": "^1.3.0"
+            },
+            "engines": {
+                "node": ">= 0.4"
+            }
+        },
+        "node_modules/es-set-tostringtag": {
+            "version": "2.1.0",
+            "resolved": "https://registry.npmjs.org/es-set-tostringtag/-/es-set-tostringtag-2.1.0.tgz",
+            "integrity": "sha512-j6vWzfrGVfyXxge+O0x5sh6cvxAog0a/4Rdd2K36zCMV5eJ+/+tOAngRO8cODMNWbVRdVlmGZQL2YS3yR8bIUA==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "es-errors": "^1.3.0",
+                "get-intrinsic": "^1.2.6",
+                "has-tostringtag": "^1.0.2",
+                "hasown": "^2.0.2"
+            },
+            "engines": {
+                "node": ">= 0.4"
+            }
+        },
         "node_modules/esbuild": {
             "version": "0.25.1",
             "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.25.1.tgz",
@@ -2108,13 +2186,16 @@
             }
         },
         "node_modules/form-data": {
-            "version": "4.0.0",
-            "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.0.tgz",
-            "integrity": "sha512-ETEklSGi5t0QMZuiXoA/Q6vcnxcLQP5vdugSpuAyi6SVGi2clPPp+xgEhuMaHC+zGgn31Kd235W35f7Hykkaww==",
+            "version": "4.0.4",
+            "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.4.tgz",
+            "integrity": "sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==",
             "dev": true,
+            "license": "MIT",
             "dependencies": {
                 "asynckit": "^0.4.0",
                 "combined-stream": "^1.0.8",
+                "es-set-tostringtag": "^2.1.0",
+                "hasown": "^2.0.2",
                 "mime-types": "^2.1.12"
             },
             "engines": {
@@ -2141,11 +2222,61 @@
                 "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
             }
         },
-        "node_modules/glob": {
-            "version": "10.4.2",
-            "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.2.tgz",
-            "integrity": "sha512-GwMlUF6PkPo3Gk21UxkCohOv0PLcIXVtKyLlpEI28R/cO/4eNOdmLk3CMW1wROV/WR/EsZOWAfBbBOqYvs88/w==",
+        "node_modules/function-bind": {
+            "version": "1.1.2",
+            "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz",
+            "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==",
             "dev": true,
+            "license": "MIT",
+            "funding": {
+                "url": "https://github.com/sponsors/ljharb"
+            }
+        },
+        "node_modules/get-intrinsic": {
+            "version": "1.3.0",
+            "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.3.0.tgz",
+            "integrity": "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "call-bind-apply-helpers": "^1.0.2",
+                "es-define-property": "^1.0.1",
+                "es-errors": "^1.3.0",
+                "es-object-atoms": "^1.1.1",
+                "function-bind": "^1.1.2",
+                "get-proto": "^1.0.1",
+                "gopd": "^1.2.0",
+                "has-symbols": "^1.1.0",
+                "hasown": "^2.0.2",
+                "math-intrinsics": "^1.1.0"
+            },
+            "engines": {
+                "node": ">= 0.4"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/ljharb"
+            }
+        },
+        "node_modules/get-proto": {
+            "version": "1.0.1",
+            "resolved": "https://registry.npmjs.org/get-proto/-/get-proto-1.0.1.tgz",
+            "integrity": "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "dunder-proto": "^1.0.1",
+                "es-object-atoms": "^1.0.0"
+            },
+            "engines": {
+                "node": ">= 0.4"
+            }
+        },
+        "node_modules/glob": {
+            "version": "10.5.0",
+            "resolved": "https://registry.npmjs.org/glob/-/glob-10.5.0.tgz",
+            "integrity": "sha512-DfXN8DfhJ7NH3Oe7cFmu3NCu1wKbkReJ8TorzSAFbSKrlNaQSKfIzqYqVY8zlbs2NLBbWpRiU52GX2PbaBVNkg==",
+            "dev": true,
+            "license": "ISC",
             "dependencies": {
                 "foreground-child": "^3.1.0",
                 "jackspeak": "^3.1.2",
@@ -2157,9 +2288,6 @@
             "bin": {
                 "glob": "dist/esm/bin.mjs"
             },
-            "engines": {
-                "node": ">=16 || 14 >=14.18"
-            },
             "funding": {
                 "url": "https://github.com/sponsors/isaacs"
             }
@@ -2215,6 +2343,19 @@
                 "url": "https://github.com/sponsors/sindresorhus"
             }
         },
+        "node_modules/gopd": {
+            "version": "1.2.0",
+            "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz",
+            "integrity": "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==",
+            "dev": true,
+            "license": "MIT",
+            "engines": {
+                "node": ">= 0.4"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/ljharb"
+            }
+        },
         "node_modules/graphemer": {
             "version": "1.4.0",
             "resolved": "https://registry.npmjs.org/graphemer/-/graphemer-1.4.0.tgz",
@@ -2230,6 +2371,48 @@
                 "node": ">=8"
             }
         },
+        "node_modules/has-symbols": {
+            "version": "1.1.0",
+            "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.1.0.tgz",
+            "integrity": "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==",
+            "dev": true,
+            "license": "MIT",
+            "engines": {
+                "node": ">= 0.4"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/ljharb"
+            }
+        },
+        "node_modules/has-tostringtag": {
+            "version": "1.0.2",
+            "resolved": "https://registry.npmjs.org/has-tostringtag/-/has-tostringtag-1.0.2.tgz",
+            "integrity": "sha512-NqADB8VjPFLM2V0VvHUewwwsw0ZWBaIdgo+ieHtK3hasLz4qeCRjYcqfB6AQrBggRKppKF8L52/VqdVsO47Dlw==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "has-symbols": "^1.0.3"
+            },
+            "engines": {
+                "node": ">= 0.4"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/ljharb"
+            }
+        },
+        "node_modules/hasown": {
+            "version": "2.0.2",
+            "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz",
+            "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "function-bind": "^1.1.2"
+            },
+            "engines": {
+                "node": ">= 0.4"
+            }
+        },
         "node_modules/highlight.js": {
             "version": "11.9.0",
             "resolved": "https://registry.npmjs.org/highlight.js/-/highlight.js-11.9.0.tgz",
@@ -2456,10 +2639,11 @@
             }
         },
         "node_modules/js-yaml": {
-            "version": "4.1.0",
-            "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz",
-            "integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==",
+            "version": "4.1.1",
+            "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
+            "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
             "dev": true,
+            "license": "MIT",
             "dependencies": {
                 "argparse": "^2.0.1"
             },
@@ -2608,6 +2792,16 @@
                 "@jridgewell/sourcemap-codec": "^1.5.0"
             }
         },
+        "node_modules/math-intrinsics": {
+            "version": "1.1.0",
+            "resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz",
+            "integrity": "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==",
+            "dev": true,
+            "license": "MIT",
+            "engines": {
+                "node": ">= 0.4"
+            }
+        },
         "node_modules/micromatch": {
             "version": "4.0.8",
             "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.8.tgz",
@@ -3426,6 +3620,51 @@
             "dev": true,
             "license": "MIT"
         },
+        "node_modules/tinyglobby": {
+            "version": "0.2.13",
+            "resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.13.tgz",
+            "integrity": "sha512-mEwzpUgrLySlveBwEVDMKk5B57bhLPYovRfPAXD5gA/98Opn0rCDj3GtLwFvCvH5RK9uPCExUROW5NjDwvqkxw==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "fdir": "^6.4.4",
+                "picomatch": "^4.0.2"
+            },
+            "engines": {
+                "node": ">=12.0.0"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/SuperchupuDev"
+            }
+        },
+        "node_modules/tinyglobby/node_modules/fdir": {
+            "version": "6.4.4",
+            "resolved": "https://registry.npmjs.org/fdir/-/fdir-6.4.4.tgz",
+            "integrity": "sha512-1NZP+GK4GfuAv3PqKvxQRDMjdSRZjnkq7KfhlNrCNNlZ0ygQFpebfrnfnq/W7fpUnAv9aGWmY1zKx7FYL3gwhg==",
+            "dev": true,
+            "license": "MIT",
+            "peerDependencies": {
+                "picomatch": "^3 || ^4"
+            },
+            "peerDependenciesMeta": {
+                "picomatch": {
+                    "optional": true
+                }
+            }
+        },
+        "node_modules/tinyglobby/node_modules/picomatch": {
+            "version": "4.0.2",
+            "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.2.tgz",
+            "integrity": "sha512-M7BAV6Rlcy5u+m6oPhAPFgJTzAioX/6B0DxyvDlo9l8+T3nLKbrczg2WLUyzd45L8RqfUMyGPzekbMvX2Ldkwg==",
+            "dev": true,
+            "license": "MIT",
+            "engines": {
+                "node": ">=12"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/jonschlinkert"
+            }
+        },
         "node_modules/tinypool": {
             "version": "1.0.2",
             "resolved": "https://registry.npmjs.org/tinypool/-/tinypool-1.0.2.tgz",
@@ -3561,15 +3800,18 @@
             "dev": true
         },
         "node_modules/vite": {
-            "version": "6.2.3",
-            "resolved": "https://registry.npmjs.org/vite/-/vite-6.2.3.tgz",
-            "integrity": "sha512-IzwM54g4y9JA/xAeBPNaDXiBF8Jsgl3VBQ2YQ/wOY6fyW3xMdSoltIV3Bo59DErdqdE6RxUfv8W69DvUorE4Eg==",
+            "version": "6.4.1",
+            "resolved": "https://registry.npmjs.org/vite/-/vite-6.4.1.tgz",
+            "integrity": "sha512-+Oxm7q9hDoLMyJOYfUYBuHQo+dkAloi33apOPP56pzj+vsdJDzr+j1NISE5pyaAuKL4A3UD34qd0lx5+kfKp2g==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
                 "esbuild": "^0.25.0",
+                "fdir": "^6.4.4",
+                "picomatch": "^4.0.2",
                 "postcss": "^8.5.3",
-                "rollup": "^4.30.1"
+                "rollup": "^4.34.9",
+                "tinyglobby": "^0.2.13"
             },
             "bin": {
                 "vite": "bin/vite.js"
@@ -3672,6 +3914,34 @@
                 "vite": "^5.4.11 || ^6.0.0"
             }
         },
+        "node_modules/vite/node_modules/fdir": {
+            "version": "6.4.4",
+            "resolved": "https://registry.npmjs.org/fdir/-/fdir-6.4.4.tgz",
+            "integrity": "sha512-1NZP+GK4GfuAv3PqKvxQRDMjdSRZjnkq7KfhlNrCNNlZ0ygQFpebfrnfnq/W7fpUnAv9aGWmY1zKx7FYL3gwhg==",
+            "dev": true,
+            "license": "MIT",
+            "peerDependencies": {
+                "picomatch": "^3 || ^4"
+            },
+            "peerDependenciesMeta": {
+                "picomatch": {
+                    "optional": true
+                }
+            }
+        },
+        "node_modules/vite/node_modules/picomatch": {
+            "version": "4.0.2",
+            "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.2.tgz",
+            "integrity": "sha512-M7BAV6Rlcy5u+m6oPhAPFgJTzAioX/6B0DxyvDlo9l8+T3nLKbrczg2WLUyzd45L8RqfUMyGPzekbMvX2Ldkwg==",
+            "dev": true,
+            "license": "MIT",
+            "engines": {
+                "node": ">=12"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/jonschlinkert"
+            }
+        },
         "node_modules/vitest": {
             "version": "3.0.9",
             "resolved": "https://registry.npmjs.org/vitest/-/vitest-3.0.9.tgz",

web/explorer/package.json

@@ -33,7 +33,7 @@
         "eslint-plugin-vue": "^9.23.0",
         "jsdom": "^24.1.0",
         "prettier": "^3.2.5",
-        "vite": "^6.2.3",
+        "vite": "^6.4.1",
         "vite-plugin-singlefile": "^2.2.0",
         "vitest": "^3.0.9"
     }

web/public/index.html

@@ -210,35 +210,31 @@
     <div class="row flex-lg-row-reverse align-items-center g-5">
       <h1>What's New</h1>
 
-      <h2 class="mt-3">Rule Updates</h2>
-
-      <ul class="mt-2 ps-5">
-        <!-- TODO(williballenthin): add date -->
-
-        <li>
-          added:
-          <a href="./rules/change registry key timestamp/">
-            change registry key timestamp
-          </a>
-        </li>
-
-        <li>
-          added:
-          <a href="./rules/check mutex and terminate process on windows/">
-            check mutex and terminate process on Windows
-          </a>
-        </li>
-
-        <li>
-          added:
-          <a href="./rules/clear windows event logs remotely/">
-            clear windows event logs remotely
-          </a>
-        </li>
-      </ul>
-
       <h2 class="mt-3">Tool Updates</h2>
-      
+
+      <h3 class="mt-2">v9.3.1 (<em>2025-11-19</em>)</h3>
+      <p class="mt-0">
+        This patch release fixes a missing import for the capa explorer plugin for IDA Pro.
+      </p>
+
+      <h3 class="mt-2">v9.3.0 (<em>2025-11-12</em>)</h3>
+      <p class="mt-0">
+        capa v9.3.0 comes with over 20 new and/or impoved rules.
+        For IDA users the capa explorer plugin is now available via the IDA Pro plugin repository and contains Qt compatibility layer for PyQt5 and PySide6 support.
+        Additionally a Binary Ninja bug has been fixed. Released binaries now include ARM64 binaries (Linux and macOS).
+      </p>
+
+      <h3 class="mt-2">v9.2.1 (<em>2025-06-06</em>)</h3>
+      <p class="mt-0">
+        This point release fixes bugs including removing an unnecessary PyInstaller warning message and enabling the standalone binary to execute on systems running older versions of glibc.
+      </p>
+
+      <h3 class="mt-2">v9.2.0 (<em>2025-06-03</em>)</h3>
+      <p class="mt-0">
+        This release improves a few aspects of dynamic analysis, including relaxing our validation on fields across many CAPE versions and processing additional VMRay submission file types, for example.
+        It also includes an updated rule pack containing new rules and rule fixes.
+      </p>
+
       <h3 class="mt-2">v9.1.0 (<em>2025-03-02</em>)</h3>
       <p class="mt-0">
         This release improves a few aspects of dynamic analysis, relaxing our validation on fields across many CAPE versions, for example.