cape: linux: handle weird argument edge case type

cape: linux: handle status code return types
cape: linux: handle no environ
2026-03-17 15:29:03 -07:00 · 2025-03-19 16:04:31 +00:00 · 2025-03-19 16:04:15 +00:00 · 2025-03-19 16:03:10 +00:00 · 2025-03-19 16:02:56 +00:00 · 2025-03-19 16:01:57 +00:00
36 changed files with 283 additions and 732 deletions
--- a/.bumpversion.toml
+++ b/.bumpversion.toml
@@ -1,22 +0,0 @@
-[tool.bumpversion]
-current_version = "9.2.1"
-
-[[tool.bumpversion.files]]
-filename = "capa/version.py"
-search = '__version__ = "{current_version}"'
-replace = '__version__ = "{new_version}"'
-
-[[tool.bumpversion.files]]
-filename = "capa/ida/plugin/ida-plugin.json"
-search = '"version": "{current_version}"'
-replace = '"version": "{new_version}"'
-
-[[tool.bumpversion.files]]
-filename = "capa/ida/plugin/ida-plugin.json"
-search = '"flare-capa=={current_version}"'
-replace = '"flare-capa=={new_version}"'
-
-[[tool.bumpversion.files]]
-filename = "CHANGELOG.md"
-search = "v{current_version}...master"
-replace = "{current_version}...{new_version}"
--- a/.github/pyinstaller/pyinstaller.spec
+++ b/.github/pyinstaller/pyinstaller.spec
@@ -74,9 +74,6 @@ a = Analysis(
        # only be installed locally.
        "binaryninja",
        "ida",
-        # remove once https://github.com/mandiant/capa/issues/2681 has
-        # been addressed by PyInstaller
-        "pkg_resources",
    ],
 )

--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -9,7 +9,6 @@ on:
      - '**.md'
  release:
    types: [edited, published]
-  workflow_dispatch: # manual trigger for testing

 permissions:
  contents: write
@@ -23,38 +22,24 @@ jobs:
      fail-fast: true
      matrix:
        include:
-          - os: ubuntu-22.04
+          - os: ubuntu-20.04
            # use old linux so that the shared library versioning is more portable
            artifact_name: capa
            asset_name: linux
            python_version: '3.10'
-          - os: ubuntu-22.04-arm
-            artifact_name: capa
-            asset_name: linux-arm64
-            python_version: '3.10'
-          - os: ubuntu-22.04
+          - os: ubuntu-20.04
            artifact_name: capa
            asset_name: linux-py312
            python_version: '3.12'
-          - os: windows-2022
+          - os: windows-2019
            artifact_name: capa.exe
            asset_name: windows
            python_version: '3.10'
-          # Windows 11 ARM64 complains of conflicting package version
-          # Additionally, there is no ARM64 build of Python for Python 3.10 on Windows 11 ARM: https://raw.githubusercontent.com/actions/python-versions/main/versions-manifest.json
-          #- os: windows-11-arm
-          #  artifact_name: capa.exe
-          #  asset_name: windows-arm64
-          #  python_version: '3.12'
          - os: macos-13
            # use older macOS for assumed better portability
            artifact_name: capa
            asset_name: macos
            python_version: '3.10'
-          - os: macos-14
-            artifact_name: capa
-            asset_name: macos-arm64
-            python_version: '3.10'
    steps:
      - name: Checkout capa
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -64,7 +49,7 @@ jobs:
        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
        with:
          python-version: ${{ matrix.python_version }}
-      - if: matrix.os == 'ubuntu-22.04' || matrix.os == 'ubuntu-22.04-arm'
+      - if: matrix.os == 'ubuntu-20.04'
        run: sudo apt-get install -y libyaml-dev
      - name: Upgrade pip, setuptools
        run: python -m pip install --upgrade pip setuptools
@@ -74,28 +59,6 @@ jobs:
          pip install -e .[build]
      - name: Build standalone executable
        run: pyinstaller --log-level DEBUG .github/pyinstaller/pyinstaller.spec
-      - name: Does it run without warnings or errors?
-        shell: bash
-        run: |
-          if [[ "${{ matrix.os }}" == "windows-2022" ]] || [[ "${{ matrix.os }}" == "windows-11-arm" ]]; then
-            EXECUTABLE=".\\dist\\capa"
-          else
-            EXECUTABLE="./dist/capa"
-          fi
-
-          output=$(${EXECUTABLE} --version 2>&1)
-          exit_code=$?
-
-          echo "${output}"
-          echo "${exit_code}"
-
-          if echo "${output}" | grep -iE 'error|warning'; then
-            exit 1
-          fi
-
-          if [[ "${exit_code}" -ne 0 ]]; then
-            exit 1
-          fi
      - name: Does it run (PE)?
        run: dist/capa -d "tests/data/Practical Malware Analysis Lab 01-01.dll_"
      - name: Does it run (Shellcode)?
@@ -111,6 +74,34 @@ jobs:
          name: ${{ matrix.asset_name }}
          path: dist/${{ matrix.artifact_name }}

+  test_run:
+    name: Test run on ${{ matrix.os }} / ${{ matrix.asset_name }}
+    runs-on: ${{ matrix.os }}
+    needs: [build]
+    strategy:
+      matrix:
+        include:
+          # OSs not already tested above
+          - os: ubuntu-22.04
+            artifact_name: capa
+            asset_name: linux
+          - os: ubuntu-22.04
+            artifact_name: capa
+            asset_name: linux-py312
+          - os: windows-2022
+            artifact_name: capa.exe
+            asset_name: windows
+    steps:
+      - name: Download ${{ matrix.asset_name }}
+        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+        with:
+          name: ${{ matrix.asset_name }}
+      - name: Set executable flag
+        if: matrix.os != 'windows-2022'
+        run: chmod +x ${{ matrix.artifact_name }}
+      - name: Run capa
+        run: ./${{ matrix.artifact_name }} -h
+
  zip_and_upload:
    # upload zipped binaries to Release page
    if: github.event_name == 'release'
@@ -122,18 +113,12 @@ jobs:
        include:
          - asset_name: linux
            artifact_name: capa
-          - asset_name: linux-arm64
-            artifact_name: capa
          - asset_name: linux-py312
            artifact_name: capa
          - asset_name: windows
            artifact_name: capa.exe
-          #- asset_name: windows-arm64
-          #  artifact_name: capa.exe
          - asset_name: macos
            artifact_name: capa
-          - asset_name: macos-arm64
-            artifact_name: capa
    steps:
      - name: Download ${{ matrix.asset_name }}
        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -35,7 +35,7 @@ jobs:
        with:
          path: dist/*
      - name: publish package
-        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc  # release/v1.12.4
+        uses: pypa/gh-action-pypi-publish@f5622bde02b04381239da3573277701ceca8f6a0  # release/v1
        with:
          skip-existing: true
          verbose: true
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -88,16 +88,16 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        os: [ubuntu-22.04, windows-2022, macos-13]
+        os: [ubuntu-20.04, windows-2019, macos-13]
        # across all operating systems
        python-version: ["3.10", "3.11"]
        include:
          # on Ubuntu run these as well
-          - os: ubuntu-22.04
+          - os: ubuntu-20.04
            python-version: "3.10"
-          - os: ubuntu-22.04
+          - os: ubuntu-20.04
            python-version: "3.11"
-          - os: ubuntu-22.04
+          - os: ubuntu-20.04
            python-version: "3.12"
    steps:
    - name: Checkout capa with submodules
@@ -109,7 +109,7 @@ jobs:
      with:
        python-version: ${{ matrix.python-version }}
    - name: Install pyyaml
-      if: matrix.os == 'ubuntu-22.04'
+      if: matrix.os == 'ubuntu-20.04'
      run: sudo apt-get install -y libyaml-dev
    - name: Install capa
      run: |
@@ -168,7 +168,7 @@ jobs:

  ghidra-tests:
    name: Ghidra tests for ${{ matrix.python-version }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-20.04
    needs: [tests]
    strategy:
      fail-fast: false
--- a/.gitignore
+++ b/.gitignore
@@ -122,7 +122,6 @@ scripts/perf/*.zip
 */.DS_Store
 Pipfile
 Pipfile.lock
-uv.lock
 /cache/
 .github/binja/binaryninja
 .github/binja/download_headless.py
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,116 +3,29 @@
 ## master (unreleased)

 ### New Features
- ci: add support for arm64 binary releases

 ### Breaking Changes

-### New Rules (21)
+### New Rules (4)

- anti-analysis/anti-vm/vm-detection/detect-mouse-movement-via-activity-checks-on-windows tevajdr@gmail.com
- nursery/create-executable-heap moritz.raabe@mandiant.com
- anti-analysis/packer/dxpack/packed-with-dxpack jakubjozwiak@google.com
- anti-analysis/anti-av/patch-bitdefender-hooking-dll-function jakubjozwiak@google.com
- nursery/acquire-load-driver-privileges mehunhoff@google.com
- nursery/communicate-using-ftp mehunhoff@google.com
- linking/static/eclipse-paho-mqtt-c/linked-against-eclipse-paho-mqtt-c jakubjozwiak@google.com
- linking/static/qmqtt/linked-against-qmqtt jakubjozwiak@google.com
- anti-analysis/anti-forensic/disable-powershell-transcription jakubjozwiak@google.com
- host-interaction/powershell/bypass-powershell-constrained-language-mode-via-getsystemlockdownpolicy-patch jakubjozwiak@google.com
- linking/static/grpc/linked-against-grpc jakubjozwiak@google.com
- linking/static/hp-socket/linked-against-hp-socket jakubjozwiak@google.com
- load-code/execute-jscript-via-vsaengine-in-dotnet jakubjozwiak@google.com
- linking/static/funchook/linked-against-funchook jakubjozwiak@google.com
- linking/static/plthook/linked-against-plthook jakubjozwiak@google.com
- host-interaction/network/enumerate-tcp-connections-via-wmi-com-api jakubjozwiak@google.com
- host-interaction/network/routing-table/create-routing-table-entry jakubjozwiak@google.com
- host-interaction/network/routing-table/get-routing-table michael.hunhoff@mandiant.com
- host-interaction/file-system/use-io_uring-io-interface-on-linux jakubjozwiak@google.com
- collection/keylog/log-keystrokes-via-direct-input zeze-zeze
+- communication/socket/connect-socket moritz.raabe@mandiant.com joakim@intezer.com mrhafizfarhad@gmail.com
+- communication/socket/udp/connect-udp-socket mrhafizfarhad@gmail.com
+- nursery/enter-debug-mode-in-dotnet @v1bh475u
 -

 ### Bug Fixes
-
- binja: fix a crash during feature extraction when the MLIL is unavailable @xusheng6 #2714 
+- cape: make some fields optional @williballenthin #2631 #2632
+- lint: add WARN for regex features that contain unescaped dot #2635

 ### capa Explorer Web

 ### capa Explorer IDA Pro plugin

- add `ida-plugin.json` for inclusion in the IDA Pro plugin repository @williballenthin
- ida plugin: add Qt compatibility layer for PyQt5 and PySide6 support @williballenthin #2707
- ida plugin: update ida-settings API @mr-tz #2736
-
 ### Development

- ci: remove redundant "test_run" action from build workflow @mike-hunhoff #2692
- dev: add bumpmyversion to bump and sync versions across the project @mr-tz
-
 ### Raw diffs
- [capa v9.2.1...master](https://github.com/mandiant/capa/compare/v9.2.1...master)
- [capa-rules v9.2.1...master](https://github.com/mandiant/capa-rules/compare/v9.2.1...master)
-
-## v9.2.1
-
-This point release fixes bugs including removing an unnecessary PyInstaller warning message and enabling the standalone binary to execute on systems running older versions of glibc.
-
-### Bug Fixes
-
- ci: exclude pkg_resources from PyInstaller build @mike-hunhoff #2684
- ci: downgrade Ubuntu version to accommodate older glibc versions @mike-hunhoff #2684
-
-### Development
-
- ci: upgrade Windows version to avoid deprecation @mike-hunhoff #2684
- ci: check if build runs without warnings or errors @mike-hunhoff #2684
-
-### Raw diffs
- [capa v9.2.0...v9.2.1](https://github.com/mandiant/capa/compare/v9.2.0...v9.2.1)
- [capa-rules v9.2.0...v9.2.1](https://github.com/mandiant/capa-rules/compare/v9.2.0...v9.2.1)
-
-## v9.2.0
-
-This release improves a few aspects of dynamic analysis, including relaxing our validation on fields across many CAPE versions and processing additional VMRay submission file types, for example.
-It also includes an updated rule pack containing new rules and rule fixes.
-
-### New Features
- vmray: do not restrict analysis to PE and ELF files, e.g. docx @mike-hunhoff #2672
-
-### Breaking Changes
-
-### New Rules (22)
-
- communication/socket/connect-socket moritz.raabe@mandiant.com joakim@intezer.com mrhafizfarhad@gmail.com
- communication/socket/udp/connect-udp-socket mrhafizfarhad@gmail.com
- nursery/enter-debug-mode-in-dotnet @v1bh475u
- nursery/decrypt-data-using-tripledes-in-dotnet 0xRavenspar
- nursery/encrypt-data-using-tripledes-in-dotnet 0xRavenspar
- nursery/disable-system-features-via-registry-on-windows mehunhoff@google.com
- data-manipulation/encryption/chaskey/encrypt-data-using-chaskey still@teamt5.org
- data-manipulation/encryption/speck/encrypt-data-using-speck still@teamt5.org
- load-code/dotnet/load-assembly-via-iassembly still@teamt5.org
- malware-family/donut-loader/load-shellcode-via-donut still@teamt5.org
- nursery/disable-device-guard-features-via-registry-on-windows mehunhoff@google.com
- nursery/disable-firewall-features-via-registry-on-windows mehunhoff@google.com
- nursery/disable-system-restore-features-via-registry-on-windows mehunhoff@google.com
- nursery/disable-windows-defender-features-via-registry-on-windows mehunhoff@google.com
- host-interaction/file-system/write/clear-file-content jakeperalta7
- host-interaction/filter/unload-minifilter-driver JakePeralta7
- exploitation/enumeration/make-suspicious-ntquerysysteminformation-call zdw@google.com
- exploitation/gadgets/load-ntoskrnl zdw@google.com
- exploitation/gadgets/resolve-ntoskrnl-gadgets zdw@google.com
- exploitation/spraying/make-suspicious-ntfscontrolfile-call zdw@google.com
- anti-analysis/anti-forensic/unload-sysmon JakePeralta7
-
-### Bug Fixes
- cape: make some fields optional @williballenthin #2631 #2632
- lint: add WARN for regex features that contain unescaped dot #2635
- lint: add ERROR for incomplete registry control set regex #2643
- binja: update unit test core version #2670
-
-### Raw diffs
- [capa v9.1.0...v9.2.0](https://github.com/mandiant/capa/compare/v9.1.0...v9.2.0)
- [capa-rules v9.1.0...v9.2.0](https://github.com/mandiant/capa-rules/compare/v9.1.0...v9.2.0)
+- [capa v9.1.0...master](https://github.com/mandiant/capa/compare/v9.1.0...master)
+- [capa-rules v9.1.0...master](https://github.com/mandiant/capa-rules/compare/v9.1.0...master)

 ## v9.1.0

--- a/README.md
+++ b/README.md
@@ -315,6 +315,3 @@ If you use Ghidra, then you can use the [capa + Ghidra integration](/capa/ghidra

 ## capa testfiles
 The [capa-testfiles repository](https://github.com/mandiant/capa-testfiles) contains the data we use to test capa's code and rules
-
-## mailing list
-Subscribe to the FLARE mailing list for community announcements! Email "subscribe" to [flare-external@google.com](mailto:flare-external@google.com?subject=subscribe).
--- a/capa/features/extractors/binja/function.py
+++ b/capa/features/extractors/binja/function.py
@@ -19,6 +19,7 @@ from binaryninja import (
    Function,
    BinaryView,
    SymbolType,
+    ILException,
    RegisterValueType,
    VariableSourceType,
    LowLevelILOperation,
@@ -191,8 +192,9 @@ def extract_stackstring(fh: FunctionHandle):
    if bv is None:
        return

-    mlil = func.mlil
-    if mlil is None:
+    try:
+        mlil = func.mlil
+    except ILException:
        return

    for block in mlil.basic_blocks:
--- a/capa/features/extractors/cape/extractor.py
+++ b/capa/features/extractors/cape/extractor.py
@@ -21,9 +21,9 @@ import capa.features.extractors.cape.file
 import capa.features.extractors.cape.thread
 import capa.features.extractors.cape.global_
 import capa.features.extractors.cape.process
-from capa.exceptions import EmptyReportError, UnsupportedFormatError
+from capa.exceptions import EmptyReportError
 from capa.features.common import Feature
-from capa.features.address import Address, AbsoluteVirtualAddress, _NoAddress
+from capa.features.address import NO_ADDRESS, Address, AbsoluteVirtualAddress, _NoAddress
 from capa.features.extractors.cape.models import Call, Static, Process, CapeReport
 from capa.features.extractors.base_extractor import (
    CallHandle,
@@ -53,9 +53,14 @@ class CapeExtractor(DynamicFeatureExtractor):
        self.global_features = list(capa.features.extractors.cape.global_.extract_features(self.report))

    def get_base_address(self) -> Union[AbsoluteVirtualAddress, _NoAddress, None]:
+        if self.report.static is None:
+            return NO_ADDRESS
+
+        if self.report.static.pe is None:
+            # TODO: handle ELF
+            return NO_ADDRESS
+
        # value according to the PE header, the actual trace may use a different imagebase
-        assert self.report.static is not None
-        assert self.report.static.pe is not None
        return AbsoluteVirtualAddress(self.report.static.pe.imagebase)

    def extract_global_features(self) -> Iterator[tuple[Feature, Address]]:
@@ -120,8 +125,10 @@ class CapeExtractor(DynamicFeatureExtractor):
        parts.append(" -> ")
        if call.pretty_return:
            parts.append(call.pretty_return)
-        else:
+        elif call.return_:
            parts.append(hex(call.return_))
+        else:
+            parts.append("?")

        return "".join(parts)

@@ -132,25 +139,11 @@ class CapeExtractor(DynamicFeatureExtractor):
        if cr.info.version not in TESTED_VERSIONS:
            logger.warning("CAPE version '%s' not tested/supported yet", cr.info.version)

-        # TODO(mr-tz): support more file types
-        # https://github.com/mandiant/capa/issues/1933
-        if "PE" not in cr.target.file.type:
-            logger.error(
-                "capa currently only supports PE target files, this target file's type is: '%s'.\nPlease report this at: https://github.com/mandiant/capa/issues/1933",
-                cr.target.file.type,
-            )
-
        # observed in 2.4-CAPE reports from capesandbox.com
        if cr.static is None and cr.target.file.pe is not None:
            cr.static = Static()
            cr.static.pe = cr.target.file.pe

-        if cr.static is None:
-            raise UnsupportedFormatError("CAPE report missing static analysis")
-
-        if cr.static.pe is None:
-            raise UnsupportedFormatError("CAPE report missing PE analysis")
-
        if len(cr.behavior.processes) == 0:
            raise EmptyReportError("CAPE did not capture any processes")

--- a/capa/features/extractors/cape/file.py
+++ b/capa/features/extractors/cape/file.py
@@ -32,7 +32,13 @@ def get_processes(report: CapeReport) -> Iterator[ProcessHandle]:
    """
    seen_processes = {}
    for process in report.behavior.processes:
-        addr = ProcessAddress(pid=process.process_id, ppid=process.parent_id)
+        if process.parent_id is None:
+            # on CAPE for Linux, the root process may have no parent id, so we set that to 0
+            ppid = 0
+        else:
+            ppid = process.parent_id
+
+        addr = ProcessAddress(pid=process.process_id, ppid=ppid)
        yield ProcessHandle(address=addr, inner=process)

        # check for pid and ppid reuse
@@ -52,7 +58,13 @@ def extract_import_names(report: CapeReport) -> Iterator[tuple[Feature, Address]
    """
    extract imported function names
    """
-    assert report.static is not None and report.static.pe is not None
+    if report.static is None:
+        return
+
+    if report.static.pe is None:
+        # TODO: elf
+        return
+
    imports = report.static.pe.imports

    if isinstance(imports, dict):
@@ -70,13 +82,25 @@ def extract_import_names(report: CapeReport) -> Iterator[tuple[Feature, Address]


 def extract_export_names(report: CapeReport) -> Iterator[tuple[Feature, Address]]:
-    assert report.static is not None and report.static.pe is not None
+    if report.static is None:
+        return
+
+    if report.static.pe is None:
+        # TODO: elf
+        return
+
    for function in report.static.pe.exports:
        yield Export(function.name), AbsoluteVirtualAddress(function.address)


 def extract_section_names(report: CapeReport) -> Iterator[tuple[Feature, Address]]:
-    assert report.static is not None and report.static.pe is not None
+    if report.static is None:
+        return
+
+    if report.static.pe is None:
+        # TODO: elf
+        return
+
    for section in report.static.pe.sections:
        yield Section(section.name), AbsoluteVirtualAddress(section.virtual_address)

--- a/capa/features/extractors/cape/global_.py
+++ b/capa/features/extractors/cape/global_.py
@@ -42,9 +42,6 @@ def extract_arch(report: CapeReport) -> Iterator[tuple[Feature, Address]]:
        yield Arch(ARCH_AMD64), NO_ADDRESS
    else:
        logger.warning("unrecognized Architecture: %s", report.target.file.type)
-        raise ValueError(
-            f"unrecognized Architecture from the CAPE report; output of file command: {report.target.file.type}"
-        )


 def extract_format(report: CapeReport) -> Iterator[tuple[Feature, Address]]:
@@ -54,9 +51,6 @@ def extract_format(report: CapeReport) -> Iterator[tuple[Feature, Address]]:
        yield Format(FORMAT_ELF), NO_ADDRESS
    else:
        logger.warning("unknown file format, file command output: %s", report.target.file.type)
-        raise ValueError(
-            f"unrecognized file format from the CAPE report; output of file command: {report.target.file.type}"
-        )


 def extract_os(report: CapeReport) -> Iterator[tuple[Feature, Address]]:
@@ -80,7 +74,10 @@ def extract_os(report: CapeReport) -> Iterator[tuple[Feature, Address]]:
        else:
            # if the operating system information is missing from the cape report, it's likely a bug
            logger.warning("unrecognized OS: %s", file_output)
-            raise ValueError(f"unrecognized OS from the CAPE report; output of file command: {file_output}")
+    elif report.info.machine and report.info.machine.platform == "windows":
+        yield OS(OS_WINDOWS), NO_ADDRESS
+    elif report.info.machine and report.info.machine.platform == "linux":
+        yield OS(OS_LINUX), NO_ADDRESS
    else:
        # the sample is shellcode
        logger.debug("unsupported file format, file command output: %s", file_output)
--- a/capa/features/extractors/cape/models.py
+++ b/capa/features/extractors/cape/models.py
@@ -29,8 +29,26 @@ def validate_hex_bytes(value):
    return bytes.fromhex(value) if isinstance(value, str) else value


+def validate_status_code(value):
+    if isinstance(value, str):
+        if value == "?":
+            # TODO: check for this in the return handling
+            return None
+
+        # like: -1 EINVAL (Invalid argument)
+        # like: 0 (Timeout)
+        # like: 0x8002 (flags O_RDWR|O_LARGEFILE)
+        assert value.endswith(")")
+        num = value.partition(" ")[0]
+        return int(num, 16) if num.startswith("0x") else int(num, 10)
+    else:
+        return value
+
+
 HexInt = Annotated[int, BeforeValidator(validate_hex_int)]
 HexBytes = Annotated[bytes, BeforeValidator(validate_hex_bytes)]
+# this is a status code, such as returned by CAPE for Linux, like: "0 (Timeout)" or "0x8002 (flags O_RDWR|O_LARGEFILE)
+StatusCode = Annotated[int | None, BeforeValidator(validate_status_code)]


 # a model that *cannot* have extra fields
@@ -71,8 +89,13 @@ Emptydict: TypeAlias = BaseModel
 EmptyList: TypeAlias = list[Any]


+class Machine(FlexibleModel):
+    platform: Optional[str] = None
+
+
 class Info(FlexibleModel):
    version: str
+    machine: Optional[Machine] = None


 class ImportedSymbol(FlexibleModel):
@@ -287,16 +310,38 @@ class Argument(FlexibleModel):
    pretty_value: Optional[str] = None


+def validate_argument(value):
+    if isinstance(value, str):
+        # for a few calls on CAPE for Linux, we see arguments like in this call:
+        #
+        #    timestamp: "18:12:17.199276"
+        #    category: "misc"
+        #    api: "uname"
+        #    return: "0"
+        #  ▽ arguments:
+        #       [0]: "{sysname=\"Linux\", nodename=\"laptop\", ...}"
+        #
+        # which is just a string with a JSON-like thing inside,
+        # that we want to map a default unnamed argument.
+        return Argument(name="", value=value)
+    else:
+        return value
+
+
+# mypy isn't happy about assigning to type
+Argument = Annotated[Argument, BeforeValidator(validate_argument)]  # type: ignore
+
+
 class Call(FlexibleModel):
    # timestamp: str
-    thread_id: int
+    thread_id: int | None = None
    # category: str

    api: str

    arguments: list[Argument]
    # status: bool
-    return_: HexInt = Field(alias="return")
+    return_: HexInt | StatusCode = Field(alias="return")
    pretty_return: Optional[str] = None

    # repeated: int
@@ -315,12 +360,12 @@ class Call(FlexibleModel):
 class Process(FlexibleModel):
    process_id: int
    process_name: str
-    parent_id: int
+    parent_id: int | None
    # module_path: str
    # first_seen: str
    calls: list[Call]
-    threads: list[int]
-    environ: dict[str, str]
+    threads: list[int] | None = None  # this can be None for CAPE for Linux, which doesn't track threads.
+    environ: dict[str, str] = Field(default_factory=dict)  # type: ignore


 """
--- a/capa/features/extractors/cape/process.py
+++ b/capa/features/extractors/cape/process.py
@@ -29,6 +29,13 @@ def get_threads(ph: ProcessHandle) -> Iterator[ThreadHandle]:
    get the threads associated with a given process
    """
    process: Process = ph.inner
+
+    if not process.threads:
+        # CAPE for linux doesn't record threads
+        # so we return a default 0 value
+        yield ThreadHandle(address=ThreadAddress(process=ph.address, tid=0), inner={})
+        return
+
    threads: list[int] = process.threads

    for thread in threads:
@@ -42,6 +49,9 @@ def extract_environ_strings(ph: ProcessHandle) -> Iterator[tuple[Feature, Addres
    """
    process: Process = ph.inner

+    if not process.environ:
+        return
+
    for value in (value for value in process.environ.values() if value):
        yield String(value), ph.address

--- a/capa/features/extractors/cape/thread.py
+++ b/capa/features/extractors/cape/thread.py
@@ -29,8 +29,16 @@ def get_calls(ph: ProcessHandle, th: ThreadHandle) -> Iterator[CallHandle]:

    tid = th.address.tid
    for call_index, call in enumerate(process.calls):
-        if call.thread_id != tid:
-            continue
+
+        if call.thread_id is None:
+            # CAPE for linux doesn't record threads
+            # so this must be the 0 value
+            # and we'll enumerate all the calls in this process
+            assert tid == 0
+
+        else:
+            if call.thread_id != tid:
+                continue

        for symbol in generate_symbols("", call.api):
            call.api = symbol
--- a/capa/features/extractors/vmray/init.py
+++ b/capa/features/extractors/vmray/init.py
@@ -96,7 +96,14 @@ class VMRayAnalysis:
                % (self.submission_name, self.submission_type)
            )

-        if self.submission_static is None:
+        if self.submission_static is not None:
+            if self.submission_static.pe is None and self.submission_static.elf is None:
+                # we only support static analysis for PE and ELF files for now
+                raise UnsupportedFormatError(
+                    "archive does not contain a supported file format (submission_name: %s, submission_type: %s)"
+                    % (self.submission_name, self.submission_type)
+                )
+        else:
            # VMRay may not record static analysis for certain file types, e.g. MSI, but we'd still like to match dynamic
            # execution so we continue without and accept that the results may be incomplete
            logger.warning(
--- a/capa/ida/plugin/extractor.py
+++ b/capa/ida/plugin/extractor.py
@@ -14,9 +14,9 @@


 import ida_kernwin
+from PyQt5 import QtCore

 from capa.ida.plugin.error import UserCancelledError
-from capa.ida.plugin.qt_compat import QtCore, Signal
 from capa.features.extractors.ida.extractor import IdaFeatureExtractor
 from capa.features.extractors.base_extractor import FunctionHandle

@@ -24,7 +24,7 @@ from capa.features.extractors.base_extractor import FunctionHandle
 class CapaExplorerProgressIndicator(QtCore.QObject):
    """implement progress signal, used during feature extraction"""

-    progress = Signal(str)
+    progress = QtCore.pyqtSignal(str)

    def update(self, text):
        """emit progress update
--- a/capa/ida/plugin/form.py
+++ b/capa/ida/plugin/form.py
@@ -23,6 +23,7 @@ from pathlib import Path
 import idaapi
 import ida_kernwin
 import ida_settings
+from PyQt5 import QtGui, QtCore, QtWidgets

 import capa.main
 import capa.rules
@@ -50,10 +51,10 @@ from capa.ida.plugin.hooks import CapaExplorerIdaHooks
 from capa.ida.plugin.model import CapaExplorerDataModel
 from capa.ida.plugin.proxy import CapaExplorerRangeProxyModel, CapaExplorerSearchProxyModel
 from capa.ida.plugin.extractor import CapaExplorerFeatureExtractor
-from capa.ida.plugin.qt_compat import QtGui, QtCore, QtWidgets
 from capa.features.extractors.base_extractor import FunctionHandle

 logger = logging.getLogger(__name__)
+settings = ida_settings.IDASettings("capa")

 CAPA_SETTINGS_RULE_PATH = "rule_path"
 CAPA_SETTINGS_RULEGEN_AUTHOR = "rulegen_author"
@@ -78,13 +79,6 @@ AnalyzeOptionsText = {
 }


-def get_setting(key: str, default=None):
-    try:
-        return ida_settings.get_current_plugin_setting(key)
-    except KeyError:
-        return default
-
-
 def write_file(path: Path, data):
    """ """
    path.write_bytes(data)
@@ -113,7 +107,7 @@ class QLineEditClicked(QtWidgets.QLineEdit):
        old = self.text()
        new = str(
            QtWidgets.QFileDialog.getExistingDirectory(
-                self.parent(), "Please select a capa rules directory", get_setting(CAPA_SETTINGS_RULE_PATH, "")
+                self.parent(), "Please select a capa rules directory", settings.user.get(CAPA_SETTINGS_RULE_PATH, "")
            )
        )
        if new:
@@ -131,8 +125,8 @@ class CapaSettingsInputDialog(QtWidgets.QDialog):
        self.setMinimumWidth(500)
        self.setWindowFlags(self.windowFlags() & ~QtCore.Qt.WindowContextHelpButtonHint)

-        self.edit_rule_path = QLineEditClicked(get_setting(CAPA_SETTINGS_RULE_PATH, ""))
-        self.edit_rule_author = QtWidgets.QLineEdit(get_setting(CAPA_SETTINGS_RULEGEN_AUTHOR, ""))
+        self.edit_rule_path = QLineEditClicked(settings.user.get(CAPA_SETTINGS_RULE_PATH, ""))
+        self.edit_rule_author = QtWidgets.QLineEdit(settings.user.get(CAPA_SETTINGS_RULEGEN_AUTHOR, ""))
        self.edit_rule_scope = QtWidgets.QComboBox()
        self.edit_rules_link = QtWidgets.QLabel()
        self.edit_analyze = QtWidgets.QComboBox()
@@ -147,11 +141,11 @@ class CapaSettingsInputDialog(QtWidgets.QDialog):

        scopes = ("file", "function", "basic block", "instruction")
        self.edit_rule_scope.addItems(scopes)
-        self.edit_rule_scope.setCurrentIndex(scopes.index(get_setting(CAPA_SETTINGS_RULEGEN_SCOPE, "function")))
+        self.edit_rule_scope.setCurrentIndex(scopes.index(settings.user.get(CAPA_SETTINGS_RULEGEN_SCOPE, "function")))

        self.edit_analyze.addItems(AnalyzeOptionsText.values())
        # set the default analysis option here
-        self.edit_analyze.setCurrentIndex(get_setting(CAPA_SETTINGS_ANALYZE, Options.NO_ANALYSIS))
+        self.edit_analyze.setCurrentIndex(settings.user.get(CAPA_SETTINGS_ANALYZE, Options.NO_ANALYSIS))

        buttons = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.Ok | QtWidgets.QDialogButtonBox.Cancel, self)

@@ -241,7 +235,7 @@ class CapaExplorerForm(idaapi.PluginForm):

        self.Show()

-        analyze = get_setting(CAPA_SETTINGS_ANALYZE)
+        analyze = settings.user.get(CAPA_SETTINGS_ANALYZE)
        if analyze != Options.NO_ANALYSIS or (option & Options.ANALYZE_AUTO) == Options.ANALYZE_AUTO:
            self.analyze_program(analyze=analyze)

@@ -587,7 +581,7 @@ class CapaExplorerForm(idaapi.PluginForm):

    def ensure_capa_settings_rule_path(self):
        try:
-            path: str = get_setting(CAPA_SETTINGS_RULE_PATH, "")
+            path: str = settings.user.get(CAPA_SETTINGS_RULE_PATH, "")

            # resolve rules directory - check self and settings first, then ask user
            # pathlib.Path considers "" equivalent to "." so we first check if rule path is an empty string
@@ -617,7 +611,7 @@ class CapaExplorerForm(idaapi.PluginForm):
                    logger.error("rule path %s does not exist or cannot be accessed", path)
                    return False

-                ida_settings.set_current_plugin_setting(CAPA_SETTINGS_RULE_PATH, path)
+                settings.user[CAPA_SETTINGS_RULE_PATH] = path
        except UserCancelledError:
            capa.ida.helpers.inform_user_ida_ui("Analysis requires capa rules")
            logger.warning(
@@ -641,7 +635,7 @@ class CapaExplorerForm(idaapi.PluginForm):
        if not self.ensure_capa_settings_rule_path():
            return False

-        rule_path: Path = Path(get_setting(CAPA_SETTINGS_RULE_PATH, ""))
+        rule_path: Path = Path(settings.user.get(CAPA_SETTINGS_RULE_PATH, ""))
        try:

            def on_load_rule(_, i, total):
@@ -655,10 +649,10 @@ class CapaExplorerForm(idaapi.PluginForm):
            return None
        except Exception as e:
            capa.ida.helpers.inform_user_ida_ui(
-                f"Failed to load capa rules from {get_setting(CAPA_SETTINGS_RULE_PATH)}"
+                f"Failed to load capa rules from {settings.user[CAPA_SETTINGS_RULE_PATH]}"
            )

-            logger.error("Failed to load capa rules from %s (error: %s).", get_setting(CAPA_SETTINGS_RULE_PATH), e)
+            logger.error("Failed to load capa rules from %s (error: %s).", settings.user[CAPA_SETTINGS_RULE_PATH], e)
            logger.error(
                "Make sure your file directory contains properly "  # noqa: G003 [logging statement uses +]
                + "formatted capa rules. You can download and extract the official rules from %s. "
@@ -667,7 +661,7 @@ class CapaExplorerForm(idaapi.PluginForm):
                CAPA_RULESET_DOC_URL,
            )

-            ida_settings.set_current_plugin_setting(CAPA_SETTINGS_RULE_PATH, "")
+            settings.user[CAPA_SETTINGS_RULE_PATH] = ""
            return None

    def load_capa_results(self, new_analysis, from_cache):
@@ -707,7 +701,7 @@ class CapaExplorerForm(idaapi.PluginForm):
                    update_wait_box("verifying cached results")

                    count_source_rules = self.program_analysis_ruleset_cache.source_rule_count
-                    user_settings = get_setting(CAPA_SETTINGS_RULE_PATH)
+                    user_settings = settings.user[CAPA_SETTINGS_RULE_PATH]
                    view_status_rules: str = f"{user_settings} ({count_source_rules} rules)"

                    # warn user about potentially outdated rules, depending on the use-case this may be expected
@@ -781,7 +775,7 @@ class CapaExplorerForm(idaapi.PluginForm):
                update_wait_box("extracting features")

                try:
-                    meta = capa.ida.helpers.collect_metadata([Path(get_setting(CAPA_SETTINGS_RULE_PATH))])
+                    meta = capa.ida.helpers.collect_metadata([Path(settings.user[CAPA_SETTINGS_RULE_PATH])])
                    capabilities = capa.capabilities.common.find_capabilities(
                        ruleset, self.feature_extractor, disable_progress=True
                    )
@@ -861,7 +855,7 @@ class CapaExplorerForm(idaapi.PluginForm):
                except Exception as e:
                    logger.exception("Failed to save results to database (error: %s)", e)
                    return False
-                user_settings = get_setting(CAPA_SETTINGS_RULE_PATH)
+                user_settings = settings.user[CAPA_SETTINGS_RULE_PATH]
                count_source_rules = self.program_analysis_ruleset_cache.source_rule_count
                new_view_status = f"capa rules: {user_settings} ({count_source_rules} rules)"
        # regardless of new analysis, render results - e.g. we may only want to render results after checking
@@ -1082,13 +1076,13 @@ class CapaExplorerForm(idaapi.PluginForm):
            # load preview and feature tree
            self.view_rulegen_preview.load_preview_meta(
                self.rulegen_current_function.address if self.rulegen_current_function else None,
-                get_setting(CAPA_SETTINGS_RULEGEN_AUTHOR, "<insert_author>"),
-                get_setting(CAPA_SETTINGS_RULEGEN_SCOPE, "function"),
+                settings.user.get(CAPA_SETTINGS_RULEGEN_AUTHOR, "<insert_author>"),
+                settings.user.get(CAPA_SETTINGS_RULEGEN_SCOPE, "function"),
            )

            self.view_rulegen_features.load_features(all_file_features, all_function_features)

-            self.set_view_status_label(f"capa rules: {get_setting(CAPA_SETTINGS_RULE_PATH)}")
+            self.set_view_status_label(f"capa rules: {settings.user[CAPA_SETTINGS_RULE_PATH]}")
        except Exception as e:
            logger.exception("Failed to render views (error: %s)", e)
            return False
@@ -1309,11 +1303,12 @@ class CapaExplorerForm(idaapi.PluginForm):
        """ """
        dialog = CapaSettingsInputDialog("capa explorer settings", parent=self.parent)
        if dialog.exec_():
-            rule_path, rule_author, rule_scope, analyze = dialog.get_values()
-            ida_settings.set_current_plugin_setting(CAPA_SETTINGS_RULE_PATH, rule_path)
-            ida_settings.set_current_plugin_setting(CAPA_SETTINGS_RULEGEN_AUTHOR, rule_author)
-            ida_settings.set_current_plugin_setting(CAPA_SETTINGS_RULEGEN_SCOPE, rule_scope)
-            ida_settings.set_current_plugin_setting(CAPA_SETTINGS_ANALYZE, analyze)
+            (
+                settings.user[CAPA_SETTINGS_RULE_PATH],
+                settings.user[CAPA_SETTINGS_RULEGEN_AUTHOR],
+                settings.user[CAPA_SETTINGS_RULEGEN_SCOPE],
+                settings.user[CAPA_SETTINGS_ANALYZE],
+            ) = dialog.get_values()

    def save_program_analysis(self):
        """ """
@@ -1363,7 +1358,7 @@ class CapaExplorerForm(idaapi.PluginForm):

        @param state: checked state
        """
-        if state:
+        if state == QtCore.Qt.Checked:
            self.limit_results_to_function(idaapi.get_func(idaapi.get_screen_ea()))
        else:
            self.range_model_proxy.reset_address_range_filter()
@@ -1372,7 +1367,7 @@ class CapaExplorerForm(idaapi.PluginForm):

    def slot_checkbox_limit_features_by_ea(self, state):
        """ """
-        if state:
+        if state == QtCore.Qt.Checked:
            self.view_rulegen_features.filter_items_by_ea(idaapi.get_screen_ea())
        else:
            self.view_rulegen_features.show_all_items()
@@ -1413,7 +1408,7 @@ class CapaExplorerForm(idaapi.PluginForm):
        """create Qt dialog to ask user for a directory"""
        return str(
            QtWidgets.QFileDialog.getExistingDirectory(
-                self.parent, "Please select a capa rules directory", get_setting(CAPA_SETTINGS_RULE_PATH, "")
+                self.parent, "Please select a capa rules directory", settings.user.get(CAPA_SETTINGS_RULE_PATH, "")
            )
        )

@@ -1422,7 +1417,7 @@ class CapaExplorerForm(idaapi.PluginForm):
        return QtWidgets.QFileDialog.getSaveFileName(
            None,
            "Please select a location to save capa rule file",
-            get_setting(CAPA_SETTINGS_RULE_PATH, ""),
+            settings.user.get(CAPA_SETTINGS_RULE_PATH, ""),
            "*.yml",
        )[0]

--- a/capa/ida/plugin/ida-plugin.json
+++ b/capa/ida/plugin/ida-plugin.json
@@ -1,38 +0,0 @@
-{
-  "IDAMetadataDescriptorVersion": 1,
-  "plugin": {
-    "name": "capa",
-    "entryPoint": "capa_explorer.py",
-    "version": "9.2.1",
-    "idaVersions": ">=7.4",
-    "description": "Identify capabilities in executable files using FLARE's capa framework",
-    "license": "Apache-2.0",
-    "categories": [
-      "malware-analysis",
-      "api-scripting-and-automation",
-      "ui-ux-and-visualization"
-    ],
-    "pythonDependencies": ["flare-capa==9.2.1"],
-    "urls": {
-      "repository": "https://github.com/mandiant/capa"
-    },
-    "authors": [
-      {"name": "Willi Ballenthin", "email": "wballenthin@hex-rays.com"},
-      {"name": "Moritz Raabe", "email": "moritzraabe@google.com"},
-      {"name": "Mike Hunhoff", "email": "mike.hunhoff@gmail.com"},
-      {"name": "Yacine Elhamer", "email": "elhamer.yacine@gmail.com"}
-    ],
-    "keywords": [
-      "capability-detection",
-      "malware-analysis",
-      "behavior-analysis",
-      "reverse-engineering",
-      "att&ck",
-      "rule-engine",
-      "feature-extraction",
-      "yara-like-rules",
-      "static-analysis",
-      "dynamic-analysis"
-    ]
-  }
-}
--- a/capa/ida/plugin/item.py
+++ b/capa/ida/plugin/item.py
@@ -18,10 +18,10 @@ from typing import Iterator, Optional

 import idc
 import idaapi
+from PyQt5 import QtCore

 import capa.ida.helpers
 from capa.features.address import Address, FileOffsetAddress, AbsoluteVirtualAddress
-from capa.ida.plugin.qt_compat import QtCore, qt_get_item_flag_tristate


 def info_to_name(display):
@@ -55,7 +55,7 @@ class CapaExplorerDataItem:
        self.flags = QtCore.Qt.ItemIsEnabled | QtCore.Qt.ItemIsSelectable

        if self._can_check:
-            self.flags = self.flags | QtCore.Qt.ItemIsUserCheckable | qt_get_item_flag_tristate()
+            self.flags = self.flags | QtCore.Qt.ItemIsUserCheckable | QtCore.Qt.ItemIsTristate

        if self.pred:
            self.pred.appendChild(self)
--- a/capa/ida/plugin/model.py
+++ b/capa/ida/plugin/model.py
@@ -18,6 +18,7 @@ from collections import deque

 import idc
 import idaapi
+from PyQt5 import QtGui, QtCore

 import capa.rules
 import capa.ida.helpers
@@ -41,7 +42,6 @@ from capa.ida.plugin.item import (
    CapaExplorerInstructionViewItem,
 )
 from capa.features.address import Address, AbsoluteVirtualAddress
-from capa.ida.plugin.qt_compat import QtGui, QtCore

 # default highlight color used in IDA window
 DEFAULT_HIGHLIGHT = 0xE6C700
@@ -269,7 +269,7 @@ class CapaExplorerDataModel(QtCore.QAbstractItemModel):
                visited.add(child_index)

                for idx in range(self.rowCount(child_index)):
-                    stack.append(self.index(idx, 0, child_index))
+                    stack.append(child_index.child(idx, 0))

    def reset_ida_highlighting(self, item, checked):
        """reset IDA highlight for item
--- a/capa/ida/plugin/proxy.py
+++ b/capa/ida/plugin/proxy.py
@@ -12,8 +12,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+from PyQt5 import QtCore
+from PyQt5.QtCore import Qt
+
 from capa.ida.plugin.model import CapaExplorerDataModel
-from capa.ida.plugin.qt_compat import Qt, QtCore


 class CapaExplorerRangeProxyModel(QtCore.QSortFilterProxyModel):
--- a/capa/ida/plugin/qt_compat.py
+++ b/capa/ida/plugin/qt_compat.py
@@ -1,79 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-"""
-Qt compatibility layer for capa IDA Pro plugin.
-
-Handles PyQt5 (IDA < 9.2) vs PySide6 (IDA >= 9.2) differences.
-This module provides a unified import interface for Qt modules and handles
-API changes between Qt5 and Qt6.
-"""
-
-try:
-    # IDA 9.2+ uses PySide6
-    from PySide6 import QtGui, QtCore, QtWidgets
-    from PySide6.QtGui import QAction
-
-    QT_LIBRARY = "PySide6"
-    Signal = QtCore.Signal
-except ImportError:
-    # Older IDA versions use PyQt5
-    try:
-        from PyQt5 import QtGui, QtCore, QtWidgets
-        from PyQt5.QtWidgets import QAction
-
-        QT_LIBRARY = "PyQt5"
-        Signal = QtCore.pyqtSignal
-    except ImportError:
-        raise ImportError("Neither PySide6 nor PyQt5 is available. Cannot initialize capa IDA plugin.")
-
-Qt = QtCore.Qt
-
-
-def qt_get_item_flag_tristate():
-    """
-    Get the tristate item flag compatible with Qt5 and Qt6.
-
-    Qt5 (PyQt5): Uses Qt.ItemIsTristate
-    Qt6 (PySide6): Qt.ItemIsTristate was removed, uses Qt.ItemIsAutoTristate
-
-    ItemIsAutoTristate automatically manages tristate based on child checkboxes,
-    matching the original ItemIsTristate behavior where parent checkboxes reflect
-    the check state of their children.
-
-    Returns:
-        int: The appropriate flag value for the Qt version
-
-    Raises:
-        AttributeError: If the tristate flag cannot be found in the Qt library
-    """
-    if QT_LIBRARY == "PySide6":
-        # Qt6: ItemIsTristate was removed, replaced with ItemIsAutoTristate
-        # Try different possible locations (API varies slightly across PySide6 versions)
-        if hasattr(Qt, "ItemIsAutoTristate"):
-            return Qt.ItemIsAutoTristate
-        elif hasattr(Qt, "ItemFlag") and hasattr(Qt.ItemFlag, "ItemIsAutoTristate"):
-            return Qt.ItemFlag.ItemIsAutoTristate
-        else:
-            raise AttributeError(
-                "Cannot find ItemIsAutoTristate in PySide6. "
-                + "Your PySide6 version may be incompatible with capa. "
-                + f"Available Qt attributes: {[attr for attr in dir(Qt) if 'Item' in attr]}"
-            )
-    else:
-        # Qt5: Use the original ItemIsTristate flag
-        return Qt.ItemIsTristate
-
-
-__all__ = ["qt_get_item_flag_tristate", "Signal", "QAction", "QtGui", "QtCore", "QtWidgets"]
--- a/capa/ida/plugin/view.py
+++ b/capa/ida/plugin/view.py
@@ -18,6 +18,7 @@ from collections import Counter

 import idc
 import idaapi
+from PyQt5 import QtGui, QtCore, QtWidgets

 import capa.rules
 import capa.engine
@@ -27,7 +28,6 @@ import capa.features.basicblock
 from capa.ida.plugin.item import CapaExplorerFunctionItem
 from capa.features.address import AbsoluteVirtualAddress, _NoAddress
 from capa.ida.plugin.model import CapaExplorerDataModel
-from capa.ida.plugin.qt_compat import QtGui, QtCore, Signal, QAction, QtWidgets

 MAX_SECTION_SIZE = 750

@@ -147,7 +147,7 @@ def calc_item_depth(o):

 def build_action(o, display, data, slot):
    """ """
-    action = QAction(display, o)
+    action = QtWidgets.QAction(display, o)

    action.setData(data)
    action.triggered.connect(lambda checked: slot(action))
@@ -312,7 +312,7 @@ class CapaExplorerRulegenPreview(QtWidgets.QTextEdit):


 class CapaExplorerRulegenEditor(QtWidgets.QTreeWidget):
-    updated = Signal()
+    updated = QtCore.pyqtSignal()

    def __init__(self, preview, parent=None):
        """ """
--- a/capa/version.py
+++ b/capa/version.py
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-__version__ = "9.2.1"
+__version__ = "9.1.0"


 def get_major_version():
--- a/doc/release.md
+++ b/doc/release.md
@@ -7,7 +7,6 @@
 - [ ] Review changes
  - capa https://github.com/mandiant/capa/compare/\<last-release\>...master
  - capa-rules https://github.com/mandiant/capa-rules/compare/\<last-release>\...master
- [ ] Run `$ bump-my-version bump {patch/minor/major} [--allow-dirty]` to update [capa/version.py](https://github.com/mandiant/capa/blob/master/capa/version.py) and other version files
 - [ ] Update [CHANGELOG.md](https://github.com/mandiant/capa/blob/master/CHANGELOG.md)
  - Do not forget to add a nice introduction thanking contributors
  - Remember that we need a major release if we introduce breaking changes
@@ -37,6 +36,7 @@
    - [capa <release>...master](https://github.com/mandiant/capa/compare/<release>...master)
    - [capa-rules <release>...master](https://github.com/mandiant/capa-rules/compare/<release>...master)
    ```
+- [ ] Update [capa/version.py](https://github.com/mandiant/capa/blob/master/capa/version.py)
 - [ ] Create a PR with the updated [CHANGELOG.md](https://github.com/mandiant/capa/blob/master/CHANGELOG.md) and [capa/version.py](https://github.com/mandiant/capa/blob/master/capa/version.py). Copy this checklist in the PR description.
 - [ ] Update the [homepage](https://github.com/mandiant/capa/blob/master/web/public/index.html) (i.e. What's New section)
 - [ ] After PR review, merge the PR and [create the release in GH](https://github.com/mandiant/capa/releases/new) using text from the [CHANGELOG.md](https://github.com/mandiant/capa/blob/master/CHANGELOG.md).
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -74,7 +74,7 @@ dependencies = [
    # comments and context.
    "pyyaml>=6",
    "colorama>=0.4",
-    "ida-settings>=3.1.0",
+    "ida-settings>=2",
    "ruamel.yaml>=0.18",
    "pefile>=2023.2.7",
    "pyelftools>=0.31",
@@ -104,7 +104,7 @@ dependencies = [

    "networkx>=3",

-    "dnfile>=0.17.0",
+    "dnfile>=0.15.0",
 ]
 dynamic = ["version"]

@@ -121,11 +121,11 @@ dev = [
    # we want all developer environments to be consistent.
    # These dependencies are not used in production environments
    # and should not conflict with other libraries/tooling.
-    "pre-commit==4.2.0",
+    "pre-commit==4.1.0",
    "pytest==8.0.0",
-    "pytest-sugar==1.1.1",
+    "pytest-sugar==1.0.0",
    "pytest-instafail==0.5.0",
-    "flake8==7.3.0",
+    "flake8==7.1.1",
    "flake8-bugbear==24.12.12",
    "flake8-encodings==0.5.1",
    "flake8-comprehensions==3.16.0",
@@ -133,23 +133,22 @@ dev = [
    "flake8-no-implicit-concat==0.3.5",
    "flake8-print==5.0.0",
    "flake8-todos==0.3.1",
-    "flake8-simplify==0.22.0",
+    "flake8-simplify==0.21.0",
    "flake8-use-pathlib==0.3.0",
    "flake8-copyright==0.2.4",
-    "ruff==0.12.0",
+    "ruff==0.11.0",
    "black==25.1.0",
    "isort==6.0.0",
-    "mypy==1.17.1",
+    "mypy==1.15.0",
    "mypy-protobuf==3.6.0",
    "PyGithub==2.6.0",
-    "bump-my-version==1.2.4",
    # type stubs for mypy
    "types-backports==0.1.3",
    "types-colorama==0.4.15.11",
    "types-PyYAML==6.0.8",
    "types-psutil==7.0.0.20250218",
    "types_requests==2.32.0.20240712",
-    "types-protobuf==6.32.1.20250918",
+    "types-protobuf==5.29.1.20241207",
    "deptry==0.23.0"
 ]
 build = [
@@ -157,18 +156,16 @@ build = [
    # we want all developer environments to be consistent.
    # These dependencies are not used in production environments
    # and should not conflict with other libraries/tooling.
-    "pyinstaller==6.14.1",
-    "setuptools==80.9.0",
+    "pyinstaller==6.12.0",
+    "setuptools==76.0.0",
    "build==1.2.2"
 ]
 scripts = [
-    # can (optionally) be more lenient on dependencies here
-    # see comment on dependencies for more context
    "jschema_to_python==1.2.3",
-    "psutil==7.1.2",
+    "psutil==7.0.0",
    "stix2==3.0.1",
    "sarif_om==1.0.4",
-    "requests>=2.32.4",
+    "requests==2.32.3",
 ]

 [tool.deptry]
@@ -200,8 +197,7 @@ known_first_party = [
    "idc",
    "java",
    "netnode",
-    "PyQt5",
-    "PySide6"
+    "PyQt5"
 ]

 [tool.deptry.per_rule_ignores]
@@ -209,7 +205,6 @@ known_first_party = [
 DEP002 = [
    "black",
    "build",
-    "bump-my-version",
    "deptry",
    "flake8",
    "flake8-bugbear",
--- a/requirements.txt
+++ b/requirements.txt
@@ -10,23 +10,23 @@ annotated-types==0.7.0
 colorama==0.4.6
 cxxfilt==0.3.0
 dncil==1.0.2
-dnfile==0.17.0
+dnfile==0.15.0
 funcy==2.0
-humanize==4.13.0
+humanize==4.12.0
 ida-netnode==3.0
-ida-settings==3.2.2
+ida-settings==2.1.0
 intervaltree==3.1.0
-markdown-it-py==4.0.0
+markdown-it-py==3.0.0
 mdurl==0.1.2
 msgpack==1.0.8
 networkx==3.4.2
 pefile==2024.8.26
-pip==25.3
-protobuf==6.31.1
+pip==25.0
+protobuf==6.30.1
 pyasn1==0.5.1
 pyasn1-modules==0.3.0
 pycparser==2.22
-pydantic==2.11.4
+pydantic==2.10.1
 # pydantic pins pydantic-core, 
 # but dependabot updates these separately (which is broken) and is annoying,
 # so we rely on pydantic to pull in the right version of pydantic-core.
@@ -36,13 +36,12 @@ pyelftools==0.32
 pygments==2.19.1
 python-flirt==0.9.2
 pyyaml==6.0.2
-rich==14.2.0
+rich==13.9.2
 ruamel-yaml==0.18.6
-ruamel-yaml-clib==0.2.14
-setuptools==80.9.0
+ruamel-yaml-clib==0.2.8
+setuptools==76.0.0
 six==1.17.0
 sortedcontainers==2.4.0
 viv-utils==0.8.0
 vivisect==1.2.1
 msgspec==0.19.0
-bump-my-version==1.2.4
--- a/2
+++ b/2
--- a/scripts/capa2yara.py
+++ b/scripts/capa2yara.py
@@ -175,6 +175,8 @@ def convert_rule(rule, rulename, cround, depth):
    depth += 1
    logger.info("recursion depth: %d", depth)

+    global var_names
+
    def do_statement(s_type, kid):
        yara_strings = ""
        yara_condition = ""
--- a/scripts/lint.py
+++ b/scripts/lint.py
@@ -406,7 +406,6 @@ class DoesntMatchExample(Lint):
                return True

            if rule.name not in capabilities:
-                logger.info('rule "%s" does not match for sample %s', rule.name, example_id)
                return True


@@ -722,29 +721,6 @@ class FeatureStringTooShort(Lint):
        return False


-class FeatureRegexRegistryControlSetMatchIncomplete(Lint):
-    name = "feature regex registry control set match incomplete"
-    recommendation = (
-        'use "(ControlSet\\d{3}|CurrentControlSet)" to match both indirect references '
-        + 'via "CurrentControlSet" and direct references via "ControlSetXXX"'
-    )
-
-    def check_features(self, ctx: Context, features: list[Feature]):
-        for feature in features:
-            if not isinstance(feature, (Regex,)):
-                continue
-
-            assert isinstance(feature.value, str)
-
-            pat = feature.value.lower()
-
-            if "system\\\\" in pat and "controlset" in pat or "currentcontrolset" in pat:
-                if "system\\\\(controlset\\d{3}|currentcontrolset)" not in pat:
-                    return True
-
-            return False
-
-
 class FeatureRegexContainsUnescapedPeriod(Lint):
    name = "feature regex contains unescaped period"
    recommendation_template = 'escape the period in "{:s}" unless it should be treated as a regex dot operator'
@@ -1007,7 +983,6 @@ FEATURE_LINTS = (
    FeatureNegativeNumber(),
    FeatureNtdllNtoskrnlApi(),
    FeatureRegexContainsUnescapedPeriod(),
-    FeatureRegexRegistryControlSetMatchIncomplete(),
 )


--- a/tests/data
+++ b/tests/data
--- a/tests/test_binja_features.py
+++ b/tests/test_binja_features.py
@@ -70,4 +70,4 @@ def test_standalone_binja_backend():
@pytest.mark.skipif(binja_present is False, reason="Skip binja tests if the binaryninja Python API is not installed")
 def test_binja_version():
    version = binaryninja.core_version_info()
-    assert version.major == 5 and version.minor == 1
+    assert version.major == 4 and version.minor == 2
--- a/web/explorer/package-lock.json
+++ b/web/explorer/package-lock.json
@@ -27,7 +27,7 @@
                "eslint-plugin-vue": "^9.23.0",
                "jsdom": "^24.1.0",
                "prettier": "^3.2.5",
-                "vite": "^6.4.1",
+                "vite": "^6.2.2",
                "vite-plugin-singlefile": "^2.2.0",
                "vitest": "^3.0.9"
            }
@@ -1416,20 +1416,6 @@
                "node": ">=8"
            }
        },
-        "node_modules/call-bind-apply-helpers": {
-            "version": "1.0.2",
-            "resolved": "https://registry.npmjs.org/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz",
-            "integrity": "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "es-errors": "^1.3.0",
-                "function-bind": "^1.1.2"
-            },
-            "engines": {
-                "node": ">= 0.4"
-            }
-        },
        "node_modules/callsites": {
            "version": "3.1.0",
            "resolved": "https://registry.npmjs.org/callsites/-/callsites-3.1.0.tgz",
@@ -1660,21 +1646,6 @@
                "node": ">=6.0.0"
            }
        },
-        "node_modules/dunder-proto": {
-            "version": "1.0.1",
-            "resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz",
-            "integrity": "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "call-bind-apply-helpers": "^1.0.1",
-                "es-errors": "^1.3.0",
-                "gopd": "^1.2.0"
-            },
-            "engines": {
-                "node": ">= 0.4"
-            }
-        },
        "node_modules/eastasianwidth": {
            "version": "0.2.0",
            "resolved": "https://registry.npmjs.org/eastasianwidth/-/eastasianwidth-0.2.0.tgz",
@@ -1740,26 +1711,6 @@
                "url": "https://github.com/fb55/entities?sponsor=1"
            }
        },
-        "node_modules/es-define-property": {
-            "version": "1.0.1",
-            "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz",
-            "integrity": "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": ">= 0.4"
-            }
-        },
-        "node_modules/es-errors": {
-            "version": "1.3.0",
-            "resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz",
-            "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": ">= 0.4"
-            }
-        },
        "node_modules/es-module-lexer": {
            "version": "1.6.0",
            "resolved": "https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-1.6.0.tgz",
@@ -1767,35 +1718,6 @@
            "dev": true,
            "license": "MIT"
        },
-        "node_modules/es-object-atoms": {
-            "version": "1.1.1",
-            "resolved": "https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.1.1.tgz",
-            "integrity": "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "es-errors": "^1.3.0"
-            },
-            "engines": {
-                "node": ">= 0.4"
-            }
-        },
-        "node_modules/es-set-tostringtag": {
-            "version": "2.1.0",
-            "resolved": "https://registry.npmjs.org/es-set-tostringtag/-/es-set-tostringtag-2.1.0.tgz",
-            "integrity": "sha512-j6vWzfrGVfyXxge+O0x5sh6cvxAog0a/4Rdd2K36zCMV5eJ+/+tOAngRO8cODMNWbVRdVlmGZQL2YS3yR8bIUA==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "es-errors": "^1.3.0",
-                "get-intrinsic": "^1.2.6",
-                "has-tostringtag": "^1.0.2",
-                "hasown": "^2.0.2"
-            },
-            "engines": {
-                "node": ">= 0.4"
-            }
-        },
        "node_modules/esbuild": {
            "version": "0.25.1",
            "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.25.1.tgz",
@@ -2186,16 +2108,13 @@
            }
        },
        "node_modules/form-data": {
-            "version": "4.0.4",
-            "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.4.tgz",
-            "integrity": "sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==",
+            "version": "4.0.0",
+            "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.0.tgz",
+            "integrity": "sha512-ETEklSGi5t0QMZuiXoA/Q6vcnxcLQP5vdugSpuAyi6SVGi2clPPp+xgEhuMaHC+zGgn31Kd235W35f7Hykkaww==",
            "dev": true,
-            "license": "MIT",
            "dependencies": {
                "asynckit": "^0.4.0",
                "combined-stream": "^1.0.8",
-                "es-set-tostringtag": "^2.1.0",
-                "hasown": "^2.0.2",
                "mime-types": "^2.1.12"
            },
            "engines": {
@@ -2222,55 +2141,6 @@
                "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
            }
        },
-        "node_modules/function-bind": {
-            "version": "1.1.2",
-            "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz",
-            "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==",
-            "dev": true,
-            "license": "MIT",
-            "funding": {
-                "url": "https://github.com/sponsors/ljharb"
-            }
-        },
-        "node_modules/get-intrinsic": {
-            "version": "1.3.0",
-            "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.3.0.tgz",
-            "integrity": "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "call-bind-apply-helpers": "^1.0.2",
-                "es-define-property": "^1.0.1",
-                "es-errors": "^1.3.0",
-                "es-object-atoms": "^1.1.1",
-                "function-bind": "^1.1.2",
-                "get-proto": "^1.0.1",
-                "gopd": "^1.2.0",
-                "has-symbols": "^1.1.0",
-                "hasown": "^2.0.2",
-                "math-intrinsics": "^1.1.0"
-            },
-            "engines": {
-                "node": ">= 0.4"
-            },
-            "funding": {
-                "url": "https://github.com/sponsors/ljharb"
-            }
-        },
-        "node_modules/get-proto": {
-            "version": "1.0.1",
-            "resolved": "https://registry.npmjs.org/get-proto/-/get-proto-1.0.1.tgz",
-            "integrity": "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "dunder-proto": "^1.0.1",
-                "es-object-atoms": "^1.0.0"
-            },
-            "engines": {
-                "node": ">= 0.4"
-            }
-        },
        "node_modules/glob": {
            "version": "10.4.2",
            "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.2.tgz",
@@ -2345,19 +2215,6 @@
                "url": "https://github.com/sponsors/sindresorhus"
            }
        },
-        "node_modules/gopd": {
-            "version": "1.2.0",
-            "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz",
-            "integrity": "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": ">= 0.4"
-            },
-            "funding": {
-                "url": "https://github.com/sponsors/ljharb"
-            }
-        },
        "node_modules/graphemer": {
            "version": "1.4.0",
            "resolved": "https://registry.npmjs.org/graphemer/-/graphemer-1.4.0.tgz",
@@ -2373,48 +2230,6 @@
                "node": ">=8"
            }
        },
-        "node_modules/has-symbols": {
-            "version": "1.1.0",
-            "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.1.0.tgz",
-            "integrity": "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": ">= 0.4"
-            },
-            "funding": {
-                "url": "https://github.com/sponsors/ljharb"
-            }
-        },
-        "node_modules/has-tostringtag": {
-            "version": "1.0.2",
-            "resolved": "https://registry.npmjs.org/has-tostringtag/-/has-tostringtag-1.0.2.tgz",
-            "integrity": "sha512-NqADB8VjPFLM2V0VvHUewwwsw0ZWBaIdgo+ieHtK3hasLz4qeCRjYcqfB6AQrBggRKppKF8L52/VqdVsO47Dlw==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "has-symbols": "^1.0.3"
-            },
-            "engines": {
-                "node": ">= 0.4"
-            },
-            "funding": {
-                "url": "https://github.com/sponsors/ljharb"
-            }
-        },
-        "node_modules/hasown": {
-            "version": "2.0.2",
-            "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz",
-            "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "function-bind": "^1.1.2"
-            },
-            "engines": {
-                "node": ">= 0.4"
-            }
-        },
        "node_modules/highlight.js": {
            "version": "11.9.0",
            "resolved": "https://registry.npmjs.org/highlight.js/-/highlight.js-11.9.0.tgz",
@@ -2793,16 +2608,6 @@
                "@jridgewell/sourcemap-codec": "^1.5.0"
            }
        },
-        "node_modules/math-intrinsics": {
-            "version": "1.1.0",
-            "resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz",
-            "integrity": "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": ">= 0.4"
-            }
-        },
        "node_modules/micromatch": {
            "version": "4.0.8",
            "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.8.tgz",
@@ -3621,51 +3426,6 @@
            "dev": true,
            "license": "MIT"
        },
-        "node_modules/tinyglobby": {
-            "version": "0.2.13",
-            "resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.13.tgz",
-            "integrity": "sha512-mEwzpUgrLySlveBwEVDMKk5B57bhLPYovRfPAXD5gA/98Opn0rCDj3GtLwFvCvH5RK9uPCExUROW5NjDwvqkxw==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "fdir": "^6.4.4",
-                "picomatch": "^4.0.2"
-            },
-            "engines": {
-                "node": ">=12.0.0"
-            },
-            "funding": {
-                "url": "https://github.com/sponsors/SuperchupuDev"
-            }
-        },
-        "node_modules/tinyglobby/node_modules/fdir": {
-            "version": "6.4.4",
-            "resolved": "https://registry.npmjs.org/fdir/-/fdir-6.4.4.tgz",
-            "integrity": "sha512-1NZP+GK4GfuAv3PqKvxQRDMjdSRZjnkq7KfhlNrCNNlZ0ygQFpebfrnfnq/W7fpUnAv9aGWmY1zKx7FYL3gwhg==",
-            "dev": true,
-            "license": "MIT",
-            "peerDependencies": {
-                "picomatch": "^3 || ^4"
-            },
-            "peerDependenciesMeta": {
-                "picomatch": {
-                    "optional": true
-                }
-            }
-        },
-        "node_modules/tinyglobby/node_modules/picomatch": {
-            "version": "4.0.2",
-            "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.2.tgz",
-            "integrity": "sha512-M7BAV6Rlcy5u+m6oPhAPFgJTzAioX/6B0DxyvDlo9l8+T3nLKbrczg2WLUyzd45L8RqfUMyGPzekbMvX2Ldkwg==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": ">=12"
-            },
-            "funding": {
-                "url": "https://github.com/sponsors/jonschlinkert"
-            }
-        },
        "node_modules/tinypool": {
            "version": "1.0.2",
            "resolved": "https://registry.npmjs.org/tinypool/-/tinypool-1.0.2.tgz",
@@ -3801,18 +3561,15 @@
            "dev": true
        },
        "node_modules/vite": {
-            "version": "6.4.1",
-            "resolved": "https://registry.npmjs.org/vite/-/vite-6.4.1.tgz",
-            "integrity": "sha512-+Oxm7q9hDoLMyJOYfUYBuHQo+dkAloi33apOPP56pzj+vsdJDzr+j1NISE5pyaAuKL4A3UD34qd0lx5+kfKp2g==",
+            "version": "6.2.2",
+            "resolved": "https://registry.npmjs.org/vite/-/vite-6.2.2.tgz",
+            "integrity": "sha512-yW7PeMM+LkDzc7CgJuRLMW2Jz0FxMOsVJ8Lv3gpgW9WLcb9cTW+121UEr1hvmfR7w3SegR5ItvYyzVz1vxNJgQ==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
                "esbuild": "^0.25.0",
-                "fdir": "^6.4.4",
-                "picomatch": "^4.0.2",
                "postcss": "^8.5.3",
-                "rollup": "^4.34.9",
-                "tinyglobby": "^0.2.13"
+                "rollup": "^4.30.1"
            },
            "bin": {
                "vite": "bin/vite.js"
@@ -3915,34 +3672,6 @@
                "vite": "^5.4.11 || ^6.0.0"
            }
        },
-        "node_modules/vite/node_modules/fdir": {
-            "version": "6.4.4",
-            "resolved": "https://registry.npmjs.org/fdir/-/fdir-6.4.4.tgz",
-            "integrity": "sha512-1NZP+GK4GfuAv3PqKvxQRDMjdSRZjnkq7KfhlNrCNNlZ0ygQFpebfrnfnq/W7fpUnAv9aGWmY1zKx7FYL3gwhg==",
-            "dev": true,
-            "license": "MIT",
-            "peerDependencies": {
-                "picomatch": "^3 || ^4"
-            },
-            "peerDependenciesMeta": {
-                "picomatch": {
-                    "optional": true
-                }
-            }
-        },
-        "node_modules/vite/node_modules/picomatch": {
-            "version": "4.0.2",
-            "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.2.tgz",
-            "integrity": "sha512-M7BAV6Rlcy5u+m6oPhAPFgJTzAioX/6B0DxyvDlo9l8+T3nLKbrczg2WLUyzd45L8RqfUMyGPzekbMvX2Ldkwg==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": ">=12"
-            },
-            "funding": {
-                "url": "https://github.com/sponsors/jonschlinkert"
-            }
-        },
        "node_modules/vitest": {
            "version": "3.0.9",
            "resolved": "https://registry.npmjs.org/vitest/-/vitest-3.0.9.tgz",
--- a/web/explorer/package.json
+++ b/web/explorer/package.json
@@ -33,7 +33,7 @@
        "eslint-plugin-vue": "^9.23.0",
        "jsdom": "^24.1.0",
        "prettier": "^3.2.5",
-        "vite": "^6.4.1",
+        "vite": "^6.2.2",
        "vite-plugin-singlefile": "^2.2.0",
        "vitest": "^3.0.9"
    }
--- a/web/public/index.html
+++ b/web/public/index.html
@@ -210,19 +210,35 @@
    <div class="row flex-lg-row-reverse align-items-center g-5">
      <h1>What's New</h1>

+      <h2 class="mt-3">Rule Updates</h2>
+
+      <ul class="mt-2 ps-5">
+        <!-- TODO(williballenthin): add date -->
+
+        <li>
+          added:
+          <a href="./rules/change registry key timestamp/">
+            change registry key timestamp
+          </a>
+        </li>
+
+        <li>
+          added:
+          <a href="./rules/check mutex and terminate process on windows/">
+            check mutex and terminate process on Windows
+          </a>
+        </li>
+
+        <li>
+          added:
+          <a href="./rules/clear windows event logs remotely/">
+            clear windows event logs remotely
+          </a>
+        </li>
+      </ul>
+
      <h2 class="mt-3">Tool Updates</h2>
-
-      <h3 class="mt-2">v9.2.1 (<em>2025-06-06</em>)</h3>
-      <p class="mt-0">
-        This point release fixes bugs including removing an unnecessary PyInstaller warning message and enabling the standalone binary to execute on systems running older versions of glibc.
-      </p>
-
-      <h3 class="mt-2">v9.2.0 (<em>2025-06-03</em>)</h3>
-      <p class="mt-0">
-        This release improves a few aspects of dynamic analysis, including relaxing our validation on fields across many CAPE versions and processing additional VMRay submission file types, for example.
-        It also includes an updated rule pack containing new rules and rule fixes.
-      </p>
-
+      
      <h3 class="mt-2">v9.1.0 (<em>2025-03-02</em>)</h3>
      <p class="mt-0">
        This release improves a few aspects of dynamic analysis, relaxing our validation on fields across many CAPE versions, for example.
Author	SHA1	Message	Date
Willi Ballenthin	c8131bd35b	cape: linux: handle weird argument edge case type	2025-03-19 16:04:31 +00:00
Willi Ballenthin	81419db62a	cape: linux: handle status code return types	2025-03-19 16:04:15 +00:00
Willi Ballenthin	664a6d8043	cape: linux: handle no environ	2025-03-19 16:03:10 +00:00
Willi Ballenthin	4008775786	cape: linux: handle no thread ids	2025-03-19 16:02:56 +00:00
Willi Ballenthin	7d28cf8016	cape: linux: support no parent pid	2025-03-19 16:01:57 +00:00
Willi Ballenthin	c057a3b927	cape: relax requirement for PE input files	2025-03-19 15:15:31 +00:00
Willi Ballenthin	02405e2159	cape: don't require pe baseaddress	2025-03-19 15:15:31 +00:00
Willi Ballenthin	3acc0fe147	cape: detect OS via info.machine.platform	2025-03-19 15:15:31 +00:00