# simple-number-match: a bare `number` feature in a function-scoped rule
# matches when the extracted function contains an instruction carrying that
# number. The expected match location is the function address.
# NOTE(review): indentation of this fixture was reconstructed from a
# whitespace-stripped rendering (the block-scalar lines are kept flat);
# verify against the upstream file.
- name: simple-number-match
  description: basic number feature matches at function scope
  rules:
    - name: simple-number
      scopes:
        static: function
      features:
        - number: 100
  features: |
    func: 0x401000
    bb: 0x401000: basic block
    insn: 0x401000: number(100)
  expect:
    matches:
      simple-number:
        - 0x401000
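# not-with-and: `not` nested inside `and`. The negated feature (number 99)
# is absent from the extracted features, so the `not` is satisfied and the
# `and` is completed by mnemonic(mov); the rule is expected to match.
# NOTE(review): the description previously read "prevents match when the
# negated feature is present", which contradicts this fixture (it extracts
# number(100), not 99, and expects a match). Reworded to match the data;
# confirm which case was intended, since the rule name still says "-present".
- name: not-with-and
  description: not inside and still matches when the negated feature is absent
  rules:
    - name: not-with-and-present
      scopes:
        static: function
      features:
        - and:
            - mnemonic: mov
            - not:
                - number: 99
  features: |
    func: 0x401000
    bb: 0x401000: basic block
    insn: 0x401000: number(100)
    insn: 0x401000: mnemonic(mov)
  expect:
    matches:
      not-with-and-present:
        - 0x401000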
# operand-number-match: `operand[0].number` matches only when both the
# operand index (0) and the value (0x10) agree with the extracted feature.
- name: operand-number-match
  description: operand number matches by index and value
  rules:
    - name: operand-number
      scopes:
        static: function
      features:
        - operand[0].number: 0x10
  features: |
    func: 0x401000
    bb: 0x401000: basic block
    insn: 0x401000: operand[0].number(0x10)
  expect:
    matches:
      operand-number:
        - 0x401000
# operand-number-wrong-index: same value (0x10) but extracted on operand[1]
# while the rule asks for operand[0] — no match is expected.
- name: operand-number-wrong-index
  description: operand number does not match when the operand index differs
  rules:
    - name: operand-number-idx
      scopes:
        static: function
      features:
        - operand[0].number: 0x10
  features: |
    func: 0x401000
    bb: 0x401000: basic block
    insn: 0x401000: operand[1].number(0x10)
  expect:
    matches: {}
# operand-number-wrong-value: correct operand index (0) but the extracted
# value is 0x11, not 0x10 — no match is expected.
- name: operand-number-wrong-value
  description: operand number does not match when the value differs
  rules:
    - name: operand-number-val
      scopes:
        static: function
      features:
        - operand[0].number: 0x10
  features: |
    func: 0x401000
    bb: 0x401000: basic block
    insn: 0x401000: operand[0].number(0x11)
  expect:
    matches: {}
# operand-offset-match: `operand[0].offset` matches when both the operand
# index (0) and the offset value (0x10) agree with the extracted feature.
- name: operand-offset-match
  description: operand offset matches by index and value
  rules:
    - name: operand-offset
      scopes:
        static: function
      features:
        - operand[0].offset: 0x10
  features: |
    func: 0x401000
    bb: 0x401000: basic block
    insn: 0x401000: operand[0].offset(0x10)
  expect:
    matches:
      operand-offset:
        - 0x401000
# operand-offset-wrong-index: the offset value matches (0x10) but it was
# extracted on operand[1], not operand[0] — no match is expected.
- name: operand-offset-wrong-index
  description: operand offset does not match when the operand index differs
  rules:
    - name: operand-offset-idx
      scopes:
        static: function
      features:
        - operand[0].offset: 0x10
  features: |
    func: 0x401000
    bb: 0x401000: basic block
    insn: 0x401000: operand[1].offset(0x10)
  expect:
    matches: {}
# operand-offset-wrong-value: correct operand index (0) but the extracted
# offset is 0x11 rather than 0x10 — no match is expected.
- name: operand-offset-wrong-value
  description: operand offset does not match when the value differs
  rules:
    - name: operand-offset-val
      scopes:
        static: function
      features:
        - operand[0].offset: 0x10
  features: |
    func: 0x401000
    bb: 0x401000: basic block
    insn: 0x401000: operand[0].offset(0x11)
  expect:
    matches: {}
# property-read-match: a `property/read` feature matches when the extracted
# feature has the same property name and the same access mode (read).
- name: property-read-match
  description: property/read matches the correct property name and access mode
  rules:
    - name: property-read
      scopes:
        static: function
      features:
        - property/read: System.IO.FileInfo::Length
  features: |
    func: 0x401000
    bb: 0x401000: basic block
    insn: 0x401000: property/read(System.IO.FileInfo::Length)
  expect:
    matches:
      property-read:
        - 0x401000
# property-read-wrong-access: same property name, but the extracted feature
# is a write access while the rule requires a read — no match is expected.
- name: property-read-wrong-access
  description: property/read does not match a property/write feature
  rules:
    - name: property-read-access
      scopes:
        static: function
      features:
        - property/read: System.IO.FileInfo::Length
  features: |
    func: 0x401000
    bb: 0x401000: basic block
    insn: 0x401000: property/write(System.IO.FileInfo::Length)
  expect:
    matches: {}
# property-read-wrong-value: same access mode (read) but a different property
# name (Size vs. Length) — no match is expected.
- name: property-read-wrong-value
  description: property/read does not match a different property name
  rules:
    - name: property-read-value
      scopes:
        static: function
      features:
        - property/read: System.IO.FileInfo::Length
  features: |
    func: 0x401000
    bb: 0x401000: basic block
    insn: 0x401000: property/read(System.IO.FileInfo::Size)
  expect:
    matches: {}
# os-any-matches-specific: an `or` with two `and` branches. The first branch
# (one of windows/linux/macos plus "Hello world") is satisfied by the
# extracted os(windows) and function-scope string; the second branch
# (os: any plus "Goodbye world") is not, because "Goodbye world" is absent.
# The rule is expected to match through the first branch.
# NOTE(review): the nesting of the or/and tree was reconstructed from an
# indentation-less rendering — confirm against the upstream fixture.
- name: os-any-matches-specific
  description: os any matches when a specific os feature is present
  rules:
    - name: os-any-specific
      scopes:
        static: function
      features:
        - or:
            - and:
                - or:
                    - os: windows
                    - os: linux
                    - os: macos
                - string: "Hello world"
            - and:
                - os: any
                - string: "Goodbye world"
  features: |
    func: 0x401000
    func: 0x401000: string(Hello world)
    bb: 0x401000: basic block
    insn: 0x401000: os(windows)
  expect:
    matches:
      os-any-specific:
        - 0x401000
# os-any-matches-any: the extracted os feature is itself `any`, and the rule
# asks for `os: any` alongside the "Goodbye world" string; both are present,
# so the rule is expected to match.
- name: os-any-matches-any
  description: os any feature matches for "Goodbye world" path
  rules:
    - name: os-any-goodbye
      scopes:
        static: function
      features:
        - or:
            - and:
                - os: any
                - string: "Goodbye world"
  features: |
    func: 0x401000
    func: 0x401000: string(Goodbye world)
    bb: 0x401000: basic block
    insn: 0x401000: os(any)
  expect:
    matches:
      os-any-goodbye:
        - 0x401000
# os-any-matches-specific-os: `os: any` in the rule acts as a wildcard —
# the extracted os(windows) satisfies it, and "Hello world" completes the
# `and`; the rule is expected to match.
- name: os-any-matches-specific-os
  description: rule with os any matches when extracted feature is a specific os
  rules:
    - name: os-any-wildcard
      scopes:
        static: function
      features:
        - and:
            - os: any
            - string: "Hello world"
  features: |
    func: 0x401000
    func: 0x401000: string(Hello world)
    bb: 0x401000: basic block
    insn: 0x401000: os(windows)
  expect:
    matches:
      os-any-wildcard:
        - 0x401000
# bytes-exact-match: the rule pattern (90 90 90 90) is byte-for-byte equal
# to the extracted bytes(90909090); the rule is expected to match.
- name: bytes-exact-match
  description: bytes feature matches when extracted bytes are identical
  rules:
    - name: bytes-exact
      scopes:
        static: function
      features:
        - bytes: 90 90 90 90
  features: |
    func: 0x401000
    bb: 0x401000: basic block
    insn: 0x401000: bytes(90909090)
  expect:
    matches:
      bytes-exact:
        - 0x401000
# bytes-prefix-match: the extracted bytes (8 x 0x90) are longer than the
# rule pattern (4 x 0x90) but begin with it; bytes matching is a prefix
# comparison, so the rule is expected to match.
- name: bytes-prefix-match
  description: bytes feature matches when extracted bytes start with the rule pattern
  rules:
    - name: bytes-prefix
      scopes:
        static: function
      features:
        - bytes: 90 90 90 90
  features: |
    func: 0x401000
    bb: 0x401000: basic block
    insn: 0x401000: bytes(9090909090909090)
  expect:
    matches:
      bytes-prefix:
        - 0x401000
# bytes-no-match: extracted bytes (00000000) share no prefix with the rule
# pattern (90 90 90 90) — no match is expected.
- name: bytes-no-match
  description: bytes feature does not match when extracted bytes differ
  rules:
    - name: bytes-diff
      scopes:
        static: function
      features:
        - bytes: 90 90 90 90
  features: |
    func: 0x401000
    bb: 0x401000: basic block
    insn: 0x401000: bytes(00000000)
  expect:
    matches: {}
# bytes-too-short: the extracted bytes (9090) are a prefix of the rule
# pattern, not the other way round; a shorter extracted value cannot start
# with the full pattern, so no match is expected.
- name: bytes-too-short
  description: bytes feature does not match when extracted bytes are shorter than the pattern
  rules:
    - name: bytes-short
      scopes:
        static: function
      features:
        - bytes: 90 90 90 90
  features: |
    func: 0x401000
    bb: 0x401000: basic block
    insn: 0x401000: bytes(9090)
  expect:
    matches: {}
# negative-number-match: a negative literal (-1) in the rule matches the
# extracted number(-1); guards sign handling in number comparison.
- name: negative-number-match
  description: negative number matches correctly
  rules:
    - name: negative-num
      scopes:
        static: function
      features:
        - number: -1
  features: |
    func: 0x401000
    bb: 0x401000: basic block
    insn: 0x401000: number(-1)
  expect:
    matches:
      negative-num:
        - 0x401000
# number-zero-match: `number: 0` must be treated as a real value, not as a
# missing/falsy feature; the extracted number(0) is expected to match.
- name: number-zero-match
  description: number zero matches correctly and is not confused with absence
  rules:
    - name: num-zero
      scopes:
        static: function
      features:
        - number: 0
  features: |
    func: 0x401000
    bb: 0x401000: basic block
    insn: 0x401000: number(0)
  expect:
    matches:
      num-zero:
        - 0x401000
# characteristic-match: a `characteristic` feature (nzxor) at instruction
# level is visible to a function-scoped rule and is expected to match.
- name: characteristic-match
  description: characteristic feature matches correctly
  rules:
    - name: char-nzxor
      scopes:
        static: function
      features:
        - characteristic: nzxor
  features: |
    func: 0x401000
    bb: 0x401000: basic block
    insn: 0x401000: characteristic(nzxor)
  expect:
    matches:
      char-nzxor:
        - 0x401000