capa explorer is an IDAPython plugin that integrates the FLARE team's open-source framework, capa, with IDA Pro. capa is a framework that uses a well-defined collection of rules to identify capabilities in a program. You can run capa against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the program is a backdoor, can install services, or relies on HTTP to communicate. capa explorer runs capa directly against your IDA Pro database (IDB) without requiring access to the original binary file. Once a database has been analyzed, capa explorer helps you identify interesting areas of a program and build new capa rules using features extracted from your IDB.
We love using capa explorer during malware analysis because it teaches us what parts of a program suggest a behavior. As we click on rows, capa explorer jumps directly to important addresses in the IDB and highlights key features in the Disassembly view so they stand out visually. To illustrate, we use capa explorer to analyze Lab 14-02 from Practical Malware Analysis (PMA) available here. Our goal is to understand the program's functionality.
After loading Lab 14-02 into IDA and analyzing the database with capa explorer, we see that capa detected a rule match for self delete via COMSPEC environment variable:
We can use capa explorer to navigate our Disassembly view directly to the suspect function and get an assembly-level breakdown of why capa matched self delete via COMSPEC environment variable.
Using the Rule Information and Details columns capa explorer shows us that the suspect function matched self delete via COMSPEC environment variable because it contains capa rule matches for create process, get COMSPEC environment variable,
and query environment variable, references to the strings COMSPEC, > nul, and /c del , and calls to the Windows API functions GetEnvironmentVariableA and ShellExecuteEx.
capa explorer also helps you build new capa rules. To start select the Rule Generator tab, navigate to a function in your Disassembly view,
and click Analyze. capa explorer will extract features from the function and display them in the Features pane. You can add features listed in this pane to the Editor pane
by either double-clicking a feature or using multi-select + right-click to add multiple features at once. The Preview and Editor panes help edit your rule. Use the Preview pane
to modify the rule text directly and the Editor pane to construct and rearrange your hierarchy of statements and features. When you finish a rule you can save it directly to a file by clicking Save.
For more information on the FLARE team's open-source framework, capa, check out the overview in our first blog.
Getting Started
Requirements
capa explorer supports Python >= 3.6 and the following IDA Pro versions:
- IDA 7.4
- IDA 7.5
- IDA 7.6 (caveat below)
If you encounter issues with your specific setup, please open a new Issue.
IDA 7.6 caveat: IDA 7.6sp1 or patch required
As described here:
A rather nasty issue evaded our testing and found its way into IDA 7.6: using the PyQt5 modules that are shipped with IDA, QTreeView (or QTreeWidget) instances will always fail to display contents.
Therefore, in order to use capa under IDA 7.6 you need the Service Pack 1 for IDA 7.6. Alternatively, you can download and install the fix corresponding to your IDA installation, replacing the original QtWidgets DLL with the one contained in the .zip file (links to Hex-Rays):
- Windows: pyqt5_qtwidgets_win
- Linux: pyqt5_qtwidgets_linux
- MacOS (Intel): pyqt5_qtwidgets_mac_x64
- MacOS (AppleSilicon): pyqt5_qtwidgets_mac_arm
Supported File Types
capa explorer is limited to the file types supported by capa, which include:
- Windows 32-bit and 64-bit PE files
- Windows 32-bit and 64-bit shellcode
Installation
You can install capa explorer using the following steps:
- Install capa and its dependencies from PyPI for the Python interpreter used by your IDA installation:
$ pip install flare-capa - Download the standard collection of capa rules (capa explorer needs capa rules to analyze a database)
- Copy capa_explorer.py to your IDA plugins directory
Usage
- Open IDA and analyze a supported file type (select the
Manual LoadandLoad Resourcesoptions in IDA for best results) - Open capa explorer in IDA by navigating to
Edit > Plugins > FLARE capa exploreror using the keyboard shortcutAlt+F5 - Select the
Program Analysistab - Click the
Analyzebutton
When running capa explorer for the first time you are prompted to select a file directory containing capa rules. The plugin conveniently
remembers your selection for future runs; you can change this selection and other default settings by clicking Settings. We recommend
downloading and using the standard collection of capa rules when getting started with the plugin.
Tips for Program Analysis
- Start analysis by clicking the
Analyzebutton - Reset the plugin user interface and remove highlighting from your Disassembly view by clicking the
Resetbutton - Change your capa rules directory and other default settings by clicking
Settings - Hover your cursor over a rule match to view the source content of the rule
- Double-click the
Addresscolumn to navigate your Disassembly view to the address of the associated feature - Double-click a result in the
Rule Informationcolumn to expand its children - Select a checkbox in the
Rule Informationcolumn to highlight the address of the associated feature in your Dissasembly view
Tips for Rule Generator
- Navigate to a function in your Disassembly view and click
Analyzeto get started - Double-click or use multi-select + right-click to add features from the
Featurespane to theEditorpane - Right-click features in the
Editorpane to make context-specific modifications - Drag-and-drop (single click + multi-select support) features in the
Editorpane to construct your hierarchy of statements and features - Right-click anywhere in the
Editorpane not on a feature to remove all features - Add descriptions or comments to a feature by editing the corresponding column in the
Editorpane - Directly edit rule text and metadata fields using the
Previewpane - Change the default rule author and default rule scope displayed in the
Previewpane by clickingSettings
Development
capa explorer is packaged with capa so you will need to install capa locally for development. You can install capa locally by following the steps outlined in Method 3: Inspecting the capa source code of the capa
installation guide. Once installed, copy capa_explorer.py
to your plugins directory to install capa explorer in IDA.
Components
capa explorer consists of two main components:
- An feature extractor built on top of IDA's binary analysis engine
- This component uses IDAPython to extract capa features from your IDBs such as strings, disassembly, and control flow; these extracted features are used by capa to find feature combinations that result in a rule match
- An interactive user interface for displaying and exploring capa rule matches
- This component integrates the feature extractor and capa, providing an interactive user interface to dissect rule matches found by capa using features extracted directly from your IDBs