gitea-mirror/capa
1
0
Fork 0
mirror of https://github.com/mandiant/capa.git synced 2026-01-06 17:53:59 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
ce7fb39aa841a48e36c3570e745fdb70c2bd9c60
capa/capa/render/verbose.py
William Ballenthin ce7fb39aa8 render: show feature counts 
closes #96
2020-07-03 10:33:14 -06:00

68 lines
2.3 KiB
Python
Raw Blame History

"""
example::
send data
namespace communication
author william.ballenthin@fireeye.com
description all known techniques for sending data to a potential C2 server
scope function
examples BFB9B5391A13D0AFD787E87AB90F14F5:0x13145D60
matches 0x10004363
0x100046c9
0x1000454e
0x10003a13
0x10003415
0x10003797
"""
import tabulate
import capa.rules
import capa.render.utils as rutils
def render_verbose(doc):
ostream = rutils.StringIO()
rows = []
rows.append(("md5", doc["meta"]["sample"]["md5"]))
rows.append(("sha1", doc["meta"]["sample"]["sha1"]))
rows.append(("sha256", doc["meta"]["sample"]["sha256"]))
rows.append(("path", doc["meta"]["sample"]["path"]))
rows.append(("timestamp", doc["meta"]["timestamp"]))
rows.append(("capa version", doc["meta"]["version"]))
rows.append(("format", doc["meta"]["analysis"]["format"]))
rows.append(("extractor", doc["meta"]["analysis"]["extractor"]))
rows.append(("base address", hex(doc["meta"]["analysis"]["base_address"])))
rows.append(("function count", len(doc["meta"]["counts"]["functions"])))
rows.append(("total feature count", doc["meta"]["counts"]["file"] + sum(doc["meta"]["counts"]["functions"].values())))
ostream.writeln(tabulate.tabulate(rows, tablefmt="plain"))
ostream.write("\n")
for rule in rutils.capability_rules(doc):
count = len(rule["matches"])
if count == 1:
capability = rutils.bold(rule["meta"]["name"])
else:
capability = "%s (%d matches)" % (rutils.bold(rule["meta"]["name"]), count)
ostream.writeln(capability)
rows = []
for key in ("namespace", "description", "scope"):
if key == "name" or key not in rule["meta"]:
continue
v = rule["meta"][key]
if isinstance(v, list) and len(v) == 1:
v = v[0]
rows.append((key, v))
if rule["meta"]["scope"] != capa.rules.FILE_SCOPE:
locations = doc["rules"][rule["meta"]["name"]]["matches"].keys()
rows.append(("matches", "\n".join(map(rutils.hex, locations))))
ostream.writeln(tabulate.tabulate(rows, tablefmt="plain"))
ostream.write("\n")
return ostream.getvalue()
Reference in New Issue View Git Blame Copy Permalink