capa/tests/fixtures/features/binexport.json

{
"files": [
{
"key": "687e79.ghidra.be2",
"path": "data/binexport2/687e79cde5b0ced75ac229465835054931f9ec438816f2827a8be5f3bd474929.elf_.ghidra.BinExport",
"tags": ["binexport", "elf", "aarch64"]
},
{
"key": "d1e650.ghidra.be2",
"path": "data/binexport2/d1e6506964edbfffb08c0dd32e1486b11fbced7a4bd870ffe79f110298f0efb8.elf_.ghidra.BinExport",
"tags": ["binexport", "elf", "aarch64"]
},
{
"key": "mimikatz.ghidra.be2",
"path": "data/binexport2/mimikatz.exe_.ghidra.BinExport",
"tags": ["binexport"]
}
],
"features": [
{
"file": "687e79.ghidra.be2",
"location": "file",
"feature": "string: AppDataService start"
},
{
"file": "687e79.ghidra.be2",
"location": "file",
"feature": "string: nope",
"expected": false
},
{
"file": "687e79.ghidra.be2",
"location": "file",
"feature": "section: .text"
},
{
"file": "687e79.ghidra.be2",
"location": "file",
"feature": "section: .nope",
"expected": false
},
{
"file": "687e79.ghidra.be2",
"location": "file",
"feature": "export: android::clearDir",
"marks": [
{
"backend": "binexport",
"mark": "xfail",
"reason": "name demangling is not implemented"
}
]
},
{
"file": "687e79.ghidra.be2",
"location": "file",
"feature": "export: nope",
"expected": false
},
{
"file": "687e79.ghidra.be2",
"location": "file",
"feature": "import: fopen"
},
{
"file": "687e79.ghidra.be2",
"location": "file",
"feature": "import: exit"
},
{
"file": "687e79.ghidra.be2",
"location": "file",
"feature": "import: _ZN7android10IInterfaceD0Ev"
},
{
"file": "687e79.ghidra.be2",
"location": "file",
"feature": "import: nope",
"expected": false
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x1056c0",
"feature": "characteristic: loop"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x1075c0",
"feature": "characteristic: loop",
"expected": false
},
{
"file": "d1e650.ghidra.be2",
"location": "function=0x114af4",
"feature": "characteristic: tight loop"
},
{
"file": "d1e650.ghidra.be2",
"location": "function=0x118F1C",
"feature": "characteristic: tight loop"
},
{
"file": "d1e650.ghidra.be2",
"location": "function=0x11464c",
"feature": "characteristic: tight loop",
"expected": false
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x0",
"feature": "characteristic: stack string",
"marks": [
{
"backend": "binexport",
"mark": "xfail",
"reason": "stack string detection not implemented yet for binexport"
}
]
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x107588",
"feature": "mnemonic: stp"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x107588",
"feature": "mnemonic: adrp"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x107588",
"feature": "mnemonic: bl"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x107588",
"feature": "mnemonic: in",
"expected": false
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x107588",
"feature": "mnemonic: adrl",
"expected": false
},
{
"file": "d1e650.ghidra.be2",
"location": "function=0x11451c",
"feature": "number: 0x10",
"expected": false,
"comment": "00114524 add x29,sp,#0x10"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x105128",
"feature": "number: 0xE0",
"expected": false,
"comment": "00105128 sub sp,sp,#0xE0"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x105128,bb=0x1051e4",
"feature": "operand[1].number: 0xFFFFFFFF"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x107588,bb=0x107588",
"feature": "operand[1].number: 0x8"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x107588,bb=0x107588,insn=0x1075a4",
"feature": "operand[1].number: 0x8"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x105128,bb=0x105450",
"feature": "operand[2].offset: 0x10"
},
{
"file": "d1e650.ghidra.be2",
"location": "function=0x124854,bb=0x1248AC,insn=0x1248B4",
"feature": "operand[2].offset: -0x48"
},
{
"file": "d1e650.ghidra.be2",
"location": "function=0x13347c,bb=0x133548,insn=0x133554",
"feature": "operand[2].offset: 0x20",
"expected": false
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x105C88",
"feature": "number: 0xF000"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x1057f8,bb=0x1057f8",
"feature": "number: 0xFFFFFFFFFFFFFFFF"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x1066e0,bb=0x1068c4",
"feature": "number: 0xFFFFFFFF"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x105128,bb=0x105450",
"feature": "offset: 0x10"
},
{
"file": "d1e650.ghidra.be2",
"location": "function=0x13347c,bb=0x133548,insn=0x133554",
"feature": "offset: 0x20",
"expected": false,
"comment": "ldp x29,x30,[sp, #0x20]"
},
{
"file": "d1e650.ghidra.be2",
"location": "function=0x1183e0,bb=0x11849c,insn=0x1184b0",
"feature": "offset: 0x8",
"comment": "stp x20,x0,[x19, #0x8]"
},
{
"file": "d1e650.ghidra.be2",
"location": "function=0x138688,bb=0x138994,insn=0x1389a8",
"feature": "offset: 0x8",
"comment": "str xzr,[x8, #0x8]!"
},
{
"file": "d1e650.ghidra.be2",
"location": "function=0x138688,bb=0x138978,insn=0x138984",
"feature": "offset: 0x8",
"comment": "ldr x9,[x8, #0x8]!"
},
{
"file": "d1e650.ghidra.be2",
"location": "function=0x11451c",
"feature": "offset: 0x20",
"expected": false,
"comment": "ldr x19,[sp], #0x20"
},
{
"file": "d1e650.ghidra.be2",
"location": "function=0x138a9c,bb=0x138b00,insn=0x138b00",
"feature": "offset: 0x1",
"comment": "ldrb w9,[x8, #0x1]"
},
{
"file": "d1e650.ghidra.be2",
"location": "function=0x124854,bb=0x1248AC,insn=0x1248B4",
"feature": "offset: -0x48"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x105128,bb=0x105128,insn=0x10514c",
"feature": "offset: 0x8",
"comment": "0010514c add x23,param_1,#0x8"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x105c88",
"feature": "api: memset"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x105c88",
"feature": "api: Nope",
"expected": false
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x107588",
"feature": "string: AppDataService start"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x1075c0",
"feature": "string: AppDataService"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x107588",
"feature": "string: nope",
"expected": false
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x106d58",
"feature": "string: /data/misc/wifi/wpa_supplicant.conf"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x105c88",
"feature": "string: /innerRename/"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x106d58",
"feature": "string: /\\/data\\/misc/"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x106d58",
"feature": "substring: /data/misc"
},
{
"file": "d1e650.ghidra.be2",
"location": "function=0x1165a4",
"feature": "bytes: E4 05 B8 93 70 BA 6B 41 9C D7 92 52 75 BF 6F CC 1E 83 60 CC"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x1057f8",
"feature": "bytes: 2F 00 73 00 79 00 73 00 74 00 65 00 6D 00 2F 00 78 00 62 00 69 00 6E 00 2F 00 62 00 75 00 73 00 79 00 62 00 6F 00 78 00",
"expected": false,
"comment": "don't extract byte features for obvious strings"
},
{
"file": "d1e650.ghidra.be2",
"location": "function=0x114af4",
"feature": "characteristic: nzxor"
},
{
"file": "d1e650.ghidra.be2",
"location": "function=0x117988",
"feature": "characteristic: nzxor"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x105b38",
"feature": "characteristic: recursive call"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x106530",
"feature": "characteristic: recursive call"
},
{
"file": "d1e650.ghidra.be2",
"location": "function=0x118620",
"feature": "characteristic: indirect call"
},
{
"file": "d1e650.ghidra.be2",
"location": "function=0x118500",
"feature": "characteristic: indirect call",
"expected": false
},
{
"file": "d1e650.ghidra.be2",
"location": "function=0x11451c",
"feature": "characteristic: indirect call"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x105080",
"feature": "characteristic: calls from"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x1070e8",
"feature": "characteristic: calls from",
"expected": false
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x1075c0",
"feature": "characteristic: calls to"
},
{
"file": "687e79.ghidra.be2",
"location": "file",
"feature": "function-name: __libc_init",
"marks": [
{
"backend": "binexport",
"mark": "xfail",
"reason": "TODO should this be a function-name?"
}
]
},
{
"file": "687e79.ghidra.be2",
"location": "file",
"feature": "os: android"
},
{
"file": "687e79.ghidra.be2",
"location": "file",
"feature": "os: linux",
"expected": false
},
{
"file": "687e79.ghidra.be2",
"location": "file",
"feature": "os: windows",
"expected": false
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x107588",
"feature": "os: android"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x1075c0,bb=0x1076c0",
"feature": "os: android"
},
{
"file": "687e79.ghidra.be2",
"location": "file",
"feature": "arch: i386",
"expected": false
},
{
"file": "687e79.ghidra.be2",
"location": "file",
"feature": "arch: amd64",
"expected": false
},
{
"file": "687e79.ghidra.be2",
"location": "file",
"feature": "arch: aarch64"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x107588",
"feature": "arch: aarch64"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x1075c0,bb=0x1076c0",
"feature": "arch: aarch64"
},
{
"file": "687e79.ghidra.be2",
"location": "file",
"feature": "format: elf"
},
{
"file": "687e79.ghidra.be2",
"location": "file",
"feature": "format: pe",
"expected": false
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x107588",
"feature": "format: elf"
},
{
"file": "687e79.ghidra.be2",
"location": "function=0x107588",
"feature": "format: pe",
"expected": false
},
{
"file": "mimikatz.ghidra.be2",
"location": "file",
"feature": "string: SCardControl",
"explanation": "basic UTF-16LE string"
},
{
"file": "mimikatz.ghidra.be2",
"location": "file",
"feature": "string: ACR > ",
"explanation": "UTF-16LE encoded strings with unusual characters and trailing spaces"
},
{
"file": "mimikatz.ghidra.be2",
"location": "file",
"feature": "string: nope",
"expected": false,
"explanation": "non-existant string"
},
{
"file": "mimikatz.ghidra.be2",
"location": "file",
"feature": "section: .text",
"explanation": "basic section name"
},
{
"file": "mimikatz.ghidra.be2",
"location": "file",
"feature": "section: .nope",
"expected": false,
"explanation": "non-existant section"
},
{
"file": "mimikatz.ghidra.be2",
"location": "file",
"feature": "import: advapi32.CryptSetHashParam",
"explanation": "import with DLL prefix"
},
{
"file": "mimikatz.ghidra.be2",
"location": "file",
"feature": "import: CryptSetHashParam",
"explanation": "import with no DLL prefix"
},
{
"file": "mimikatz.ghidra.be2",
"location": "file",
"feature": "import: cabinet.#11",
"explanation": "import by ordinal"
},
{
"file": "mimikatz.ghidra.be2",
"location": "file",
"feature": "import: #11",
"expected": false,
"explanation": "non-existant ordinal import"
},
{
"file": "mimikatz.ghidra.be2",
"location": "file",
"feature": "import: #nope",
"expected": false,
"explanation": "non-existant ordinal import"
},
{
"file": "mimikatz.ghidra.be2",
"location": "file",
"feature": "import: nope",
"expected": false,
"explanation": "non-existant import"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x401517",
"feature": "characteristic: loop",
"explanation": "loop"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x401000",
"feature": "characteristic: loop",
"expected": false,
"explanation": "non-existant loop"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x402EC4",
"feature": "characteristic: tight loop",
"explanation": "tight-loop"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x401000",
"feature": "characteristic: tight loop",
"expected": false,
"explanation": "non-existant tight-loop"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x402EC4,bb=0x402F8E",
"feature": "characteristic: tight loop",
"explanation": "tight-loop at basic block scope"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x401000,bb=0x401000",
"feature": "characteristic: tight loop",
"expected": false,
"explanation": "non-existant tight-loop at basic block scope"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x4556E5",
"feature": "characteristic: stack string",
"explanation": "stack string (but capa doesn't extract it as a string yet)",
"marks": [
{
"backend": "binexport",
"mark": "xfail",
"reason": "stack string detection not implemented for binexport"
}
]
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x401000",
"feature": "characteristic: stack string",
"expected": false,
"explanation": "non-existant stack string"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40105D",
"feature": "mnemonic: push",
"explanation": "basic mnemonic"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40105D",
"feature": "mnemonic: in",
"expected": false,
"explanation": "non-existant mnemonic"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40105D,bb=0x401073,insn=0x401073",
"feature": "number: 0xFF",
"explanation": "number"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40105D,bb=0x401073,insn=0x401073",
"feature": "operand[1].number: 0xFF",
"explanation": "mov eax, 0FFh; instruction operand number"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40105D,bb=0x401073,insn=0x401073",
"feature": "operand[0].number: 0xFF",
"expected": false,
"explanation": "mov eax, 0FFh; non-existant instruction operand number"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40105D,bb=0x4010B0,insn=0x4010B4",
"feature": "operand[0].offset: 4",
"explanation": "cmp [esi+4], ebx; instruction operand offset"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40105D,bb=0x4010B0,insn=0x4010B4",
"feature": "operand[1].offset: 4",
"expected": false,
"explanation": "cmp [esi+4], ebx; non-existant instruction operand offset"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40105D",
"feature": "number: 0xFF",
"explanation": "small number"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40105D",
"feature": "number: 0x3136B0",
"explanation": "large number"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x401000",
"feature": "number: 0x0",
"explanation": "zero number"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40105D",
"feature": "number: 0xC",
"expected": false,
"explanation": "non-existant number"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x401553",
"feature": "number: 0xFFFFFFFF",
"explanation": "max u32 number"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x43e543",
"feature": "number: 0xFFFFFFF0",
"explanation": "large u32 number"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40105D",
"feature": "offset: 0x0",
"explanation": "cmp [esi], ebx; zero offset"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40105D",
"feature": "offset: 0x4",
"explanation": "cmp [esi+4], ebx; simple offset"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40105D",
"feature": "offset: 0x8",
"expected": false,
"explanation": "no instruction in the function references [reg+8]"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x4011FB",
"feature": "offset: -0x1",
"explanation": "movzx ecx, [eax-1]; negative offset"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x4011FB",
"feature": "offset: -0x2",
"explanation": "cmp [eax-2], cx; negative offset -2"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x4011FB",
"feature": "number: -0x2",
"expected": false,
"explanation": "cmp [eax-2], cx; negative offset shouldn't emit a number too"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x401D64,bb=0x401D73,insn=0x401D85",
"feature": "offset: 0x80000000",
"expected": false,
"explanation": "add ecx, 80000000h; too-large immediate should not be considered an offset"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x401CC7,bb=0x401CDE,insn=0x401CF6",
"feature": "offset: 0x10",
"expected": false,
"explanation": "add esp, 10h; stack-relative ADD should not be considered an offset"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x402203,bb=0x402221,insn=0x40223C",
"feature": "offset: 0x4",
"explanation": "add eax, 4; non-stack register ADD should emit an offset feature, treating eax as a pointer"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x471EAB,bb=0x471ED8,insn=0x471EE6",
"feature": "number: 0x4",
"expected": false,
"explanation": "lea ebx, [ecx+eax*4]; should not emit Number feature for the scale"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x47153B,bb=0x4717AB,insn=0x4717B1",
"feature": "number: -0x30",
"expected": false,
"explanation": "lea ecx, [ecx+esi-30h]; should not emit Number feature for the displacement"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x401873,bb=0x4018B2,insn=0x4018C0",
"feature": "number: 0x2",
"explanation": "lea ecx, [ebx+2]; should emit Number feature, treating ebx as zero"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x403BAC",
"feature": "api: CryptAcquireContextW",
"explanation": "basic API feature with trailing W"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x403BAC",
"feature": "api: CryptAcquireContext",
"explanation": "basic API feature with stripped W"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x403BAC",
"feature": "api: Nope",
"expected": false,
"explanation": "non-existent API"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x4556E5",
"feature": "api: LsaQueryInformationPolicy"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40B3C6",
"feature": "api: LocalFree",
"explanation": "tail call to API via jmp"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40105D",
"feature": "string: SCardControl",
"explanation": "basic string"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40105D",
"feature": "string: ACR > ",
"explanation": "basic string with trailing whitespace"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40105D",
"feature": "string: nope",
"expected": false,
"explanation": "basic string not present"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x44EDEF",
"feature": "string: INPUTEVENT",
"explanation": "string referenced via a pointer"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x46D6CE",
"feature": "string: (null)",
"explanation": "string referenced via direct memory reference"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x401517",
"feature": "bytes: CA 3B 0E 00 00 00 F8 AF 47",
"explanation": "basic bytes"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x404414",
"feature": "bytes: 01 80 00 00 40 EA 47 00",
"explanation": "basic bytes, which are a pointer"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40105D",
"feature": "bytes: 53 00 43 00 61 00 72 00 64 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C 00",
"expected": false,
"explanation": "should not extract bytes feature for an obvious string (here: UTF-16LE 'SCardControl')"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x401000",
"feature": "bytes: FD FF 59 F6 47",
"expected": false,
"explanation": "push offset aAcsAcr1220 ('ACS...') where ACS == 41 00 43 00 happens to be a valid pointer to the middle of an instruction; should not be misinterpreted as bytes feature"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x44570F",
"feature": "bytes: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF",
"expected": false,
"explanation": "regression test for issue #409: should not extract bytes feature from byte sequences read from invalid memory"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x44EDEF",
"feature": "bytes: 49 00 4E 00 50 00 55 00 54 00 45 00 56 00 45 00 4E 00 54 00",
"expected": false,
"explanation": "should not extract bytes feature when instruction references it as a pointer to string bytes"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x410DFC",
"feature": "characteristic: nzxor",
"explanation": "should extract nzxor characteristic, including from xorps SSE instructions"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40105D",
"feature": "characteristic: nzxor",
"expected": false,
"explanation": "non-existant nzxor"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x46D534",
"feature": "characteristic: nzxor",
"expected": false,
"explanation": "should not extract nzxor characteristic for security cookie xors"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x4556E5",
"feature": "characteristic: peb access",
"expected": false
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x4556E5",
"feature": "characteristic: gs access",
"expected": false
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x410DFC,bb=0x410F05,insn=0x410F0B",
"feature": "characteristic: nzxor"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x410DFC,bb=0x410F05,insn=0x410F12",
"feature": "characteristic: nzxor"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x4556E5",
"feature": "characteristic: cross section flow",
"expected": false
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40640e",
"feature": "characteristic: recursive call"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x4175FF",
"feature": "characteristic: recursive call",
"expected": false,
"explanation": "issue #386: 0x4175FF makes indirect calls (via dword_4B821C) but never calls itself, directly or via a function-pointer table"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x4175FF",
"feature": "characteristic: indirect call"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x4556E5",
"feature": "characteristic: indirect call",
"expected": false
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x4556E5",
"feature": "characteristic: calls from"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x4702FD",
"feature": "characteristic: calls from",
"expected": false
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40105D",
"feature": "characteristic: calls to"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x456BB9",
"feature": "characteristic: calls to",
"expected": false,
"explanation": "issue #386: 0x456BB9 is only referenced from a function-pointer table at 0x475834, never via a direct call"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40105D,bb=0x401089,insn=0x40108E",
"feature": "characteristic: calls from"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x4175FF,bb=0x41761B,insn=0x417620",
"feature": "characteristic: indirect call"
},
{
"file": "mimikatz.ghidra.be2",
"location": "file",
"feature": "os: windows"
},
{
"file": "mimikatz.ghidra.be2",
"location": "file",
"feature": "arch: i386"
},
{
"file": "mimikatz.ghidra.be2",
"location": "file",
"feature": "format: pe"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x401000,bb=0x401000",
"feature": "basic blocks: x",
"explanation": "basic block feature emitted"
},
{
"file": "mimikatz.ghidra.be2",
"location": "file",
"feature": "basic blocks: 1",
"expected": false,
"explanation": "non-existant basic block feature"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40E5C2",
"feature": "count(basic blocks): 7",
"explanation": "7 basic blocks in function",
"marks": [
{
"backend": "binexport",
"mark": "xfail",
"reason": "Ghidra identifies different function boundaries; see ghidra-tagged count variant"
}
]
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x4702FD",
"feature": "count(characteristic(calls from)): 0",
"explanation": "function has no calls"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40E5C2",
"feature": "count(characteristic(calls from)): 3",
"explanation": "function has 3 calls",
"marks": [
{
"backend": "binexport",
"mark": "xfail",
"reason": "Ghidra identifies different function boundaries; see ghidra-tagged count variant"
}
]
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x4556E5",
"feature": "count(characteristic(calls to)): 0",
"explanation": "function has no callers",
"marks": [
{
"backend": "binexport",
"mark": "xfail",
"reason": "Ghidra identifies different function boundaries; see ghidra-tagged count variant"
}
]
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40B1F1",
"feature": "count(characteristic(calls to)): 3",
"explanation": "function has 3 callers",
"marks": [
{
"backend": "binexport",
"mark": "xfail",
"reason": "Ghidra identifies different function boundaries; see ghidra-tagged count variant"
}
]
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x4702FD",
"feature": "count(characteristic(calls from)): 0",
"explanation": "Ghidra: function has no calls"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x401bf1",
"feature": "count(characteristic(calls to)): 2",
"explanation": "Ghidra: function has 2 callers"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x401000",
"feature": "count(basic blocks): 3",
"explanation": "Ghidra: 3 basic blocks in function"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40105d,bb=0x401125,insn=0x401125",
"feature": "count(offset(0x0)): 1",
"explanation": "MOV [EDI], CX matches OFFSET_ZERO_PATTERNS, must yield Offset(0) exactly once"
},
{
"file": "mimikatz.ghidra.be2",
"location": "function=0x40105d,bb=0x401125,insn=0x401125",
"feature": "count(operand[1].offset(0x0)): 1",
"explanation": "MOV [EDI], CX matches OFFSET_ZERO_PATTERNS, must yield OperandOffset(1, 0) exactly once"
}
]
}