dynamic: emit complete features for A/W APIs #2409
Please add bug fixes, new features, breaking changes and anything else you think is worthwhile mentioning to the master (unreleased) section of CHANGELOG.md. If no CHANGELOG update is needed add the following to the PR description: [x] No CHANGELOG update needed
CHANGELOG updated or no update needed, thanks! 😄
Awesome. LGTM!
@@ -50,7 +51,8 @@ def extract_call_features(ph: ProcessHandle, th: ThreadHandle, ch: CallHandle) - | |||
else: | |||
assert_never(value) | |||
|
|||
yield API(call.api), ch.address | |||
for name in capa.features.extractors.helpers.generate_symbols("", call.api): |
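Review bot: the empty string passed as the dll argument on the last line is a sentinel for "no module name", and the hunk does not show how generate_symbols treats it; if that helper builds dll-qualified variants with f"{dll}.{symbol}", an empty dll yields a name with a leading dot instead of the bare API name. Prefer passing None (or have generate_symbols skip the dotted variants when the dll is falsy) so only the bare and A/W-stripped names are emitted here. The loop body is also cut off in this hunk; the yield that replaces `yield API(call.api), ch.address` should keep pairing each generated name with ch.address.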
we should update this API to accept None when the dll isn't present, not the empty string. But that can happen in another PR.
@@ -37,6 +37,8 @@ | |||
), | |||
("0000a657", "process=(1180:3052)", capa.features.common.String("nope"), False), | |||
# thread/api calls | |||
("0000a657", "process=(2900:2852),thread=2904", capa.features.insn.API("RegQueryValueExA"), True), | |||
("0000a657", "process=(2900:2852),thread=2904", capa.features.insn.API("RegQueryValueEx"), True), |
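Review bot: the two new rows only assert positive matches for the A-suffixed and bare spellings of RegQueryValueExA; add a negative row for the other width (capa.features.insn.API("RegQueryValueExW"), False) so the test proves the extractor strips the suffix rather than emitting both variants, and, if the extractor also emits a dll-qualified name for this call, one row for that spelling so the full set of emitted variants is pinned down.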
perfect, thanks for adding tests
closes #2408
This fixes A/W API detection for CAPE, VMRay, and drakvuf where capa rules that specified A/W APIs without the A/W could not be matched, e.g. https://github.com/mandiant/capa-rules/blob/627395d6f19dc76894bbf7d365d28d083fab67cf/lib/create-or-open-registry-key.yml#L4
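The variant generation the PR relies on, as an added example that is not capa's own code and not part of this PR: the function names mirror those visible in the diff but are reimplemented here, the dll argument is optional (None rather than an empty-string sentinel, as the review thread suggests), the A/W heuristic is an assumption of this example, and the sandbox calls and rule API names are constructed inputs. The "before" extractor shows why a rule naming the bare RegQueryValueEx could not match a trace that recorded RegQueryValueExA.

```python
"""Emit every spelling of a dynamically observed API call so that rules naming
either the A/W-suffixed or the bare form match (added example, not capa code)."""
from __future__ import annotations

import string
from typing import Iterator, Optional


def is_aw_function(symbol: str) -> bool:
    """Heuristic (assumption of this example): an A/W function ends in 'A' or 'W'
    preceded by a lowercase letter, e.g. CreateFileA, GetWindowTextW.
    Names such as GetDC or WSAStartup are left alone. Known limitation: names
    whose stem ends in an uppercase letter (CreateDCW) are not recognised."""
    if len(symbol) < 2:
        return False
    if symbol[-1] not in ("A", "W"):
        return False
    return symbol[-2] in string.ascii_lowercase


def generate_symbols(dll: Optional[str], symbol: str) -> Iterator[str]:
    """Yield the bare name, its A/W-stripped form, and, only when a module name
    is known, the dll-qualified forms. Passing None for dll never produces a
    leading-dot variant such as '.RegQueryValueExA'."""
    yield symbol
    if is_aw_function(symbol):
        yield symbol[:-1]
    if dll:
        dll = dll.lower()  # normalise module casing so ADVAPI32 and advapi32 agree
        yield f"{dll}.{symbol}"
        if is_aw_function(symbol):
            yield f"{dll}.{symbol[:-1]}"


# Constructed sandbox trace: (module or None when the sandbox did not record it, api).
SAMPLE_CALLS = [
    (None, "RegQueryValueExA"),
    ("kernel32", "CreateFileW"),
    (None, "ExitProcess"),
]


def legacy_extract_api_features(calls) -> set[str]:
    """The pre-fix behaviour: one feature per call, exactly as the sandbox spelled it."""
    return {api for _dll, api in calls}


def extract_api_features(calls) -> set[str]:
    """The fixed behaviour: every variant from generate_symbols for each call."""
    features: set[str] = set()
    for dll, api in calls:
        features.update(generate_symbols(dll, api))
    return features


def match_rule_apis(calls, rule_apis, extractor=extract_api_features) -> dict[str, bool]:
    """For each API name a rule might reference, report whether the trace matches it."""
    features = extractor(calls)
    return {api: api in features for api in rule_apis}


if __name__ == "__main__":
    rule_apis = ["RegQueryValueEx", "RegQueryValueExW", "CreateFileA", "CreateFile", "kernel32.CreateFile"]
    print("before:", match_rule_apis(SAMPLE_CALLS, rule_apis, legacy_extract_api_features))
    print("after: ", match_rule_apis(SAMPLE_CALLS, rule_apis))
```

The bare-name variants are yielded first so an extractor that only wants unqualified names can take them without depending on whether the sandbox reported a module; a W-suffixed rule name still does not match an A call, which is the behaviour the added test rows should also pin down.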