Comments (8)
thanks Ana for investigating!
from capa.
documenting offline discussion:
Instead of adding a new program scope, we want to add function scope to file scope. This is clearer than having a program and a file scope.
from capa.
turns out that right now we include subscope (function, basic block) matches to the file scope. this means file rules are already able to reason about matches across the entire file. is this sufficient?
alternatively, do we want to bubble up all of the function scope features to the file scope? this would be pretty trivial to add, but is it necessary?
pro: maybe could write more expressive rules (though i think we should demonstrate such a rule or two first)
con: increased memory usage/decreased performance at file scope (probably millions of entries in the ctx index)
from capa.
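To make the subscope-matching point above concrete, here is a constructed pair of capa rules (added for illustration, not rules from the capa repository or from this thread): the first matches at function scope, and the second, at file scope, reasons about that match anywhere in the file through a match feature instead of needing a separate program scope. Rule names, the API, and the string are made up for the example.

```yaml
# File 1: a function-scope rule (constructed example, not a capa project rule).
# It matches any single function that both calls WriteFile and
# references the string "example-marker".
rule:
  meta:
    name: constructed write marker function
    scope: function
  features:
    - and:
      - api: WriteFile
      - string: "example-marker"

# File 2: a file-scope rule (constructed example). Because function-scope
# matches are bubbled up into file scope, this rule fires when the function
# rule above matched somewhere in the file and the file also imports
# CreateFileA, without bubbling every function feature up to file scope.
rule:
  meta:
    name: constructed marker writer file
    scope: file
  features:
    - and:
      - match: constructed write marker function
      - import: kernel32.CreateFileA
```

In a real rule set each rule lives in its own .yml file; they are shown together here only for readability.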
in any case, we should add a test or two that demonstrates the existing file-scope matching.
from capa.
The implementation to bubble up all of the function scope features to the file scope: https://github.com/fireeye/capa/compare/ana-program-scope
from capa.
> con: increased memory usage/decreased performance at file scope (probably millions of entries in the ctx index)

I think the number of false positives will increase as well. Maybe we should focus on implementing child functions instead of modifying the current file scope.

> in any case, we should add a test or two that demonstrates the existing file-scope matching.

We have the test_subscope_rules() and test_match_across_scopes_file_function tests already. Do we need more tests? I am not sure what kind of test would be the best for this.
from capa.
> I think the number of false positives will increase as well.

good point. even if we add this feature, we should figure out how to avoid the temptation of using file scope when really we just don't support something (like child functions).
i like the idea of returning our attention towards child functions.
from capa.
> suggesting to implement test_match_across_scopes_file_function

was exactly what i had in mind. seems like we already have this feature 🤦.
i suggest we close out this issue.
from capa.