Comments (3)
plan:
{
  $rule-name: {
    "meta": {...copy of rule.meta...},
    "matches": {
      0x401000: { ...TODO: details of logic match...},
      ...
    }
  },
  ...
}
from capa.
example output:
{
  "calculate module 256 via x86 assembly": {...},
  "read file via mapping": {
    "matches": {
      "4198560": {
        "children": [
          {
            "children": [],
            "locations": [
              4198630
            ],
            "node": {
              "feature": {
                "api": "kernel32.MapViewOfFile",
                "type": "api"
              },
              "type": "feature"
            },
            "success": true
          },
          {
            "children": [],
            "locations": [
              4198599,
              4198661
            ],
            "node": {
              "feature": {
                "number": 4,
                "type": "number"
              },
              "type": "feature"
            },
            "success": true
          },
          {
            "children": [
              {
                "children": [],
                "locations": [
                  4198843
                ],
                "node": {
                  "feature": {
                    "api": "kernel32.UnmapViewOfFile",
                    "type": "api"
                  },
                  "type": "feature"
                },
                "success": true
              },
              {
                "children": [
                  {
                    "children": [],
                    "node": {
                      "feature": {
                        "match": "get file size",
                        "type": "match"
                      },
                      "type": "feature"
                    },
                    "success": false
                  },
                  {
                    "children": [],
                    "locations": [
                      4198608
                    ],
                    "node": {
                      "feature": {
                        "api": "kernel32.CreateFileMapping",
                        "type": "api"
                      },
                      "type": "feature"
                    },
                    "success": true
                  },
                  {
                    "children": [],
                    "locations": [
                      4198803
                    ],
                    "node": {
                      "feature": {
                        "number": 2,
                        "type": "number"
                      },
                      "type": "feature"
                    },
                    "success": true
                  }
                ],
                "node": {
                  "statement": {
                    "type": "and"
                  },
                  "type": "statement"
                },
                "success": false
              }
            ],
            "node": {
              "statement": {
                "type": "optional"
              },
              "type": "statement"
            },
            "success": true
          }
        ],
        "node": {
          "statement": {
            "type": "and"
          },
          "type": "statement"
        },
        "success": true
      },
      "4199488": {
        "children": [
          {
            "children": [],
            "locations": [
              4199636,
              4199717
            ],
            "node": {
              "feature": {
                "api": "kernel32.MapViewOfFile",
                "type": "api"
              },
              "type": "feature"
            },
            "success": true
          },
          {
            "children": [],
            "locations": [
              4199633,
              4199687,
              4199903,
              4200316,
              4200346,
              4200382
            ],
            "node": {
              "feature": {
                "number": 4,
                "type": "number"
              },
              "type": "feature"
            },
            "success": true
          },
          {
            "children": [
              {
                "children": [],
                "node": {
                  "feature": {
                    "api": "kernel32.UnmapViewOfFile",
                    "type": "api"
                  },
                  "type": "feature"
                },
                "success": false
              },
              {
                "children": [
                  {
                    "children": [],
                    "node": {
                      "feature": {
                        "match": "get file size",
                        "type": "match"
                      },
                      "type": "feature"
                    },
                    "success": false
                  },
                  {
                    "children": [],
                    "locations": [
                      4199619,
                      4199692
                    ],
                    "node": {
                      "feature": {
                        "api": "kernel32.CreateFileMapping",
                        "type": "api"
                      },
                      "type": "feature"
                    },
                    "success": true
                  },
                  {
                    "children": [],
                    "locations": [
                      4199495,
                      4199546,
                      4199549,
                      4199610,
                      4199869,
                      4200156,
                      4200264,
                      4200313,
                      4200335
                    ],
                    "node": {
                      "feature": {
                        "number": 2,
                        "type": "number"
                      },
                      "type": "feature"
                    },
                    "success": true
                  }
                ],
                "node": {
                  "statement": {
                    "type": "and"
                  },
                  "type": "statement"
                },
                "success": false
              }
            ],
            "node": {
              "statement": {
                "type": "optional"
              },
              "type": "statement"
            },
            "success": true
          }
        ],
        "node": {
          "statement": {
            "type": "and"
          },
          "type": "statement"
        },
        "success": true
      }
    },
    "meta": {
      "author": "[email protected]",
      "capa/nursery": true,
      "capa/path": "/home/user/code/capa-pub/capa/../rules/nursery/read-file-via-mapping.yml",
      "name": "read file via mapping",
      "namespace": "host-interaction/file-system/read",
      "scope": "function"
    }
  }
}
from capa.
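The example output above is a recursive tree: each match record carries a `node` (either a `statement` such as `and`/`optional`, or a leaf `feature` such as `api`/`number`/`match`), a `success` flag, optional `locations`, and `children`. The following script is an added example that is not capa's own code and not part of the thread: it embeds a constructed subset of the "read file via mapping" result shown above (the first function match only, with the same field names and addresses), renders the tree the way a consumer of this JSON might, and collects the leaf features that matched together with their addresses. The helper names (`render_tree`, `matched_leaves`, `summarize`) are this example's own.

```python
"""Walk a capa JSON match tree of the shape shown in the thread (added example)."""
import json

# Constructed sample: a trimmed copy of the thread's example output, reduced to
# the first function match of "read file via mapping" so it fits inline.
SAMPLE = '''
{
  "read file via mapping": {
    "meta": {
      "name": "read file via mapping",
      "namespace": "host-interaction/file-system/read",
      "scope": "function"
    },
    "matches": {
      "4198560": {
        "node": {"type": "statement", "statement": {"type": "and"}},
        "success": true,
        "children": [
          {"node": {"type": "feature", "feature": {"type": "api", "api": "kernel32.MapViewOfFile"}},
           "locations": [4198630], "success": true, "children": []},
          {"node": {"type": "feature", "feature": {"type": "number", "number": 4}},
           "locations": [4198599, 4198661], "success": true, "children": []},
          {"node": {"type": "statement", "statement": {"type": "optional"}},
           "success": true,
           "children": [
             {"node": {"type": "feature", "feature": {"type": "api", "api": "kernel32.UnmapViewOfFile"}},
              "locations": [4198843], "success": true, "children": []},
             {"node": {"type": "statement", "statement": {"type": "and"}},
              "success": false,
              "children": [
                {"node": {"type": "feature", "feature": {"type": "match", "match": "get file size"}},
                 "success": false, "children": []},
                {"node": {"type": "feature", "feature": {"type": "api", "api": "kernel32.CreateFileMapping"}},
                 "locations": [4198608], "success": true, "children": []},
                {"node": {"type": "feature", "feature": {"type": "number", "number": 2}},
                 "locations": [4198803], "success": true, "children": []}
              ]}
           ]}
        ]
      }
    }
  }
}
'''


def describe_node(node):
    """Render a node as 'and', 'optional', 'api: kernel32.X', 'number: 4', 'match: ...'."""
    if node["type"] == "statement":
        return node["statement"]["type"]
    feature = node["feature"]
    ftype = feature["type"]          # the feature value lives under a key named after its type
    return f"{ftype}: {feature[ftype]}"


def render_tree(match, depth=0):
    """Return the match tree as indented lines; '+' marked nodes matched, '-' did not."""
    mark = "+" if match["success"] else "-"
    line = "  " * depth + f"{mark} {describe_node(match['node'])}"
    locs = ", ".join(hex(a) for a in match.get("locations", []))
    if locs:
        line += f" @ {locs}"
    lines = [line]
    for child in match["children"]:
        lines.extend(render_tree(child, depth + 1))
    return lines


def matched_leaves(match):
    """Collect (description, [addresses]) for every leaf feature with success == true.
    Leaves are reported even under a failed parent statement (CreateFileMapping sits
    under the failed 'and' in the sample), since the JSON records their locations anyway."""
    if match["node"]["type"] == "feature":
        return [(describe_node(match["node"]), match.get("locations", []))] if match["success"] else []
    out = []
    for child in match["children"]:
        out.extend(matched_leaves(child))
    return out


def summarize(doc):
    """Map rule name -> {function address as hex: [descriptions of matched leaf features]}."""
    return {
        rule_name: {hex(int(addr)): [d for d, _ in matched_leaves(m)] for addr, m in rule["matches"].items()}
        for rule_name, rule in doc.items()
    }


def load_sample():
    return json.loads(SAMPLE)


if __name__ == "__main__":
    doc = load_sample()
    for addr, match in doc["read file via mapping"]["matches"].items():
        print(f"function {hex(int(addr))}")
        print("\n".join(render_tree(match, depth=1)))
    print(summarize(doc))
```

Note that the `"4198560"` key is a decimal string, so consumers convert it back to an integer before printing it as a virtual address; the `locations` lists are already integers.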
added in #34
from capa.