Comments (6)
concern: a linter that reformats rules and may re-order lines probably doesn't handle block comments very well, e.g.:

```yaml
or:
  # only on win10
  string: "This program cannot be run in WinXP mode."
  # only on winxp
  string: "This program cannot be run in Win10 mode."
```
we should try to avoid using implicit ordering like this in our rules. if we need to group comments, maybe we should do:

```yaml
or:
  or:
    # only on win10
    string: "This program cannot be run in WinXP mode."
  or:
    # only on winxp
    string: "This program cannot be run in Win10 mode."
```
although in this case, the inner `or` blocks don't really mean "or". so maybe we can introduce another keyword, like `block` or `commented`, that contains a single statement and can be used for grouping comments?
similar problem for sequences of comments, like:

```yaml
or:
  # only on win10
  # but not after 20H1
  string: "This program cannot be run in WinXP mode."
```
i wonder if comments even get extracted into the AST...
YAML doesn't support block comments
from capa.
Great point! I would even prefer additional whitespace in subpoints:

```yaml
rule:
  meta:
    name: packed with UPX
    namespace: anti-analysis/packer/upx
    author: [email protected]
    att&ck:
      - Defense Evasion::Obfuscated Files or Information T1027.002
    mbc:
      - Anti-Static Analysis::Software Packing
    examples:
      - CD2CBA9E6313E8DF2C1273593E649682
      - Practical Malware Analysis Lab 01-02.exe_:0x0401000
  scope: file
  features:
    - or:
      - section: UPX0
      - section: UPX1
```
I'd vote against using `or` to group comments. So maybe this will need to be the responsibility of the user, if they really want it.
Otherwise, the description syntax (`string: "'This program cannot be run in WinXP mode.' = only on win10, but not after 20H1"`) or a line-comment should be used.
from capa.
i agree. let's punt on supporting comments like this unless they become critical for some reason. maybe it won't actually be a problem.
from capa.
i also like the additional indentation in lists. need to do some research into how to tweak the pyyaml serialization.
yaml/pyyaml#234
https://stackoverflow.com/a/39681672/87207
https://github.com/adrienverge/yamllint
from capa.
pyyaml completely drops inline comments during deserialization. we currently have 175 inline comments in our rules. see mandiant/capa-rules#1
we could use ruamel.yaml instead which tries to maintain comments. is this a losing battle?
from capa.
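One way to see what a formatter has to do to keep those comments once a serializer like pyyaml has discarded them, as an added example that is not capa's code: attach each line comment to the statement directly below it, then re-attach the comments after re-serialization even when the lines were reordered. The rule fragment, the serializer output and the trailing orphan comment are constructed for this illustration.

```python
import re
# Constructed rule fragment in the shape discussed above (not a real capa rule).
ORIGINAL = """\
features:
  - or:
    # only on win10
    # but not after 20H1
    - string: "This program cannot be run in WinXP mode."
    # only on winxp
    - string: "This program cannot be run in Win10 mode."
    - section: UPX0
    # trailing comment with no statement after it
"""

# Constructed output of a comment-dropping serializer that also reordered lines.
REFORMATTED = """\
features:
  - or:
    - section: UPX0
    - string: "This program cannot be run in Win10 mode."
    - string: "This program cannot be run in WinXP mode."
"""
COMMENT_RE = re.compile(r"^\s*#\s?(.*)$")

def extract_comments(text: str) -> tuple[dict[str, list[str]], list[str]]:
    """Map each statement (stripped line) to the comment lines directly above it;
    comments with no statement below them are returned separately as orphans."""
    attached: dict[str, list[str]] = {}
    pending: list[str] = []
    for line in text.splitlines():
        m = COMMENT_RE.match(line)
        if m:
            pending.append(m.group(1).rstrip())
        elif line.strip():
            if pending:
                # identical statements collide on this key; real rules need a
                # position-aware key, which is the hard part of the problem
                attached[line.strip()] = pending
                pending = []
    return attached, pending

def reattach_comments(reformatted: str, attached: dict[str, list[str]]) -> str:
    """Re-insert saved comments above their statement, at its new indentation."""
    out: list[str] = []
    for line in reformatted.splitlines():
        indent = line[: len(line) - len(line.lstrip())]
        out.extend(f"{indent}# {c}" for c in attached.get(line.strip(), []))
        out.append(line)
    return "\n".join(out) + "\n"
```

The orphan list is what a linter would have to report, since a comment with no statement below it has no anchor to follow through a reorder.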
I think it's worthwhile keeping these comments to document and further enrich rules.
I haven't looked into what this entails, but let's try to strike a good balance between implementation workload and provided benefit.
from capa.