David Cannings
Common types of embedded OLE data could be parsed automatically, for example:

* Packager data
* Various Moniker data

See [this code](https://github.com/Sicos1977/OfficeExtractor/blob/master/OfficeExtractor/Ole/Package.cs) for an example of the Packager format (but...
Quick rule to detect UAC bypass using RPC. One query on the inclusion of the byte version of the GUID. This does appear in the reference sample (at 0x140020EC0) and...
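The issue above keys on the "byte version" of a GUID, which trips people up because Windows stores the first three GUID fields little-endian and the last eight bytes as written. The following is an added example, not code from the issue or its repository: it converts a GUID string into that on-disk layout, emits it as a YARA-style hex string (the rule format is an assumption; the page does not name it), and searches a constructed buffer for it. The GUID and the buffer are both constructed for the example and are not the GUID referenced by the issue.

```python
import re
import uuid

# Constructed GUID for illustration only (not the GUID from the issue above).
EXAMPLE_GUID = "12345678-9abc-def0-1234-56789abcdef0"

# Constructed sample buffer: 16 bytes of padding, the GUID in its in-memory
# layout, then some trailing bytes. Stands in for a slice of a PE image.
SAMPLE_BUFFER = bytes(16) + uuid.UUID(EXAMPLE_GUID).bytes_le + b"\x90" * 8


def guid_to_bytes(guid: str) -> bytes:
    """Return the 16-byte layout of a GUID as a Windows binary stores it.

    Data1 (4 bytes), Data2 (2 bytes) and Data3 (2 bytes) are little-endian;
    Data4 (8 bytes) keeps the order in which it is written. uuid's bytes_le
    property implements exactly this reordering.
    """
    return uuid.UUID(guid).bytes_le


def guid_to_text_order_bytes(guid: str) -> bytes:
    """The naive big-endian layout, i.e. the hex digits in the order written.

    Kept only to show why a rule built this way will not match the binary.
    """
    return uuid.UUID(guid).bytes


def guid_to_yara_hex(guid: str) -> str:
    """Render the in-memory layout as a YARA-style hex string."""
    return "{ " + " ".join(f"{b:02X}" for b in guid_to_bytes(guid)) + " }"


def make_yara_rule(name: str, guid: str) -> str:
    """Assemble a minimal rule text around the hex string (assumed format)."""
    return (
        f"rule {name}\n"
        "{\n"
        "    strings:\n"
        f"        $guid = {guid_to_yara_hex(guid)}\n"
        "    condition:\n"
        "        $guid\n"
        "}\n"
    )


def find_guid(data: bytes, guid: str) -> list[int]:
    """Offsets at which the GUID occurs in data, using the in-memory layout."""
    pattern = re.escape(guid_to_bytes(guid))
    return [m.start() for m in re.finditer(pattern, data)]


if __name__ == "__main__":
    print(guid_to_yara_hex(EXAMPLE_GUID))
    print(make_yara_rule("example_guid", EXAMPLE_GUID))
    print("hits:", [hex(o) for o in find_guid(SAMPLE_BUFFER, EXAMPLE_GUID)])
```

Note that `guid_to_text_order_bytes` never matches the sample buffer; only the `bytes_le` form does, which is the check to make before committing a GUID-based rule.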
Work in progress rule for LZO encryption. Found in a sample which requires manual unpacking, therefore looking for alternate samples. Further work needed before merging.
This structure is at a fixed offset in both 32 and 64 bit Windows. This rule looks for a typical function call setup to copy data from this location. It...
The rule [`bypass UAC via token manipulation`](https://github.com/mandiant/capa-rules/blob/master/host-interaction/uac/bypass/bypass-uac-via-token-manipulation.yml) currently looks for one process typically abused by UAC bypass techniques (`wusa.exe`). It also assumes the process will be run using `ShellExecuteExW`. Two...
The current code base makes assumptions that are incompatible with 64-bit Delphi programs. Find an example of a compiled 64-bit program and investigate total effort to implement 64-bit processing.
Samples such as `44a7cac4d98f4522396712548e3e1dc461557471d399971b97c54ce269142784` appear to have RTTI objects modified. All internal objects are renamed to uppercase, for example `BOOLEAN` and `TOBJECT`. Consider whether to add workarounds for this, which...
At present the code enforces that virtual function tables only exist in one section. Examples have been found where vftables can be found in multiple code sections. It is unknown...
A lot of analysis currently assumes 32 bit, for example by adding 4 to skip DWORDs etc. This issue used to track locations that would need updating for 64 bit...
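The two issues above (64-bit Delphi support, and the hard-coded "add 4 to skip a DWORD" pattern) share one fix: derive the pointer size from the input once and read pointer-sized fields through it. The following is an added example and not code from the project: it takes the pointer size from the PE optional header magic (0x10B for PE32, 0x20B for PE32+), then reads a table of pointers at a given offset with a reader parameterised on that size. The `build_fake_image` helper constructs a minimal PE-shaped buffer for the demonstration; the table offset and slot values are constructed and do not describe Delphi's real vftable layout.

```python
import struct

PE32_MAGIC = 0x10B      # IMAGE_NT_OPTIONAL_HDR32_MAGIC
PE32PLUS_MAGIC = 0x20B  # IMAGE_NT_OPTIONAL_HDR64_MAGIC

# Constructed offset where the fake image places its pointer table.
TABLE_OFFSET = 0x100


def pe_pointer_size(image: bytes) -> int:
    """Return 4 or 8 according to the optional header magic of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # Optional header starts after the 4-byte signature and 20-byte COFF header.
    magic = struct.unpack_from("<H", image, e_lfanew + 24)[0]
    if magic == PE32_MAGIC:
        return 4
    if magic == PE32PLUS_MAGIC:
        return 8
    raise ValueError(f"unknown optional header magic {magic:#x}")


class PointerReader:
    """Reads pointer-sized and fixed-width fields without hard-coding 4."""

    def __init__(self, data: bytes, ptr_size: int):
        if ptr_size not in (4, 8):
            raise ValueError("pointer size must be 4 or 8")
        self.data = data
        self.ptr_size = ptr_size
        self.ptr_fmt = "<I" if ptr_size == 4 else "<Q"

    def ptr(self, offset: int) -> int:
        """One pointer-sized value at offset."""
        return struct.unpack_from(self.ptr_fmt, self.data, offset)[0]

    def dword(self, offset: int) -> int:
        """A field that is 32-bit on both targets (not every field widens)."""
        return struct.unpack_from("<I", self.data, offset)[0]

    def ptr_array(self, offset: int, count: int) -> list[int]:
        """count consecutive pointers; the stride follows the pointer size."""
        return [self.ptr(offset + i * self.ptr_size) for i in range(count)]


def read_pointer_table(image: bytes, offset: int, count: int) -> list[int]:
    """Read a pointer table, choosing the stride from the image itself."""
    return PointerReader(image, pe_pointer_size(image)).ptr_array(offset, count)


def build_fake_image(ptr_size: int, slots: list[int]) -> bytes:
    """Constructed minimal buffer: MZ header, PE signature, zeroed COFF header,
    the optional-header magic, then a pointer table at TABLE_OFFSET."""
    hdr = bytearray(TABLE_OFFSET)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    magic = PE32_MAGIC if ptr_size == 4 else PE32PLUS_MAGIC
    struct.pack_into("<H", hdr, 0x40 + 24, magic)
    fmt = "<I" if ptr_size == 4 else "<Q"
    return bytes(hdr) + b"".join(struct.pack(fmt, s) for s in slots)


if __name__ == "__main__":
    for size, slots in ((4, [0x401000, 0x401020]), (8, [0x140001000, 0x140001020])):
        image = build_fake_image(size, slots)
        print(size * 8, "bit:", [hex(p) for p in read_pointer_table(image, TABLE_OFFSET, len(slots))])
```

Reading the 64-bit image with a reader fixed at 4 bytes returns the low and high halves of the first pointer as two separate entries, which is the silent failure mode the issue describes.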
The current code only supports Windows executables. It also contains a number of assumptions / code paths that only work if the input is a Windows executable. This Github issue...