
add example binary for compiled-with-nim.yml

Open mike-hunhoff opened this issue 4 years ago • 8 comments

https://github.com/fireeye/capa-rules/blob/7b77a66e97e780a5fa41f9cef2afabf0a9dd6200/nursery/compiled-with-nim.yml#L1-L16

suggestions:

@williballenthin

5464d5b534614b03032f9b0a9c9e6e0e on VT might be an easy example?

mike-hunhoff avatar Feb 17 '21 15:02 mike-hunhoff

nimThreadVarsSize ?

johnk3r avatar Feb 17 '21 21:02 johnk3r

nimThreadVarsSize ?

Are you suggesting this as a good string to add?

mr-tz avatar Feb 18 '21 08:02 mr-tz

Sorry. Yes, that's right.

johnk3r avatar Feb 19 '21 02:02 johnk3r

Hi @johnk3r! Did you find an example Nim binary containing the string nimThreadVarsSize that wasn't detected by the existing rule?

mike-hunhoff avatar Feb 22 '21 14:02 mike-hunhoff

Hello @mike-hunhoff,

It was just an idea. The samples I tested were detected with your rule.

johnk3r avatar Feb 23 '21 00:02 johnk3r
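The question above (does a sample containing nimThreadVarsSize exist that the existing rule does not already catch?) is easy to answer mechanically. The following is an added example, not capa's code and not the contents of compiled-with-nim.yml: it extracts printable strings from a buffer the way `strings` does, matches them as whole strings (which is how capa string features match), and reports whether a candidate string would add coverage beyond an assumed set of rule strings. The rule strings and the sample bytes are constructed assumptions for illustration only.

```python
import re

# Constructed stand-in for the strings a capa "compiled with Nim" rule carries.
# The real rule at the linked commit is not reproduced here; these names are
# assumptions chosen only to make the example self-contained.
RULE_STRINGS = ("NimMain", "NimMainInner", "nim_program_result")

# The string proposed in the thread as an additional indicator.
CANDIDATE_STRING = "nimThreadVarsSize"


def extract_strings(data: bytes, min_len: int = 4) -> set:
    """Return printable-ASCII runs of at least min_len bytes, like `strings`.

    capa's string features match whole extracted strings, so matching is done
    against the set of runs rather than by raw substring search on the buffer.
    """
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.group().decode("ascii") for m in re.finditer(pattern, data)}


def evaluate_candidate(data: bytes, rule_strings=RULE_STRINGS,
                       candidate=CANDIDATE_STRING) -> dict:
    """Report whether the existing rule strings hit and whether the candidate adds coverage.

    'adds_coverage' is True only when the candidate is present but none of the
    existing rule strings are: exactly the case asked about in the thread.
    """
    found = extract_strings(data)
    matched = sorted(s for s in rule_strings if s in found)
    has_candidate = candidate in found
    return {
        "rule_matched": bool(matched),
        "matched_strings": matched,
        "candidate_present": has_candidate,
        "adds_coverage": has_candidate and not matched,
    }


def _fake_binary(*strings: str) -> bytes:
    """Build a constructed byte buffer: a short header, null-separated strings, filler."""
    body = b"\x00".join(s.encode("ascii") for s in strings)
    return b"MZ\x90\x00" + b"\x01\x02\x03" + body + b"\x00\xff\xfe"


# Constructed samples, not real files from capa-testfiles: one that the assumed
# rule strings already catch, and one that only the candidate string would catch.
SAMPLE_ALREADY_DETECTED = _fake_binary("NimMain", "NimMainInner", "nimThreadVarsSize")
SAMPLE_CANDIDATE_ONLY = _fake_binary("Hello", "nimThreadVarsSize", "kernel32.dll")


if __name__ == "__main__":
    for name, blob in (("already_detected", SAMPLE_ALREADY_DETECTED),
                       ("candidate_only", SAMPLE_CANDIDATE_ONLY)):
        print(name, evaluate_candidate(blob))
```

Running this over real candidates (reading each file with `open(path, "rb").read()`) gives a quick triage of whether a proposed string is worth adding: only samples where `adds_coverage` is True justify changing the rule, and those are also the samples worth contributing to capa-testfiles as the rule's example.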

@mike-hunhoff,

Do you need help with that?

johnk3r avatar Mar 26 '21 14:03 johnk3r

I have a sample 580c37831fe98a254eb6c61c692c70d8 that I'll upload to capa-testfiles shortly.

re-fox avatar Mar 26 '21 15:03 re-fox

Thanks, @re-fox, we just need to update the example and then can upgrade this rule!

mr-tz avatar Mar 29 '21 12:03 mr-tz

Example was added and the rule moved out of nursery.

mr-tz avatar Feb 28 '23 13:02 mr-tz