
consider appending "via [insert_name] assembly" to applicable rule names

Open mike-hunhoff opened this issue 1 year ago • 3 comments

As we've extended capa to process multiple architectures we should consider appending "via [insert_name] assembly" to applicable rule names. This should help users better distinguish capa's rules and results.

e.g. https://github.com/mandiant/capa-rules/blob/ff9db744255ecd9d5f5e64c4b93af7613a9441f2/data-manipulation/encryption/rc4/encrypt-data-using-rc4-prga.yml can only match x86 assembly but this is not obvious based on the rule name.

mike-hunhoff avatar Jan 08 '25 21:01 mike-hunhoff

Hey @mike-hunhoff,

I'd like to work on this issue. Could you please assign it to me?

I have a question regarding this issue. Do I need to go through each yml file or are there any particular folders that have architecture specific yml rule files in them?

Thanks!

akh7177 avatar Feb 26 '25 08:02 akh7177

Yes, that's correct. When a rule relies on architecture-specific assembly (typically mnemonics), and would never match on a different architecture, then the rule name should be updated. This will require going through the existing yml rules. They are not found in a particular namespace, so all rules are in scope.

williballenthin avatar Feb 26 '25 08:02 williballenthin
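The triage described in the reply above (walk every rule file, look for mnemonic features that can only occur on one instruction set, and rename the rule with a "via <arch> assembly" suffix) is mechanical enough to script. The following is an added example, not capa or capa-rules code: the x86/aarch64 mnemonic tables are a hand-maintained assumption, the `load_rules` layout (one rule per `.yml` file) is assumed from the repository's conventions, and the sample rules are constructed for the example rather than copied from the repository.

```python
"""Flag capa-style rules whose features include architecture-exclusive mnemonics
and propose the 'via <arch> assembly' name suffix discussed in this issue.

Added example: this is not capa or capa-rules code. The mnemonic tables are a
hand-maintained assumption and the sample rules below are constructed.
"""
import re
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional, Set

# Assumed: mnemonics that exist on only one of the two instruction sets. Anything
# not listed here is treated as unclassified and does not drive a recommendation.
X86_ONLY = {"xchg", "lea", "movzx", "movsx", "cpuid", "rdtsc", "pushad", "popad",
            "sete", "setne", "cmove", "cmovne", "stosb", "lodsb", "xor"}
AARCH64_ONLY = {"eor", "ldr", "str", "ldp", "stp", "adrp", "bl", "cbz", "cbnz",
                "tbz", "tbnz", "madd", "msub", "svc"}

# capa rules are conventionally written one feature per line, so line-oriented
# regexes are enough here; no YAML library is needed.
NAME_RE = re.compile(r"^\s*name:\s*(.+?)\s*$", re.M)
MNEMONIC_RE = re.compile(r"^\s*-\s*mnemonic:\s*([A-Za-z0-9.]+)", re.M)
ARCH_RE = re.compile(r"^\s*-\s*arch:\s*([A-Za-z0-9]+)", re.M)
SUFFIX_RE = re.compile(r"\bvia \S+ assembly$", re.I)


@dataclass
class Finding:
    path: str
    name: str
    x86: Set[str] = field(default_factory=set)
    aarch64: Set[str] = field(default_factory=set)
    declared_arch: Set[str] = field(default_factory=set)
    suggested_name: Optional[str] = None
    note: str = ""


def analyze_rule(path: str, text: str) -> Finding:
    """Classify one rule's mnemonic features and suggest a rename if warranted."""
    m = NAME_RE.search(text)
    name = m.group(1) if m else "<unnamed>"
    mnemonics = {x.lower() for x in MNEMONIC_RE.findall(text)}
    f = Finding(path, name,
                x86=mnemonics & X86_ONLY,
                aarch64=mnemonics & AARCH64_ONLY,
                declared_arch={x.lower() for x in ARCH_RE.findall(text)})
    if SUFFIX_RE.search(name):
        f.note = "name already carries a 'via ... assembly' qualifier"
    elif f.x86 and f.aarch64:
        # Mnemonics from both sets usually sit in separate or-branches, so the
        # rule can still match on either architecture; a human must decide.
        f.note = "mixed x86 and aarch64 mnemonics; inspect or-branches by hand"
    elif f.x86:
        f.suggested_name = f"{name} via x86 assembly"
        f.note = "x86-exclusive mnemonics: " + ", ".join(sorted(f.x86))
    elif f.aarch64:
        f.suggested_name = f"{name} via aarch64 assembly"
        f.note = "aarch64-exclusive mnemonics: " + ", ".join(sorted(f.aarch64))
    elif f.declared_arch:
        f.note = "no exclusive mnemonics, but declares arch feature(s): " + ", ".join(sorted(f.declared_arch))
    else:
        f.note = "no architecture-exclusive mnemonics found"
    return f


def scan(rules: Dict[str, str]) -> List[Finding]:
    return [analyze_rule(path, text) for path, text in rules.items()]


def load_rules(root: str) -> Dict[str, str]:
    """Read every .yml under a rules checkout (assumed layout: one rule per file)."""
    return {str(p): p.read_text(encoding="utf-8") for p in sorted(Path(root).rglob("*.yml"))}


# Constructed sample rules in the capa YAML layout; not taken from the repository.
SAMPLE_RULES = {
    "swap-words.yml": "rule:\n  meta:\n    name: swap register halves\n"
                      "  features:\n    - and:\n      - mnemonic: xchg\n"
                      "      - mnemonic: xor\n      - number: 0x100\n",
    "xor-loop-a64.yml": "rule:\n  meta:\n    name: xor buffer in a loop\n"
                        "  features:\n    - and:\n      - mnemonic: eor\n"
                        "      - mnemonic: ldr\n      - mnemonic: cbnz\n",
    "api-only.yml": "rule:\n  meta:\n    name: create mutex\n"
                    "  features:\n    - or:\n      - api: kernel32.CreateMutex\n"
                    "      - api: kernel32.CreateMutexEx\n",
    "already-named.yml": "rule:\n  meta:\n    name: get cpu information via x86 assembly\n"
                         "  features:\n    - and:\n      - arch: i386\n"
                         "      - mnemonic: cpuid\n",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_RULES):
        arrow = f" -> {f.suggested_name}" if f.suggested_name else ""
        print(f"{f.path}: {f.name!r}{arrow} ({f.note})")
```

Run it against a real checkout with `scan(load_rules("path/to/capa-rules"))`. The output is a candidate list, not a decision: an x86-only mnemonic sitting in one `or:` alternative beside an API feature does not stop the rule from matching on aarch64, and the script does not evaluate rule logic, so each suggested rename still needs the "would never match on a different architecture" check by hand before the name is changed.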

Got it!

Will start working on it soon.

akh7177 avatar Feb 26 '25 17:02 akh7177