
bytes feature unable to detect CLSID/RID when pushed via stack

Open Still34 opened this issue 11 months ago • 2 comments

Summary

The following code example (under Examples) currently does not match the relevant rule schedule-task-via-itaskservice, even when the rule was stripped down to just the bytes features, suggesting that the bytes feature is currently unable to detect such bytes when they are pushed via the stack.

[image: rule schedule-task-via-itaskservice]

Examples

[image: disassembly of the sample that does not match]

Possible improvements

Additional context

Still34 · Feb 14 '25 10:02

Yes, this is definitely an issue, and I would expect this behavior today. The bytes (and GUID) feature only matches pointers to byte sequences.

The analysis backends don't attempt to do any code reconstruction or emulation to recognize stack data, though it's possible that Binary Ninja might do some of this with their "function outlining" capability.

We could attempt to recognize the 4-byte little endian portion at the instruction level (mov mnemonic, operand 1 number = 0x...), which might be sufficient?

Do you have any ideas or suggestions?

Do you happen to have a few examples we could use as case studies?

williballenthin · Feb 14 '25 11:02
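To make the instruction-level idea above concrete, here is an added example (not capa's code and not from this thread) that reconstructs a GUID assembled on the stack from 32-bit immediates and checks it against the little-endian byte layout a `bytes:` feature would carry. It goes slightly beyond the comment's mov-only suggestion by also handling a run of `push imm32`, where the last push lands at the lowest address. The GUID value, the Intel-syntax listings and the function names (`stack_images`, `find_stack_guid`) are all constructed for this illustration.

```python
import re
import struct
import uuid

# Constructed placeholder GUID standing in for the CLSID/IID a rule would carry.
# It is NOT a real COM identifier.
TARGET_GUID = uuid.UUID("01020304-0506-0708-090a-0b0c0d0e0f10")

# Constructed x86 listing (Intel syntax): the GUID never exists as a contiguous
# byte sequence in the image; it is built on the stack from dword immediates.
MOV_LISTING = """
push ebp
mov ebp, esp
sub esp, 0x20
mov dword ptr [esp], 0x1020304
mov dword ptr [esp+4], 0x7080506
mov dword ptr [esp+8], 0xc0b0a09
mov dword ptr [esp+0xc], 0x100f0e0d
lea eax, [esp]
push eax
call some_import
"""

# Same GUID, pushed dword by dword (highest-address dword first).
PUSH_LISTING = """
push 0x100f0e0d
push 0xc0b0a09
push 0x7080506
push 0x1020304
call some_import
"""

MOV_STACK = re.compile(
    r"^mov\s+dword ptr \[(esp|ebp)(?:\s*([+-])\s*(0x[0-9a-f]+|\d+))?\],\s*(0x[0-9a-f]+|\d+)$",
    re.IGNORECASE,
)
PUSH_IMM = re.compile(r"^push\s+(0x[0-9a-f]+|\d+)$", re.IGNORECASE)


def guid_bytes(g: uuid.UUID) -> bytes:
    """On-disk GUID layout: Data1/Data2/Data3 little-endian, Data4 as-is.

    This is the 16-byte sequence a `bytes:` feature would need to see."""
    return g.bytes_le


def _imm32(text: str) -> bytes:
    """Encode a parsed immediate as the 4 little-endian bytes it writes to memory."""
    return struct.pack("<I", int(text, 0) & 0xFFFFFFFF)


def stack_images(listing: str) -> list:
    """Reconstruct byte images from runs of stack-store immediates.

    A run of `mov dword ptr [esp+off], imm` is ordered by stack offset; a run of
    `push imm32` is reversed, because the last push occupies the lowest address.
    Any other instruction ends the current run."""
    images = []
    mov_run = []   # (offset, 4 bytes)
    push_run = []  # 4-byte chunks in program order

    def flush():
        if mov_run:
            images.append(b"".join(b for _, b in sorted(mov_run, key=lambda t: t[0])))
            mov_run.clear()
        if push_run:
            images.append(b"".join(reversed(push_run)))
            push_run.clear()

    for line in listing.strip().splitlines():
        line = line.strip()
        m = MOV_STACK.match(line)
        if m:
            if push_run:
                flush()
            _base, sign, off, imm = m.groups()
            offset = int(off, 0) if off else 0
            if sign == "-":
                offset = -offset
            mov_run.append((offset, _imm32(imm)))
            continue
        p = PUSH_IMM.match(line)
        if p:
            if mov_run:
                flush()
            push_run.append(_imm32(p.group(1)))
            continue
        flush()
    flush()
    return images


def find_stack_guid(listing: str, guid: uuid.UUID) -> bool:
    """True if any reconstructed stack image contains the GUID's byte layout."""
    needle = guid_bytes(guid)
    return any(needle in img for img in stack_images(listing))


if __name__ == "__main__":
    print("mov-built GUID found :", find_stack_guid(MOV_LISTING, TARGET_GUID))
    print("push-built GUID found:", find_stack_guid(PUSH_LISTING, TARGET_GUID))
```

The sorting by offset matters for real compiler output, which often emits the stores out of address order; the reversal for `push` runs is what makes the "pushed via stack" case in the issue title line up with the same needle.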

I only have this specific shellcode that matches something like this off the top of my head at the moment. I think attempting to match mov instructions would be good enough, if this is something that can be attempted on capa's backend.

867dc1142e5a01f991670d41d0ce4362f0814c5171445c44208af10ba9779f06-decrypted.zip

Still34 · Feb 14 '25 11:02