
create directory to group native samples

Open hcnpeiris opened this issue 8 months ago • 7 comments

Summary

  • Added a separate directory for PMA Labs.
  • Plan to add directories for benign and malware samples.
  • Considering using the VirusTotal API in a Python script to automatically classify files.

Question

  • Is using VirusTotal API the best approach, or is there a better way to classify files?

Related Issue

Thank you!

hcnpeiris avatar Mar 09 '25 14:03 hcnpeiris

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

google-cla[bot] avatar Mar 09 '25 14:03 google-cla[bot]

tbh, i'm not sure there are any benign files in test-files, except perhaps things like al-khaser and mimikatz. so i'm not sure it's worth the effort of scripting this, unless you'd like to try for experience.

williballenthin avatar Mar 09 '25 15:03 williballenthin

create directory to group native samples

Fixes capa#1787

To improve the organization of test files, three new directories have been added:

  • /benign: Contains benign test binaries.
  • /malware: Stores malware test samples.
  • /pma_labs: Includes PMA test binaries.

Relevant test files have been moved to these new directories.

Pytest File Updates & Issue

Since this change modifies the test file structure, pytest file paths have been updated accordingly. A PR will be submitted to the capa repository to reflect these changes.

However, one expected failure test (xfailed) unexpectedly passed.
I ran pytest on the latest master branch, and it produced the same result.

Pytest Results After Updating File Paths

[Screenshot: pytest results, 2025-03-11 18:21]

Pytest Results for latest master branch

[Screenshot: pytest results, 2025-03-11 16:51]

Request for Feedback

Can I get feedback on resolving this issue?

Checklist

  • [x] No CHANGELOG update needed
  • [x] No new tests needed
  • [x] No documentation update needed

hcnpeiris avatar Mar 11 '25 13:03 hcnpeiris

I'd advise against benign/malware labels and would suggest to just use native (vs dotnet or sandbox results). It could be a headache to verify for each sample if it's benign or malicious without much benefit.

mr-tz avatar Mar 12 '25 09:03 mr-tz

@mr-tz Oops, I misunderstood it as needing to categorize as malware and benign. Just to clarify, all I need to do is create two separate directories for pma_labs and native, and move the native test binaries to the respective directory?

hcnpeiris avatar Mar 13 '25 02:03 hcnpeiris

@mr-tz Files have been moved as mentioned above. However, the pytest file needs to be updated for the new file paths. I will update it soon.

hcnpeiris avatar Mar 15 '25 17:03 hcnpeiris

@mr-tz I added a PR mandiant/capa#2623 with the updated pytest files. Can I get feedback on it?

hcnpeiris avatar Mar 20 '25 03:03 hcnpeiris

intermediate update, files now in the native directory:

      1 Intel amd64-COFF object file
      1 Zip archive
      4 data
      5 ELF 32-bit
     11 ELF 64-bit
     83 PE32+ executable
    221 PE32 executable

mr-tz avatar Apr 07 '25 13:04 mr-tz
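The native-versus-.NET split suggested earlier in the thread, and the per-format count in the last comment, can both be derived from file headers alone, with no VirusTotal lookup. The script below is an added example; it is not part of the capa-testfiles repository or of anyone's comment above. It classifies ELF, Zip, and PE samples by magic bytes, and for PE files reads data directory entry 14 (the CLR runtime header) of the optional header, which is the standard indicator of a .NET assembly. The `build_minimal_pe` helper constructs header-only stubs purely so the classifier can be exercised offline; they are not real samples and do not run.

```python
"""Classify test samples by container format and, for PE, native vs .NET."""
import os
import struct
import sys
from collections import Counter
from typing import Iterable

# Index of the CLR runtime header in the optional header's data directory.
CLR_DIRECTORY_INDEX = 14


def _classify_pe(data: bytes) -> str:
    """Walk MZ -> PE signature -> optional header; report PE32/PE32+ and CLR presence."""
    if len(data) < 0x40:
        return "data"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 26:
        return "MS-DOS executable"
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        kind, rva_count_off = "PE32", 92   # NumberOfRvaAndSizes offset for PE32
    elif magic == 0x20B:
        kind, rva_count_off = "PE32+", 108  # ... and for PE32+
    else:
        return "PE (unknown optional header)"
    dotnet = False
    if len(data) >= opt + rva_count_off + 4:
        count = struct.unpack_from("<I", data, opt + rva_count_off)[0]
        clr_entry = opt + rva_count_off + 4 + CLR_DIRECTORY_INDEX * 8
        if count > CLR_DIRECTORY_INDEX and len(data) >= clr_entry + 8:
            va, size = struct.unpack_from("<II", data, clr_entry)
            dotnet = va != 0 and size != 0  # non-empty CLR header => managed image
    return f"{kind} executable ({'.NET' if dotnet else 'native'})"


def classify_bytes(data: bytes) -> str:
    """Return a short format label for the leading bytes of a file."""
    if data[:4] == b"\x7fELF":
        ei_class = data[4] if len(data) > 4 else 0
        return {1: "ELF 32-bit", 2: "ELF 64-bit"}.get(ei_class, "ELF (unknown class)")
    if data[:2] == b"PK":
        return "Zip archive"
    if data[:2] == b"MZ":
        return _classify_pe(data)
    return "data"


def summarize_samples(samples: Iterable[bytes]) -> Counter:
    """Count labels over an iterable of file contents (or their leading bytes)."""
    return Counter(classify_bytes(sample) for sample in samples)


def summarize_directory(root: str) -> Counter:
    """Classify every file under root, reading only the first 64 KiB of each."""
    def heads():
        for dirpath, _, names in os.walk(root):
            for name in names:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    yield fh.read(65536)
    return summarize_samples(heads())


def format_summary(counts: Counter) -> str:
    """Render counts in the 'uniq -c' style used in the thread, lowest count first."""
    rows = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    return "\n".join(f"{n:>7} {label}" for label, n in rows)


def build_minimal_pe(pe32plus: bool, dotnet: bool) -> bytes:
    """Constructed header-only PE stub for self-testing; not a loadable image."""
    opt_size = 240 if pe32plus else 224
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    rva_count_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, rva_count_off, 16)  # all 16 data directories present
    if dotnet:
        clr_off = rva_count_off + 4 + CLR_DIRECTORY_INDEX * 8
        struct.pack_into("<II", opt, clr_off, 0x2008, 0x48)  # placeholder RVA/size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(format_summary(summarize_directory(sys.argv[1] if len(sys.argv) > 1 else ".")))
```

Run it as `python classify_samples.py tests/data/native` (assumed path) to get a count table in the same shape as the one above, with PE rows split into native and .NET. Reading only the first 64 KiB keeps the pass over a few hundred samples fast; a PE whose `e_lfanew` points beyond that window would be reported as "MS-DOS executable", which is a reasonable signal to look at that file by hand.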