
ARM support

Open cosad3s opened this issue 2 years ago • 5 comments

Summary

Today, when using capa on files like: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV)

We get this output from capa:

WARNING:capa.features.extractors.elffile:unsupported architecture: ARM
ERROR:capa:--------------------------------------------------------------------------------
ERROR:capa: Input file does not appear to target a supported architecture.
ERROR:capa: 
ERROR:capa: capa currently only supports analyzing x86 (32- and 64-bit).
ERROR:capa:--------------------------------------------------------------------------------

Is there any hope of having compatibility for ARM binaries?

Motivation

To target binaries in embedded devices for example.

Describe alternatives you've considered

N/A

Additional context

N/A

cosad3s avatar Aug 31 '23 10:08 cosad3s
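As an added illustration (not capa's own code) of where the "unsupported architecture: ARM" message above comes from: the ELF header's e_machine field names the target machine, and a tool whose only analysis backend is x86 has to refuse anything else before it tries to disassemble. The script below reads that field from constructed, header-only ELF byte strings (not loadable binaries) and reports whether the architecture is one the tool can analyse. The SUPPORTED set, the helper names and the sample headers are assumptions of this example, not taken from capa.

```python
import struct

# ELF identification bytes and e_machine values, per the ELF specification.
ELF_MAGIC = b"\x7fELF"
EI_CLASS, EI_DATA = 4, 5
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
EM_386, EM_ARM, EM_X86_64, EM_AARCH64 = 0x03, 0x28, 0x3E, 0xB7
MACHINE_NAMES = {EM_386: "i386", EM_ARM: "ARM", EM_X86_64: "x86-64", EM_AARCH64: "AArch64"}

# Assumption for this example: only 32- and 64-bit x86 have an analysis backend,
# matching the situation described in the issue text.
SUPPORTED = {"i386", "x86-64"}


def elf_architecture(data: bytes) -> str:
    """Return a human-readable machine name from an ELF header (raises on non-ELF input)."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[EI_CLASS] not in (ELFCLASS32, ELFCLASS64):
        raise ValueError("unknown ELF class")
    if data[EI_DATA] == ELFDATA2LSB:
        endian = "<"
    elif data[EI_DATA] == ELFDATA2MSB:
        endian = ">"
    else:
        raise ValueError("unknown ELF data encoding")
    # e_type (2 bytes) sits at offset 16 and e_machine (2 bytes) at offset 18
    # for both ELF32 and ELF64, so no class-specific layout is needed here.
    (e_machine,) = struct.unpack_from(endian + "H", data, 18)
    return MACHINE_NAMES.get(e_machine, "unknown(0x%02x)" % e_machine)


def check_supported(data: bytes):
    """Return (architecture name, whether an analysis backend exists for it)."""
    arch = elf_architecture(data)
    return arch, arch in SUPPORTED


def warning_for(data: bytes):
    """Mimic the warning line from the issue: None when supported, a message otherwise."""
    arch, ok = check_supported(data)
    return None if ok else "unsupported architecture: %s" % arch


def make_elf_header(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Construct a minimal 24-byte ELF header for testing; it is not a runnable binary."""
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    # e_ident: magic, class, data, EI_VERSION=1, EI_OSABI=0 (SYSV), ABI version + padding
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + bytes(8)
    # e_type = ET_EXEC (2), e_machine, e_version = 1
    return ident + struct.pack(endian + "HHI", 2, e_machine, 1)


if __name__ == "__main__":
    # Constructed samples: the ARM EABI file from the issue, an x86-64 file, a big-endian AArch64 file.
    for hdr in (make_elf_header(ELFCLASS32, ELFDATA2LSB, EM_ARM),
                make_elf_header(ELFCLASS64, ELFDATA2LSB, EM_X86_64),
                make_elf_header(ELFCLASS64, ELFDATA2MSB, EM_AARCH64)):
        print(check_supported(hdr), warning_for(hdr))
```

Adding a new architecture to such a tool is then two separate jobs: extending the table of recognised machines, and supplying an analysis backend whose output (calls, basic blocks, string references) is trusted for that machine, which is the test-suite requirement raised later in this thread.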

We have been talking about supporting ARM recently. The primary reason we don't have it today is that we (capa authors that are malware analysts on FLARE) don't see all that much ARM malware, so we're not as familiar with the architecture. I don't think there's any technical reason preventing us from adding ARM support.

@cosad3s can we tag you here when we need help developing and testing ARM support?

williballenthin avatar Sep 01 '23 08:09 williballenthin

Hello, I am not an expert in that domain, but I'll be pleased to test capa in an ARM context :)

cosad3s avatar Sep 08 '23 11:09 cosad3s

It would really be a chance to show off Binary Ninja's capacity, since our analysis is IL-based, which means few changes will be needed in order to support a new arch, like ARM.

xusheng6 avatar Sep 26 '23 05:09 xusheng6

A major (self-imposed) requirement to merging Arm support is a test suite that gives us confidence that the Arm analysis works as expected. As noted above, we're not really experienced in Arm, so this is a place we'd love some help, such as by highlighting common Arm code patterns, architectural considerations, real-world reversing advice, etc. Concretely, PRs to the capa test cases that assert how Arm analysis should work, for calls, basic blocks, string references, etc. This means both executable testfiles and locations in those files of interesting features.

The existing x86 test suite has enabled us to accept alternative backends, such as Binary Ninja, since we're confident that all backends provide a similar level of analysis/correctness. As we consider Arm support, an Arm test suite will let us accept contributions for Arm analysis backends, such as vivisect, Binary Ninja, IDA, Ghidra, etc.

williballenthin avatar Sep 26 '23 13:09 williballenthin