capa dynamic: vmray: add support for "container" function call parameters

dynamic: vmray: add support for "container" function call parameters

Open mike-hunhoff opened this issue 6 months ago • 0 comments

The "container" type roughly maps to structure and bitfield data. We must first determine if capa can emit features from containers without polluting the matches and then handle the nested structure.

e.g.

[...]
		<param name="pAddrInfo" type="ptr" value="0x5b4030">
			<deref type="container">
				<member name="ai_flags" type="signed_32bit" value="4"/>
				<member name="ai_family" type="signed_32bit" value="2"/>
				<member name="ai_socktype" type="signed_32bit" value="0"/>
				<member name="ai_protocol" type="signed_32bit" value="0"/>
				<member name="ai_addrlen" type="void_ptr" value="0x10"/>
				<member name="ai_canonname" type="void_ptr" value="0x0"/>
				<member name="ai_addr" type="ptr" value="0x5af1a0">
					<deref type="container">
						<member name="sa_family" type="signed_16bit" value="2"/>
						<member name="sin_port" type="unsigned_16bit" value="0x0"/>
						<member name="sin_addr" type="ptr" value="0x100007f">
							<deref type="str" value="127.0.0.1"/>
						</member>
					</deref>
				</member>
				<member name="ai_next" type="void_ptr" value="0x0"/>
			</deref>
		</param>
[...]

Jul 30 '24 16:07 mike-hunhoff

capa capa copied to clipboard

dynamic: vmray: add support for "container" function call parameters

capa
capa copied to clipboard