capa icon indicating copy to clipboard operation
capa copied to clipboard
verified publisher icon mandiant

Capa-plugin for IDA-Pro 9.0.240807 not working

Open v1bh475u opened this issue 9 months ago • 3 comments

Description

I am getting the following error while running it in IDA-Pro v9.0.240807 on archlinux

ERROR:capa.ida.plugin.form:Failed to extract capabilities from database (error: module 'ida_bytes' has no attribute 'bin_search')
Traceback (most recent call last):
  File "/home/vibhatsu/Documents/workspace/gsoc-capa/capa/capa/ida/plugin/form.py", line 779, in load_capa_results
    capabilities = capa.capabilities.common.find_capabilities(
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/vibhatsu/Documents/workspace/gsoc-capa/capa/capa/capabilities/common.py", line 76, in find_capabilities
    return find_static_capabilities(ruleset, extractor, disable_progress=disable_progress, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/vibhatsu/Documents/workspace/gsoc-capa/capa/capa/capabilities/static.py", line 232, in find_static_capabilities
    all_file_capabilities = find_file_capabilities(ruleset, extractor, function_and_lower_features)
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/vibhatsu/Documents/workspace/gsoc-capa/capa/capa/capabilities/common.py", line 43, in find_file_capabilities
    for feature, va in itertools.chain(extractor.extract_file_features(), extractor.extract_global_features()):
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/vibhatsu/Documents/workspace/gsoc-capa/capa/capa/features/extractors/ida/extractor.py", line 58, in extract_file_features
    yield from capa.features.extractors.ida.file.extract_features()
  File "/home/vibhatsu/Documents/workspace/gsoc-capa/capa/capa/features/extractors/ida/file.py", line 204, in extract_features
    for feature, addr in file_handler():
                         ^^^^^^^^^^^^^^
  File "/home/vibhatsu/Documents/workspace/gsoc-capa/capa/capa/features/extractors/ida/file.py", line 89, in extract_file_embedded_pe
    for ea, _ in check_segment_for_pe(seg):
                 ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/vibhatsu/Documents/workspace/gsoc-capa/capa/capa/features/extractors/ida/file.py", line 55, in check_segment_for_pe
    for off in capa.features.extractors.ida.helpers.find_byte_sequence(seg.start_ea, seg.end_ea, mzx):
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/vibhatsu/Documents/workspace/gsoc-capa/capa/capa/features/extractors/ida/helpers.py", line 51, in find_byte_sequence
    ea = ida_bytes.bin_search(start, end, patterns, ida_bytes.BIN_SEARCH_FORWARD)
         ^^^^^^^^^^^^^^^^^^^^
AttributeError: module 'ida_bytes' has no attribute 'bin_search'. Did you mean: 'bin_search3'?

Steps to Reproduce

  1. Copied the capa_explorer.py into plugins directory.
  1. Tried running capa-plugin on mimikatz.exe_

Expected behavior:

It should have run smoothly showing the matched rules.

Actual behavior: It throws error.

Versions

capa: version 9.0.1 OS: Arch Linux x86_64 Kernel: Linux 6.12.19-1-lts

Additional Information

It is fixed by changing the bin_search by bin_search3 here: https://github.com/mandiant/capa/blob/d00f1729730589424f45d47196add191a8ad5772/capa/features/extractors/ida/helpers.py#L51 But I am not sure where this is coming from. In the official documentation of hexrays, ida_bytes is said to have bin_search function.

v1bh475u avatar Mar 20 '25 09:03 v1bh475u

see also #2497

williballenthin avatar Mar 20 '25 11:03 williballenthin

Maybe my installation is a bit malformed or maybe the apis were updated after this version.

v1bh475u avatar Mar 20 '25 12:03 v1bh475u

I'm experiencing the same issue.

infernosalex avatar Jul 17 '25 20:07 infernosalex