
Discrepancy in capa analysis results between `vivisect` and `IDA` backends

Open r0ny123 opened this issue 7 months ago • 3 comments

Description

When running capa with both the vivisect and IDA backends via the CLI on the same binary, Vivisect successfully identifies AES-related functionality while the IDA backend fails to detect the same capabilities. Additionally, when using the -d flag, Vivisect extracts more features than IDA, which may contribute to the discrepancy in capability matches.

Steps to Reproduce

  1. Run capa on the same binary using both Vivisect and IDA backends:
     capa -b vivisect path\to\binary -d
     capa -b ida path\to\binary -d
  2. Observe the difference in AES-related matches and feature extraction between the two backends.

Expected behavior: Both backends should ideally extract similar features and identify the same capabilities, especially common ones like AES encryption.

Actual behavior: vivisect backend detects the following AES-related capabilities:

encrypt data using AES (2 matches)
namespace  data-manipulation/encryption/aes
scope      function
matches    0x180001614
           0x18000209C

reference AES constants (2 matches)
namespace  data-manipulation/encryption/aes
scope      function
matches    0x180001614
           0x18000209C

Versions

  • capa version: 9.1.0
  • IDA version: 9.0.20241216
  • OS: Windows 10
  • SHA256: c0e4894f3a0d23d0d47b0c270ceeb78543f775abaf013b33de8b1d3cd46e0ed8

r0ny123 avatar May 14 '25 06:05 r0ny123
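As an added example (not code from the issue or from capa itself), a small Python helper that parses capa's default text report in the layout quoted above and diffs the capability sets two backends report, so a triage can see which rules only one backend matched and which shared rules matched at different addresses. The vivisect report is the one quoted in the issue; the IDA-side report is a constructed stand-in, since the issue does not show it.

```python
import re

RULE_HEADER = re.compile(r"^(?P<rule>.+?)(?:\s+\(\d+ matches?\))?\s*$")      # 'name (N matches)'
FIELD_LINE = re.compile(r"^(?:(?P<key>[a-z]+)\s+|\s+)(?P<value>\S.*?)\s*$")  # 'key  value' or indented address

def parse_capa_text(text):
    # Returns {rule name: {"namespace": str, "scope": str, "matches": [int addresses]}}
    caps, cur = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():            # a blank line closes the current rule block
            cur = None
            continue
        if cur is None:                 # first line of a block is the rule name
            name = RULE_HEADER.match(line).group("rule").strip()
            cur = caps.setdefault(name, {"namespace": "", "scope": "", "matches": []})
            continue
        m = FIELD_LINE.match(line)      # 'key  value', or a bare indented address (key is None)
        if m and m.group("key") in (None, "matches"):
            cur["matches"].append(int(m.group("value"), 16))
        elif m and m.group("key") in ("namespace", "scope"):
            cur[m.group("key")] = m.group("value")
    return caps

def diff_backends(report_a, report_b):
    # Rules only one backend reports, plus shared rules whose match addresses differ
    a, b = parse_capa_text(report_a), parse_capa_text(report_b)
    shared = set(a) & set(b)
    return {"only_a": sorted(set(a) - set(b)), "only_b": sorted(set(b) - set(a)),
            "addr_mismatch": sorted(r for r in shared if set(a[r]["matches"]) != set(b[r]["matches"]))}

# VIVISECT_REPORT is quoted from the issue; IDA_REPORT is a constructed stand-in (the issue shows none)
VIVISECT_REPORT = """encrypt data using AES (2 matches)
namespace  data-manipulation/encryption/aes
scope      function
matches    0x180001614
           0x18000209C

reference AES constants (2 matches)
namespace  data-manipulation/encryption/aes
scope      function
matches    0x180001614
           0x18000209C
"""
IDA_REPORT = """reference AES constants
namespace  data-manipulation/encryption/aes
scope      function
matches    0x180001614
"""
```

Run `diff_backends(VIVISECT_REPORT, IDA_REPORT)` to get the rules each backend missed and the shared rules whose addresses disagree; the same function works on any two saved text reports from `capa -b <backend>`.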

This is what I get with binja backend:

hash data with CRC32
namespace  data-manipulation/checksum/crc32
scope      function                        
matches    0x1800075D0                     

reference Base64 string
namespace  data-manipulation/encoding/base64
scope      file                             

encrypt data using RC4 PRGA (3 matches)
namespace  data-manipulation/encryption/rc4
scope      function                        
matches    0x180001370                     
           0x1800014E0                     
           0x18000D66C                     

hash data using fnv
namespace    data-manipulation/hashing/fnv                                               
description  can be any Fowler-Noll-Vo (FNV) hash variant, including FNV-1, FNV-1a, FNV-0
scope        function                                                                    
matches      0x18000D490                                                                 

create or open mutex on Windows
namespace  host-interaction/mutex
scope      instruction           
matches    0x18000DFAE           

resolve function by parsing PE exports
namespace  load-code/pe
scope      function    
matches    0x180009110 

xusheng6 avatar May 14 '25 07:05 xusheng6

Interesting.

r0ny123 avatar May 14 '25 07:05 r0ny123

Possible dupe of #2638; likely an issue with vivisect and the workspace loaded in IDA.

Still34 avatar Jun 09 '25 09:06 Still34