Crash on binary analysis: Exception: Invalid String Size: 0
capa crashes with exception while attempting to analyze a binary:
Traceback (most recent call last):
File "main.py", line 1149, in <module>
File "main.py", line 1033, in main
File "main.py", line 871, in get_extractor_from_cli
File "loader.py", line 299, in get_extractor
File "loader.py", line 170, in get_workspace
File "viv_utils/__init__.py", line 118, in getWorkspace
File "vivisect/__init__.py", line 2891, in loadFromFile
File "vivisect/parsers/elf.py", line 32, in parseFile
File "vivisect/parsers/elf.py", line 637, in loadElfIntoWorkspace
File "vivisect/__init__.py", line 2272, in makeString
Exception: Invalid String Size: 0
[PYI-656177:ERROR] Failed to execute script 'main' due to unhandled exception!
Offending binary (untrusted / do not execute):
https://drive.google.com/file/d/1Bh_m-4UO5zckNCmJOVm8S7vRfW3uhWdv/view?usp=sharing
@Valentin-Metz Sir, I am interested in working on your issue. Can you confirm whether it is still there? Can you give me what it says if run with --debug? What OS are you working on?
@Jinsakai-25 we've not attempted any fix, so the bug is likely still present. i don't believe the underlying OS will make any difference, but if you have reason to think otherwise, please explain.
i think this is a bug in vivisect that you should be able to trigger by loading the attached ELF file. i don't think capa will need any direct fixes.
it's possible that the bug is fixed with https://github.com/vivisect/vivisect/pull/659 so @Jinsakai-25 you could start by confirming that.
unfortunately that PR is stalled so i don't know if it will ever be merged.
@Valentin-Metz Sir, I am interested in working on your issue. Can you confirm whether it is still there? Can you give me what it says if run with --debug? What OS are you working on?
Linux fedora-desktop 6.15.9-201.fc42.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Aug 2 11:37:34 UTC 2025 x86_64 GNU/Linux
/tmp ❯ ./capa caps_screen_recorder --debug 53s 13:35:39
DEBUG capa: -------------------------------------------------------------------------------- main.py:475
DEBUG capa: Using default embedded rules. main.py:476
DEBUG capa: To provide your own rules, use the form: main.py:477
DEBUG capa: main.py:478
DEBUG capa: `capa.exe -r ./path/to/rules/ /path/to/mal.exe`. main.py:479
DEBUG capa: main.py:480
DEBUG capa: You can see the current default rule set here: main.py:481
DEBUG capa: main.py:482
DEBUG capa: https://github.com/mandiant/capa-rules main.py:483
DEBUG capa: -------------------------------------------------------------------------------- main.py:484
DEBUG capa.rules: reading rules from directory /tmp/_MEIASWvNK/rules __init__.py:2167
DEBUG capa.rules.cache: loading rule set from cache: /tmp/_MEIASWvNK/cache/capa-f09830e0.cache cache.py:157
DEBUG capa: successfully loaded 995 rules main.py:693
DEBUG capa.features.extractors.elffile: Symbol table '.dynsym' contains 289 entries: elffile.py:40
DEBUG capa.features.extractors.elffile: Symbol table '.symtab' contains 54441 entries: elffile.py:40
DEBUG capa.features.extractors.elffile: Dynamic segment contains 289 symbols: elffile.py:65
DEBUG capa.features.extractors.elffile: Dynamic Segment contains 2 relocation tables: elffile.py:116
DEBUG capa.features.extractors.elf: ei_class: 0x02 ei_data: 0x01 elf.py:154
DEBUG capa.features.extractors.elf: e_phoff: 0x40 e_phentsize: 0x38 e_phnum: 12 elf.py:184
DEBUG capa.features.extractors.elf: guess: osabi: None elf.py:1482
DEBUG capa.features.extractors.elf: ph:namesz: 0x04 descsz: 0x14 type: 0x0003 elf.py:599
DEBUG capa.features.extractors.elf: name: GNU elf.py:602
DEBUG capa.features.extractors.elf: guess: ph notes: None elf.py:1489
DEBUG capa.features.extractors.elf: sh:namesz: 0x04 descsz: 0x14 type: 0x0003 elf.py:648
DEBUG capa.features.extractors.elf: sh:name: GNU elf.py:652
DEBUG capa.features.extractors.elf: GNU_ABI_TAG: 0x8d1d24be elf.py:664
DEBUG capa.features.extractors.elf: sh:namesz: 0x04 descsz: 0x10 type: 0x0001 elf.py:648
DEBUG capa.features.extractors.elf: sh:name: GNU elf.py:652
DEBUG capa.features.extractors.elf: GNU_ABI_TAG: 0x00 elf.py:664
DEBUG capa.features.extractors.elf: abi tag: OS.LINUX earliest compatible kernel: 3.2.0 elf.py:670
DEBUG capa.features.extractors.elf: guess: sh notes: OS.LINUX elf.py:1496
DEBUG capa.features.extractors.elf: .ident: GCC: (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0rustc version 1.88.0 (6b00bc388 2025-06-23) elf.py:873
DEBUG capa.features.extractors.elf: guess: .ident: OS.LINUX elf.py:1503
DEBUG capa.features.extractors.elf: guess: linker: OS.LINUX elf.py:1510
DEBUG capa.features.extractors.elf: guess: ABI versions needed: OS.LINUX elf.py:1517
DEBUG capa.features.extractors.elf: guess: needed dependencies: None elf.py:1524
DEBUG capa.features.extractors.elf: symtab: _ZN3std3sys3pal4unix5linux5pidfd5PidFd8try_wait17h08c3a4bee33bb5d2E looks like OS.LINUX elf.py:970
DEBUG capa.features.extractors.elf: guess: pertinent symbol name: OS.LINUX elf.py:1531
DEBUG capa.features.extractors.elf: go buildinfo: found data segment elf.py:1010
DEBUG capa.features.extractors.elf: go buildinfo: no buildinfo magic elf.py:1096
DEBUG capa.features.extractors.elf: guess: Go buildinfo: None elf.py:1538
DEBUG capa.features.extractors.elf: guess: Go source: None elf.py:1545
DEBUG capa.features.extractors.elf: guess: vdso strings: None elf.py:1552
DEBUG capa.capabilities.common: analyzed file and extracted 120108 features common.py:53
DEBUG capa.features.extractors.elf: ei_class: 0x02 ei_data: 0x01 elf.py:154
DEBUG capa.features.extractors.elf: e_phoff: 0x40 e_phentsize: 0x38 e_phnum: 12 elf.py:184
DEBUG capa.features.extractors.elf: guess: osabi: None elf.py:1482
DEBUG capa.features.extractors.elf: ph:namesz: 0x04 descsz: 0x14 type: 0x0003 elf.py:599
DEBUG capa.features.extractors.elf: name: GNU elf.py:602
DEBUG capa.features.extractors.elf: guess: ph notes: None elf.py:1489
DEBUG capa.features.extractors.elf: sh:namesz: 0x04 descsz: 0x14 type: 0x0003 elf.py:648
DEBUG capa.features.extractors.elf: sh:name: GNU elf.py:652
DEBUG capa.features.extractors.elf: GNU_ABI_TAG: 0x8d1d24be elf.py:664
DEBUG capa.features.extractors.elf: sh:namesz: 0x04 descsz: 0x10 type: 0x0001 elf.py:648
DEBUG capa.features.extractors.elf: sh:name: GNU elf.py:652
DEBUG capa.features.extractors.elf: GNU_ABI_TAG: 0x00 elf.py:664
DEBUG capa.features.extractors.elf: abi tag: OS.LINUX earliest compatible kernel: 3.2.0 elf.py:670
DEBUG capa.features.extractors.elf: guess: sh notes: OS.LINUX elf.py:1496
DEBUG capa.features.extractors.elf: .ident: GCC: (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0rustc version 1.88.0 (6b00bc388 2025-06-23) elf.py:873
DEBUG capa.features.extractors.elf: guess: .ident: OS.LINUX elf.py:1503
DEBUG capa.features.extractors.elf: guess: linker: OS.LINUX elf.py:1510
DEBUG capa.features.extractors.elf: guess: ABI versions needed: OS.LINUX elf.py:1517
DEBUG capa.features.extractors.elf: guess: needed dependencies: None elf.py:1524
DEBUG capa.features.extractors.elf: symtab: _ZN3std3sys3pal4unix5linux5pidfd5PidFd8try_wait17h08c3a4bee33bb5d2E looks like OS.LINUX elf.py:970
DEBUG capa.features.extractors.elf: guess: pertinent symbol name: OS.LINUX elf.py:1531
DEBUG capa.features.extractors.elf: go buildinfo: found data segment elf.py:1010
DEBUG capa.features.extractors.elf: go buildinfo: no buildinfo magic elf.py:1096
DEBUG capa.features.extractors.elf: guess: Go buildinfo: None elf.py:1538
DEBUG capa.features.extractors.elf: guess: Go source: None elf.py:1545
DEBUG capa.features.extractors.elf: guess: vdso strings: None elf.py:1552
DEBUG capa: skipping library code matching: signatures only supports PE files main.py:821
DEBUG capa: format: elf main.py:867
DEBUG capa: backend: vivisect main.py:868
DEBUG viv_utils.idaloader: failed to import IDA Pro modules idaloader.py:24
DEBUG capa.features.extractors.elf: ei_class: 0x02 ei_data: 0x01 elf.py:154
DEBUG capa.features.extractors.elf: e_phoff: 0x40 e_phentsize: 0x38 e_phnum: 12 elf.py:184
DEBUG capa.features.extractors.elf: ei_class: 0x02 ei_data: 0x01 elf.py:154
DEBUG capa.features.extractors.elf: e_phoff: 0x40 e_phentsize: 0x38 e_phnum: 12 elf.py:184
DEBUG capa.features.extractors.elf: guess: osabi: None elf.py:1482
DEBUG capa.features.extractors.elf: ph:namesz: 0x04 descsz: 0x14 type: 0x0003 elf.py:599
DEBUG capa.features.extractors.elf: name: GNU elf.py:602
DEBUG capa.features.extractors.elf: guess: ph notes: None elf.py:1489
DEBUG capa.features.extractors.elf: sh:namesz: 0x04 descsz: 0x14 type: 0x0003 elf.py:648
DEBUG capa.features.extractors.elf: sh:name: GNU elf.py:652
DEBUG capa.features.extractors.elf: GNU_ABI_TAG: 0x8d1d24be elf.py:664
DEBUG capa.features.extractors.elf: sh:namesz: 0x04 descsz: 0x10 type: 0x0001 elf.py:648
DEBUG capa.features.extractors.elf: sh:name: GNU elf.py:652
DEBUG capa.features.extractors.elf: GNU_ABI_TAG: 0x00 elf.py:664
DEBUG capa.features.extractors.elf: abi tag: OS.LINUX earliest compatible kernel: 3.2.0 elf.py:670
DEBUG capa.features.extractors.elf: guess: sh notes: OS.LINUX elf.py:1496
DEBUG capa.features.extractors.elf: .ident: GCC: (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0rustc version 1.88.0 (6b00bc388 2025-06-23) elf.py:873
DEBUG capa.features.extractors.elf: guess: .ident: OS.LINUX elf.py:1503
DEBUG capa.features.extractors.elf: guess: linker: OS.LINUX elf.py:1510
DEBUG capa.features.extractors.elf: guess: ABI versions needed: OS.LINUX elf.py:1517
DEBUG capa.features.extractors.elf: guess: needed dependencies: None elf.py:1524
DEBUG capa.features.extractors.elf: symtab: _ZN3std3sys3pal4unix5linux5pidfd5PidFd8try_wait17h08c3a4bee33bb5d2E looks like OS.LINUX elf.py:970
DEBUG capa.features.extractors.elf: guess: pertinent symbol name: OS.LINUX elf.py:1531
DEBUG capa.features.extractors.elf: go buildinfo: found data segment elf.py:1010
DEBUG capa.features.extractors.elf: go buildinfo: no buildinfo magic elf.py:1096
DEBUG capa.features.extractors.elf: guess: Go buildinfo: None elf.py:1538
DEBUG capa.features.extractors.elf: guess: Go source: None elf.py:1545
DEBUG capa.features.extractors.elf: guess: vdso strings: None elf.py:1552
DEBUG capa.loader: generating vivisect workspace for: caps_screen_recorder loader.py:160
Traceback (most recent call last):
File "main.py", line 1149, in <module>
File "main.py", line 1033, in main
File "main.py", line 871, in get_extractor_from_cli
File "loader.py", line 299, in get_extractor
File "loader.py", line 170, in get_workspace
File "viv_utils/__init__.py", line 118, in getWorkspace
File "vivisect/__init__.py", line 2891, in loadFromFile
File "vivisect/parsers/elf.py", line 32, in parseFile
File "vivisect/parsers/elf.py", line 637, in loadElfIntoWorkspace
File "vivisect/__init__.py", line 2272, in makeString
Exception: Invalid String Size: 0
[PYI-3674090:ERROR] Failed to execute script 'main' due to unhandled exception!
the error comes from here: https://github.com/vivisect/vivisect/blob/d04e519337c205111e0b34df6db39444d0fcc148/vivisect/parsers/elf.py#L636C21-L637C59 when the symbol size is zero
this indeed is fixed in the PR here: https://github.com/vivisect/vivisect/pull/659 specifically this commit: https://github.com/vivisect/vivisect/commit/c8019edb8cd6425925cc78f878d4395bc085565a
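One way to confirm the zero-size-symbol diagnosis above without loading the sample into vivisect, as an added example (not capa or vivisect code): read the ELF symbol tables directly and list defined symbols whose st_size is 0. It assumes ELF64 little-endian input (ei_class 0x02, ei_data 0x01 in the debug log); `zero_size_symbols` and `build_sample` are names made up here, and since the page does not show which symbol types reach makeString, the type filter is left to the caller.

```python
import struct

STT = {0: "NOTYPE", 1: "OBJECT", 2: "FUNC", 3: "SECTION", 4: "FILE"}

def zero_size_symbols(data, types=None):
    """Return (name, type, st_value) for defined symbols with st_size == 0."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not an ELF64 little-endian file")
    e_shoff, = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    if e_shentsize < 64 or e_shoff + e_shnum * e_shentsize > len(data):
        raise ValueError("section header table is malformed or truncated")
    # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    hits = []
    for _, sh_type, _, _, sh_off, sh_size, sh_link, *_ in shdrs:
        if sh_type not in (2, 11) or sh_link >= len(shdrs):  # SHT_SYMTAB, SHT_DYNSYM
            continue
        strtab = data[shdrs[sh_link][4]:shdrs[sh_link][4] + shdrs[sh_link][5]]
        end = min(sh_off + sh_size, len(data))
        for pos in range(sh_off, end - 23, 24):
            # Elf64_Sym: st_name, st_info, st_other, st_shndx, st_value, st_size
            st_name, st_info, _, st_shndx, st_value, st_size = struct.unpack_from(
                "<IBBHQQ", data, pos)
            stype = STT.get(st_info & 0xF, str(st_info & 0xF))
            if st_size or st_shndx == 0 or (types and stype not in types):
                continue  # sized, undefined (SHN_UNDEF), or filtered out
            name = strtab[st_name:].split(b"\0", 1)[0].decode("latin-1")
            hits.append((name, stype, st_value))
    return hits

def build_sample():
    """Constructed input: minimal ELF64 with a null section, .symtab, .strtab."""
    strtab = b"\0sized_obj\0empty_obj\0"
    sym = lambda name, size, value: struct.pack("<IBBHQQ", name, 0x11, 0, 1, value, size)
    symtab = bytes(24) + sym(1, 8, 0x1000) + sym(11, 0, 0x2000)
    body = symtab + strtab
    shdr = lambda typ, off, size, link: struct.pack(
        "<IIQQQQIIQQ", 0, typ, 0, 0, off, size, link, 0, 0, 24)
    shdrs = bytes(64) + shdr(2, 64, len(symtab), 2) + shdr(3, 64 + len(symtab), len(strtab), 0)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, 64 + len(body), 0, 64, 0, 0, 64, 3, 0)
    return ehdr + body + shdrs

if __name__ == "__main__":
    for name, stype, value in zero_size_symbols(build_sample(), types={"OBJECT"}):
        print(f"{stype:8} {value:#x} {name}")
```

To triage a real sample, pass the file's bytes read in binary mode; the parser only reads the file and never executes it.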