
feature: function count

Open mr-tz opened this issue 3 years ago • 3 comments

rule:
  meta:
    name: contain few functions
    examples:
      - 068a76d4823419b376d418cf03215d5c
  features:
    - count(function): 10 or less

Is something like this possible or would we need a new feature?

Would it be worth adding? Currently I can only think of using this for packer detection.

EDIT: also for anti-disassembly, see PMA chapter 15

mr-tz avatar May 03 '21 20:05 mr-tz

Is something like this possible or would we need a new feature?

I don't think we can do this today. Function features bubble up to File features, so the scope: file would be appropriate; however, we don't extract a feature for each function start (how else would this be used?) so there's nothing relevant to work with at the file scope.

williballenthin avatar May 03 '21 21:05 williballenthin

we could approximate this today like so:

scope: file
features:
  - count(characteristic(calls to)): 10 or less

which says: "there are ten or fewer resolved calls". though, i find this to be a kinda tricky rule - would need to document it well.

(note: i haven't tested this rule, but i think it should work)

williballenthin avatar May 03 '21 21:05 williballenthin

unfortunately not: invalid rule: feature characteristic(calls to) not support for scope file

mr-tz avatar May 04 '21 15:05 mr-tz
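A small stand-in evaluator for the `count(...)` forms discussed in this thread, added here as an example and not capa's own code: it parses `N`, `N or more`, `N or less/fewer` and `(N, M)`, checks whether a feature is allowed at a scope, and rejects `characteristic(calls to)` at `file` scope the way the reported error does. The `ALLOWED` scope table and the hypothetical `function` feature (the one this issue asks for) are assumptions for illustration, not capa's real scope rules.

```python
"""Simplified stand-in for capa count() evaluation (added example, not capa code)."""
import re
from typing import Dict, Optional, Tuple

# Assumed scope table for illustration only; capa's real table differs.
# The "function" feature models the count(function) proposed in the issue.
ALLOWED = {
    "file": {"function", "import", "export", "section"},
    "function": {"characteristic(calls to)", "characteristic(calls from)", "api"},
}

_RANGE_RE = re.compile(r"^\((\d+)\s*,\s*(\d+)\)$")
_QUAL_RE = re.compile(r"^(\d+)(?:\s+or\s+(more|less|fewer))?$")


def parse_count(spec: str) -> Tuple[int, Optional[int]]:
    """Turn a count spec into an inclusive (low, high) bound; high=None means unbounded."""
    spec = spec.strip()
    m = _RANGE_RE.match(spec)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = _QUAL_RE.match(spec)
    if not m:
        raise ValueError(f"invalid count: {spec!r}")
    n, qualifier = int(m.group(1)), m.group(2)
    if qualifier == "more":
        return n, None
    if qualifier in ("less", "fewer"):
        return 0, n
    return n, n  # exact match


def validate(scope: str, feature: str) -> None:
    """Mirror the validation failure quoted above for an unsupported scope/feature pair."""
    if feature not in ALLOWED.get(scope, set()):
        raise ValueError(f"invalid rule: feature {feature} not support for scope {scope}")


def evaluate(scope: str, feature: str, spec: str, counts: Dict[str, int]) -> bool:
    """Evaluate count(feature): spec against constructed per-scope feature counts."""
    validate(scope, feature)
    low, high = parse_count(spec)
    n = counts.get(feature, 0)
    return low <= n and (high is None or n <= high)


if __name__ == "__main__":
    # Constructed sample: a small (possibly packed) binary with 7 recovered functions.
    print(evaluate("file", "function", "10 or less", {"function": 7}))
```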