mandiant
skip matching rules in code within functions that are only called from library functions
Summary
Some functions that are not identified as library functions but are only called from library functions do match capa rules. An enhancement would be to skip matching rules associated to capabilities not only within library functions but also within functions only called from library functions.
Motivation
As capa is aimed at detecting capabilities and behaviours within the programmer's code and not within library code this will reduce the hits an analyst have to look at that are relevant.
Describe alternatives you've considered
Skip finding capabilities and behaviours within functions that are not originally detected as library code but it i safe to assume they are library functions since they are only called from library code.
Additional context
Seen in a DLL where the library function __IsNonwritableInCurrentImage calls the function sub_1000AFD0, not detected as library function by IDA Pro.
I like this idea and its definitely in the spirit of what we've been doing with capa analysis.
Implementation-wise, we already extract enough information to generate a call graph that we could use to filter the results. TBD on whether this filtering happens after feature extraction, though, which wouldn't reduce runtime but would still reduce FP output.
Would it be possible to add this to viv_utils so all dependencies just get this feature? Not sure this would work there though as I think it may focus on single functions only.
we could put into viv-utils the logic that decides which functions call which functions and therefore should/nt be included in analysis (i think this is called a "dominator" in graph theory). then capa can be a client of this logic, along with other dependencies. floss might also make use of the logic.
im not sure how we'd decide "is a library function?". maybe clients bring their own list of functions that it thinks are libraries (such as via FLIRT, etc).