Mike Hunhoff
As we extend capa to support more technologies/languages the feature name `api` may become confusing. For example, one could argue a class can be considered (or part of) an API...
- `ldftn`: https://docs.microsoft.com/en-us/dotnet/api/system.reflection.emit.opcodes.ldftn?view=net-6.0
- `ldvirftn`: https://docs.microsoft.com/en-us/dotnet/api/system.reflection.emit.opcodes.ldvirtftn?view=net-6.0

e.g.

```
...
ldftn instance void malware.methods::timer_callback(object)
...
newobj instance void [mscorlib]System.Threading.TimerCallback::.ctor(object, native int)
```

emit

```yaml
- namespace: malware
- class: malware.methods
-...
```
See https://github.com/mandiant/capa-rules/issues/591. We can probably use the existing `bytes` feature for this.
This would allow us to match `calls from`, `calls to`, and `recursive call`.
Most of the characteristics we emit won't apply to dotnet, so let's collect ideas for new dotnet characteristics here.
Update explorer to cache a rule set for multiple runs - allow user to manually reload a rule set from their capa rules directory via plugin UI e.g. `Rules >...
Enable users to cancel capa explorer analysis during file feature extraction step. This really only matters for very large files with a lot of file features. Presently capa explorer displays...
Observed interesting API call technique: [screenshot: Screen Shot 2021-02-12 at 10 45 43 AM] IDA appears to detect the proper API call for decompilation: [screenshot: Screen Shot 2021-02-12 at 10 46 34...
We've had a suggestion that capa explorer optionally support adding rule match annotations/comments/etc. to the IDB.
Remembering all of the namespaces can be difficult, especially when writing a new capa rule. Let's explore solutions that will provide users with namespace hints that they can leverage while...