Mike Hunhoff
e.g. something like this: I think the most important information is still shown and I also don't think we lose anything by removing the structural expressions?
see original https://github.com/mandiant/capa/pull/2208#discussion_r1680205936
``` ERROR:capa.ida.plugin.form:Failed to render results (error: '
Ghidra's extension does not link `CallGraph.Vertex` messages to `Module` messages for imported functions e.g. `kernel32.ReadFile`. Truly I'm not sure if `CallGraph.Vertex` messages representing imported functions should be linked to `Module`...
There is no horizontal scroll when expanding long entries, which makes viewing the corresponding columns impossible. This issue was experienced in Chrome, not sure if specific to this browser or...
I'd expect this to be set, which is true for the other binaries.
``` [...] dnfile/__init__.py", line 295, in __init__ sig = _struct.unpack_from("
source of the exception https://github.com/mandiant/capa/blob/8c8b67a6eaef0b78ff6f053583f951e0692fd8b5/capa/features/extractors/pefile.py#L133 Input file appears to be corrupted, resulting in a bad `pe.FILE_HEADER.Machine` value, which throws a `KeyError` exception. PM for source sample.
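The failure described above (a corrupted `Machine` field turning into a bare `KeyError` from a dictionary lookup) is easy to reproduce and to harden against. The following is an added example, not capa's or pefile's own code: it reads `IMAGE_FILE_HEADER.Machine` directly with `struct`, shows the naive lookup that raises `KeyError`, and a checked variant that raises a descriptive error instead. The `MACHINE_NAMES` table is a subset of the PE/COFF `IMAGE_FILE_MACHINE_*` values, and `make_pe` builds a constructed, minimal PE-like blob purely for testing; `0xBEEF` is an arbitrary bogus value standing in for corrupted input.

```python
import struct

# Subset of IMAGE_FILE_MACHINE_* constants from the PE/COFF specification.
MACHINE_NAMES = {
    0x014C: "i386",
    0x0200: "ia64",
    0x01C4: "armnt",
    0x8664: "amd64",
    0xAA64: "arm64",
}


def read_machine(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.Machine from a raw PE image.

    Parses only what is needed: the DOS header's e_lfanew, the "PE\\0\\0"
    signature, and the first WORD (Machine) of the COFF file header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew or missing PE signature")
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def arch_naive(data: bytes) -> str:
    # A corrupted Machine field surfaces as an opaque KeyError from this lookup,
    # which is the shape of the crash reported above.
    return MACHINE_NAMES[read_machine(data)]


def arch_checked(data: bytes) -> str:
    # Same lookup, but an unknown value produces an error that names the
    # offending field and value, so the caller can report "corrupt/unsupported
    # input" rather than crashing deep inside feature extraction.
    machine = read_machine(data)
    name = MACHINE_NAMES.get(machine)
    if name is None:
        raise ValueError(f"unsupported or corrupted IMAGE_FILE_HEADER.Machine value 0x{machine:04X}")
    return name


def make_pe(machine: int) -> bytes:
    """Build a constructed, minimal PE-like blob carrying the given Machine value.

    Only the DOS stub, e_lfanew, PE signature and a zeroed COFF file header are
    emitted; this is test input, not a loadable executable.
    """
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + file_header


if __name__ == "__main__":
    for machine in (0x8664, 0xBEEF):
        blob = make_pe(machine)
        try:
            print(f"naive:   0x{machine:04X} -> {arch_naive(blob)}")
        except KeyError as e:
            print(f"naive:   0x{machine:04X} -> KeyError({e})")
        try:
            print(f"checked: 0x{machine:04X} -> {arch_checked(blob)}")
        except ValueError as e:
            print(f"checked: 0x{machine:04X} -> ValueError: {e}")
```

Running the block shows the contrast: the valid `amd64` blob resolves in both paths, while the bogus value gives a `KeyError` in the naive path and a readable `ValueError` in the checked one. In a tool like capa, the checked path is what lets a corrupted sample be reported as unsupported input instead of as an internal error.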
We should reconsider the `att&ck` classification for https://github.com/mandiant/capa-rules/blob/64b174e50253cbd506df40e7728531b801636a56/host-interaction/bootloader/get-uefi-variable.yml#L11 and https://github.com/mandiant/capa-rules/blob/64b174e50253cbd506df40e7728531b801636a56/host-interaction/bootloader/set-uefi-variable.yml#L11. Without additional indicators, I'm not sure that we can draw the conclusion that getting/setting UEFI variables results in boot persistence.
https://forensicatorj.wordpress.com/2014/06/25/interpreting-the-pendingfilerenameoperations-registry-key-for-forensics/