Mike Hunhoff
sub task of #982. for each [`newobj` instruction](https://docs.microsoft.com/en-us/dotnet/api/system.reflection.emit.opcodes.newobj?view=net-6.0) emit `namespace`, `class`, and `api` features where `api` is in the format `.::ctor` where `ctor` is capa's way to identify object...
[capa_explorer.py](https://github.com/mandiant/capa/blob/master/capa/ghidra/capa_explorer.py) adds comments and bookmarks when executed. We should enable users to choose which of these options, if any, they want to use when the script is executed. [capa_ghidra.py](https://github.com/mandiant/capa/blob/fde1de3250ccb7c46d0ef36f60f830d679ea79c1/capa/ghidra/capa_ghidra.py#L103-L117) can...
capa's rule caching is great but not obvious. This caused a huge headache when debugging #1897 as the problem code was skipped entirely when capa used its local rule cache....
Ok so it looks like we need the opposite of `fixtures.get_sample_md5_by_name` e.g. `fixtures.get_sample_short_name_by_md5` or the like. Let's leave this code as-is for now and I'll open a separate issue to...
Add support to calculate IL basic blocks, enabling basic block scope and loop detection for .NET files.
Research and implement if it's possible to determine OS for .NET file; these should all be PEs so my best guess without further research is focusing on statically detecting the...
Here is a profiling snippet from running capa on `mimikatz.exe_` in Ghidra. Let's review and see if there are opportunities to reduce the cumulative times for Ghidra-related functions: ``` 273564231...
Calls to `monitor().isCancelled()` can be used to stop execution if a user chooses to cancel a script run. This is especially important for long runs. Let's use `monitor().isCancelled()` where it...