Mike Hunhoff

Ghidra: addresses are not exported for all instructions that begin a basic block

2

see https://github.com/google/binexport/issues/128#issuecomment-2078054664

see https://github.com/google/binexport/issues/128#issuecomment-2078054664

ghidra: instruction: nzxor security cookie check is incorrect

2

https://github.com/mandiant/capa/blob/4b1a5003df926eb790eb14e9a70e68bf93ca1f2a/capa/features/extractors/ghidra/insn.py#L428-L438 This incorrectly checks if the instruction's parent function consists of a single basic block. The intention is to check if the XOR operation is within the first or last...

e.g. divide the display into "columns" that allow users to sort by top level element including the rule name and namespace

e.g. https://github.com/mandiant/capa/blob/1360e0838954c801dc13450c9daed423191a88a5/capa/features/extractors/cape/global_.py#L51 I'm surprised that none of our linters catch this...

binexport: ghidra: plt/got thunking not handled by Ghidra when indirect global register is used

1

Documenting this as a known issue here. Ghidra developers are aware and I've [asked for clarification](https://github.com/NationalSecurityAgency/ghidra/issues/5825#issuecomment-2150609967) if there is a fix planned. Otherwise, we'll likely need to handle this in...

The main argument for this is to take advantage of name demangling handled by the underlying disassembler (IDA, Ghidra, etc.). Optionally, add name demangling to capa's `ElfFeatureExtractor`.

see original comment https://github.com/mandiant/capa/blob/0ab5f5baff744c32624f815f53726cecf5897565/capa/features/extractors/binexport2/insn.py#L85