re-fox
Thanks for the comments, looking forward to more analysis backends. In Ghidra, Radare, and BinaryNinja the analysis level can be adjusted. Running aggressive function finders may result in some bad...
Example at `capa-testfiles/03b236b23b1ec37c663527c1f53af3fe.dll_`. The following basic block:

```
0x180024c27 488d4c2420   lea rcx, [lpSystemInfo] ; LPSYSTEM_INFO lpSystemInfo
0x180024c2c ff15f6f40200 call qword [GetNativeSystemInfo] ; 0x180054128 ; VOID GetNativeSystemInfo(LPSYSTEM_INFO lpSystemInfo)
0x180024c32 8b542424     mov...
```
It looks like a sample is in `capa-testfiles`: `5f66b82558ca92e54e77f216ef4c066c.exe_`. In the following basic block:

```
0x00445817 68c4a14b00 push 0x4ba1c4
0x0044581c 68bca14b00 push 0x4ba1bc
0x00445821 68c0a14b00 push 0x4ba1c0
0x00445826 e8815c0200 call...
```
Just a contextual comment: One of the issues I encountered when writing this signature is just the sheer amount of variations encountered of this algorithm. Fortunately, most implementations have the...
I took a quick initial look at this. Here's a basic block from sample `8bac633f24d21e9f88425e0d3fbaf5c5`:

```
0x10004620 ror ecx, 0xd
0x10004623 movsx eax, al
0x10004626 lea edx, [edx + 1]...
```
After giving this a closer look, I may have been overly optimistic. Basic blocks like `0x6545E4B0` in sample `capa-testfiles/0761142efbda6c4b1e801223de723578.dll_` make this more difficult. Large basic blocks with many arithmetic instructions....
I have a sample `580c37831fe98a254eb6c61c692c70d8` that I'll upload to capa-testfiles shortly.
This looks good. Also tied to https://github.com/fireeye/capa-rules/issues/55
A version of cryptopp is in the capa-testfiles repo `94d3c854aadbcfde46b2f82801015c31`, although it may be useful to find older/newer builds to check signatures against. IIRC this was the file used for...
Quite a few changes were updated last night, I re-ran the analysis and posted up the new results. I'll keep editing this issue on a semi-regular basis to keep the...