Willi Ballenthin

Results 328 comments of Willi Ballenthin

oh hey look it's @fboldewin!

potential strategy: do an emulation pass (such as via viv-utils `FullCoverageEmulatorDriver`) and extract reg/stack context at each call site. then use calling convention and API definition info to extract arguments....

> I vote we boot #982 to the next release. #982 ties in with some other .NET feature parsing I believe we will need more research and discussion on before...

As a programmer, I get the difference between instance and class. But from a perspective of matching malware behavior, does it make enough difference to warrant a new feature? Note...

this seems useful. it may take a bit of work to enable this without affecting performance too much. but perhaps performance tuning is needed anyways. i wonder if there are...

- [ ] create branch
- [ ] update gh settings
- [ ] update CI (if necessary)
- [ ] capa-rules
- [ ] capa-testfiles

there is some existing code in [import-to-ida.py](https://github.com/fireeye/capa/blob/master/scripts/import-to-ida.py) that prompts for an existing json result document and applies comments to the IDB. perhaps this can be incorporated into the plugin, too?

reported upstream here: https://github.com/vivisect/vivisect/issues/497

`import floss` agree it would be nice to catch this, and we probably could relax the stackstring detection logic to detect this global dynamic string (and also heap strings). only...

@psifertex would be interested to hear your feedback on our plan here: http://www.williballenthin.com/post/2020-05-20-sketch-modern-python-in-ghidra/