Willi Ballenthin

Results 328 comments of Willi Ballenthin

i think it would be worthwhile to get the tests running (and passing) in CI. this means: - add the example files to capa-testfiles and get those merged, and -...

yes, the subscope should have a single child item, one of and/or/X or more. a subscope block is translated (behind the scenes) into a separate capa rule and all capa...

looks like this is only enforced during deserialization, though we should probably have a lint for it, too https://github.com/fireeye/capa/blob/master/capa/rules.py#L565-L568 ![image](https://user-images.githubusercontent.com/156560/112654177-bd383680-8e14-11eb-9451-2caa44b1f29e.png)

we can support this by translating the bytes literal into a regular expression (python supports byte literals in regexes). how would you use this feature?
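As an added illustration of the translation described in the comment above (this is not capa's code; the hypothetical `??` wildcard token is an assumption and not documented capa syntax), a capa-style hex bytes literal is turned into a bytes regex with Python's `re` module and searched over a constructed sample buffer:

```python
import re

def bytes_literal_to_regex(literal: str) -> re.Pattern:
    """Translate a space-separated hex literal such as '8B 45 08 C3' into a
    compiled bytes regex. Each literal byte is re.escape'd so bytes like 0x2E
    ('.') or 0x2A ('*') are matched literally rather than as regex metacharacters.
    '??' is an assumed wildcard extension meaning "any single byte"."""
    pieces = []
    for tok in literal.split():
        if tok == "??":
            pieces.append(b".")          # any one byte (DOTALL makes '.' match 0x0A too)
        elif len(tok) == 2:
            pieces.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"bad byte token: {tok!r}")
    return re.compile(b"".join(pieces), re.DOTALL)

def find_bytes(literal: str, buf: bytes) -> list:
    """Return the offsets of every non-overlapping match of the literal in buf."""
    return [m.start() for m in bytes_literal_to_regex(literal).finditer(buf)]

# constructed sample buffer: two 'mov eax, [ebp+imm8]; ret' sequences plus a '.*' pair
SAMPLE = bytes.fromhex("90 90 8B 45 08 C3 90 8B 45 0C C3 2E 2A")

if __name__ == "__main__":
    print(find_bytes("8B 45 ?? C3", SAMPLE))   # both sequences, wildcarding the displacement
    print(find_bytes("2E 2A", SAMPLE))         # '.' and '*' are escaped, so only the literal pair matches
```

Because `re.escape` handles `bytes` input, the same code path serves plain literals and the wildcard extension; without the escaping, a literal `2E 2A` would compile to `.*` and match at offset 0.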

when referring to an argument, we should be able to refer to its specific index. we should also try to associate the argument with its declared name. so like: ```yml...

we'll need to figure out how to handle a subset of types commonly used for arguments, like pointers to strings. does specifying a value as a string, like `lpName: "foo.exe"`...

thought: if we migrate most of our rules to use this feature, then we could probably natively support decompiler backends, like ghidra and hex-rays. we should consider the fragmentation of...

we could add this as part of capa 4.0 (probably introduces insn scope) or defer for 5.0+ as this will be a breaking change to rule syntax.

via https://github.com/mandiant/capa/pull/930#issuecomment-1083795849 and above probably want to support at least the following "types":

```yaml
- operand[{0,1,n}].number: ...
- operand[{0,1,n}].string: ...
- operand[{0,1,n}].substring: ...
- operand[{0,1,n}].bytes: ...
- operand[{0,1,n}].flag: ...
```

We had a similar idea for analyzing Windows memory dumps; however, there's a stumbling block: of all the loaded modules in the dump, which one should be analyzed and displayed? I...