Willi Ballenthin
We can process WinDbg Time Travel Debugging (TTD) traces and extract API calls, string/data references, and other features, and analyze them in a dynamic context, like @yelhamer has done with...
BinExport is an intermediate representation of disassembly produced by various tools, like IDA, Binary Ninja, Ghidra, etc. The data is stored in a ProtoBuf format: https://github.com/google/binexport/blob/main/binexport2.proto It includes many of...
via #1744, remove support for `scope: unspecified` once the rule migration is complete.
https://github.com/mandiant/capa/blob/3cf748a135f41ac5dff86f377dae816eb529b5a0/capa/features/extractors/base_extractor.py#L15
https://github.com/mandiant/capa/blob/430f9da449cbd2c7142594f3bcf370cbcfee37d8/capa/features/extractors/ida/helpers.py#L31
https://github.com/mandiant/capa/blob/430f9da449cbd2c7142594f3bcf370cbcfee37d8/capa/features/extractors/binja/insn.py#L327
https://github.com/mandiant/capa/blob/430f9da449cbd2c7142594f3bcf370cbcfee37d8/capa/features/extractors/binja/helpers.py#L46
via discussion in https://github.com/mandiant/capa-rules/issues/736 for ELF samples, parse the .symtab, if present, to provide:

- [x] ELF: use symtab entries for API feature function names
- [x] ELF: use...
https://github.com/mandiant/capa/blob/430f9da449cbd2c7142594f3bcf370cbcfee37d8/capa/features/extractors/ida/insn.py#L408
https://github.com/mandiant/capa/blob/430f9da449cbd2c7142594f3bcf370cbcfee37d8/capa/features/extractors/ida/insn.py#L430
https://github.com/mandiant/capa/blob/430f9da449cbd2c7142594f3bcf370cbcfee37d8/capa/features/extractors/ida/insn.py#L435
https://github.com/mandiant/capa/blob/430f9da449cbd2c7142594f3bcf370cbcfee37d8/capa/ida/plugin/cache.py#L40
https://github.com/mandiant/capa/blob/430f9da449cbd2c7142594f3bcf370cbcfee37d8/capa/ida/plugin/cache.py#L46