Willi Ballenthin

https://github.com/mandiant/capa/blob/430f9da449cbd2c7142594f3bcf370cbcfee37d8/capa/ida/plugin/form.py#L794

https://github.com/mandiant/capa/blob/430f9da449cbd2c7142594f3bcf370cbcfee37d8/capa/ida/plugin/model.py#L375

https://github.com/mandiant/capa/blob/430f9da449cbd2c7142594f3bcf370cbcfee37d8/capa/ida/plugin/model.py#L424

https://github.com/mandiant/capa/blob/430f9da449cbd2c7142594f3bcf370cbcfee37d8/capa/ida/plugin/view.py#L505

detectString: correctly compute substring length

2

this PR fixes the string length calculation when the requested string is a substring of a longer string that begins somewhere before it. in this case, take the longer string...

Ghidra: capture string references

1

The Ghidra exporter should populate the `string_reference` table. https://github.com/google/binexport/blob/5795afc727e7ab66072ea12b38f3e9c978bfa046/java/src/main/java/com/google/security/binexport/BinExport2Builder.java#L534

The Ghidra exporter should populate the `data_reference` table. https://github.com/google/binexport/blob/5795afc727e7ab66072ea12b38f3e9c978bfa046/java/src/main/java/com/google/security/binexport/BinExport2Builder.java#L535

 ```yaml - TLS_client_method - SSL_CTX_new ```

use the stackoverflow snapshot databases to extract MSDN API functions commonly (or not) recommended in answers but not yet referenced by any capa rule. this can help suggest categories of...

rules for ELF/Linux sample

14

even when the OS is specified manually, we don't get many results. we should spend some time writing rules that match the interesting behavior for this ELF/Linux sample: ``` capa...