Willi Ballenthin
Method (and field, and ...) signatures are represented by data in a custom binary format that is stored in the `#Blob` stream. The best references I've found for parsing this...
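As an added example of the format that issue refers to (this is illustrative code written for this page, not capa's own parser), the decoder below reads an ECMA-335 MethodDefSig blob: the compressed unsigned integer encoding used throughout the `#Blob` stream (1, 2 or 4 bytes selected by the lead bits), the calling-convention byte, the optional generic parameter count, the parameter count, and then the return type followed by each parameter type. The readable names it produces for table references (e.g. `TypeRef#5`) are a placeholder convention assumed here; the sample blobs are constructed by hand. Vararg `SENTINEL` and multi-dimensional `ARRAY` shapes are not handled.

```python
# Added example: minimal ECMA-335 MethodDefSig decoder for #Blob signatures.
# Not capa's code; "TypeRef#N" style names are a naming convention assumed here.
from typing import Dict, List, Tuple

# calling-convention flags in the first signature byte (ECMA-335 II.23.2.1)
HASTHIS, EXPLICITTHIS, GENERIC, VARARG = 0x20, 0x40, 0x10, 0x05

# ELEMENT_TYPE codes for primitive types (ECMA-335 II.23.1.16)
PRIMITIVES: Dict[int, str] = {
    0x01: "void", 0x02: "bool", 0x03: "char", 0x04: "int8", 0x05: "uint8",
    0x06: "int16", 0x07: "uint16", 0x08: "int32", 0x09: "uint32",
    0x0A: "int64", 0x0B: "uint64", 0x0C: "float32", 0x0D: "float64",
    0x0E: "string", 0x16: "typedref", 0x18: "native int", 0x19: "native uint",
    0x1C: "object",
}
ELEM_PTR, ELEM_BYREF, ELEM_VALUETYPE, ELEM_CLASS = 0x0F, 0x10, 0x11, 0x12
ELEM_VAR, ELEM_GENERICINST, ELEM_SZARRAY, ELEM_MVAR = 0x13, 0x15, 0x1D, 0x1E
ELEM_CMOD_REQD, ELEM_CMOD_OPT = 0x1F, 0x20


def read_compressed_uint(data: bytes, off: int) -> Tuple[int, int]:
    """Decode an ECMA-335 compressed unsigned int (II.23.2); return (value, next offset)."""
    b0 = data[off]
    if b0 & 0x80 == 0:                                  # 1 byte:  0xxxxxxx
        return b0, off + 1
    if b0 & 0xC0 == 0x80:                               # 2 bytes: 10xxxxxx xxxxxxxx
        return ((b0 & 0x3F) << 8) | data[off + 1], off + 2
    if b0 & 0xE0 == 0xC0:                               # 4 bytes: 110xxxxx + 3 more bytes
        v = ((b0 & 0x1F) << 24) | (data[off + 1] << 16) | (data[off + 2] << 8) | data[off + 3]
        return v, off + 4
    raise ValueError(f"invalid compressed uint lead byte {b0:#04x} at offset {off}")


def decode_typedef_or_ref(coded: int) -> str:
    """TypeDefOrRefOrSpecEncoded: low 2 bits pick the table, the rest is the row index."""
    tag = coded & 0x3
    if tag == 3:
        raise ValueError("reserved TypeDefOrRefOrSpec tag")
    return f"{('TypeDef', 'TypeRef', 'TypeSpec')[tag]}#{coded >> 2}"


def parse_type(data: bytes, off: int) -> Tuple[str, int]:
    """Parse one Type (II.23.2.12) at off; return (readable name, next offset)."""
    et = data[off]
    off += 1
    if et in PRIMITIVES:
        return PRIMITIVES[et], off
    if et in (ELEM_CMOD_REQD, ELEM_CMOD_OPT):           # custom modifier: skip token, parse real type
        _, off = read_compressed_uint(data, off)
        return parse_type(data, off)
    if et in (ELEM_PTR, ELEM_BYREF, ELEM_SZARRAY):
        inner, off = parse_type(data, off)
        suffix = {ELEM_PTR: "*", ELEM_BYREF: "&", ELEM_SZARRAY: "[]"}[et]
        return inner + suffix, off
    if et in (ELEM_CLASS, ELEM_VALUETYPE):
        coded, off = read_compressed_uint(data, off)
        return decode_typedef_or_ref(coded), off
    if et in (ELEM_VAR, ELEM_MVAR):                     # type / method generic parameter by index
        idx, off = read_compressed_uint(data, off)
        return ("!" if et == ELEM_VAR else "!!") + str(idx), off
    if et == ELEM_GENERICINST:                          # CLASS|VALUETYPE token, arg count, args
        base, off = parse_type(data, off)
        n, off = read_compressed_uint(data, off)
        args: List[str] = []
        for _ in range(n):
            a, off = parse_type(data, off)
            args.append(a)
        return f"{base}<{', '.join(args)}>", off
    raise ValueError(f"unsupported ELEMENT_TYPE {et:#04x} at offset {off - 1}")


def parse_method_sig(blob: bytes) -> dict:
    """Parse a MethodDefSig/MethodRefSig blob (without the blob heap's length prefix)."""
    conv = blob[0]
    off = 1
    sig = {
        "has_this": bool(conv & HASTHIS),
        "explicit_this": bool(conv & EXPLICITTHIS),
        "vararg": (conv & 0x0F) == VARARG,
        "generic_params": 0,
    }
    if conv & GENERIC:
        sig["generic_params"], off = read_compressed_uint(blob, off)
    count, off = read_compressed_uint(blob, off)
    sig["ret"], off = parse_type(blob, off)
    params: List[str] = []
    for _ in range(count):
        p, off = parse_type(blob, off)
        params.append(p)
    sig["params"] = params
    if off != len(blob):
        raise ValueError(f"{len(blob) - off} trailing byte(s) in signature")
    return sig


if __name__ == "__main__":
    # constructed blob for `static void Main(string[] args)`:
    # DEFAULT conv, 1 param, VOID return, SZARRAY of STRING
    print(parse_method_sig(bytes([0x00, 0x01, 0x01, 0x1D, 0x0E])))
```

A practical check when wiring this into a metadata reader: the offset returned by `parse_method_sig` must land exactly at the end of the blob, otherwise the type decoder mis-parsed a prefix and the "parameters" are garbage.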
closes #2074 ref #2063, particularly "tighten rule pre-selection" and "lots of time spent in instancecheck" Stacked on #1950, so I've marked this as a PR onto that branch so the...
https://github.com/mandiant/capa/blob/b59df659c93ecead5f585cb03739a31327dbff91/capa/features/common.py#L486
As shown in #2061, perhaps 70% of capa runtime is spent evaluating rule logic. That means, if we want to make capa run faster, improvements to the logic evaluation code...
via @Ana06 ``` ERROR:capa.ida.plugin.form:Failed to extract capabilities from database (error: in method 'get_bytes', argument 2 of type 'unsigned int') Traceback (most recent call last): File "C:\Python310\lib\site-packages\capa\ida\plugin\form.py", line 772, in load_capa_results...
capa-rules contains at least one rule with an impossible dependency, and neither capa nor its linter complains. We should ensure that capa correctly tracks dependencies across scopes, or warns the user...
Today, we match case insensitive strings by invoking the regex matching engine. But, we have quite a few of these features in our rule set (409???). Like with bytes above,...
Today, we match bytes by doing a prefix search against encountered bytes (up to 0x100 long). Since many sequences of bytes we search for have some structure (well, common length),...
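As an added example covering both the case-insensitive string and the bytes matching items above (this is illustrative code written for this page, not capa's matcher, and the rule ids and sample data are constructed), the index below replaces per-feature regex or prefix scans with hash lookups. Case-insensitive strings are keyed by their casefolded form, so a candidate string costs one dict lookup regardless of how many such features the rule set has. Bytes patterns are bucketed by length, so a prefix search over a candidate costs one lookup per distinct pattern length rather than one comparison per pattern; the 0x100 prefix limit mentioned above is kept.

```python
# Added example: hash-based feature index for bytes (prefix match) and
# case-insensitive strings. Not capa's code; rule ids and data are constructed.
from collections import defaultdict
from typing import Dict, Set

MAX_BYTES_PREFIX = 0x100   # only the first 0x100 bytes of a candidate are considered


class FeatureIndex:
    def __init__(self) -> None:
        # bytes patterns bucketed by length: {length: {pattern: {rule ids}}}
        self._bytes_by_len: Dict[int, Dict[bytes, Set[str]]] = defaultdict(lambda: defaultdict(set))
        # case-insensitive strings keyed by their casefolded form
        self._istrings: Dict[str, Set[str]] = defaultdict(set)

    def add_bytes(self, pattern: bytes, rule: str) -> None:
        if not 0 < len(pattern) <= MAX_BYTES_PREFIX:
            raise ValueError("bytes pattern must be 1..0x100 bytes long")
        self._bytes_by_len[len(pattern)][pattern].add(rule)

    def add_istring(self, s: str, rule: str) -> None:
        self._istrings[s.casefold()].add(rule)

    def distinct_lengths(self) -> int:
        """Number of lookups a bytes match costs, independent of pattern count."""
        return len(self._bytes_by_len)

    def match_bytes(self, candidate: bytes) -> Set[str]:
        """Rules whose bytes pattern is a prefix of candidate[:MAX_BYTES_PREFIX]."""
        head = candidate[:MAX_BYTES_PREFIX]
        hits: Set[str] = set()
        for n, bucket in self._bytes_by_len.items():
            if n <= len(head):
                hits |= bucket.get(head[:n], set())
        return hits

    def match_istring(self, s: str) -> Set[str]:
        """Rules whose case-insensitive string feature equals s, ignoring case."""
        return set(self._istrings.get(s.casefold(), ()))


def build_sample_index() -> FeatureIndex:
    # constructed rule set: three bytes features (two of the same length class
    # family, one different) and one case-insensitive string feature
    idx = FeatureIndex()
    idx.add_bytes(b"\x01\x02\x03", "rule-a")
    idx.add_bytes(b"\x01\x02\x03\x04", "rule-b")
    idx.add_bytes(b"\x02", "rule-c")
    idx.add_istring("Hello World", "rule-d")
    return idx


if __name__ == "__main__":
    idx = build_sample_index()
    print(idx.match_bytes(b"\x01\x02\x03\x04\x05"))   # rule-a and rule-b share the prefix
    print(idx.match_istring("HELLO world"))           # rule-d
    print(idx.distinct_lengths(), "lookups per bytes candidate")
```

One caveat when swapping a regex with `re.IGNORECASE` for a casefold lookup: the two agree for ASCII, but `str.casefold()` performs full Unicode folding (for example `"ß"` folds to `"ss"`), so rule strings containing non-ASCII letters should be checked against the old matcher before the change is trusted.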
Once the global features are known (arch, os, format, etc.), then prune logic from the rules that won't ever match. This way, the same global feature are not re-evaluated over...
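As an added example of the pruning idea above (illustrative code written for this page; the node classes, feature kinds and sample rule are assumptions, not capa's rule representation), the function below partially evaluates a rule's logic tree once the global features are known: every `os`/`arch`/`format` leaf is replaced by its truth value, `and`/`or` nodes short-circuit, and what remains is a smaller tree that only references per-scope features. The same leaf is therefore never re-evaluated at every function or basic block.

```python
# Added example: partial evaluation of rule logic against known global features.
# Not capa's code; Feature/And/Or and the GLOBAL_KINDS set are assumptions.
from dataclasses import dataclass
from typing import Dict, Set, Tuple, Union

GLOBAL_KINDS = frozenset({"os", "arch", "format"})


@dataclass(frozen=True)
class Feature:
    kind: str
    value: str


@dataclass(frozen=True)
class And:
    children: Tuple["Node", ...]


@dataclass(frozen=True)
class Or:
    children: Tuple["Node", ...]


# a bool in the tree is a subtree whose value is already decided
Node = Union[Feature, And, Or, bool]


def prune(node: Node, globals_: Dict[str, str]) -> Node:
    """Replace known global-feature leaves with their truth value and simplify."""
    if isinstance(node, bool):
        return node
    if isinstance(node, Feature):
        if node.kind in GLOBAL_KINDS and node.kind in globals_:
            return globals_[node.kind] == node.value
        return node                      # per-scope feature, or an unknown global: keep it
    # And short-circuits on False and drops True; Or does the opposite
    short_circuit = isinstance(node, Or)
    kids = []
    for child in node.children:
        p = prune(child, globals_)
        if p is short_circuit:
            return short_circuit
        if p is (not short_circuit):
            continue
        kids.append(p)
    if not kids:
        return not short_circuit         # empty And -> True, empty Or -> False
    if len(kids) == 1:
        return kids[0]
    return type(node)(tuple(kids))


def evaluate(node: Node, features: Set[Feature]) -> bool:
    """Evaluate a (possibly pruned) tree against the features seen at one scope."""
    if isinstance(node, bool):
        return node
    if isinstance(node, Feature):
        return node in features
    if isinstance(node, And):
        return all(evaluate(c, features) for c in node.children)
    return any(evaluate(c, features) for c in node.children)


def count_leaves(node: Node) -> int:
    """Feature leaves still present; a measure of per-scope work remaining."""
    if isinstance(node, bool):
        return 0
    if isinstance(node, Feature):
        return 1
    return sum(count_leaves(c) for c in node.children)


# constructed rule: windows-only, with one api alternative per architecture
SAMPLE_RULE = And((
    Feature("os", "windows"),
    Or((
        And((Feature("arch", "i386"), Feature("api", "CreateFileA"))),
        And((Feature("arch", "amd64"), Feature("api", "CreateFileW"))),
    )),
))


if __name__ == "__main__":
    pruned = prune(SAMPLE_RULE, {"os": "windows", "arch": "amd64", "format": "pe"})
    print(count_leaves(SAMPLE_RULE), "->", count_leaves(pruned), pruned)
    print(prune(SAMPLE_RULE, {"os": "linux", "arch": "amd64", "format": "elf"}))
```

A rule that prunes to `False` can be dropped before any scope is visited at all, which is the cheapest possible evaluation; a rule that prunes to `True` needs no per-scope evaluation either, and only its reporting has to be kept.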
To avoid searching for strings/bytes that won't ever be found at a particular scope, we could first check that each string/bytes is present *somewhere* in the file. If it's not,...