search

mandiant / capa-rules

Standard collection of rules for capa: the tool for enumerating the capabilities of programs
https://github.com/mandiant/capa/
Apache License 2.0
538 stars 163 forks source link

validate payment card number using luhn algorithm with no lookup table: doesn't match against notepad.exe #534

Closed erhlee-bird closed 1 year ago

erhlee-bird commented 2 years ago

Summary

Rule Name: "validate payment card number using luhn algorithm with no lookup table"

The aforementioned rule doesn't match against a version of notepad.exe (sha256:d66458a3eb1b68715b552b3af32a9d2e889bbf8ac0c23c1afa8d0982023d1ce2).

I don't think the file is actually exhibiting the represented behavior but the rule seems like it should match from how the rule is written.

Examples

notepad.exe (sha256:d66458a3eb1b68715b552b3af32a9d2e889bbf8ac0c23c1afa8d0982023d1ce2) Function located at 14000a098

  1. There's a loop at 14000ac6d satisfying the loop characteristic requirement

image

  1. There is a basic block at 14000a8e2 that satisfies the next inline basic block rule "Digital Root check number*2 < 0x9"

image

  1. There is a basic block at 14000aa76 that satisfies the next inline basic block rule "Conversion of chr to int (LEA REG,[REG+ -0x30])"

image

  1. There is a basic block at 14000ad3c that satisfies the last inline basic block rule "Final section returning checkum % 10"

image

Possible improvements

As a false negative, I think the rule should match according to the specified rule features.

So if this rule did match, I think it would actually be a false positive as a result of the basic block scope being very wide.

If the "Final section returning checkum % 10" rule were at like an instruction scope to look for specifically div 10 or something along those lines, this probably wouldn't match.

Additional context

mr-tz commented 2 years ago

Thanks for the detailed report! I'll have to take a deeper look at this.

And instruction scope or feature (https://github.com/mandiant/capa/issues/767) would help for sure with various FPs.

re-fox commented 2 years ago

Just a contextual comment: One of the issues I encountered when writing this signature is just the sheer amount of variations encountered of this algorithm. Fortunately, most implementations have the same features (Digit summing, lookup tables).

I roughly documented variants of the algorithm that this rule was written against -> https://github.com/re-fox/documentation/blob/master/algorithms/luhns.md. While I don't think all of those are in capa-testfiles, they may help give some samples to regression test against.

With this said, adding the instruction scope would help in reducing FP's, especially when dealing with samples where the basic blocks contain a lot of arithmetic or are overly large.

mr-tz commented 1 year ago

We've since added the instruction scope and improved the rule accordingly.

2., 3. and 4. now do not hit anymore, so the function should not and does not match :)