mandiant / capa-rules

Standard collection of rules for capa: the tool for enumerating the capabilities of programs
https://github.com/mandiant/capa/
Apache License 2.0

Error saying "rule version is wrong" showed up with IDA7.7 and python3.9.10 #634

Closed vxcall closed 1 year ago

vxcall commented 1 year ago

Hi, I need help with the error I encountered. :pensive:

versions

- Windows 10
- IDA 7.7
- Python 3.9.10
- flare-capa 4.0.1
- capa-rules 4.0.1

issue

I installed the plugin for IDA and specified the capa rules directory as capa-rules-4.0.1\anti-analysis\anti-debugging\debugger-detection. The following error appeared in the output pane.

ERROR:capa.ida.plugin.form:Failed to load rules from C:/Users/pseuxide/Documents/Reverse Engineering/IDA Pro 7.7/IDA Pro 7.7/capa-rules-4.0.1/anti-analysis/anti-debugging/debugger-detection (error: invalid rule: rule "check for software breakpoints" depends on missing rule "contain loop").
ERROR:capa.ida.plugin.form:Make sure your file directory contains properly formatted capa rules. You can download the standard collection of capa rules from https://github.com/mandiant/capa-rules.
ERROR:capa.ida.plugin.form:Please ensure you're using the rules that correspond to your major version of capa (4)
ERROR:capa.ida.plugin.form:You can check out these rules with the following command:
    $ git clone https://github.com/mandiant/capa-rules.git -b v4 /local/path/to/rules
ERROR:capa.ida.plugin.form:Or, for more details, see the rule set documentation here: https://github.com/mandiant/capa/blob/master/doc/rules.md
INFO:capa.ida.plugin.form:Analysis failed.

Of course the rules are for capa 4.0.1; I downloaded them from tags. The target is nothing complicated; it's from Flare-On 9 :).

Maybe this issue is related?

This is not happening only with the IDA plugin, but also with the normal capa executable. When I executed the following command,

./capa.exe --rules "path\to\capa-rules-4.0.1\anti-analysis\anti-debugging\debugger-detection" "path\to\file.exe"

the following error showed up:

ERROR:capa:invalid rule: rule "check for PEB BeingDebugged flag" depends on missing rule "PEB access"
Traceback (most recent call last):
  File "main.py", line 1019, in main
  File "rules.py", line 1050, in __init__
  File "rules.py", line 965, in ensure_rule_dependencies_are_met
capa.rules.InvalidRule: invalid rule: rule "check for PEB BeingDebugged flag" depends on missing rule "PEB access"

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "main.py", line 1197, in <module>
  File "main.py", line 1038, in main
  File "version.py", line 5, in get_major_version
ValueError: invalid literal for int() with base 10: 'v4'
[728] Failed to execute script 'main' due to unhandled exception!

mr-tz commented 1 year ago

Hey, this is a rule dependency issue because the PEB BeingDebugged rule depends on PEB access which is located outside of this directory. To filter rules, please try the -t option in the CLI tool, i.e. -t anti-debugging. In the IDA plugin you can filter after running all rules in the search bar on top. Please let me know how this works for you.
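
The failure described above comes from loading only a subdirectory while rules inside it use `match:` to reference rules that live elsewhere in the tree. The following script is an added example, not capa's own code: it walks a rules directory, collects every rule's `name`, `namespace` and `match:` targets, and reports references that nothing in the loaded set satisfies, so the problem is visible before capa refuses the rule set. The two rule snippets are constructed stand-ins (only the rule names come from the thread), the parse is a deliberately simple line-based regex rather than a YAML loader, and treating a `match:` value as satisfied when it names either a rule or a namespace prefix follows capa's documented `match` semantics.

```python
"""Pre-flight check for a capa rules directory: find `match:` references that
point at rules outside the set being loaded (the "depends on missing rule" case).

Added example, not part of capa or capa-rules. The rule texts below are
constructed stand-ins; only the rule names are taken from the issue thread.
"""
import os
import re
from typing import Dict, Set, Tuple, Optional

# One rule per .yml file; meta.name and meta.namespace identify it, and each
# `- match: <target>` line references another rule by name or namespace.
NAME_RE = re.compile(r"^\s*name:\s*(.+?)\s*$", re.MULTILINE)
NAMESPACE_RE = re.compile(r"^\s*namespace:\s*(.+?)\s*$", re.MULTILINE)
MATCH_RE = re.compile(r"^\s*-\s*match:\s*(.+?)\s*$", re.MULTILINE)


def parse_rule(text: str) -> Tuple[Optional[str], str, Set[str]]:
    """Return (name, namespace, match targets) from one rule's YAML text.
    Line-based simplification; capa itself uses a full YAML loader."""
    name = NAME_RE.search(text)
    ns = NAMESPACE_RE.search(text)
    targets = {m.strip().strip('"').strip("'") for m in MATCH_RE.findall(text)}
    return (name.group(1) if name else None, ns.group(1) if ns else "", targets)


def find_missing_dependencies(rule_texts: Dict[str, str]) -> Dict[str, Set[str]]:
    """rule_texts maps file path -> YAML text. Returns {rule name: {unsatisfied targets}}.
    A target is satisfied if it equals a loaded rule name, or equals / is a
    parent of a loaded rule's namespace (assumption: capa's match-on-namespace)."""
    parsed = {}
    for text in rule_texts.values():
        name, ns, targets = parse_rule(text)
        if name is not None:
            parsed[name] = (ns, targets)
    names = set(parsed)
    namespaces = {ns for ns, _ in parsed.values() if ns}
    missing: Dict[str, Set[str]] = {}
    for name, (_, targets) in parsed.items():
        for target in targets:
            by_name = target in names
            by_ns = any(ns == target or ns.startswith(target + "/") for ns in namespaces)
            if not (by_name or by_ns):
                missing.setdefault(name, set()).add(target)
    return missing


def load_rules_dir(root: str) -> Dict[str, str]:
    """Read every .yml under root, i.e. the set capa would load from that path."""
    texts = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.endswith(".yml"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8") as f:
                    texts[path] = f.read()
    return texts


# Constructed sample rules (features are placeholders, not real capa-rules content).
PEB_ACCESS = """
rule:
  meta:
    name: PEB access
    namespace: host-interaction/process
  features:
    - or:
      - mnemonic: mov
"""

BEING_DEBUGGED = """
rule:
  meta:
    name: check for PEB BeingDebugged flag
    namespace: anti-analysis/anti-debugging/debugger-detection
  features:
    - and:
      - match: PEB access
      - offset: 0x2
"""

# Loading only the debugger-detection subdirectory vs. the whole tree.
SUBDIR_ONLY = {"debugger-detection/check-for-peb-beingdebugged-flag.yml": BEING_DEBUGGED}
WHOLE_TREE = dict(SUBDIR_ONLY, **{"host-interaction/process/peb-access.yml": PEB_ACCESS})


if __name__ == "__main__":
    import sys
    # Usage: python check_rules.py /path/to/capa-rules   (no argument: built-in sample)
    texts = load_rules_dir(sys.argv[1]) if len(sys.argv) > 1 else SUBDIR_ONLY
    problems = find_missing_dependencies(texts)
    for rule, targets in sorted(problems.items()):
        print(f'rule "{rule}" depends on missing rule(s): {", ".join(sorted(targets))}')
    print("all match: references satisfied" if not problems else f"{len(problems)} rule(s) incomplete")
```

Run against the subdirectory alone, the script reports exactly the reference capa complained about; run against the full clone, it reports nothing. That is the practical rule of thumb from this thread: point `--rules` at the whole repository and narrow the results with `-t` (or the plugin's search bar) rather than loading a single namespace directory.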

vxcall commented 1 year ago

Thank you, it worked...! :relieved: I misunderstood that I had to specify the particular directory containing the .yml files themselves. I can't wait to play with this amazing tool!!

mr-tz commented 1 year ago

Awesome, good luck and please let us know what works or how we can improve the tool!