mandiant / capa-rules

Standard collection of rules for capa: the tool for enumerating the capabilities of programs
https://github.com/mandiant/capa/
Apache License 2.0

Cleanup Nt* and Zw* api definitions #720

Open mr-tz opened 1 year ago

mr-tz commented 1 year ago

Various rules have just the Nt function or just the Zw function. Some have both.

Example: NtQuerySystemInformation listed but ZwQuerySystemInformation was missing (until upcoming PR here).

Cleaning this up would solve it for the current rules, but what about future ones?

  1. add a lint? (we have a semi-related lint for "feature api may overlap with ntdll and ntoskrnl")
  2. modify a) the feature extractor or b) the rule parser to emit Nt/Zw/... extractor
    • downside: could emit non-existing apis
    • upside: easier rule writing

williballenthin commented 1 year ago

i think adding a lint for this is a great idea

williballenthin commented 1 year ago

as you mentioned for (2), i don't really like the idea of emitting, particularly because things like show-features will list function APIs that potentially don't exist.
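As an added illustration of the lint proposed in this thread (option 1, endorsed above), and not code from capa or capa-rules: the check below scans `api:` feature lines in a rule, pairs `Nt*` with `Zw*`, and reports any native API whose counterpart is absent. It only reports and never emits the twin, so it cannot introduce non-existing APIs; the rule text and its regex-based line scan are assumptions constructed for this example, not capa's own parser.

```python
import re
from typing import Dict, Set

# Constructed sample in capa's rule syntax; it is not a rule from the capa-rules repo.
SAMPLE_RULE = """\
rule:
  meta:
    name: query system information (constructed lint sample)
  features:
    - or:
      - api: ntdll.NtQuerySystemInformation
      - api: NtQueryInformationProcess
      - api: ZwQueryInformationProcess
      - api: kernel32.GetSystemInfo
"""

# Matches "- api: [module.]Name" feature lines; the module prefix is optional.
API_LINE_RE = re.compile(
    r"^\s*-\s*api:\s*(?:(?P<module>[\w.]+)\.)?(?P<name>\w+)\s*$", re.MULTILINE
)
# Native-API naming: an Nt or Zw prefix followed by a capitalised name (NtClose, ZwClose).
NT_ZW_RE = re.compile(r"^(Nt|Zw)(?P<rest>[A-Z]\w*)$")


def collect_api_names(rule_text: str) -> Set[str]:
    """Return the bare function name of every api feature in the rule text."""
    return {m.group("name") for m in API_LINE_RE.finditer(rule_text)}


def find_missing_counterparts(rule_text: str) -> Dict[str, str]:
    """Lint: map each Nt*/Zw* api in the rule to its absent Zw*/Nt* twin.

    The lint only reports; it never adds the twin to the rule, so the rule
    author still decides whether the counterpart really exists as an export.
    """
    present = collect_api_names(rule_text)
    missing: Dict[str, str] = {}
    for name in sorted(present):
        m = NT_ZW_RE.match(name)
        if m is None:
            continue  # not a native API name, nothing to pair
        prefix, rest = m.group(1), m.group("rest")
        twin = ("Zw" if prefix == "Nt" else "Nt") + rest
        if twin not in present:
            missing[name] = twin
    return missing


if __name__ == "__main__":
    for name, twin in find_missing_counterparts(SAMPLE_RULE).items():
        print(f"lint: api {name} present but counterpart {twin} missing")
```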