mandiant / capa-rules

Standard collection of rules for capa: the tool for enumerating the capabilities of programs
https://github.com/mandiant/capa/
Apache License 2.0
531 stars 160 forks

Update and add Cabinet archive related rules #808

Closed jtothej closed 11 months ago

jtothej commented 1 year ago

Suggesting the following rearrangement, as the FCI/FDI API functions are dependent on each other, so I'm not sure if it's worth having separate rules for each of them:

FCICreate and FDICreate can potentially be used for shellcode execution via callback functions (TODO), so I'm adding them as library functions:

- lib/create-file-compression-interface-context.yml
- lib/create-file-decompression-interface-context.yml

Rules indicating creation of a Cabinet file or extraction of data from one:

- data-manipulation/compression/create-cabinet-file.yml
- data-manipulation/compression/extract-files-from-cabinet.yml

CC: @mike-hunhoff
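As an added illustration of the arrangement proposed above (this is not code from the PR or from the capa-rules repository), the decompression side could be expressed as a lib rule for FDICreate plus a namespaced rule that matches that lib rule together with FDICopy, so the shared context-creation feature is written once and reused. It is written against the capa v7 rule format (`scopes:`); the rule names, the `cabinet.` module prefix on the API names, the author entry and the `examples` placeholders are assumptions, and each rule would live in its own file under the paths named in the PR (shown here as two YAML documents separated by `---`).

```yaml
# lib/create-file-decompression-interface-context.yml (assumed file name, from the PR)
rule:
  meta:
    name: create file decompression interface context   # assumed name derived from the file name
    lib: true            # library rule: only useful when matched by other rules
    authors:
      - example-author   # placeholder
    scopes:
      static: basic block
      dynamic: call
    examples:
      - <sample sha256>:<function va>   # placeholder, not a real example entry
  features:
    - api: cabinet.FDICreate   # FDICreate sets up the File Decompression Interface context
---
# data-manipulation/compression/extract-files-from-cabinet.yml (assumed file name, from the PR)
rule:
  meta:
    name: extract files from cabinet
    namespace: data-manipulation/compression
    authors:
      - example-author   # placeholder
    scopes:
      static: function   # both calls must appear in one function
      dynamic: thread    # both calls must occur on one thread in a sandbox trace
    examples:
      - <sample sha256>:<function va>   # placeholder, not a real example entry
  features:
    - and:
      # reuse the lib rule instead of repeating the FDICreate feature here
      - match: create file decompression interface context
      # FDICopy walks the cabinet and hands each file to the caller's notification callback
      - api: cabinet.FDICopy
      - optional:
        # FDIDestroy releases the context; its absence should not break the match
        - api: cabinet.FDIDestroy
```

Splitting the rules this way keeps the capability report readable: the lib rule never shows up on its own in capa output, while "extract files from cabinet" only fires when the context is created and actually used, which is the behaviour an analyst cares about.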

mr-tz commented 1 year ago

@mike-hunhoff, can you take a look?

mr-tz commented 11 months ago

@mike-hunhoff bump :)