mandiant / capa-rules

Standard collection of rules for capa: the tool for enumerating the capabilities of programs
https://github.com/mandiant/capa/
Apache License 2.0
517 stars, 157 forks

upgrade rules using updated script #839

Closed mr-tz closed 9 months ago

mr-tz commented 10 months ago

#837 and all the comments broke the GitHub web UI...

Repeating the work now here using a script and fixing things locally - for the most part.

mr-tz commented 10 months ago

See https://github.com/mandiant/capa-rules/pull/839/commits/409da0b775bd467d70826e5149974f3b2fffdbc3 for some first updates to rules with subscopes. Is that what you had in mind @williballenthin @yelhamer?

mr-tz commented 10 months ago

I think all rules have been upgraded now.

I did not use the process scope in any rule so far.

The linter needs to use the changes from the dynamic-feature-extraction branch to pass.

mr-tz commented 10 months ago

If you've looked at a dozen or so changes from each commit (as they roughly group changes), I'm fairly confident in these updates and don't think we need a detailed review of each rule.

williballenthin commented 10 months ago

ah, that's a great way to group changes. i'll do this review tomorrow. thanks!

williballenthin commented 10 months ago

@mr-tz please see dbefb55


mr-tz commented 10 months ago

Is VMCI_SOCKETS_GET_AF_VALUE a valid argument to socket?

The other changes look good, thank you!

williballenthin commented 10 months ago

via here: https://github.com/mandiant/capa/blob/210a13d94ea40114e01b40927c77c1c74047780f/capa/rules/__init__.py#L544

an instruction subscope acts implicitly like an and: so we can save a line/indentation by not adding those. same with call. maybe we can do a cleanup of all the rules in another PR.

williballenthin commented 10 months ago

> Is VMCI_SOCKETS_GET_AF_VALUE a valid argument to socket?

ah, you're right, this is only passed to DeviceIoControl/ioctl. updated the logic to look like:

```yaml
      - and:
        - os: windows
        - api: DeviceIoControl
        - number: 0x81032068 = VMCI_SOCKETS_GET_AF_VALUE
        - optional:
          - api: socket
      - and:
        - os: linux
        - api: ioctl
        - number: 0x7B8 = VMCI_SOCKETS_GET_AF_VALUE
        - optional:
          - api: socket
```

scope: basic block/call

mr-tz commented 10 months ago

For call scope the optional socket would never match and the scopes should still be thread (and function) IMO.

mr-tz commented 10 months ago

> via here: https://github.com/mandiant/capa/blob/210a13d94ea40114e01b40927c77c1c74047780f/capa/rules/__init__.py#L544
>
> an instruction subscope acts implicitly like an and: so we can save a line/indentation by not adding those. same with call. maybe we can do a cleanup of all the rules in another PR.

I don't see that implemented for call, but think we should add and simplify the rules.
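To make the scope discussion above concrete, here is a toy evaluator for capa-style rule logic. It is an added example, not capa's own engine and not code from this PR; it mirrors only the pieces the thread touches (and/or/optional, a subscope body treated as an implicit "and", and call scope versus thread scope). The "call" subscope handling, the `Call`/`Thread` types, and the trace data are assumptions constructed for the example; only the two VMCI ioctl codes come from the rule fragment in the thread.

```python
"""Toy evaluator for capa-style rule logic over a constructed dynamic trace.
Added example, not capa's engine: it mirrors only and/or/optional, a subscope
body acting as an implicit "and", and call scope versus thread scope."""
from dataclasses import dataclass

VMCI_SOCKETS_GET_AF_VALUE_WINDOWS = 0x81032068   # ioctl codes from the rule fragment
VMCI_SOCKETS_GET_AF_VALUE_LINUX = 0x7B8

# Rule body as Python dicts instead of YAML (no PyYAML needed). One key per dict.
VMCI_RULE = {"or": [
    {"and": [{"os": "windows"}, {"api": "DeviceIoControl"},
             {"number": VMCI_SOCKETS_GET_AF_VALUE_WINDOWS},
             {"optional": [{"api": "socket"}]}]},
    {"and": [{"os": "linux"}, {"api": "ioctl"},
             {"number": VMCI_SOCKETS_GET_AF_VALUE_LINUX},
             {"optional": [{"api": "socket"}]}]},
]}

# Hypothetical variant with a "call" subscope whose bare-list body is an implicit
# "and" (the behaviour the thread describes for instruction and proposes for call).
VMCI_RULE_WITH_SUBSCOPE = {"and": [
    {"os": "windows"},
    {"call": [{"api": "DeviceIoControl"}, {"number": VMCI_SOCKETS_GET_AF_VALUE_WINDOWS}]},
    {"optional": [{"api": "socket"}]},
]}

@dataclass(frozen=True)
class Call:          # assumed shape of one API call in a dynamic trace
    api: str
    args: tuple

@dataclass(frozen=True)
class Thread:        # assumed shape of one thread: an OS tag plus its calls in order
    os: str
    calls: tuple

def call_features(os_name, call):
    """Features visible inside one call: os, api and the call's integer arguments."""
    return {("os", os_name), ("api", call.api)} | {("number", a) for a in call.args if isinstance(a, int)}

def evaluate(node, feats, per_call, optional_hits):
    """True if `node` matches `feats`. `per_call` holds one feature set per call for
    the subscope; `optional_hits` records optional children that matched, since
    optional never changes the verdict and is otherwise invisible."""
    if isinstance(node, list):                       # implicit "and"
        return all(evaluate(n, feats, per_call, optional_hits) for n in node)
    (key, value), = node.items()
    if key == "and":
        return all(evaluate(n, feats, per_call, optional_hits) for n in value)
    if key == "or":
        return any(evaluate(n, feats, per_call, optional_hits) for n in value)
    if key == "optional":
        for child in value:
            if evaluate(child, feats, per_call, optional_hits):
                optional_hits.append(child)
        return True
    if key == "call":                                # body must match within ONE call
        return any(evaluate(value, cf, [cf], optional_hits) for cf in per_call)
    if key in ("os", "api", "number"):
        return (key, value) in feats
    raise ValueError(f"unknown node type: {key}")

def match_call_scope(rule, thread):
    """Evaluate the rule against each call on its own: (matching indices, optional hits)."""
    matched, hits = [], []
    for i, call in enumerate(thread.calls):
        cf = call_features(thread.os, call)
        if evaluate(rule, cf, [cf], hits):
            matched.append(i)
    return matched, hits

def match_thread_scope(rule, thread):
    """Pool every call's features into one set: (verdict, optional hits)."""
    per_call = [call_features(thread.os, c) for c in thread.calls]
    hits = []
    return evaluate(rule, set().union(*per_call), per_call, hits), hits

# Constructed traces, not real sandbox output; argument values are made up.
WINDOWS_TRACE = Thread("windows", (
    Call("socket", (2, 1, 0)),
    Call("DeviceIoControl", (0x1C, VMCI_SOCKETS_GET_AF_VALUE_WINDOWS, 0, 0)),
))
LINUX_TRACE = Thread("linux", (
    Call("socket", (2, 1, 0)),
    Call("ioctl", (3, VMCI_SOCKETS_GET_AF_VALUE_LINUX, 0)),
))
SPLIT_TRACE = Thread("windows", (                     # api and number in different calls
    Call("DeviceIoControl", (0x1C, 0x1234, 0, 0)),
    Call("HeapAlloc", (0x2000, 0, VMCI_SOCKETS_GET_AF_VALUE_WINDOWS)),
))

if __name__ == "__main__":
    for name, trace in [("windows", WINDOWS_TRACE), ("linux", LINUX_TRACE), ("split", SPLIT_TRACE)]:
        print(name, "call scope:", match_call_scope(VMCI_RULE, trace),
              "thread scope:", match_thread_scope(VMCI_RULE, trace),
              "subscope:", match_thread_scope(VMCI_RULE_WITH_SUBSCOPE, trace))
```

Running it shows the two points made in the thread. At call scope the rule still matches on the DeviceIoControl/ioctl call, but the optional `api: socket` child never fires, because a single call carries exactly one API; at thread scope the pooled features let it fire. It also shows why a subscope is stricter than a flat thread-scope rule: on SPLIT_TRACE the pooled thread features satisfy the flat rule even though the ioctl code was passed to a different API, while the subscope version requires api and number inside the same call and does not match.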

mr-tz commented 9 months ago

rebased to master and: