Open Ana06 opened 11 months ago

capa doesn't detect null-preserving XOR because the XOR is not in a tight loop. Can we detect it?

Tested with capa 6.1.0 using sample 4ce210df92602f9cf4990357eb63f1f05cb5e89d03426a98a77ef98d6ff967bc

Can't detect it very easily since the loop isn't tight, like you said. We could write a rule with function scope matching and(non-zero xor, has loop), but this doesn't seem very specific at all.

For this specific function we could also limit the number of basic blocks and/or number of callers and/or number of callees. That might be reasonably robust but doesn't generalize the technique very well.

Do you all have any other ideas?

Another approach would be to extend tight loops to capture "almost tight loops" (in the feature extraction).