mandiant / capa-rules

Standard collection of rules for capa: the tool for enumerating the capabilities of programs
https://github.com/mandiant/capa/
Apache License 2.0

null-preserving XOR not identified #840

Open Ana06 opened 11 months ago

Ana06 commented 11 months ago

capa doesn't detect null-preserving XOR because the XOR is not in a tight loop. Can we detect it?

Screenshot 2023-11-06 at 15 20 47

Tested with capa 6.1.0 using sample 4ce210df92602f9cf4990357eb63f1f05cb5e89d03426a98a77ef98d6ff967bc

williballenthin commented 11 months ago

Can't detect it very easily since the loop isn't tight, like you said. We could write a rule with function scope matching and(non zero xor, has loop), but this doesn't seem very specific at all.

For this specific function we could also limit the number of basic blocks and/or #callers and/or #callees. That might be reasonably robust but doesn't generalize the technique very well.

Do you all have any other ideas?
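The function-scope "and(non zero xor, has loop)" idea sketched above, written out as an added example in capa's rule format (not a rule from capa-rules; the rule name and author are placeholders, and the single `scope:` key assumes the capa 6.x rule syntax the sample was tested with):

```yaml
rule:
  meta:
    name: encode data using XOR in a non-tight loop (example)
    namespace: data-manipulation/encoding/xor
    authors:
      - placeholder.author@example.invalid
    # function scope so that the loop characteristic (only available at
    # function level) can be combined with instruction-level nzxor features
    # found anywhere inside the function, not just in one basic block.
    scope: function
    description: >
      example only: matches any function that contains a loop and a
      non-zeroing XOR; as noted in the thread this is broad and will
      also hit ordinary arithmetic, so it is a starting point, not a
      finished detection.
  features:
    - and:
      # "has loop": the function contains a cycle in its control-flow graph,
      # regardless of whether that cycle is a single tight basic block.
      - characteristic: loop
      # "non zero xor": an xor whose operands differ (i.e. not reg, reg).
      - characteristic: nzxor
```

Running capa with this rule against the sample would report the function by address, so a hit can be compared against the screenshot above; tightening it (e.g. by further constraining the function, as suggested in the same comment) is what the rest of the thread is about.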

mr-tz commented 11 months ago

Another approach would be to extend tight loops to capture "almost tight loops" (in the feature extraction).