mandiant / capa-rules

Standard collection of rules for capa: the tool for enumerating the capabilities of programs
https://github.com/mandiant/capa/
Apache License 2.0

Update reference-analysis-tools-strings.yml #861

Closed ruppde closed 7 months ago

ruppde commented 8 months ago

Fix 2 problems:

1. Fix a false positive by not matching if there is a word character before `ida`:

   regex: `/ida[gqtuw]?(\.exe)?$/i`
   - "@.didat" @ file+0x2F7

   405d4c2ef7419bf265edef0fe86c8ba1ed634b10dccaaa0a6c6b953645598619

2. The regex didn't match ida64.exe because it required one of the characters in the brackets.

williballenthin commented 8 months ago
> - "@.didat" @ file+0x2F7

Is this actually a reference to the IDA filename, or an FP?
williballenthin commented 8 months ago

More generally, the four-character pattern `ida[gqtuw]` seems like it might very easily show up in random strings. Should we restrict it further, like ensuring it's not found within a substring, but only as a whole string?

```yaml
- or:
  - string: idag
  - string: idaq
  - string: idat
  - string: idau
  - string: idaw
  - string: /ida[gqtuw]?\.exe/i
```

Small filenames must be matched verbatim, as a whole string, or a longer filename can be part of a longer string.

ruppde commented 8 months ago

Yes, FP.

I think the `$` at the end prevents it from hitting any random substring.

Or consider putting that string in its own rule which gets "potential" in the title?
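The following Python is an added example, not code from this PR, from capa-rules or from capa itself. It runs the pattern quoted in the PR and its variants over a few constructed strings (the reported `@.didat` hit, some IDA filenames, and a couple of benign words) to show what the trailing `$` does and does not prevent, which is the point raised in the two comments above about substring versus whole-string matching. It assumes capa evaluates `string: /.../` features with unanchored `re.search` semantics, and the "hardened" pattern with `\b` and the `64` alternative is my own suggestion for illustration, not the rule as merged.

```python
import re

# Constructed sample strings (not taken from the PR's test file): the
# reported false positive, plausible IDA filenames, and benign strings.
SAMPLES = [
    "@.didat",                                # FP quoted in the PR
    "idaq",                                   # bare IDA executable name
    "IDA64.exe",                              # 64-bit IDA, missed by the old regex
    "C:\\Program Files\\IDA 7.5\\idaw.exe",   # full path ending in an IDA name
    "idag.exe",
    "Lucida",                                 # font name: "ida" at the end of a word
    "validate",                               # "ida" followed by more text
]

# Pattern as quoted in the PR, with one bracketed character required.
ORIGINAL = re.compile(r"ida[gqtuw](\.exe)?$", re.I)
# PR variant: the bracketed character is optional.
PROPOSED = re.compile(r"ida[gqtuw]?(\.exe)?$", re.I)
# Hypothetical hardened variant (my suggestion, not the merged rule):
# \b rejects a word character before "ida", and "64" covers ida64.exe.
HARDENED = re.compile(r"\bida(64|[gqtuw])?(\.exe)?$", re.I)


def matches(pattern: re.Pattern, strings: list[str]) -> list[str]:
    """Return the strings the pattern hits under re.search semantics.

    Assumption: capa evaluates string regexes with an unanchored search,
    so `$` pins only the end of the match, not where it starts.
    """
    return [s for s in strings if pattern.search(s)]


def false_positives(pattern: re.Pattern, strings: list[str], known_fps: set[str]) -> list[str]:
    """Subset of the hits that are known non-IDA strings."""
    return [s for s in matches(pattern, strings) if s in known_fps]


if __name__ == "__main__":
    known_fps = {"@.didat", "Lucida", "validate"}
    for name, pat in (("original", ORIGINAL), ("proposed", PROPOSED), ("hardened", HARDENED)):
        print(f"{name:9s} {pat.pattern!r}")
        for s in SAMPLES:
            print(f"   {'HIT ' if pat.search(s) else '    '} {s}")
        print(f"   false positives: {false_positives(pat, SAMPLES, known_fps)}")
```

Both the original and the proposed pattern still hit `@.didat`, because `$` only anchors the end of the match and `ida` sits inside `didat`; making the bracketed character optional additionally lets `Lucida` through. Rejecting a preceding word character (here with `\b`) removes both hits while keeping the real filenames, and is a cheaper alternative to listing every short name as a separate verbatim `string:`.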

mr-tz commented 7 months ago

thank you, @ruppde!