mandiant / capa-rules

Standard collection of rules for capa: the tool for enumerating the capabilities of programs
https://github.com/mandiant/capa/
Apache License 2.0

Revert "Add Base64 VBMI lookup table detection" #924

Closed mr-tz closed 2 months ago

mr-tz commented 2 months ago

Reverts mandiant/capa-rules#918

per the linter:

 decode data using Base64 via VBMI lookup table
  FAIL: doesn't match on referenced example: Fix the rule logic or provide a different example

@Still34 could you take another look at this?

Still34 commented 2 months ago

Huh, it matches for me though - or do both conditions I wrote have to be met? If so, I tried uploading the other sample but it kept failing CI checks.

Still34 commented 2 months ago

Well that's strange, it's matching in the IDA plugin but not the capa standalone?

mr-tz commented 2 months ago

Let me check what features vivisect extracts.

mr-tz commented 2 months ago

Vivisect seems to have issues handling the v/movdq instructions, so we cannot use this rule as is unfortunately...


 bb: 0x1400085D0: basic block
  insn: 0x1400085D0: mnemonic(lea)
  insn: 0x1400085D0: offset(-0x284)
  insn: 0x1400085D0: operand[1].offset(-0x284)
  insn: 0x1400085D0: number(-0x284)
  insn: 0x1400085D0: operand[1].number(-0x284)
  insn: 0x1400085D7: mnemonic(bound)
  insn: 0x1400085D9: mnemonic(dec)
  insn: 0x1400085D9: offset(0x6F)
  insn: 0x1400085D9: operand[0].offset(0x6F)
  insn: 0x1400085DC: characteristic(nzxor)
  insn: 0x1400085DC: mnemonic(xor)
  insn: 0x1400085DC: offset(-0xF)
  insn: 0x1400085DC: operand[0].offset(-0xF)
  insn: 0x1400085DF: mnemonic(dec)
  insn: 0x1400085DF: offset(0x6F)
  insn: 0x1400085DF: operand[0].offset(0x6F)
  insn: 0x1400085E2: mnemonic(add)
  insn: 0x1400085E2: offset(-0x27)
  insn: 0x1400085E2: operand[0].offset(-0x27)
  insn: 0x1400085E7: mnemonic(jnc)
 bb: 0x1400085ED: basic block
  insn: 0x1400085ED: mnemonic(bound)
  insn: 0x1400085EF: mnemonic(jg)
 bb: 0x1400085F1: basic block
  insn: 0x1400085F1: mnemonic(outsd)
  insn: 0x1400085F1: offset(0x0)
  insn: 0x1400085F1: operand[1].offset(0x0)
  insn: 0x1400085F2: mnemonic(sub)
  insn: 0x1400085F2: number(0x14049)
  insn: 0x1400085F2: operand[1].number(0x14049)
  insn: 0x1400085F7: mnemonic(bound)
  insn: 0x1400085F9: mnemonic(jg)
 bb: 0x1400085FB: basic block
  insn: 0x1400085FB: mnemonic(outsd)
  insn: 0x1400085FB: offset(0x0)
  insn: 0x1400085FB: operand[1].offset(0x0)
  insn: 0x1400085FC: mnemonic(and)
  insn: 0x1400085FC: number(0x1407F)
  insn: 0x1400085FC: operand[1].number(0x1407F)
  insn: 0x140008601: mnemonic(mov)
  insn: 0x140008604: mnemonic(mov)
  insn: 0x140008607: mnemonic(bound)
  insn: 0x140008609: mnemonic(jg)
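An added example, not part of this thread or of capa itself: it parses a feature dump like the one above (a constructed excerpt of it is embedded) and reports, per basic block, which mnemonics a rule requires that the backend never extracted. The required mnemonics vmovdqu64 and vpermb are assumed for illustration, not taken from the reverted rule.

```python
import re
from collections import defaultdict

# Constructed sample: an excerpt of the vivisect feature dump quoted in the thread.
# The block at 0x1400085D0 decodes as bound/outsd/jg, i.e. bytes decoded as legacy
# instructions rather than the EVEX-encoded ones the rule expects.
FEATURE_DUMP = """\
 bb: 0x1400085D0: basic block
  insn: 0x1400085D0: mnemonic(lea)
  insn: 0x1400085D7: mnemonic(bound)
  insn: 0x1400085D9: mnemonic(dec)
  insn: 0x1400085DC: characteristic(nzxor)
  insn: 0x1400085DC: mnemonic(xor)
  insn: 0x1400085E7: mnemonic(jnc)
 bb: 0x1400085F1: basic block
  insn: 0x1400085F1: mnemonic(outsd)
  insn: 0x1400085F7: mnemonic(bound)
  insn: 0x1400085F9: mnemonic(jg)
"""

BB_RE = re.compile(r"^\s*bb: (0x[0-9A-Fa-f]+): basic block$")
FEATURE_RE = re.compile(r"^\s*insn: (0x[0-9A-Fa-f]+): ([^(]+)\((.*)\)$")

# Hypothetical requirement for illustration: the VBMI rule needs a vmovdqu64 load
# and a vpermb table lookup in the same basic block (names assumed, not from the rule).
REQUIRED = ("vmovdqu64", "vpermb")


def parse_features(dump):
    """Map basic-block address (lowercase hex) -> set of (feature, value) pairs."""
    blocks = defaultdict(set)
    current = None
    for line in dump.splitlines():
        m = BB_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = FEATURE_RE.match(line)
        if m and current is not None:
            blocks[current].add((m.group(2), m.group(3)))
    return dict(blocks)


def missing_mnemonics(blocks, required=REQUIRED):
    """Per block, the required mnemonics the backend did not extract."""
    return {bb: [m for m in required if ("mnemonic", m) not in feats]
            for bb, feats in blocks.items()}


def rule_can_match(blocks, required=REQUIRED):
    """True only if some block carries every required mnemonic."""
    return any(not miss for miss in missing_mnemonics(blocks, required).values())
```

Running the check over the dump quoted above reports both mnemonics missing in every block, which is why the linter's referenced example cannot match under the vivisect backend even though IDA's extractor sees the instructions.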

mr-tz commented 2 months ago

TODO: open an issue with vivisect to inquire on this.

mr-tz commented 2 months ago

solved via #925