Capa explorer fails to run

[r0ny123]

Prerequisites

• [X] Put an X between the brackets on this line if you have done all of the following:
  • Checked that your issue isn't already filed: search

Description

Getting Error while invoking ida_capa_explorer.py using IDApro.

Steps to Reproduce

1. Load a file into IDA
2. then Alt+F7
3. Navigate to ida_capa_explorer.py and open it

Expected behavior:

It should open the capa explorer with the results.

Actual behavior:

the explorer is opening without the results.

Versions

Latest capa and python 2.7 on IDA Pro 7.0

Additional Information

I know the capa is meant to be working on 7.4 or 7.5 but looking at the error it seems capa can't locate rules path.

This is the following error thrown by IDA Pro:

INFO:capa:--------------------------------------------------------------------------------
INFO:capa: Using default embedded rules.
INFO:capa: 
INFO:capa: You can see the current default rule set here:
INFO:capa:     https://github.com/fireeye/capa-rules
INFO:capa:--------------------------------------------------------------------------------
IDAPython: Error while calling Python callback <OnCreate>:
Traceback (most recent call last):
  File "C:/python27-x64/Lib/site-packages/capa/ida/ida_capa_explorer.py", line 104, in OnCreate
    self.load_capa_results()
  File "C:/python27-x64/Lib/site-packages/capa/ida/ida_capa_explorer.py", line 362, in load_capa_results
    rules = capa.main.get_rules(rules_path)
  File "C:\python27-x64\lib\site-packages\capa\main.py", line 304, in get_rules
    raise IOError("rule path %s does not exist or cannot be accessed" % rule_path)
IOError: rule path C:/python27-x64/Lib/site-packages/capa/ida\../..\rules does not exist or cannot be accessed
INFO:capa:form closed.

[mr-tz]

Can you ensure you've downloaded capa-rules either directly or via loading the git submodule (see https://github.com/fireeye/capa/blob/master/doc/installation.md#2-check-out-source-code)?

[r0ny123]

yes I later on downloaded the capa rules directly and placed them under C:\python27-x64\Lib\site-packages and the previous error was resolved but got some other following errors:

INFO:capa:--------------------------------------------------------------------------------
INFO:capa: Using default embedded rules.
INFO:capa: 
INFO:capa: You can see the current default rule set here:
INFO:capa:     https://github.com/fireeye/capa-rules
INFO:capa:--------------------------------------------------------------------------------
IDAPython: Error while calling Python callback <OnCreate>:
Traceback (most recent call last):
  File "C:/python27-x64/Lib/site-packages/capa/ida/ida_capa_explorer.py", line 104, in OnCreate
    self.load_capa_results()
  File "C:/python27-x64/Lib/site-packages/capa/ida/ida_capa_explorer.py", line 368, in load_capa_results
    rules, capa.features.extractors.ida.IdaFeatureExtractor(), True
  File "C:\python27-x64\lib\site-packages\capa\main.py", line 106, in find_capabilities
    function_matches, bb_matches, feature_count = find_function_capabilities(ruleset, extractor, f)
  File "C:\python27-x64\lib\site-packages\capa\main.py", line 63, in find_function_capabilities
    for feature, va in extractor.extract_insn_features(f, bb, insn):
  File "C:\python27-x64\lib\site-packages\capa\features\extractors\ida\__init__.py", line 75, in extract_insn_features
    for (feature, ea) in capa.features.extractors.ida.insn.extract_features(f, bb, insn):
  File "C:\python27-x64\lib\site-packages\capa\features\extractors\ida\insn.py", line 347, in extract_features
    for (feature, ea) in inst_handler(f, bb, insn):
  File "C:\python27-x64\lib\site-packages\capa\features\extractors\ida\insn.py", line 76, in extract_insn_number_features
    if capa.features.extractors.ida.helpers.is_sp_modified(insn):
  File "C:\python27-x64\lib\site-packages\capa\features\extractors\ida\helpers.py", line 229, in is_sp_modified
    if op.reg == idautils.procregs.sp.reg and is_op_write(insn, op):
  File "C:\python27-x64\lib\site-packages\capa\features\extractors\ida\helpers.py", line 218, in is_op_write
    return idaapi.has_cf_chg(insn.get_canon_feature(), op.n)
AttributeError: 'module' object has no attribute 'has_cf_chg'
INFO:capa:form closed.

Any work around for this issue? And I think downloading capa rules should also be documented under https://github.com/fireeye/capa/blob/master/doc/installation.md#method-2-using-capa-as-a-python-library

[r0ny123]

And I think downloading capa rules should also be documented under https://github.com/fireeye/capa/blob/master/doc/installation.md#method-2-using-capa-as-a-python-library

Oh, I see this is already in discussion, +1 from me!

[mr-tz]

Any work around for this issue?

I can't currently test in IDA 7.0. What output do you get for idaapi.has_cf_chg in the Python console (Output window)?

[r0ny123]

Output: AttributeError: 'module' object has no attribute 'has_cf_chg'

[mr-tz]

Looks like this API call is not yet supported or maybe in a different module? @mike-hunhoff may be able to provide some help here (likely next week though).

We'll try to support older IDA versions, but will mostly focus on the current versions.

[r0ny123]

Thanks!

[lordtmk]

Hi guys, first thanks for all the work done to capa so far. I have the same setup than r0ny, did all the steps and got the same error : AttributeError: 'module' object has no attribute 'has_cf_chg'

I checked on the web and i saw that 'has_cf_chg' belong to ida_idp module. So i changed all idaapi calls in helpers.py to ida_idp.

Now i got a new error, i don't now if thats due to the modification but that seems different.

I know that you're making a great work actually, but i think many people use IDA 7.0 nowadays and are stuck.

(Pardon my english, i'm french)

INFO:capa:--------------------------------------------------------------------------------
INFO:capa: Using default embedded rules.
INFO:capa: 
INFO:capa: You can see the current default rule set here:
INFO:capa:     https://github.com/fireeye/capa-rules
INFO:capa:--------------------------------------------------------------------------------
WARNING:capa:skipping non-.yml file: LICENSE.txt
IDAPython: Error while calling Python callback <OnCreate>:
Traceback (most recent call last):
  File "C:/python27-x64/Lib/site-packages/capa/ida/ida_capa_explorer.py", line 104, in OnCreate
    self.load_capa_results()
  File "C:/python27-x64/Lib/site-packages/capa/ida/ida_capa_explorer.py", line 365, in load_capa_results
    meta = capa.ida.helpers.collect_metadata()
  File "C:\python27-x64\lib\site-packages\capa\ida\helpers\__init__.py", line 66, in collect_metadata
    "sha256": capa.features.bytes_to_str(idaapi.retrieve_input_file_sha256()),
  File "C:\python27-x64\lib\site-packages\capa\features\__init__.py", line 18, in bytes_to_str
    return codecs.encode(b, "hex")
  File "C:\python27-x64\Lib\encodings\hex_codec.py", line 24, in hex_encode
    output = binascii.b2a_hex(input)
TypeError: b2a_hex() argument 1 must be string or buffer, not None

[mr-tz]

I did some digging in an older IDA 7.0:

1. My version (7.0.170914 Windows x64) does not even include any reference to has_cf_chg, can you try $ grep -Eir has_cf_chg <IDADIR>? We may need an alternative way to check operand writes/reads.
2. For the failing bytes_to_str it looks like retrieve_input_file_sha256 is failing (likely a bug, I saw some discussions online), to circumvent, can you try adding this to the start of bytes_to_str in capa\features\__init__.py?

   if not b:
   return ""

Again, unfortunately this will be very hard to support for all (especially older) IDA versions given the differences in Python, IDA SDK, and IDAPython versions. Hopefully, we'll find ways to make it work though.

[williballenthin]

we should version check at the start of the script and bail if an unsupported version of IDA is encountered.

179

[lordtmk]

1 : Nothing happens

2 :

IDAPython: Error while calling Python callback <OnCreate>: Traceback (most recent call last): File "C:/python27-x64/Lib/site-packages/capa/ida/ida_capa_explorer.py", line 104, in OnCreate self.load_capa_results() File "C:/python27-x64/Lib/site-packages/capa/ida/ida_capa_explorer.py", line 368, in load_capa_results rules, capa.features.extractors.ida.IdaFeatureExtractor(), True File "C:\python27-x64\lib\site-packages\capa\main.py", line 106, in find_capabilities function_matches, bb_matches, feature_count = find_function_capabilities(ruleset, extractor, f) File "C:\python27-x64\lib\site-packages\capa\main.py", line 63, in find_function_capabilities for feature, va in extractor.extract_insn_features(f, bb, insn): File "C:\python27-x64\lib\site-packages\capa\features\extractors\ida\__init__.py", line 75, in extract_insn_features for (feature, ea) in capa.features.extractors.ida.insn.extract_features(f, bb, insn): File "C:\python27-x64\lib\site-packages\capa\features\extractors\ida\insn.py", line 347, in extract_features for (feature, ea) in inst_handler(f, bb, insn): File "C:\python27-x64\lib\site-packages\capa\features\extractors\ida\insn.py", line 120, in extract_insn_string_features found = capa.features.extractors.ida.helpers.find_string_at(ref) File "C:\python27-x64\lib\site-packages\capa\features\extractors\ida\helpers.py", line 164, in find_string_at found = idaapi.get_strlit_contents(ea, -1, idaapi.STRTYPE_C) File "C:\Program Files\IDA 7.0\python\ida_bytes.py", line 2087, in get_strlit_contents return _ida_bytes.get_strlit_contents(*args) OverflowError: in method 'get_strlit_contents', argument 2 of type 'size_t'

[mr-tz]

Yeah 😞 Looks like your version does not support this API call (1) and that the get_strlit_contents (2) behaves buggy/unexpected as well.

[mr-tz]

As mentioned before, given API differences we won't be able to support all versions of IDA Pro. We'll add a check to clarify what is supported to the plugin; tracked in https://github.com/fireeye/capa/issues/179.

For older versions using the importer script is a good workaround: https://github.com/fireeye/capa/blob/master/scripts/import-to-ida.py

[r0ny123]

I am gonna try that import script.

[Dextera0007]

Anyone familiar with the errors below when running capa against PE file: ERROR : Capa: default embedded rules not found (maybe you installed capa as a library ) ERROR: Provide your own rule set via the -r option

[mr-tz]

Yes, you need to download the rules as well. Please see the plugin documentation for details.

[Dextera0007]

Previously downloaded capa-rules : https://github.com/mandiant/capa-rules still encounters the same error. At the very least if I can run capa from the command line using default embedded rules. Where's the plugin documentation detail is located?

---

De : Moritz @.> Envoyé : mardi 23 juillet 2024 05:04 À : mandiant/capa @.> Cc : Dextera0007 @.>; Comment @.> Objet : Re: [mandiant/capa] Capa explorer fails to run (#165)

Yes, you need to download the rules as well. Please see the plugin documentation for details.

— Reply to this email directly, view it on GitHubhttps://github.com/mandiant/capa/issues/165#issuecomment-2244659864, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AGOJ7M7NJAO6EDDDYNYOP23ZNYMC5AVCNFSM6AAAAABLJGJURWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENBUGY2TSOBWGQ. You are receiving this because you commented.

[williballenthin]

https://github.com/mandiant/capa/tree/master/capa/ida/plugin#getting-started

[Dextera0007]

Anyone familiar with this error message " ERROR: capa: provide your own rule set via the -r option "