mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
https://mandiant.github.io/capa/
Apache License 2.0

lint: skip check of ntdll.NtProtectVirtualMemory #1675

Closed williballenthin closed 1 year ago

williballenthin commented 1 year ago
@williballenthin ➜ /workspaces/capa (master) $ python scripts/lint.py -t "Tracing" rules/ 
INFO:lint:successfully loaded 823 rules
INFO:lint:collecting potentially referenced samples

 patch Event Tracing for Windows function
  WARN: feature api may overlap with ntdll and ntoskrnl: check if NtProtectVirtualMemory is exported by both ntdll and ntoskrnl; if true, consider removing ntdll module requirement to improve detection

rules with WARN:
  - patch Event Tracing for Windows function

INFO:lint:no lints failed, nice!

williballenthin commented 1 year ago

also:

@williballenthin ➜ /workspaces/capa (fix/issue-1675) $ python scripts/lint.py rules/ 

INFO:lint:successfully loaded 826 rules
INFO:lint:collecting potentially referenced samples

 get UEFI variable
  WARN: feature api may overlap with ntdll and ntoskrnl: check if NtEnumerateSystemEnvironmentValuesEx is exported by both ntdll and ntoskrnl; if true, consider removing ntdll module requirement to improve detection

rules with WARN:
  - get UEFI variable

INFO:lint:no lints failed, nice!
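To make the lint behaviour in this issue concrete, here is an added, self-contained sketch of such a check with a skip list seeded from the issue title. It is not capa's `scripts/lint.py`: the rule dict layout, the helper names and the two constructed rules are assumptions, and the exception set is the only thing taken from the issue.

```python
# Added example, not capa's own lint code. Rule layout and helper names are assumed.
from typing import Iterator

# Names the lint should not flag even though they are ntdll Nt*/Zw* exports.
# Seeded from this issue's title; a maintainer would extend it as needed.
NTDLL_OVERLAP_EXCEPTIONS = {"NtProtectVirtualMemory"}


def iter_api_features(statement) -> Iterator[str]:
    """Yield every `api:` value under an (assumed) nested dict/list rule statement."""
    if isinstance(statement, dict):
        for key, value in statement.items():
            if key == "api":
                yield value
            else:
                yield from iter_api_features(value)
    elif isinstance(statement, list):
        for item in statement:
            yield from iter_api_features(item)


def lint_ntdll_overlap(rule: dict) -> list[str]:
    """Return WARN messages for api features pinned to ntdll whose name is a
    native Nt*/Zw* export that ntoskrnl may export as well."""
    warnings = []
    for api in iter_api_features(rule["features"]):
        module, _, name = api.rpartition(".")
        if module.lower() != "ntdll" or not name.startswith(("Nt", "Zw")):
            continue
        if name in NTDLL_OVERLAP_EXCEPTIONS:
            continue  # known false positive, deliberately skipped
        warnings.append(
            f"feature api may overlap with ntdll and ntoskrnl: check if {name} is "
            "exported by both ntdll and ntoskrnl; if true, consider removing ntdll "
            "module requirement to improve detection"
        )
    return warnings


# Constructed rules mirroring the two lint runs above (not capa's actual rule files).
ETW_RULE = {"name": "patch Event Tracing for Windows function",
            "features": [{"and": [{"api": "ntdll.NtProtectVirtualMemory"},
                                  {"api": "kernel32.VirtualProtect"}]}]}
UEFI_RULE = {"name": "get UEFI variable",
             "features": [{"or": [{"api": "ntdll.NtEnumerateSystemEnvironmentValuesEx"}]}]}

if __name__ == "__main__":
    for rule in (ETW_RULE, UEFI_RULE):
        for w in lint_ntdll_overlap(rule):
            print(f"{rule['name']}\n  WARN: {w}")
```

With the skip list in place the ETW rule is silent and only the UEFI rule still warns, matching the second run in this issue.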