mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
https://mandiant.github.io/capa/
Apache License 2.0

ARM support #1774

Open cosad3s opened 1 year ago

cosad3s commented 1 year ago

Summary

Today, when using capa on files like: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV)

We get the following capa output:

WARNING:capa.features.extractors.elffile:unsupported architecture: ARM
ERROR:capa:--------------------------------------------------------------------------------
ERROR:capa: Input file does not appear to target a supported architecture.
ERROR:capa: 
ERROR:capa: capa currently only supports analyzing x86 (32- and 64-bit).
ERROR:capa:--------------------------------------------------------------------------------

Do we have any hope of compatibility with ARM binaries?

Motivation

To target binaries in embedded devices for example.

Describe alternatives you've considered

N/A

Additional context

N/A
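The warning above is emitted by capa's ELF extractor once it has decided the target architecture from the file header. The following is an added illustration, not capa's own code: it decodes the same header fields (EI_CLASS, EI_DATA, e_machine and, for ARM, the EABI version in e_flags) and applies the x86-only policy the error message states. Field offsets are taken from the ELF specification; the header samples are constructed here and are not real binaries.

```python
import struct

# ELF e_machine values (from the ELF ABI; only the ones this example maps).
EM_386, EM_ARM, EM_X86_64, EM_AARCH64 = 0x03, 0x28, 0x3E, 0xB7
MACHINE_NAMES = {EM_386: "i386", EM_ARM: "ARM", EM_X86_64: "x86-64", EM_AARCH64: "AArch64"}
# What capa supported when this issue was filed, per its error message: x86 32/64-bit.
SUPPORTED = {EM_386, EM_X86_64}
EF_ARM_EABIMASK = 0xFF000000  # on ARM the EABI version lives in the top byte of e_flags


def parse_elf_header(data: bytes) -> dict:
    """Decode the header fields needed to describe an ELF target.
    Honours EI_CLASS (32/64-bit layout) and EI_DATA (byte order), so a
    big-endian or 64-bit image is read correctly rather than assumed to be x86."""
    if len(data) < 0x34 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("bad EI_CLASS/EI_DATA")
    end = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(end + "HH", data, 0x10)
    # e_flags sits at 0x24 in ELF32 and 0x30 in ELF64 (wider e_entry/e_phoff/e_shoff precede it).
    flags_off = 0x24 if ei_class == 1 else 0x30
    if len(data) < flags_off + 4:
        raise ValueError("truncated ELF header")
    (e_flags,) = struct.unpack_from(end + "I", data, flags_off)
    return {"bits": 32 if ei_class == 1 else 64, "lsb": ei_data == 1,
            "type": e_type, "machine": e_machine, "flags": e_flags}


def describe_target(data: bytes) -> tuple:
    """Return (human-readable target, supported?) the way the unsupported-architecture
    check behaves: anything outside SUPPORTED is rejected before analysis starts."""
    h = parse_elf_header(data)
    name = MACHINE_NAMES.get(h["machine"], "unknown(0x%x)" % h["machine"])
    desc = f"ELF {h['bits']}-bit {'LSB' if h['lsb'] else 'MSB'} {name}"
    if h["machine"] == EM_ARM:
        desc += f", EABI{(h['flags'] & EF_ARM_EABIMASK) >> 24}"
    return desc, h["machine"] in SUPPORTED


def make_header(ei_class: int, machine: int, flags: int = 0) -> bytes:
    """Build a constructed, minimal little-endian ELF header (sample input only)."""
    ident = b"\x7fELF" + bytes([ei_class, 1, 1, 0, 0]) + b"\x00" * 7  # EI_DATA=1 (LSB), SYSV ABI
    if ei_class == 1:  # ELF32: 52-byte header, e_flags at 0x24
        return ident + struct.pack("<HHIIIIIHHHHHH", 2, machine, 1, 0, 0, 0, flags, 52, 0, 0, 0, 0, 0)
    return ident + struct.pack("<HHIQQQIHHHHHH", 2, machine, 1, 0, 0, 0, flags, 64, 0, 0, 0, 0, 0)


ARM_EABI5_SAMPLE = make_header(1, EM_ARM, 0x05000000)  # the file class reported in this issue
X64_SAMPLE = make_header(2, EM_X86_64)
```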

williballenthin commented 1 year ago

We have been talking about supporting ARM recently. The primary reason we don't have it today is that we (capa authors that are malware analysts on FLARE) don't see all that much ARM malware, so we're not as familiar with the architecture. I don't think there's any technical reason preventing us from adding ARM support.

@cosad3s can we tag you here when we need help developing and testing ARM support?

cosad3s commented 12 months ago

Hello, I am not an expert in that domain, but I'll be pleased to test capa in ARM context :)

xusheng6 commented 11 months ago

It would really be a chance to show off Binary Ninja's capabilities, since our analysis is IL-based, which means few changes will be needed in order to support a new arch like ARM.

williballenthin commented 11 months ago

A major (self-imposed) requirement to merging Arm support is a test suite that gives us confidence that the Arm analysis works as expected. As noted above, we're not really experienced in Arm, so this is a place we'd love some help, such as by highlighting common Arm code patterns, architectural considerations, real-world reversing advice, etc. Concretely, PRs to the capa test cases that assert how Arm analysis should work, for calls, basic blocks, string references, etc. This means both executable test files and the locations in those files of interesting features.

The existing x86 test suite has enabled us to accept alternative backends, such as Binary Ninja, since we're confident that all backends provide a similar level of analysis/correctness. As we consider Arm support, an Arm test suite will let us accept contributions for Arm analysis backends, such as vivisect, Binary Ninja, IDA, Ghidra, etc.