mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
Apache License 2.0

Dynamic support for other file types besides Windows PEs #1933

Open mr-tz opened 5 months ago

mr-tz commented 5 months ago

The current dynamic extractor focuses on PEs; the CAPE sandbox supports other types, which should be added down the road.

There are several requirements on the target file type, including:

reference: https://github.com/mandiant/capa/issues/1880

eingel86 commented 4 months ago

Dear @mr-tz ,

I found errors that brought me back to this page. The errors are these:

ERROR:capa.features.extractors.cape.extractor:capa currently only supports PE target files, this target file's type is: 'Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {61446857-88E0-42BA-9333-2C1F5E61F834}, Number of Words: 10, Subject: scrapper, Author: scrapper, Name of Creating Application: scrapper, Template: ;1033, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Wed Feb 21 01:46:35 2024, Last Saved Time/Date: Wed Feb 21 01:46:35 2024, Last Printed: Wed Feb 21 01:46:35 2024, Number of Pages: 450'.
feb 23 10:43:44 capev2sandbox python3[45107]: Please report this at: https://github.com/mandiant/capa/issues/1933
feb 23 10:43:44 capev2sandbox python3[45107]: 2024-02-23 10:43:44,275 [Task 10] [capa.features.extractors.cape.extractor] ERROR: capa currently only supports PE target files, this target file's type is: 'Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {61446857-88E0-42BA-9333-2C1F5E61F834}, Number of Words: 10, Subject: scrapper, Author: scrapper, Name of Creating Application: scrapper, Template: ;1033, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Wed Feb 21 01:46:35 2024, Last Saved Time/Date: Wed Feb 21 01:46:35 2024, Last Printed: Wed Feb 21 01:46:35 2024, Number of Pages: 450'.
feb 23 10:43:44 capev2sandbox python3[45107]: Please report this at: https://github.com/mandiant/capa/issues/1933

Do you know how the problem can be solved?

mr-tz commented 4 months ago

Hey, thanks for the info! There are a few architectural/plumbing changes we have to make to support more file types. Supporting documents could be an interesting research project as part of this. Unfortunately, I currently think it's not a quick fix we can provide unless someone from the community steps up to work on this.

albertososa95 commented 1 month ago

Hi, I'm using CAPEv2 and I have this error: [capa.features.extractors.cape.extractor] ERROR: capa currently only supports PE target files, this target file's type is: 'EICAR virus test files'.

Does this mean that I can only analyze PE files?

mr-tz commented 1 month ago

That is correct.
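The two failures in this thread (an MSI installer and an EICAR test file) both stem from the same gate: the CAPE-based dynamic extractor only proceeds when the target is a PE. The following is an added example for this thread, not code from capa or CAPEv2, that a CAPE operator can use to triage samples before submitting them. It reads the `target.file.type` description from a CAPE `report.json` (that field path is assumed from CAPE's report layout; adjust it if your CAPE version differs), approximates the "is this a PE?" decision behind the error message with a substring test (an approximation, not capa's exact code), and cross-checks it against the sample's own magic bytes. The report fragments and byte strings are constructed inputs modelled on the two error messages quoted above.

```python
"""Pre-flight triage: will capa's CAPE dynamic extractor accept this sample?

Added example for the capa issue thread; not capa or CAPEv2 code.
Assumptions (labelled in comments): CAPE report field path target.file.type,
and a "PE" substring test standing in for capa's actual acceptance check.
"""
import json
from typing import Dict

# Well-known magic bytes for the formats that appear in this thread.
MZ_MAGIC = b"MZ"                                        # DOS header that every PE starts with
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"         # OLE2 / Compound File Binary: MSI, .doc, .xls
EICAR_PREFIX = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR"   # leading bytes of the EICAR test string


def classify_magic(sample_head: bytes) -> str:
    """Coarse file kind from the first bytes of a sample."""
    if sample_head.startswith(MZ_MAGIC):
        return "pe"
    if sample_head.startswith(OLE_MAGIC):
        return "ole"    # reported by `file` as "Composite Document File V2 Document"
    if sample_head.startswith(EICAR_PREFIX):
        return "eicar"
    return "unknown"


def target_type_from_report(report_json: str) -> str:
    """Return the libmagic description CAPE stored for the analysed target.

    Assumption: CAPE's report.json exposes it at target -> file -> type.
    """
    report = json.loads(report_json)
    return report.get("target", {}).get("file", {}).get("type", "")


def capa_accepts_target(file_type: str) -> bool:
    """Approximation of the gate behind the error in this thread.

    The dynamic extractor only continues for PE targets, so a description
    that does not mention PE (MSI, EICAR, documents, ...) is rejected.
    """
    return "PE" in file_type


def preflight(report_json: str, sample_head: bytes) -> Dict[str, object]:
    """Combine the report description and the sample's magic into one verdict.

    `consistent` flags disagreement between what CAPE says the target is and
    what the bytes say, which usually means the wrong file was submitted or
    the report belongs to a different task.
    """
    file_type = target_type_from_report(report_json)
    kind = classify_magic(sample_head)
    accepted = capa_accepts_target(file_type)
    return {
        "file_type": file_type,
        "magic_kind": kind,
        "capa_accepts": accepted,
        "consistent": (kind == "pe") == accepted,
    }


# Constructed report fragments modelled on the messages quoted in the thread.
MSI_REPORT = json.dumps({"target": {"file": {"type": (
    "Composite Document File V2 Document, Little Endian, Os: Windows, "
    "Version 10.0, MSI Installer")}}})
EICAR_REPORT = json.dumps({"target": {"file": {"type": "EICAR virus test files"}}})
PE_REPORT = json.dumps({"target": {"file": {"type": (
    "PE32 executable (GUI) Intel 80386, for MS Windows")}}})

# Constructed sample heads (only the leading bytes matter for this triage).
MSI_HEAD = OLE_MAGIC + b"\x00" * 24
EICAR_HEAD = EICAR_PREFIX + b"-STANDARD"
PE_HEAD = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for name, report, head in (("msi", MSI_REPORT, MSI_HEAD),
                               ("eicar", EICAR_REPORT, EICAR_HEAD),
                               ("pe", PE_REPORT, PE_HEAD)):
        print(name, preflight(report, head))
```

Run it against a real CAPE task by loading the task's `report.json` and the first 64 bytes of the submitted sample; anything that comes back with `capa_accepts` false is a sample capa will currently log the "only supports PE target files" error for, so it can be routed around capa rather than reported as a bug.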