mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
Apache License 2.0

ida-explorer: replace deprecated IDA API find_binary with bin_search #2011

Closed s-ff closed 4 months ago

s-ff commented 5 months ago

This change closes #1606 by replacing the deprecated IDA API find_binary with bin_search.

Checklist

s-ff commented 4 months ago

Hi @mike-hunhoff,

I have run the test_ida_features.py test script using the following steps:

  1. From my repo, I ran pip install . to install flare-capa with my changes.
  2. Copied capa_explorer.py to the IDA plugins folder.
  3. While the target test file mimikatz.exe_ is loaded in IDA, I ran the script using File > Script file... (or Alt+F7).
Here is the output of the test:

```
Python> --------------------------------------------------------------------------------
PASS: test_ida_feature_counts/mimikatz-function=0x40E5C2-basic block-7
PASS: test_ida_feature_counts/mimikatz-function=0x4702FD-characteristic(calls from)-0
PASS: test_ida_feature_counts/mimikatz-function=0x40E5C2-characteristic(calls from)-3
PASS: test_ida_feature_counts/mimikatz-function=0x4556E5-characteristic(calls to)-0
PASS: test_ida_feature_counts/mimikatz-function=0x40B1F1-characteristic(calls to)-3
SKIP: test_ida_features/294b8d...-function=0x404970,bb=0x404970,insn=0x40499F-string(\r\n\x00:ht)-False
SKIP: test_ida_features/64d9f-function=0x10001510,bb=0x100015B0-offset(0x4000)-True
SKIP: test_ida_features/7351f.elf-file-os(linux)-True
SKIP: test_ida_features/7351f.elf-file-os(windows)-False
SKIP: test_ida_features/7351f.elf-file-format(elf)-True
SKIP: test_ida_features/7351f.elf-file-format(pe)-False
SKIP: test_ida_features/7351f.elf-file-arch(i386)-False
SKIP: test_ida_features/7351f.elf-file-arch(amd64)-True
SKIP: test_ida_features/7351f.elf-function=0x408753-string(/dev/null)-True
SKIP: test_ida_features/7351f.elf-function=0x408753,bb=0x408781-api(open)-True
SKIP: test_ida_features/773290...-function=0x140001140-string(%s:\\\\OfficePackagesForWDAG)-True
SKIP: test_ida_features/79abd...-function=0x10002385,bb=0x10002385-characteristic(call $+5)-True
SKIP: test_ida_features/946a9...-function=0x10001510,bb=0x100015c0-characteristic(call $+5)-True
SKIP: test_ida_features/a1982...-function=0x4014D0-characteristic(cross section flow)-True
SKIP: test_ida_features/al-khaser x64-function=0x14004B4F0-api(__vcrt_GetModuleHandle)-True
SKIP: test_ida_features/c91887...-function=0x40156F-api(CloseClipboard)-True
SKIP: test_ida_features/c91887...-function=0x401A77-api(kernel32.CreatePipe)-False
SKIP: test_ida_features/c91887...-function=0x401A77-api(kernel32.SetHandleInformation)-False
SKIP: test_ida_features/c91887...-function=0x401A77-api(kernel32.CloseHandle)-False
SKIP: test_ida_features/c91887...-function=0x401A77-api(kernel32.WriteFile)-False
SKIP: test_ida_features/c91887...-function=0x401A77-api(CreatePipe)-True
SKIP: test_ida_features/c91887...-function=0x401A77-api(SetHandleInformation)-True
SKIP: test_ida_features/c91887...-function=0x401A77-api(CloseHandle)-True
SKIP: test_ida_features/c91887...-function=0x401A77-api(WriteFile)-True
SKIP: test_ida_features/ea2876-file-export(vresion.GetFileVersionInfoA)-True
SKIP: test_ida_features/ea2876-file-characteristic(forwarded export)-True
SKIP: test_ida_features/kernel32-file-export(BaseThreadInitThunk)-True
SKIP: test_ida_features/kernel32-file-export(lstrlenW)-True
SKIP: test_ida_features/kernel32-file-export(nope)-False
SKIP: test_ida_features/kernel32-64-function=0x180001010-api(RtlVirtualUnwind)-True
SKIP: test_ida_features/kernel32-64-function=0x180001010-api(RtlVirtualUnwind)-True
SKIP: test_ida_features/kernel32-64-function=0x180001068-characteristic(gs access)-True
SKIP: test_ida_features/kernel32-64-function=0x180001068-characteristic(cross section flow)-False
SKIP: test_ida_features/kernel32-64-function=0x1800017D0-characteristic(peb access)-True
SKIP: test_ida_features/kernel32-64-function=0x1800202B0-api(RtlCaptureContext)-True
SKIP: test_ida_features/kernel32-64-function=0x1800202B0-api(RtlCaptureContext)-True
PASS: test_ida_features/mimikatz-file-string(SCardControl)-True
PASS: test_ida_features/mimikatz-file-string(SCardTransmit)-True
PASS: test_ida_features/mimikatz-file-string(ACR > )-True
PASS: test_ida_features/mimikatz-file-string(nope)-False
PASS: test_ida_features/mimikatz-file-section(.text)-True
PASS: test_ida_features/mimikatz-file-section(.nope)-False
PASS: test_ida_features/mimikatz-file-import(advapi32.CryptSetHashParam)-True
PASS: test_ida_features/mimikatz-file-import(CryptSetHashParam)-True
PASS: test_ida_features/mimikatz-file-import(kernel32.IsWow64Process)-True
PASS: test_ida_features/mimikatz-file-import(IsWow64Process)-True
PASS: test_ida_features/mimikatz-file-import(msvcrt.exit)-True
PASS: test_ida_features/mimikatz-file-import(cabinet.#11)-True
PASS: test_ida_features/mimikatz-file-import(#11)-False
PASS: test_ida_features/mimikatz-file-import(#nope)-False
PASS: test_ida_features/mimikatz-file-import(nope)-False
PASS: test_ida_features/mimikatz-file-import(advapi32.CryptAcquireContextW)-True
PASS: test_ida_features/mimikatz-file-import(advapi32.CryptAcquireContext)-True
PASS: test_ida_features/mimikatz-file-import(CryptAcquireContextW)-True
PASS: test_ida_features/mimikatz-file-import(CryptAcquireContext)-True
PASS: test_ida_features/mimikatz-file-os(windows)-True
PASS: test_ida_features/mimikatz-file-arch(i386)-True
PASS: test_ida_features/mimikatz-file-format(pe)-True
PASS: test_ida_features/mimikatz-function=0x401000-characteristic(loop)-False
PASS: test_ida_features/mimikatz-function=0x401000-characteristic(tight loop)-False
PASS: test_ida_features/mimikatz-function=0x401000-characteristic(stack string)-False
PASS: test_ida_features/mimikatz-function=0x401000-number(0x0)-True
PASS: test_ida_features/mimikatz-function=0x401000-bytes(FD FF 59 F6 47)-False
PASS: test_ida_features/mimikatz-function=0x401000,bb=0x401000-characteristic(tight loop)-False
PASS: test_ida_features/mimikatz-function=0x40105D-mnemonic(push)-True
PASS: test_ida_features/mimikatz-function=0x40105D-mnemonic(movzx)-True
PASS: test_ida_features/mimikatz-function=0x40105D-mnemonic(xor)-True
PASS: test_ida_features/mimikatz-function=0x40105D-mnemonic(in)-False
PASS: test_ida_features/mimikatz-function=0x40105D-mnemonic(out)-False
PASS: test_ida_features/mimikatz-function=0x40105D-number(0xFF)-True
PASS: test_ida_features/mimikatz-function=0x40105D-number(0x3136B0)-True
PASS: test_ida_features/mimikatz-function=0x40105D-number(0xC)-False
PASS: test_ida_features/mimikatz-function=0x40105D-number(0x10)-False
PASS: test_ida_features/mimikatz-function=0x40105D-offset(0x0)-True
PASS: test_ida_features/mimikatz-function=0x40105D-offset(0x4)-True
PASS: test_ida_features/mimikatz-function=0x40105D-offset(0xC)-True
PASS: test_ida_features/mimikatz-function=0x40105D-offset(0x8)-False
PASS: test_ida_features/mimikatz-function=0x40105D-offset(0x10)-False
PASS: test_ida_features/mimikatz-function=0x40105D-string(SCardControl)-True
PASS: test_ida_features/mimikatz-function=0x40105D-string(SCardTransmit)-True
PASS: test_ida_features/mimikatz-function=0x40105D-string(ACR > )-True
PASS: test_ida_features/mimikatz-function=0x40105D-string(nope)-False
PASS: test_ida_features/mimikatz-function=0x40105D-bytes(53 00 43 00 61 00 72 00 64 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C 00)-False
PASS: test_ida_features/mimikatz-function=0x40105D-bytes(53 00 43 00 61 00 72 00 64 00 54 00 72 00 61 00 6E 00 73 00 6D 00 69 00 74 00)-False
PASS: test_ida_features/mimikatz-function=0x40105D-bytes(41 00 43 00 52 00 20 00 20 00 3E 00 20 00)-False
PASS: test_ida_features/mimikatz-function=0x40105D-bytes(6E 6F 70 65)-False
PASS: test_ida_features/mimikatz-function=0x40105D-characteristic(nzxor)-False
PASS: test_ida_features/mimikatz-function=0x40105D-characteristic(calls to)-True
PASS: test_ida_features/mimikatz-function=0x40105D-os(windows)-True
PASS: test_ida_features/mimikatz-function=0x40105D-arch(i386)-True
PASS: test_ida_features/mimikatz-function=0x40105D,bb=0x401073-operand[1].number(0xFF)-True
PASS: test_ida_features/mimikatz-function=0x40105D,bb=0x401073-operand[0].number(0xFF)-False
PASS: test_ida_features/mimikatz-function=0x40105D,bb=0x4010B0-operand[0].offset(0x4)-True
PASS: test_ida_features/mimikatz-function=0x40105D,bb=0x4010B0-operand[1].offset(0x4)-False
PASS: test_ida_features/mimikatz-function=0x4011FB-offset(-0x1)-True
PASS: test_ida_features/mimikatz-function=0x4011FB-offset(-0x2)-True
PASS: test_ida_features/mimikatz-function=0x401517-characteristic(loop)-True
PASS: test_ida_features/mimikatz-function=0x401517-bytes(CA 3B 0E 00 00 00 F8 AF 47)-True
PASS: test_ida_features/mimikatz-function=0x401553-number(0xFFFFFFFF)-True
PASS: test_ida_features/mimikatz-function=0x401873,bb=0x4018B2,insn=0x4018C0-number(0x2)-True
PASS: test_ida_features/mimikatz-function=0x401CC7,bb=0x401CDE,insn=0x401CF6-offset(0x10)-False
PASS: test_ida_features/mimikatz-function=0x401D64,bb=0x401D73,insn=0x401D85-offset(0x80000000)-False
PASS: test_ida_features/mimikatz-function=0x402203,bb=0x402221,insn=0x40223C-offset(0x4)-True
PASS: test_ida_features/mimikatz-function=0x402EC4-characteristic(tight loop)-True
PASS: test_ida_features/mimikatz-function=0x402EC4,bb=0x402F8E-characteristic(tight loop)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.CryptAcquireContextW)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.CryptAcquireContext)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.CryptGenKey)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.CryptImportKey)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.CryptDestroyKey)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(CryptAcquireContextW)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(CryptAcquireContext)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(CryptGenKey)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(CryptImportKey)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(CryptDestroyKey)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(Nope)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.Nope)-False
PASS: test_ida_features/mimikatz-function=0x404414-bytes(01 80 00 00 40 EA 47 00)-True
PASS: test_ida_features/mimikatz-function=0x40640e-characteristic(recursive call)-True
PASS: test_ida_features/mimikatz-function=0x40B3C6-api(LocalFree)-True
PASS: test_ida_features/mimikatz-function=0x410DFC-characteristic(nzxor)-True
PASS: test_ida_features/mimikatz-function=0x410dfc-characteristic(nzxor)-True
PASS: test_ida_features/mimikatz-function=0x4175FF-characteristic(recursive call)-False
PASS: test_ida_features/mimikatz-function=0x4175FF-characteristic(indirect call)-True
PASS: test_ida_features/mimikatz-function=0x43e543-number(0xFFFFFFF0)-True
PASS: test_ida_features/mimikatz-function=0x44570F-bytes(FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF)-False
PASS: test_ida_features/mimikatz-function=0x44EDEF-string(INPUTEVENT)-True
PASS: test_ida_features/mimikatz-function=0x44EDEF-bytes(49 00 4E 00 50 00 55 00 54 00 45 00 56 00 45 00 4E 00 54 00)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(stack string)-True
PASS: test_ida_features/mimikatz-function=0x4556E5-api(advapi32.LsaQueryInformationPolicy)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-api(LsaQueryInformationPolicy)-True
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(peb access)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(gs access)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(cross section flow)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(indirect call)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(calls from)-True
PASS: test_ida_features/mimikatz-function=0x456BB9-characteristic(calls to)-False
PASS: test_ida_features/mimikatz-function=0x456BB9-format(pe)-True
PASS: test_ida_features/mimikatz-function=0x46D534-characteristic(nzxor)-False
PASS: test_ida_features/mimikatz-function=0x46D6CE-string((null))-True
PASS: test_ida_features/mimikatz-function=0x4702FD-characteristic(calls from)-False
PASS: test_ida_features/mimikatz-function=0x47153B,bb=0x4717AB,insn=0x4717B1-number(-0x30)-False
PASS: test_ida_features/mimikatz-function=0x471EAB,bb=0x471ED8,insn=0x471EE6-number(0x4)-False
SKIP: test_ida_features/pma12-04-file-characteristic(embedded pe)-True
SKIP: test_ida_features/pma16-01-file-function-name(__aulldiv)-True
SKIP: test_ida_features/pma16-01-file-os(windows)-True
SKIP: test_ida_features/pma16-01-file-os(linux)-False
SKIP: test_ida_features/pma16-01-file-arch(i386)-True
SKIP: test_ida_features/pma16-01-file-arch(amd64)-False
SKIP: test_ida_features/pma16-01-file-format(pe)-True
SKIP: test_ida_features/pma16-01-file-format(elf)-False
SKIP: test_ida_features/pma16-01-function=0x4021B0-regex(string =~ HTTP/1.0)-True
SKIP: test_ida_features/pma16-01-function=0x402F40-regex(string =~ www.practicalmalwareanalysis.com)-True
SKIP: test_ida_features/pma16-01-function=0x402F40-substring(practicalmalwareanalysis.com)-True
SKIP: test_ida_features/pma16-01-function=0x404356-os(windows)-True
SKIP: test_ida_features/pma16-01-function=0x404356-arch(i386)-True
SKIP: test_ida_features/pma16-01-function=0x404356-format(pe)-True
SKIP: test_ida_features/pma16-01-function=0x404356,bb=0x4043B9-os(windows)-True
SKIP: test_ida_features/pma16-01-function=0x404356,bb=0x4043B9-arch(i386)-True
PASS: test_ida_features/mimikatz-file-import(cabinet.FCIAddFile)-True
DONE
```

s-ff commented 4 months ago

Hi @mike-hunhoff,

Good point - ida_bytes.parse_bin_pat_str does indeed change the first input passed to it. Thus, it doesn't make sense to declare a global variable IDA_BYTES_PATTERNS. On the other hand, ida_nalt.get_default_encoding_idx(ida_nalt.BPU_1B) could be used as a global variable for reuse.

Here is a snippet demonstrating this case:

(screenshot of the snippet; image not captured)

Here is the output of the test:

```
--------------------------------------------------------------------------------
PASS: test_ida_feature_counts/mimikatz-function=0x40E5C2-basic block-7
PASS: test_ida_feature_counts/mimikatz-function=0x4702FD-characteristic(calls from)-0
PASS: test_ida_feature_counts/mimikatz-function=0x40E5C2-characteristic(calls from)-3
PASS: test_ida_feature_counts/mimikatz-function=0x4556E5-characteristic(calls to)-0
PASS: test_ida_feature_counts/mimikatz-function=0x40B1F1-characteristic(calls to)-3
SKIP: test_ida_features/294b8d...-function=0x404970,bb=0x404970,insn=0x40499F-string(\r\n\x00:ht)-False
SKIP: test_ida_features/64d9f-function=0x10001510,bb=0x100015B0-offset(0x4000)-True
SKIP: test_ida_features/7351f.elf-file-os(linux)-True
SKIP: test_ida_features/7351f.elf-file-os(windows)-False
SKIP: test_ida_features/7351f.elf-file-format(elf)-True
SKIP: test_ida_features/7351f.elf-file-format(pe)-False
SKIP: test_ida_features/7351f.elf-file-arch(i386)-False
SKIP: test_ida_features/7351f.elf-file-arch(amd64)-True
SKIP: test_ida_features/7351f.elf-function=0x408753-string(/dev/null)-True
SKIP: test_ida_features/7351f.elf-function=0x408753,bb=0x408781-api(open)-True
SKIP: test_ida_features/773290...-function=0x140001140-string(%s:\\\\OfficePackagesForWDAG)-True
SKIP: test_ida_features/79abd...-function=0x10002385,bb=0x10002385-characteristic(call $+5)-True
SKIP: test_ida_features/946a9...-function=0x10001510,bb=0x100015c0-characteristic(call $+5)-True
SKIP: test_ida_features/a1982...-function=0x4014D0-characteristic(cross section flow)-True
SKIP: test_ida_features/al-khaser x64-function=0x14004B4F0-api(__vcrt_GetModuleHandle)-True
SKIP: test_ida_features/c91887...-function=0x40156F-api(CloseClipboard)-True
SKIP: test_ida_features/c91887...-function=0x401A77-api(kernel32.CreatePipe)-False
SKIP: test_ida_features/c91887...-function=0x401A77-api(kernel32.SetHandleInformation)-False
SKIP: test_ida_features/c91887...-function=0x401A77-api(kernel32.CloseHandle)-False
SKIP: test_ida_features/c91887...-function=0x401A77-api(kernel32.WriteFile)-False
SKIP: test_ida_features/c91887...-function=0x401A77-api(CreatePipe)-True
SKIP: test_ida_features/c91887...-function=0x401A77-api(SetHandleInformation)-True
SKIP: test_ida_features/c91887...-function=0x401A77-api(CloseHandle)-True
SKIP: test_ida_features/c91887...-function=0x401A77-api(WriteFile)-True
SKIP: test_ida_features/ea2876-file-export(vresion.GetFileVersionInfoA)-True
SKIP: test_ida_features/ea2876-file-characteristic(forwarded export)-True
SKIP: test_ida_features/kernel32-file-export(BaseThreadInitThunk)-True
SKIP: test_ida_features/kernel32-file-export(lstrlenW)-True
SKIP: test_ida_features/kernel32-file-export(nope)-False
SKIP: test_ida_features/kernel32-64-function=0x180001010-api(RtlVirtualUnwind)-True
SKIP: test_ida_features/kernel32-64-function=0x180001010-api(RtlVirtualUnwind)-True
SKIP: test_ida_features/kernel32-64-function=0x180001068-characteristic(gs access)-True
SKIP: test_ida_features/kernel32-64-function=0x180001068-characteristic(cross section flow)-False
SKIP: test_ida_features/kernel32-64-function=0x1800017D0-characteristic(peb access)-True
SKIP: test_ida_features/kernel32-64-function=0x1800202B0-api(RtlCaptureContext)-True
SKIP: test_ida_features/kernel32-64-function=0x1800202B0-api(RtlCaptureContext)-True
PASS: test_ida_features/mimikatz-file-string(SCardControl)-True
PASS: test_ida_features/mimikatz-file-string(SCardTransmit)-True
PASS: test_ida_features/mimikatz-file-string(ACR > )-True
PASS: test_ida_features/mimikatz-file-string(nope)-False
PASS: test_ida_features/mimikatz-file-section(.text)-True
PASS: test_ida_features/mimikatz-file-section(.nope)-False
PASS: test_ida_features/mimikatz-file-import(advapi32.CryptSetHashParam)-True
PASS: test_ida_features/mimikatz-file-import(CryptSetHashParam)-True
PASS: test_ida_features/mimikatz-file-import(kernel32.IsWow64Process)-True
PASS: test_ida_features/mimikatz-file-import(IsWow64Process)-True
PASS: test_ida_features/mimikatz-file-import(msvcrt.exit)-True
PASS: test_ida_features/mimikatz-file-import(cabinet.#11)-True
PASS: test_ida_features/mimikatz-file-import(#11)-False
PASS: test_ida_features/mimikatz-file-import(#nope)-False
PASS: test_ida_features/mimikatz-file-import(nope)-False
PASS: test_ida_features/mimikatz-file-import(advapi32.CryptAcquireContextW)-True
PASS: test_ida_features/mimikatz-file-import(advapi32.CryptAcquireContext)-True
PASS: test_ida_features/mimikatz-file-import(CryptAcquireContextW)-True
PASS: test_ida_features/mimikatz-file-import(CryptAcquireContext)-True
PASS: test_ida_features/mimikatz-file-os(windows)-True
PASS: test_ida_features/mimikatz-file-arch(i386)-True
PASS: test_ida_features/mimikatz-file-format(pe)-True
PASS: test_ida_features/mimikatz-function=0x401000-characteristic(loop)-False
PASS: test_ida_features/mimikatz-function=0x401000-characteristic(tight loop)-False
PASS: test_ida_features/mimikatz-function=0x401000-characteristic(stack string)-False
PASS: test_ida_features/mimikatz-function=0x401000-number(0x0)-True
PASS: test_ida_features/mimikatz-function=0x401000-bytes(FD FF 59 F6 47)-False
PASS: test_ida_features/mimikatz-function=0x401000,bb=0x401000-characteristic(tight loop)-False
PASS: test_ida_features/mimikatz-function=0x40105D-mnemonic(push)-True
PASS: test_ida_features/mimikatz-function=0x40105D-mnemonic(movzx)-True
PASS: test_ida_features/mimikatz-function=0x40105D-mnemonic(xor)-True
PASS: test_ida_features/mimikatz-function=0x40105D-mnemonic(in)-False
PASS: test_ida_features/mimikatz-function=0x40105D-mnemonic(out)-False
PASS: test_ida_features/mimikatz-function=0x40105D-number(0xFF)-True
PASS: test_ida_features/mimikatz-function=0x40105D-number(0x3136B0)-True
PASS: test_ida_features/mimikatz-function=0x40105D-number(0xC)-False
PASS: test_ida_features/mimikatz-function=0x40105D-number(0x10)-False
PASS: test_ida_features/mimikatz-function=0x40105D-offset(0x0)-True
PASS: test_ida_features/mimikatz-function=0x40105D-offset(0x4)-True
PASS: test_ida_features/mimikatz-function=0x40105D-offset(0xC)-True
PASS: test_ida_features/mimikatz-function=0x40105D-offset(0x8)-False
PASS: test_ida_features/mimikatz-function=0x40105D-offset(0x10)-False
PASS: test_ida_features/mimikatz-function=0x40105D-string(SCardControl)-True
PASS: test_ida_features/mimikatz-function=0x40105D-string(SCardTransmit)-True
PASS: test_ida_features/mimikatz-function=0x40105D-string(ACR > )-True
PASS: test_ida_features/mimikatz-function=0x40105D-string(nope)-False
PASS: test_ida_features/mimikatz-function=0x40105D-bytes(53 00 43 00 61 00 72 00 64 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C 00)-False
PASS: test_ida_features/mimikatz-function=0x40105D-bytes(53 00 43 00 61 00 72 00 64 00 54 00 72 00 61 00 6E 00 73 00 6D 00 69 00 74 00)-False
PASS: test_ida_features/mimikatz-function=0x40105D-bytes(41 00 43 00 52 00 20 00 20 00 3E 00 20 00)-False
PASS: test_ida_features/mimikatz-function=0x40105D-bytes(6E 6F 70 65)-False
PASS: test_ida_features/mimikatz-function=0x40105D-characteristic(nzxor)-False
PASS: test_ida_features/mimikatz-function=0x40105D-characteristic(calls to)-True
PASS: test_ida_features/mimikatz-function=0x40105D-os(windows)-True
PASS: test_ida_features/mimikatz-function=0x40105D-arch(i386)-True
PASS: test_ida_features/mimikatz-function=0x40105D,bb=0x401073-operand[1].number(0xFF)-True
PASS: test_ida_features/mimikatz-function=0x40105D,bb=0x401073-operand[0].number(0xFF)-False
PASS: test_ida_features/mimikatz-function=0x40105D,bb=0x4010B0-operand[0].offset(0x4)-True
PASS: test_ida_features/mimikatz-function=0x40105D,bb=0x4010B0-operand[1].offset(0x4)-False
PASS: test_ida_features/mimikatz-function=0x4011FB-offset(-0x1)-True
PASS: test_ida_features/mimikatz-function=0x4011FB-offset(-0x2)-True
PASS: test_ida_features/mimikatz-function=0x401517-characteristic(loop)-True
PASS: test_ida_features/mimikatz-function=0x401517-bytes(CA 3B 0E 00 00 00 F8 AF 47)-True
PASS: test_ida_features/mimikatz-function=0x401553-number(0xFFFFFFFF)-True
PASS: test_ida_features/mimikatz-function=0x401873,bb=0x4018B2,insn=0x4018C0-number(0x2)-True
PASS: test_ida_features/mimikatz-function=0x401CC7,bb=0x401CDE,insn=0x401CF6-offset(0x10)-False
PASS: test_ida_features/mimikatz-function=0x401D64,bb=0x401D73,insn=0x401D85-offset(0x80000000)-False
PASS: test_ida_features/mimikatz-function=0x402203,bb=0x402221,insn=0x40223C-offset(0x4)-True
PASS: test_ida_features/mimikatz-function=0x402EC4-characteristic(tight loop)-True
PASS: test_ida_features/mimikatz-function=0x402EC4,bb=0x402F8E-characteristic(tight loop)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.CryptAcquireContextW)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.CryptAcquireContext)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.CryptGenKey)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.CryptImportKey)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.CryptDestroyKey)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(CryptAcquireContextW)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(CryptAcquireContext)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(CryptGenKey)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(CryptImportKey)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(CryptDestroyKey)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(Nope)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.Nope)-False
PASS: test_ida_features/mimikatz-function=0x404414-bytes(01 80 00 00 40 EA 47 00)-True
PASS: test_ida_features/mimikatz-function=0x40640e-characteristic(recursive call)-True
PASS: test_ida_features/mimikatz-function=0x40B3C6-api(LocalFree)-True
PASS: test_ida_features/mimikatz-function=0x410DFC-characteristic(nzxor)-True
PASS: test_ida_features/mimikatz-function=0x410dfc-characteristic(nzxor)-True
PASS: test_ida_features/mimikatz-function=0x4175FF-characteristic(recursive call)-False
PASS: test_ida_features/mimikatz-function=0x4175FF-characteristic(indirect call)-True
PASS: test_ida_features/mimikatz-function=0x43e543-number(0xFFFFFFF0)-True
PASS: test_ida_features/mimikatz-function=0x44570F-bytes(FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF)-False
PASS: test_ida_features/mimikatz-function=0x44EDEF-string(INPUTEVENT)-True
PASS: test_ida_features/mimikatz-function=0x44EDEF-bytes(49 00 4E 00 50 00 55 00 54 00 45 00 56 00 45 00 4E 00 54 00)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(stack string)-True
PASS: test_ida_features/mimikatz-function=0x4556E5-api(advapi32.LsaQueryInformationPolicy)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-api(LsaQueryInformationPolicy)-True
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(peb access)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(gs access)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(cross section flow)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(indirect call)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(calls from)-True
PASS: test_ida_features/mimikatz-function=0x456BB9-characteristic(calls to)-False
PASS: test_ida_features/mimikatz-function=0x456BB9-format(pe)-True
PASS: test_ida_features/mimikatz-function=0x46D534-characteristic(nzxor)-False
PASS: test_ida_features/mimikatz-function=0x46D6CE-string((null))-True
PASS: test_ida_features/mimikatz-function=0x4702FD-characteristic(calls from)-False
PASS: test_ida_features/mimikatz-function=0x47153B,bb=0x4717AB,insn=0x4717B1-number(-0x30)-False
PASS: test_ida_features/mimikatz-function=0x471EAB,bb=0x471ED8,insn=0x471EE6-number(0x4)-False
SKIP: test_ida_features/pma12-04-file-characteristic(embedded pe)-True
SKIP: test_ida_features/pma16-01-file-function-name(__aulldiv)-True
SKIP: test_ida_features/pma16-01-file-os(windows)-True
SKIP: test_ida_features/pma16-01-file-os(linux)-False
SKIP: test_ida_features/pma16-01-file-arch(i386)-True
SKIP: test_ida_features/pma16-01-file-arch(amd64)-False
SKIP: test_ida_features/pma16-01-file-format(pe)-True
SKIP: test_ida_features/pma16-01-file-format(elf)-False
SKIP: test_ida_features/pma16-01-function=0x4021B0-regex(string =~ HTTP/1.0)-True
SKIP: test_ida_features/pma16-01-function=0x402F40-regex(string =~ www.practicalmalwareanalysis.com)-True
SKIP: test_ida_features/pma16-01-function=0x402F40-substring(practicalmalwareanalysis.com)-True
SKIP: test_ida_features/pma16-01-function=0x404356-os(windows)-True
SKIP: test_ida_features/pma16-01-function=0x404356-arch(i386)-True
SKIP: test_ida_features/pma16-01-function=0x404356-format(pe)-True
SKIP: test_ida_features/pma16-01-function=0x404356,bb=0x4043B9-os(windows)-True
SKIP: test_ida_features/pma16-01-function=0x404356,bb=0x4043B9-arch(i386)-True
PASS: test_ida_features/mimikatz-file-import(cabinet.FCIAddFile)-True
DONE
```

Please let me know if you need anything else before you merge this.
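The point raised in the thread (the compiled pattern passed to ida_bytes.parse_bin_pat_str is mutated, so it cannot live in a module-level global, while the forward search is repeated from the previous hit plus one) is easy to get wrong without IDA at hand. The following is an added example, not capa's or IDA's code: a pure-Python model of that compile-then-search loop that runs without IDA. `parse_pattern` stands in for ida_bytes.parse_bin_pat_str (it appends into a caller-supplied list, mirroring the out-parameter behaviour discussed above), `bin_search` stands in for ida_bytes.bin_search, and `BADADDR`, `SAMPLE` and the `?` wildcard syntax are assumptions chosen for illustration.

```python
"""Pure-Python model of "compile a byte pattern once per call, then search
forward repeatedly" (constructed example; it does NOT use IDA).

parse_pattern() plays the role of ida_bytes.parse_bin_pat_str and
bin_search() the role of ida_bytes.bin_search.  Names, signatures and the
sample buffer are assumptions for illustration only.
"""
from typing import List, Tuple

BADADDR = -1  # stands in for idaapi.BADADDR (assumed sentinel)

# Compiled pattern: one (value, mask) pair per byte; mask 0x00 means wildcard "?".
CompiledPattern = List[Tuple[int, int]]

# Constructed sample buffer: two "MZ" headers and one "PE" signature.
SAMPLE = b"MZ\x90\x00PE\x00\x00MZ\x00\x00"


def parse_pattern(out: CompiledPattern, pattern: str) -> bool:
    """Append the compiled form of a hex pattern such as "4d 5a ? 00" to *out*.

    The first argument is mutated (out-parameter style), which is exactly why a
    shared module-level pattern object is unsafe: every call grows it.
    Returns True on a parse error and False on success.
    """
    for tok in pattern.split():
        if tok == "?":
            out.append((0x00, 0x00))  # wildcard byte
            continue
        try:
            value = int(tok, 16)
        except ValueError:
            return True
        if not 0 <= value <= 0xFF:
            return True
        out.append((value, 0xFF))
    return False


def bin_search(buf: bytes, start: int, end: int, compiled: CompiledPattern) -> int:
    """Forward search for *compiled* inside buf[start:end]; return the first
    matching index or BADADDR."""
    n = len(compiled)
    for ea in range(start, min(end, len(buf)) - n + 1):
        if all((buf[ea + i] & mask) == value for i, (value, mask) in enumerate(compiled)):
            return ea
    return BADADDR


def find_byte_sequence(buf: bytes, start: int, end: int, pattern: str) -> List[int]:
    """Return every match offset, restarting the search at the previous hit + 1."""
    compiled: CompiledPattern = []  # fresh per call, never a global
    if parse_pattern(compiled, pattern) or not compiled:
        return []
    hits: List[int] = []
    while True:
        ea = bin_search(buf, start, end, compiled)
        if ea == BADADDR:
            break
        hits.append(ea)
        start = ea + 1
    return hits


def shared_pattern_length() -> int:
    """Shows the failure mode of reusing one pattern object across calls:
    the second parse appends to the first, yielding "4d 5a 50 45" (4 bytes)
    instead of replacing it with "50 45" (2 bytes)."""
    shared: CompiledPattern = []
    parse_pattern(shared, "4d 5a")
    parse_pattern(shared, "50 45")
    return len(shared)


if __name__ == "__main__":
    print(find_byte_sequence(SAMPLE, 0, len(SAMPLE), "4d 5a"))
    print(find_byte_sequence(SAMPLE, 0, len(SAMPLE), "4d 5a ? 00"))
    print(shared_pattern_length())
```

The loop shape in `find_byte_sequence` is the one that matters when porting: the compiled pattern is built inside the function, and after each hit the start address advances by one so the next search cannot return the same offset. The encoding index that the thread proposes caching is a plain integer, so unlike the pattern object it is safe to compute once.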