mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
https://mandiant.github.io/capa/
Apache License 2.0

dotnet: yield FORMAT_DOTNET before FORMAT_PE when processing .NET files #2022

Closed mike-hunhoff closed 6 months ago

mike-hunhoff commented 7 months ago

We should change the order used to yield multiple formats for .NET files so FORMAT_DOTNET is used for capa's output metadata.

https://github.com/mandiant/capa/blob/49231366f1cbb800f296c60a2cb99f97466e2e33/capa/features/extractors/dotnetfile.py#L51-L53

This order doesn't matter for matching but does matter when collecting the file's metadata because we default to the first in the list.

https://github.com/mandiant/capa/blob/49231366f1cbb800f296c60a2cb99f97466e2e33/capa/loader.py#L385-L387
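To make the ordering point concrete, here is an added stand-alone illustration (not capa's own code, and the `FORMAT_*` strings, the `extract_format` generator and the "first yielded format wins" metadata rule are assumptions modelled on the issue text). It detects a .NET image by the CLR runtime header slot in the PE data directory and yields the more specific format first, so a consumer that takes the first entry records `dotnet` rather than `pe`:

```python
import struct
from typing import Iterator

# Hypothetical format identifiers, mirroring the issue's FORMAT_DOTNET / FORMAT_PE.
FORMAT_PE = "pe"
FORMAT_DOTNET = "dotnet"

# Data directory slot 14 holds the CLR runtime header in a .NET assembly.
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14


def has_clr_header(buf: bytes) -> bool:
    """True if the PE's data directory carries a non-empty CLR header entry."""
    if buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt = e_lfanew + 4 + 20                      # skip signature and COFF header
    magic = struct.unpack_from("<H", buf, opt)[0]
    # NumberOfRvaAndSizes sits at +92 in a PE32 optional header, +108 in PE32+.
    nrva_off = opt + (92 if magic == 0x10B else 108)
    nrva = struct.unpack_from("<I", buf, nrva_off)[0]
    if nrva <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return False
    dir_off = nrva_off + 4 + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8
    rva, size = struct.unpack_from("<II", buf, dir_off)
    return rva != 0 and size != 0


def extract_format(buf: bytes) -> Iterator[str]:
    """Yield the most specific format first so a first-wins consumer picks dotnet."""
    if buf[:2] == b"MZ":
        if has_clr_header(buf):
            yield FORMAT_DOTNET
        yield FORMAT_PE


def metadata_format(buf: bytes) -> str:
    """Same rule the issue describes: metadata defaults to the first yielded format."""
    return next(extract_format(buf), "unknown")


def make_pe32_headers(clr: bool) -> bytes:
    """Constructed minimal PE32 header-only image, with or without a CLR directory entry."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> "PE\0\0" at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96 + 128, 0x102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    if clr:                                          # constructed RVA/size values
        struct.pack_into("<II", dirs, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(dirs)
```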

mr-tz commented 7 months ago

Alternatively, display all formats.

samadpls commented 7 months ago

Hi @mr-tz, can I take this issue :)

mr-tz commented 7 months ago

Of course.