mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
Apache License 2.0

Add nzxor characteristic in BinExport extractor. #2073

Closed larchchen closed 1 month ago

larchchen commented 2 months ago

By referencing the vivisect implementation.


mr-tz commented 2 months ago

Can you share a sample that contains EOR (and stack cookies) for testing?

larchchen commented 1 month ago

Can you share a sample that contains EOR (and stack cookies) for testing?

After seeking some help, it is still quite difficult to get an example using EOR for stack cookie checks. Most ARM/AArch64 samples I have checked are using CMP then B.NE for stack checks. Some of them may use ITTTT.

Not sure if it is worth creating an Arm64X PE test file for this case.

mr-tz commented 1 month ago

That's good information. We don't need to do that check then for the respective binaries. Do you have an AArch64 sample that should match nzxor?

larchchen commented 1 month ago

Sample d1e6506964edbfffb08c0dd32e1486b11fbced7a4bd870ffe79f110298f0efb8 would do.

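As an illustration of the characteristic discussed in this thread, here is an added, constructed model of the nzxor heuristic (not capa's, vivisect's or BinExport's own code): an XOR/EOR counts as nzxor only when the operands it reads differ, so register-zeroing idioms are skipped, and, following the observation above that AArch64 stack checks use CMP/B.NE rather than EOR, no stack-cookie filter is applied to EOR. The disassembly lines and the `source_operands`/`is_nzxor`/`find_nzxor` helpers are assumptions made for this example.

```python
import re
from typing import List, Tuple

# Constructed disassembly lines (address, mnemonic, operands); not from any real sample.
SAMPLE: List[Tuple[int, str, str]] = [
    (0x1000, "xor", "eax, eax"),            # x86 zeroing idiom -> ignored
    (0x1003, "xor", "eax, 0x5A"),           # register ^ constant -> nzxor
    (0x1006, "xor", "ecx, [esp+0x10]"),     # register ^ memory -> nzxor
    (0x2000, "eor", "w0, w0, w0"),          # AArch64 zeroing idiom -> ignored
    (0x2004, "eor", "w1, w1, #0x5a"),       # register ^ immediate -> nzxor
    (0x2008, "eor", "x2, x3, x4, lsl #2"),  # shifted operand2 -> nzxor
    (0x200c, "cmp", "x8, x9"),              # not an xor at all
]

XOR_MNEMONICS = {"xor", "eor"}
# A trailing "lsl #n" style shift belongs to the last operand, not a new one.
_SHIFT = re.compile(r",\s*(lsl|lsr|asr|ror)\s+#\d+\s*$", re.IGNORECASE)


def source_operands(mnemonic: str, operands: str) -> List[str]:
    """Return the operands the instruction reads.

    x86 `xor dst, src` reads both dst and src; AArch64 `eor rd, rn, op2`
    reads rn and op2 only (rd is write-only), so rd is dropped there.
    """
    text = _SHIFT.sub("", operands)
    ops = [o.strip().lower() for o in text.split(",")]
    return ops[1:] if mnemonic == "eor" else ops


def is_nzxor(mnemonic: str, operands: str) -> bool:
    """nzxor: an xor whose sources differ, i.e. one that is not just zeroing a register."""
    if mnemonic not in XOR_MNEMONICS:
        return False
    srcs = source_operands(mnemonic, operands)
    return len(srcs) >= 2 and len(set(srcs)) > 1


def find_nzxor(insns: List[Tuple[int, str, str]]) -> List[int]:
    """Addresses of instructions that would carry the nzxor characteristic."""
    # On x86, extractors also drop xors that belong to a stack-cookie check; the
    # thread notes AArch64 uses CMP/B.NE for that, so EOR gets no such filter here.
    return [addr for addr, mn, ops in insns if is_nzxor(mn.lower(), ops)]


if __name__ == "__main__":
    for addr in find_nzxor(SAMPLE):
        print(f"{addr:#x}: nzxor")
```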

mr-tz commented 1 month ago

thanks!