mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
https://mandiant.github.io/capa/
Apache License 2.0

rule set does not correctly validate dependencies across scopes #2124

Open williballenthin opened 3 months ago

williballenthin commented 3 months ago

capa-rules contains at least one rule with an impossible dependency, and neither capa nor its linter complains. We should ensure that capa correctly tracks dependencies across scopes, or warns the user when it's impossible.

log keystrokes via application hook is a dynamic: call scoped rule that relies on set application hook, which is a dynamic: thread scoped rule. Since we evaluate from small to large scopes (call before thread), this dependency will never be satisfied.
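The check the comment above asks for, as an added example that is not capa's own code nor its linter: given a set of rules with their per-flavor scopes and the rule names they `match` on, flag every dependency that points at a rule of a larger scope in the same flavor (which can never be satisfied when scopes are evaluated smallest first) or at a rule that is not evaluated in that flavor at all. The rule dict layout, the full scope ordering (the issue only states that call is evaluated before thread), and the sample rules are assumptions constructed for this example; the two rule names from the issue are reused, but their scopes here are hand-written, not copied from capa-rules.

```python
from typing import Dict, List, Tuple

# Assumed evaluation order within each flavor, smallest scope first.
# The issue only states that "call" is evaluated before "thread"; the rest
# of the ordering is an assumption of this example.
SCOPE_ORDER = {
    "static": ["instruction", "basic block", "function", "file"],
    "dynamic": ["call", "thread", "process", "file"],
}

# Constructed sample rules (hand-written for this example; the scopes and
# `matches` lists are not copied from capa-rules).
SAMPLE_RULES: Dict[str, dict] = {
    "set application hook": {
        "scopes": {"static": "function", "dynamic": "thread"},
        "matches": [],
    },
    "log keystrokes via application hook": {
        "scopes": {"static": "function", "dynamic": "call"},
        "matches": ["set application hook"],
    },
    "static-only helper (constructed)": {
        "scopes": {"static": "basic block"},
        "matches": [],
    },
    "dynamic-only consumer (constructed)": {
        "scopes": {"dynamic": "process"},
        "matches": ["static-only helper (constructed)"],
    },
}

# (flavor, rule name, rule scope, dependency name, dependency scope or reason)
Problem = Tuple[str, str, str, str, str]


def find_impossible_dependencies(rules: Dict[str, dict]) -> List[Problem]:
    """Report every `match:` dependency that can never be satisfied.

    A dependency is impossible when, within one flavor (static or dynamic),
    the depended-on rule has a larger scope than the depending rule, because
    the larger scope is evaluated later; it is also impossible when the
    depended-on rule is missing or has no scope in that flavor.
    Same-scope and smaller-scope dependencies are fine.
    """
    problems: List[Problem] = []
    for name, rule in rules.items():
        for flavor, order in SCOPE_ORDER.items():
            scope = rule["scopes"].get(flavor)
            if scope is None:
                continue  # rule is not evaluated in this flavor
            for dep in rule.get("matches", []):
                dep_rule = rules.get(dep)
                if dep_rule is None:
                    problems.append((flavor, name, scope, dep, "missing"))
                    continue
                dep_scope = dep_rule["scopes"].get(flavor)
                if dep_scope is None:
                    problems.append((flavor, name, scope, dep, "not evaluated in this flavor"))
                    continue
                if order.index(dep_scope) > order.index(scope):
                    # dependency lives in a scope evaluated after ours
                    problems.append((flavor, name, scope, dep, dep_scope))
    return problems


def format_problem(problem: Problem) -> str:
    flavor, name, scope, dep, why = problem
    return f"[{flavor}] rule '{name}' ({scope}) matches '{dep}' ({why}): dependency can never be satisfied"


if __name__ == "__main__":
    for problem in find_impossible_dependencies(SAMPLE_RULES):
        print(format_problem(problem))
```

Run against the constructed sample, the check reports the call-scoped rule depending on the thread-scoped one, plus the cross-flavor case where a dynamic-only rule depends on a rule that only has a static scope. A linter would run this over the whole loaded rule set before evaluation so the impossible dependency is an error at load time rather than a silently never-matching rule.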

williballenthin commented 3 months ago

also allocate memory > link function at runtime on Windows

mr-tz commented 2 weeks ago

@williballenthin is it fine if we punt this again to the next release or should we address it now for v7.3.0?