Open mike-hunhoff opened 4 years ago
we can support this by translating the bytes literal into a regular expression (python supports byte literals in regexes).
how would you use this feature?
I was looking for this feature to write rules for direct syscall invocations - commonly generated by tooling like SysWhispers.
```asm
4C 8B D1          mov r10, rcx
B8 ?? ?? ?? ??    mov eax, ??
0F 05             syscall
C3                retn
```
should be a pretty straightforward byte sequence for a capa rule, but I'm not sure how I would implement it without byte wildcards.
edit: I kept working on this and I think I should be able to do it with mnemonics after reading the Heaven's Gate rule. probably a similar situation for a lot of these
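The translation suggested in the first comment, applied to the syscall stub above, as an added example (not capa's own code): a wildcard byte pattern is turned into a compiled bytes regex and searched in a constructed sample buffer. It assumes YARA-style tokens (`??` for any byte, `[n]` / `[n-m]` for skips) and an arbitrary syscall number in the sample.

```python
import re

# Constructed sample buffer: two NOPs, the stub from the comment above with an
# arbitrary syscall number (0x18), then INT3 padding.
SAMPLE = bytes.fromhex("90 90 4C 8B D1 B8 18 00 00 00 0F 05 C3 CC CC")

HEX_DIGITS = set("0123456789abcdefABCDEF")


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA-style hex string into a compiled bytes regex.

    Tokens: 'XX' literal byte, '??' any single byte, '[n]' exactly n bytes,
    '[n-m]' between n and m bytes (a skip). Anything else is rejected.
    """
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(rb".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, _, hi = tok[1:-1].partition("-")
            lo_n = int(lo)
            hi_n = int(hi) if hi else lo_n
            if lo_n > hi_n:
                raise ValueError(f"bad skip range {tok}")
            parts.append(rb".{%d,%d}" % (lo_n, hi_n))
        elif len(tok) == 2 and set(tok) <= HEX_DIGITS:
            # re.escape keeps regex metacharacters such as 0x2A ('*') literal
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported token {tok!r}")
    # DOTALL so '.' also matches 0x0A; bytes patterns have no Unicode semantics
    return re.compile(b"".join(parts), re.DOTALL)


def find_matches(pattern: str, data: bytes) -> list:
    """Return the offsets at which the wildcard pattern occurs in data."""
    return [m.start() for m in hex_pattern_to_regex(pattern).finditer(data)]


if __name__ == "__main__":
    print(find_matches("4C 8B D1 B8 ?? ?? ?? ?? 0F 05 C3", SAMPLE))
```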
right, in capa we could match on a basic block containing something like:
```yaml
features:
  - and:
    - mnemonic: syscall
    - mnemonic: retn
```
Do you have a file/hash you can share for this specific example?
I was using WdToggle, a Beacon Object File using the InlineWhispers library to test - https://github.com/outflanknl/WdToggle
BOFs are a bit odd to run against capa, since they're more structured than shellcode but not PEs, but running them as shellcode seems to work just fine. WdToggle was an arbitrary choice on my end - mostly because it was linked in the InlineWhispers repository.
Add support for wildcards and skips for bytes feature similar to Yara hexadecimal strings.