mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
https://mandiant.github.io/capa/
Apache License 2.0

support wildcards and skips for bytes feature #233

Open mike-hunhoff opened 4 years ago

mike-hunhoff commented 4 years ago

Add support for wildcards and skips for bytes feature similar to Yara hexadecimal strings.

williballenthin commented 4 years ago

we can support this by translating the bytes literal into a regular expression (python supports byte literals in regexes).

how would you use this feature?

kulinacs commented 3 years ago

I was looking for this feature to write rules for direct syscall invocations - commonly generated by tooling like SysWhispers.

4C 8B D1                mov     r10, rcx
B8 ?? ?? ?? ??          mov     eax, ??
0F 05                   syscall
C3                      retn

should be a pretty straightforward byte sequence for a capa rule, but I'm not sure how I would implement it without byte wildcards.

edit: I kept working on this and I think I should be able to do it with mnemonics after reading the Heaven's Gate rule. probably a similar situation for a lot of these
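
As an added example (not capa's code), the translation williballenthin suggests above: a YARA-style hex pattern with `??` wildcards and `[n-m]` skips is turned into a compiled bytes regex and run over a constructed buffer containing the syscall stub shown in this comment. The syscall number in the sample buffer and the helper names are assumptions.

```python
import re

# Added example, not part of capa. Tokens: one literal byte ("4C"), one
# wildcard byte ("??"), or a skip of n..m bytes ("[4]" / "[4-8]").
_TOKEN = re.compile(r"\?\?|\[(\d+)(?:-(\d+))?\]|[0-9A-Fa-f]{2}")


def hex_pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Convert e.g. '4C 8B D1 B8 ?? ?? ?? ?? 0F 05 C3' into a bytes regex."""
    text = pattern.replace(" ", "")
    parts = []
    pos = 0
    for m in _TOKEN.finditer(text):
        if m.start() != pos:
            raise ValueError(f"unexpected text at offset {pos} in {pattern!r}")
        pos = m.end()
        tok = m.group(0)
        if tok == "??":
            parts.append(b".")  # exactly one arbitrary byte
        elif tok.startswith("["):
            lo = int(m.group(1))
            hi = lo if m.group(2) is None else int(m.group(2))
            parts.append(b".{%d,%d}" % (lo, hi))  # skip lo..hi arbitrary bytes
        else:
            parts.append(re.escape(bytes.fromhex(tok)))  # literal byte
    if pos != len(text):
        raise ValueError(f"unexpected trailing text in {pattern!r}")
    # DOTALL so a wildcard also matches 0x0A, which "." would otherwise skip.
    return re.compile(b"".join(parts), re.DOTALL)


# Constructed sample buffer (assumption): padding, then the stub from the
# comment above with an arbitrary syscall number, then more padding.
SAMPLE = bytes.fromhex(
    "90 90"             # padding
    "4C 8B D1"          # mov r10, rcx
    "B8 3F 00 00 00"    # mov eax, <syscall number> (constructed value)
    "0F 05"             # syscall
    "C3"                # retn
    "CC CC"             # padding
)


def find_syscall_stubs(buf: bytes) -> list:
    """Return the offset of every direct-syscall stub matched by the pattern."""
    rx = hex_pattern_to_regex("4C 8B D1 B8 ?? ?? ?? ?? 0F 05 C3")
    return [m.start() for m in rx.finditer(buf)]
```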

mr-tz commented 3 years ago

> edit: I kept working on this and I think I should be able to do it with mnemonics after reading the Heaven's Gate rule. probably a similar situation for a lot of these

right, in capa we could match on a basic block containing something like:

  features:
    - and:
      - mnemonic: syscall
      - mnemonic: retn

Do you have a file/hash you can share for this specific example?

kulinacs commented 3 years ago

I was using WdToggle, a Beacon Object File using the InlineWhispers library to test - https://github.com/outflanknl/WdToggle

BOFs are a bit odd to run against capa, since they're more structured than shellcode but not PEs, but running them as shellcode seems to work just fine. WdToggle was an arbitrary choice on my end - mostly because it was linked in the InlineWhispers repository.