mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
https://mandiant.github.io/capa/
Apache License 2.0
4.1k stars 512 forks

IDA 7.5 compatibility #2371

Closed h4rdee closed 2 days ago

h4rdee commented 2 days ago

Description

I've used the capa IDA plugin and decided to update it. I uninstalled the previous flare-capa package, then installed it again. I also removed the old rules and pulled new ones. Then, when I tried to use the plugin, I got the following error:

  File "C:\Users\...\AppData\Local\Programs\Python\Python38\lib\site-packages\capa\features\extractors\ida\helpers.py", line 32, in find_byte_sequence
    patterns = ida_bytes.compiled_binpat_vec_t()
AttributeError: module 'ida_bytes' has no attribute 'compiled_binpat_vec_t'

Which I'm assuming is because the IDA 7.5 SDK doesn't have such a thing as compiled_binpat_vec_t.

Can be related to https://github.com/mandiant/capa/pull/2011

Steps to Reproduce

Pretty much described above

Expected behavior:

Plugin works properly (IDA 7.5 should be supported by capa plugin afaik (?))

Actual behavior:

AttributeError: module 'ida_bytes' has no attribute 'compiled_binpat_vec_t'

Versions

IDA Pro 7.5, latest capa version (7.2.0), Python 3.8.10

Additional Information

Can be fixed by adding a backward-compatibility layer to the API described above

h4rdee commented 2 days ago

Fixed it by downgrading the code to the previous version, seems to be working now

h4rdee commented 2 days ago

I'm kinda curious how's this left unchecked @s-ff (feels like a breaking change tbh)

mr-tz commented 2 days ago

Good find, we'll have to add a compat layer to support the older IDA API here.
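
Added example, not part of the thread and not capa's code: a sketch of the kind of compat layer discussed above, which probes for `compiled_binpat_vec_t` once at load time and picks a search backend instead of failing mid-analysis. The names `missing_attrs`, `select_backend` and `make_buffer_backend`, the `BADADDR` value and the stub SDK objects are assumptions constructed so the sketch runs without IDA; a real layer would wrap the actual IDA search calls in the two backends.

```python
from types import SimpleNamespace
from typing import Callable, Iterator, List

BADADDR = -1  # constructed sentinel for this sketch, standing in for IDA's BADADDR

SearchOnce = Callable[[int, int, bytes], int]


def missing_attrs(module: object, required: List[str]) -> List[str]:
    """Names from `required` that `module` lacks; empty means the API is usable."""
    return [name for name in required if not hasattr(module, name)]


def select_backend(ida_bytes_mod: object, modern: SearchOnce, legacy: SearchOnce) -> SearchOnce:
    """Choose the search routine once by probing for the symbol named in the
    traceback, rather than assuming it from the IDA version."""
    if missing_attrs(ida_bytes_mod, ["compiled_binpat_vec_t"]):
        return legacy
    return modern


def find_byte_sequence(search_once: SearchOnce, start: int, end: int, seq: bytes) -> Iterator[int]:
    """Yield every address in [start, end) where `seq` occurs, for either backend."""
    while start < end:
        ea = search_once(start, end, seq)
        if ea == BADADDR:
            return
        yield ea
        start = ea + 1  # resume just past the hit so overlapping matches are found


def make_buffer_backend(image: bytes) -> SearchOnce:
    """Hypothetical stand-in for a real IDA search call: searches a bytes buffer."""
    def search_once(start: int, end: int, seq: bytes) -> int:
        idx = image.find(seq, start, end)
        return BADADDR if idx < 0 else idx
    return search_once


# Constructed stubs: an SDK without the symbol (as reported for IDA 7.5) and one with it.
OLD_SDK = SimpleNamespace()
NEW_SDK = SimpleNamespace(compiled_binpat_vec_t=list)
IMAGE = bytes.fromhex("9090cc909090")  # constructed sample bytes
MODERN = make_buffer_backend(IMAGE)
LEGACY = make_buffer_backend(IMAGE)
```
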