mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
Apache License 2.0

Feature request: loop scope #502

Open Ana06 opened 3 years ago

Ana06 commented 3 years ago

Introducing a new loop scope could be useful in some rules. For example:


rule:
  meta:
    name: enumerate PE sections
    namespace: load-code/pe
    author: "@Ana06"
    scope: function
    references:
      - https://0x00sec.org/t/reflective-dll-injection/3080
      - https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection
    examples:
      - E4C33AC3638EEF68311F8AC0D72483C7:0x401510
  features:
    - and:
      - offset: 0x6 = IMAGE_NT_HEADERS.FileHeader.NumberOfSections
      - basic block:
        - or:
          - and:
            - description: IMAGE_FIRST_SECTION(nt_header)
            - offset: 0x14 = IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader
            - offset: 0x18 = FileHeader.SizeOfOptionalHeader
          - and:
            - description: (DWORD)dll_raw + dos_header->e_lfanew + sizeof(IMAGE_NT_HEADERS) + sizeof(IMAGE_SECTION_HEADER) * i
            - number: 0x28 = sizeof(IMAGE_SECTION_HEADER)
            - or:
              - offset/x32: 0xF8 = sizeof(IMAGE_NT_HEADERS32)
              - offset/x64: 0x108 = sizeof(IMAGE_NT_HEADERS64)
      - loop:
        - and:
          - offset: 0xC = IMAGE_SECTION_HEADER.VirtualAddress
          - offset: 0x14 = IMAGE_SECTION_HEADER.PointerToRawData
          - offset: 0x10 = IMAGE_SECTION_HEADER.SizeOfRawData

From https://github.com/fireeye/capa-rules/pull/308#discussion_r600715392
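To make concrete what the proposed `loop` scope would have to match, here is the section-table walk the rule above describes, written as an added Python example (not capa's own code). The offsets are the ones named in the rule; the sample PE header is constructed inline and is not a real binary.

```python
import struct

# Offsets cited in the rule (IMAGE_NT_HEADERS / IMAGE_SECTION_HEADER layout)
NUMBER_OF_SECTIONS_OFF = 0x6      # IMAGE_NT_HEADERS.FileHeader.NumberOfSections
SIZE_OF_OPTIONAL_HDR_OFF = 0x14   # IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader
FIRST_SECTION_OFF = 0x18          # sizeof(Signature) + sizeof(IMAGE_FILE_HEADER)
SECTION_HEADER_SIZE = 0x28        # sizeof(IMAGE_SECTION_HEADER)


def enumerate_sections(data: bytes):
    """Walk the section table: this is the loop body the rule's 'loop' block targets."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nt = e_lfanew
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, nt + NUMBER_OF_SECTIONS_OFF)[0]
    opt_size = struct.unpack_from("<H", data, nt + SIZE_OF_OPTIONAL_HDR_OFF)[0]
    # IMAGE_FIRST_SECTION(nt_header); for a standard PE32 optional header this
    # equals nt + 0xF8 == sizeof(IMAGE_NT_HEADERS32), the rule's other branch.
    first = nt + FIRST_SECTION_OFF + opt_size
    sections = []
    for i in range(num_sections):
        hdr = first + SECTION_HEADER_SIZE * i      # ... + sizeof(IMAGE_SECTION_HEADER) * i
        if hdr + SECTION_HEADER_SIZE > len(data):  # guard against a truncated/bogus table
            raise ValueError("section table runs past end of data")
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        virtual_address = struct.unpack_from("<I", data, hdr + 0xC)[0]    # VirtualAddress
        size_of_raw_data = struct.unpack_from("<I", data, hdr + 0x10)[0]  # SizeOfRawData
        pointer_to_raw = struct.unpack_from("<I", data, hdr + 0x14)[0]    # PointerToRawData
        sections.append((name, virtual_address, size_of_raw_data, pointer_to_raw))
    return sections


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header with two sections (sample input, not a real file)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # sizeof(IMAGE_OPTIONAL_HEADER32)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    nt = b"PE\0\0" + file_hdr + b"\0" * opt_size

    def section(name, va, raw_size, raw_ptr):
        return struct.pack("<8sIIIIIIHHI", name, raw_size, va, raw_size, raw_ptr,
                           0, 0, 0, 0, 0x60000020)

    return dos + nt + section(b".text", 0x1000, 0x200, 0x400) + section(b".data", 0x2000, 0x100, 0x600)
```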

williballenthin commented 3 years ago

this seems useful.

it may take a bit of work to enable this without affecting performance too much. but perhaps performance tuning is needed anyways.

i wonder if there are any edge cases with a crazy number of loops that we'd need to handle. and how does the following behave? can it be done efficiently?

loop:
  and:
    loop:
      offset: 10

Ana06 commented 3 years ago

@williballenthin

loop:
  and:
    loop:
      offset: 10

I understand this as a loop which contains the offset 10. Something like this would for example match:

while(condition){
  var += 10
}

Do you mean that this may be too common and match too often or do we understand different things? 🤔

mr-tz commented 3 years ago

I think Willi's referring to nested loops like

while(condition1) {
  while(condition2){
    var += 10
  }
}