Closed mr-tz closed 4 years ago
can you share some more detail here? are you saying that 0xB gets pulled out as an address and bytes fetched from there? i can see this being a problem for shellcode workspaces, but i wouldn't expect so for PE.
do you have an example in one of the test binaries handy? happy to dig into it if you have an example
Right, I was looking at shellcode in this case. If we want to accept it in these cases, this issue can be closed.
if we load shellcode at a nonzero address then this issue should be mitigated
On Fri, Jul 3, 2020, 12:48 PM Moritz notifications@github.com wrote:
Right, I was looking at shellcode in this case. If we want to accept it in these cases, this issue can be closed.
accidentally committed on master. @mr-tz would you double check this implementation?
also fixed Format=blob upstream https://github.com/williballenthin/viv-utils/releases/tag/v0.3.14
great, thank you! 69 😄
currently this gets bytes features for many invalid immediate operators
for example
add ebp, 0Bh
etc. Should this case be fine-tuned or removed?
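A small model of the behaviour discussed in this thread, added here as an example; it is not code from capa or viv-utils, and the segment layout, the 64-byte constructed shellcode and the function names are assumptions. It shows why the immediate in `add ebp, 0Bh` yields a bogus bytes feature when shellcode is mapped at address 0, and why mapping it at a nonzero base avoids that.

```python
# Added example (not capa's own code): models how a small immediate such as the
# 0Bh in "add ebp, 0Bh" is mistaken for a pointer when shellcode is mapped at
# address 0, and how loading it at a nonzero base avoids that.
from typing import List, Optional, Tuple

# constructed shellcode-like workspace: a single segment of 64 bytes
SHELLCODE = bytes(range(0x40))
Segment = Tuple[int, bytes]  # (base address, contents)


def read_bytes_at(segments: List[Segment], va: int, n: int) -> Optional[bytes]:
    """Return n bytes at virtual address va if va lies inside a mapped segment."""
    for base, data in segments:
        if base <= va and va + n <= base + len(data):
            off = va - base
            return data[off:off + n]
    return None


def bytes_feature_for_immediate(imm: int, segments: List[Segment], n: int = 4) -> Optional[bytes]:
    """Model of a 'bytes' feature: an immediate operand is treated as a pointer
    and dereferenced only when it points into a mapped segment."""
    return read_bytes_at(segments, imm, n)


def load_shellcode(base: int) -> List[Segment]:
    """Map the constructed shellcode at the given base address (hypothetical loader)."""
    return [(base, SHELLCODE)]


if __name__ == "__main__":
    imm = 0x0B  # the immediate operand in "add ebp, 0Bh"
    # shellcode at address 0: 0xB falls inside the segment, so a bogus bytes feature appears
    print(bytes_feature_for_immediate(imm, load_shellcode(0)))       # b'\x0b\x0c\x0d\x0e'
    # shellcode at 0x1000: 0xB points outside every segment, so no bytes feature
    print(bytes_feature_for_immediate(imm, load_shellcode(0x1000)))  # None
```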