Open williballenthin opened 1 year ago
Would also be cool to capture and explain multi-line strings, like:
```xml
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level='asInvoker' uiAccess='false' />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```
Should enumerate all the Windows API functions (and DLLs) so that they can be reasoned about (e.g., an API that is not part of the import table).
I blindly pull all strings referenced by capa rules into an "expert" database, which results in this output:
Seems like a pretty good starting point!
For collecting community knowledge it should be easy to add raw entries by just adding to a file. For example, maybe use tab (`\t`) as the separator so the text can contain all symbols.
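As an added example (not code from the capa project or from anyone in this thread), here is the tab-separated entry format together with matching of multi-line strings such as the manifest quoted above, in Python. The three-column layout (string, kind, note), the literal `\n` escape for multi-line entries and the sample notes are assumptions made for the example.

```python
import re

# Constructed sample database (not the project's format): one entry per line,
# columns "string<TAB>kind<TAB>note". Using a tab as the separator lets the
# string column hold quotes, commas, angle brackets and so on. Multi-line
# strings are written with a literal "\n" so every entry stays on one line.
EXPERT_DB = (
    "CreateRemoteThread\tapi\tkernel32 export; worth explaining even when absent from the import table\n"
    "SeDebugPrivilege\tprivilege\tprivilege name referenced by capa rules about process access\n"
    "<requestedExecutionLevel level='asInvoker' uiAccess='false' />\tmanifest\t"
    "UAC manifest setting: the program runs at the caller's integrity level\n"
    "<security>\\n<requestedPrivileges>\tmanifest\tstart of a requestedPrivileges block\n"
)

# The manifest quoted in the issue, used here as a sample extracted string.
MANIFEST = """<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level='asInvoker' uiAccess='false' />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""

def _norm(s):
    """Expand literal "\\n" escapes and collapse every whitespace run to one
    space, so a multi-line entry matches regardless of indentation."""
    return re.sub(r"\s+", " ", s.replace("\\n", "\n")).strip()

def load_expert_db(text):
    """Parse tab-separated entries into {normalized string: (kind, note)}."""
    db = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split("\t", 2)  # the note column may itself contain tabs
        if len(parts) != 3:
            raise ValueError(f"expected 3 tab-separated columns: {line!r}")
        string, kind, note = parts
        db[_norm(string)] = (kind, note)
    return db

def explain(blob, db):
    """Return (string, kind, note) for every expert entry found in blob."""
    hay = _norm(blob)
    return [(s, kind, note) for s, (kind, note) in db.items() if s in hay]
```

Calling `explain(MANIFEST, load_expert_db(EXPERT_DB))` returns the two manifest entries, including the one that spans a line break in the original XML.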